Requirement text: AU.4.054: Review audit information for broad activity in addition to per-machine activity.
DISCUSSION FROM SOURCE: CMMC
The full scope of adversary activity may not be apparent from analyzing a single machine. A broad perspective is necessary for full cybersecurity situational awareness. Activity might be reviewed across multiple machines, an enclave, or an entire enterprise. This will require audit logs collated with the same scope as the analysis.
CMMC CLARIFICATION
Examining audit logs for system-specific indicators provides an important "point-defense" ability for a specific system (see practice AU.4.053). Comparing log information across multiple disparate systems allows for a holistic and time-correlated approach to detecting cyber attack actions that would not constitute a threat indicator or generate any action when identified on any single system. Some of these attacks may be subtle or infrequent, while others simply span a large number of machines. This practice requires that a system-wide perspective be used to look for these subtle and distributed (in both logical space and time) indicators and to act upon detecting them in line with the other auditing practices. The definition and scope of the system perspective will vary as the size of the organization or enclave changes. For very small installations, broad activity may mean only more than one system.
Example 1
You are working your shift in the security operations center (SOC) when you are alerted to a trend that has appeared in logs from across the company networks. The centralized log collection server has identified minor indicators that show periodic increases in failed login attempts across most of the corporate data servers. While the number of failed attempts on any one server did not cross the threshold for account locking, the combined count exceeded the 24-hour moving-window threshold for failed login attempts, reaching 1000% of the average for such attempts. You obtain a list of all account names for which access failed and see that four accounts have had extremely high failure counts. You initiate a log query to identify the IP addresses of the systems that attempted to access these four accounts over the past 10 days and notify the threat hunting team of the analysis results.
Example 2
As part of the security operations center (SOC) standard operating procedures (SOP), you execute a run of a log analysis tool on the system-wide audit log looking for pre-defined indicators of broad security-relevant activity. The analysis tool notifies you that, after normal work hours, failed login attempts are occurring across a large number of machines, resulting in locked accounts across the system. On a machine-by-machine basis a locked account does not warrant any escalation, but across multiple systems this indicates a potential denial-of-service attack intended to cause a significant impact on workforce productivity at the start of the next workday.
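The two examples above describe the same correlation step from two angles: failures that stay under every per-machine threshold, yet together exceed a moving-window baseline (Example 1), and after-hours failures spread across many hosts (Example 2). The following Python is an added illustration, not part of the CMMC text or any CMMC tooling; the log line format, host names, account names, IP addresses, the 7-day baseline, and the thresholds are all constructed assumptions. It runs both checks over a small constructed audit set so the difference between the per-host and the enterprise view is visible in the numbers.

```python
# Added example (not from the CMMC text): cross-host correlation of failed
# logins over constructed sample log lines. Line format, host names, account
# names, IPs and thresholds are assumptions chosen for illustration.
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Assumed line shape: "<ISO timestamp> <host> sshd: Failed password for <user> from <ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: Failed password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+)$"
)

NOW = datetime(2024, 3, 12, 8, 0)   # analysis time (constructed)
PER_HOST_LOCK_THRESHOLD = 10        # what a single machine would act on by itself
SPIKE_RATIO = 10.0                  # 1000% of the moving-window average
MIN_HOSTS_AFTER_HOURS = 5           # how many hosts make after-hours failures "broad"


def build_sample_lines():
    """Constructed audit data: a quiet 7-day baseline, then a distributed spike."""
    lines = []
    # Baseline: three ordinary mistyped passwords per day on three servers.
    for day in range(1, 8):
        for n, user in enumerate(["alice", "bob", "carol"]):
            ts = NOW - timedelta(hours=24 * day + 2, minutes=n)
            lines.append(f"{ts.isoformat()} db0{n + 1} sshd: Failed password for {user} from 10.0.0.5")
    # Spike: four accounts, six hosts, two tries each, early morning, two source IPs.
    ips = ["203.0.113.7", "198.51.100.9"]
    for h in range(6):
        for a, user in enumerate(["svc-backup", "admin", "svc-etl", "jdoe"]):
            for rep in range(2):
                ts = NOW - timedelta(hours=4 + rep, minutes=h * 5 + a)
                lines.append(f"{ts.isoformat()} db0{h + 1} sshd: Failed password for {user} from {ips[(h + a) % 2]}")
    return lines


def parse_events(lines):
    """Turn matching log lines into dicts; non-matching lines are ignored."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            events.append({"ts": datetime.fromisoformat(m["ts"]), "host": m["host"],
                           "user": m["user"], "ip": m["ip"]})
    return events


def hosts_over_lock_threshold(events, now, window=timedelta(hours=24)):
    """Per-machine view: hosts whose own failure count would have triggered locking."""
    counts = Counter(e["host"] for e in events if now - window < e["ts"] <= now)
    return {h for h, c in counts.items() if c >= PER_HOST_LOCK_THRESHOLD}


def moving_window_ratio(events, now, window=timedelta(hours=24), baseline_days=7):
    """Enterprise view: failures in the trailing window versus the average of the
    preceding baseline_days windows. Returns (current, average, ratio)."""
    def in_window(k):
        return sum(1 for e in events if now - window * (k + 1) < e["ts"] <= now - window * k)
    current = in_window(0)
    avg = sum(in_window(k) for k in range(1, baseline_days + 1)) / baseline_days
    return current, avg, (current / avg if avg else float("inf"))


def top_failed_accounts(events, now, days=10, n=4):
    """Accounts with the most failures over the last `days` days (Example 1 follow-up)."""
    recent = [e for e in events if e["ts"] > now - timedelta(days=days)]
    return Counter(e["user"] for e in recent).most_common(n)


def source_ips_for_accounts(events, accounts, now, days=10):
    """Source addresses seen failing against the given accounts (Example 1 follow-up)."""
    ips = defaultdict(set)
    for e in events:
        if e["user"] in accounts and e["ts"] > now - timedelta(days=days):
            ips[e["user"]].add(e["ip"])
    return dict(ips)


def after_hours_hosts(events, now, window=timedelta(hours=24), start=18, end=6):
    """Example 2: hosts with failed logins outside working hours in the window."""
    return {e["host"] for e in events
            if now - window < e["ts"] <= now and (e["ts"].hour >= start or e["ts"].hour < end)}


if __name__ == "__main__":
    ev = parse_events(build_sample_lines())
    print("hosts that would act alone:", hosts_over_lock_threshold(ev, NOW) or "none")
    cur, avg, ratio = moving_window_ratio(ev, NOW)
    if ratio >= SPIKE_RATIO:
        print(f"enterprise spike: {cur} failures vs {avg:.1f} average ({ratio * 100:.0f}%)")
    accounts = [u for u, _ in top_failed_accounts(ev, NOW)]
    print("accounts:", accounts, "sources:", source_ips_for_accounts(ev, accounts, NOW))
    hosts = after_hours_hosts(ev, NOW)
    if len(hosts) >= MIN_HOSTS_AFTER_HOURS:
        print(f"after-hours failures on {len(hosts)} hosts; possible lockout denial of service")
```

On the constructed data every host sees eight failures, below the assumed per-host lock threshold of ten, so no single machine raises anything; the collated view sees 48 failures against a baseline average of 3 (1600%), the same four accounts on every host, both source addresses, and all six hosts active outside working hours. The baseline comparison needs the logs collated at the same scope as the analysis, which is the point the discussion text makes.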
References
• CMMC
• NIST CSF v1.1 PR.PT-1
• NIST SP 800-53 Rev 4 RA-5(6), RA-5(8), RA-5(10)