AU.4.053

Content

Control Acronym

AU

Family

Audit And Accountability

CMMC Level

4

800-171 Control #

N/A

CMMC Description

Automate analysis of audit logs to identify and act on critical indicators (TTPs) and/or organizationally defined suspicious activity.

CMMC Clarification

Speed of response can be critical in stopping a cyber attack and limiting exposure to the attack. The speed of response is improved when log source platforms automatically and immediately identify indicators for which immediate action is required and authorized to be taken automatically. Some logging platforms will not support automated analysis and action. In those cases, the immediate analysis occurs at the centralized log collection server (see practice AU.3.048). The analysis would look for specific log entry text or data element values in cases where there is certainty that an action should and can occur immediately, as defined by the organization. Actions may range from notifications to blocks. The actions must be automatic but need not be comprehensive in stopping the threat.

Example

Upon seeing a specific text string in a log on the corporate CUI database server indicating that a large query had been requested, an alert is generated to notify the security operations center (SOC) of the log event. The SOC processes the alert automatically, a full report is generated, and a window pops up for the SOC member responsible for the CUI database as well as the overall SOC lead.

In a clearer and more critical case, where evidence of compromise is conclusive and decisive and response is already authorized by senior management, the action may be to cut off the server from some connected systems or even to shut down the server to prevent further exposure or data exfiltration. The clear evidence may have been provided by external shared indicators of a cyber incident at a peer organization for which early warning signs have been identified.
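As an added illustration of the matching described above (example code written for this page, not part of the CMMC text): each indicator is either a specific text string or a data-element threshold that the organization defines, and the automatic action is limited to what senior management has authorized in advance. The log format, indicator names, patterns and the row-count threshold are assumptions.

```python
import re
from dataclasses import dataclass

@dataclass
class Indicator:
    """One organizationally defined indicator and the automatic action tied to it."""
    name: str
    pattern: str                  # regex; an optional named group 'value' captures a data element
    threshold: int = 0            # minimum 'value' needed to fire; 0 means the text match alone fires
    action: str = "notify"        # "notify" (alert the SOC) or "block" (cut the server off)
    preauthorized: bool = False   # senior management has authorized "block" to run automatically

    def matches(self, line: str) -> bool:
        m = re.search(self.pattern, line)
        if not m:
            return False
        if self.threshold and "value" in m.groupdict():
            return int(m.group("value")) >= self.threshold
        return True

# Hypothetical indicators for a CUI database server (names, patterns and threshold are assumptions).
INDICATORS = [
    Indicator("large-cui-query", r'rows_returned=(?P<value>\d+) stmt="SELECT[^"]*cui_records', threshold=100000),
    Indicator("shared-ioc-hit", r"ioc match=", action="block", preauthorized=True),
    Indicator("admin-auth-failure", r"auth user=admin result=failure", action="block"),  # block not yet authorized
]

def analyze(lines, indicators=INDICATORS):
    """Return (indicator name, effective action, line) for every hit.

    A "block" that has not been pre-authorized is downgraded to "notify": the response
    is still automatic and immediate, but only the authorized action is taken."""
    hits = []
    for line in lines:
        for ind in indicators:
            if ind.matches(line):
                effective = ind.action if ind.action == "notify" or ind.preauthorized else "notify"
                hits.append((ind.name, effective, line))
    return hits

# Constructed sample log lines (not real data) as the server would forward them to the collector.
SAMPLE_LOGS = [
    '2024-05-01T10:00:01 db01 query user=jdoe rows_returned=120 stmt="SELECT name FROM cui_records WHERE id=7"',
    '2024-05-01T10:02:17 db01 query user=svc_report rows_returned=250000 stmt="SELECT * FROM cui_records"',
    '2024-05-01T10:03:40 db01 auth user=admin result=failure src=203.0.113.5',
    '2024-05-01T10:03:41 db01 ioc match=SHARED-INDICATOR-PLACEHOLDER src=203.0.113.5',
]

if __name__ == "__main__":
    for name, action, line in analyze(SAMPLE_LOGS):
        print(f"{action.upper():6} {name}: {line}")
```

The small query on the first line matches the text pattern but stays below the threshold, so it produces no action; the shared-indicator hit is the only event that is blocked automatically.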

800-171 Description

800-171 Discussion

N/A

Other Source Discussion

Adversary activity typically leaves indications in audit logs. Patterns and signatures from previously seen adversary activity or malicious software are shared and can be used in automated analysis. Organizations can define thresholds for the level and definition of suspicious activity on which to take an action. The automated activity can be distributed or centralized.

CIS Control References

CIS Controls v7.1 6.6

NIST 800-53 Control Ref.

NIST SP 800-53 Rev 4 SI-4(2)

CMMC Derived

CMMC

NIST CSF Control References

NIST 800-171 References

Applicable FAR Clause

NIST CSF Control Reference

NIST CSF v1.1 DE.AE-3

CERT RMM Reference

Modification of NIST 800-171B Reference

NIST 800-171B Reference

UK NCSC Cyber Reference

AS ACSC Reference

Sub-Criteria

Assessment Sub-Criteria 1

Assessment Sub-Criteria 2

Assessment Sub-Criteria 3

Assessment Sub-Criteria 4

Assessment Sub-Criteria 5

Assessment Sub-Criteria 6

Assessment Sub-Criteria 7

Assessment Sub-Criteria 8

Assessment Sub-Criteria 9

Assessment Sub-Criteria 10

Assessment Sub-Criteria 11

Assessment Sub-Criteria 12

Assessment Sub-Criteria 13

Assessment Sub-Criteria 14

Assessment Sub-Criteria 15