Audit And Accountability
Automate analysis of audit logs to identify and act on critical indicators (TTPs) and/or organizationally defined suspicious activity.
Speed of response can be critical in stopping a cyber attack and limiting exposure to it. Response is faster when log source platforms automatically and immediately identify indicators for which immediate action is required and is authorized to be taken automatically. Some logging platforms will not support automated analysis and action; in those cases, the immediate analysis occurs at the centralized log collection server (see practice AU.3.048). The analysis looks for specific log entry text or data element values in cases where there is certainty that an action should and can occur immediately, as defined by the organization. Actions may range from notifications to blocks. The actions must be automatic but need not be comprehensive in stopping the threat.

Example

Upon seeing a specific text string in a log on the corporate CUI database server indicating that a large query had been requested, an alert is generated to notify the security operations center (SOC) of the log event. The SOC processes the alert automatically: a full report is generated and a window pops up for the SOC member responsible for the CUI database as well as for the overall SOC lead. In a clearer and more critical case, where evidence of compromise is conclusive and decisive and the response is already authorized by senior management, the action may be to cut the server off from some connected systems or even to shut the server down to prevent further exposure or data exfiltration. The clear evidence may have been provided by externally shared indicators of a cyber incident at a peer organization for which early warning signs have been identified.
Adversary activity typically leaves indications in audit logs. Patterns and signatures from previously seen adversary activity or malicious software are shared and can be used in automated analysis. Organizations can define thresholds for the level and definition of suspicious activity on which to take an action. The automated activity can be distributed or centralized.
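The two-tier behaviour described above (notify on an organizationally defined threshold, isolate only on conclusive evidence that senior management has pre-authorized acting on) as an added illustration; this is not code from the CMMC practice text. The log format, the row threshold, the shared-indicator value and the host name are all constructed assumptions, and the "block" action is only recorded, not executed.

```python
import re

# Constructed sample log lines from a hypothetical CUI database server (not real data).
SAMPLE_LOGS = [
    "2024-05-01T10:00:01Z host=cui-db01 event=query user=alice rows_returned=42",
    "2024-05-01T10:02:13Z host=cui-db01 event=query user=bob rows_returned=250000",
    "2024-05-01T10:03:40Z host=cui-db01 event=conn dst=peer-shared-c2.example port=443",
]

LARGE_QUERY_ROWS = 100_000                  # organizationally defined threshold (assumed value)
SHARED_IOCS = {"peer-shared-c2.example"}    # constructed stand-in for externally shared indicators


def parse(line):
    """Turn the 'key=value' tokens of a line into a dict; the first token is the timestamp."""
    tokens = line.split()
    fields = dict(tok.split("=", 1) for tok in tokens[1:] if "=" in tok)
    fields["ts"] = tokens[0]
    return fields


def analyze(lines, block_authorized):
    """Return the list of (action, host, reason) tuples for the given log lines.

    A notification fires whenever the large-query threshold is crossed.  Isolation
    ("block") fires only when the evidence is conclusive (a match against a shared
    indicator) AND the response has been pre-authorized; without that authorization
    the same finding degrades to a notification so that a human decides.
    """
    actions = []
    for line in lines:
        f = parse(line)
        if f.get("event") == "query" and int(f.get("rows_returned", 0)) >= LARGE_QUERY_ROWS:
            actions.append(("notify", f["host"],
                            f"large query by {f['user']}: {f['rows_returned']} rows"))
        if f.get("event") == "conn" and f.get("dst") in SHARED_IOCS:
            kind = "block" if block_authorized else "notify"
            actions.append((kind, f["host"], f"connection to shared indicator {f['dst']}"))
    return actions


if __name__ == "__main__":
    for action in analyze(SAMPLE_LOGS, block_authorized=True):
        print(action)
```

In a real deployment the "notify" tuple would be handed to the SOC alerting pipeline and the "block" tuple to whatever isolation mechanism the organization has authorized; the indicator list would be loaded from the organization's own definitions rather than hard-coded.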
CIS Controls v7.1 6.6
NIST SP 800-53 Rev 4 SI-4(2)
NIST CSF v1.1 DE.AE-3