CMMC Practice AU.L2-3.3.5 – Audit Correlation: Correlate audit record review, analysis, and reporting processes for investigation and response to indications of unlawful, unauthorized, suspicious, or unusual activity.
Links to Publicly Available Resources
This document provides assessment guidance for conducting Cybersecurity Maturity Model Certification (CMMC) assessments for Level 2. This link provides a list of no or low cost log management tools. This document from Ubuntu discusses Logwatch, a tool that will monitor your server's logs and email the administrator a digest on a daily basis. This NIST Special Publication provides practical guidance on developing and maintaining effective log management practices. This link from Norfolk State University serves as is an example of a log review, analysis, and reporting policy. This policy from SANS helps identify requirements that must be met by a system to generate logs. This SANS whitepaper offers common elements to success for log management, in order to prepare for regulatory compliance audits.
Discussion [NIST SP 800-171 R2]
Correlating audit record review, analysis, and reporting processes helps to ensure that they do not operate independently, but rather collectively. Regarding the assessment of a given organizational system, the requirement is agnostic as to whether this correlation is applied at the system level or at the organization level across all systems.
Further Discussion
Companies must review, analyze, and report audit records to help detect and respond to security incidents in a timely manner for the purpose of investigation and corrective actions. Collection of audit logs into one or more central repositories may facilitate correlated review. Small companies may be able to accomplish this manually with well-defined and -managed procedures. Larger companies will use an automated system for analysis that correlates log data from across the entire enterprise. Some companies may want to orchestrate the analysis process to include the use of Application Programming Interfaces (APIs) for collection, correlation, and the automation of responses based on programed rulesets.