CMMC Practice AU.3.051: Correlate audit record review, analysis, and reporting processes for investigation and response to indications of unlawful, unauthorized, suspicious, or unusual activity.
CMMC CLARIFICATION (Ref CMMC – Appendix B)
Organizations must review, analyze, and report audit records so that security incidents are detected and responded to in a timely manner, supporting investigation and corrective action. Collecting audit logs into one or more central repositories (per AU.3.048) makes correlated review possible. Small organizations may be able to accomplish this manually. Larger organizations will use an automated system that correlates log information across the entire enterprise and supports the use of centralized intel feeds. Centralizing intel feeds should reduce subscription costs and increase the effectiveness of the analysis. Some organizations may want to orchestrate the entire analysis process, including the use of APIs for collection and correlation and the automation of responses based on programmed rulesets.
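The following is an added illustration of the correlated review the practice calls for, not code from CMMC or Appendix B. It assumes two already-centralized log sources (an authentication log and a file-server access log), a constructed record format, and an illustrative rule whose thresholds are assumptions: events that look like noise in either source alone become reportable when joined per user and time window.

```python
"""Correlate audit records from two constructed log sources (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: (timestamp, source, user, event, detail).
# The sources and the /cui/ path convention are assumptions for this example.
AUDIT_RECORDS = [
    ("2024-03-01T02:00:05", "auth", "jdoe", "LOGIN_FAIL", "10.0.0.7"),
    ("2024-03-01T02:00:09", "auth", "jdoe", "LOGIN_FAIL", "10.0.0.7"),
    ("2024-03-01T02:00:14", "auth", "jdoe", "LOGIN_FAIL", "10.0.0.7"),
    ("2024-03-01T02:00:20", "auth", "jdoe", "LOGIN_OK", "10.0.0.7"),
    ("2024-03-01T02:03:41", "fileserver", "jdoe", "READ", "/cui/contracts.zip"),
    ("2024-03-01T09:15:00", "auth", "asmith", "LOGIN_OK", "10.0.1.5"),
    ("2024-03-01T09:16:30", "fileserver", "asmith", "READ", "/share/notes.txt"),
]


def parse(records):
    """Convert timestamps so records from different sources sort on one clock."""
    return [(datetime.fromisoformat(ts), src, user, ev, d) for ts, src, user, ev, d in records]


def correlate(records, fail_threshold=3, window=timedelta(minutes=10)):
    """Return (user, description) findings for review and reporting.

    Assumed rule: fail_threshold or more LOGIN_FAIL events inside the window,
    then a LOGIN_OK, then a file-server READ under /cui/ within the window,
    all for the same user.  Neither source alone would raise this.
    """
    by_user = defaultdict(list)
    for rec in sorted(parse(records)):          # merge the sources chronologically
        by_user[rec[2]].append(rec)
    findings = []
    for user, events in by_user.items():
        fails, success_time = [], None
        for ts, src, _, ev, detail in events:
            if src == "auth" and ev == "LOGIN_FAIL":
                fails = [t for t in fails if ts - t <= window] + [ts]   # keep only the window
            elif src == "auth" and ev == "LOGIN_OK" and len(fails) >= fail_threshold:
                success_time = ts                # guessing burst followed by a success
            elif (src == "fileserver" and ev == "READ" and detail.startswith("/cui/")
                  and success_time is not None and ts - success_time <= window):
                findings.append((user, f"{len(fails)} failed logins, then success, "
                                       f"then read of {detail} at {ts.isoformat()}"))
                success_time = None             # report each burst once
    return findings


if __name__ == "__main__":
    for user, text in correlate(AUDIT_RECORDS):
        print(f"REVIEW {user}: {text}")
```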