CMMC Practice AU.4.053: Automate analysis of audit logs to identify and act on critical indicators (TTPs) and/or organizationally defined suspicious activity.
CMMC CLARIFICATION (Ref CMMC – Appendix B)
Speed of response can be critical in stopping a cyber attack and limiting exposure to it. Response is faster when the log source platforms themselves automatically and immediately identify indicators for which immediate action is required and is authorized to be taken automatically. Some logging platforms do not support automated analysis and action; in those cases the immediate analysis occurs at the centralized log collection server (see practice AU.3.048).
The analysis would look for specific log entry text or data element values in cases where there is certainty that an action should and can occur immediately, as defined by the organization. Actions may range from notifications to blocks. The actions must be automatic but need not be comprehensive in stopping the threat.
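As an added illustration (not part of the CMMC text), the following Python rule engine shows the shape of such an analysis: one rule keys on specific log entry text, the other on data element values, and each triggers a fixed automatic action (notify or block) without attempting to fully contain the threat. The key=value log format, the sample entries, the indicators and the 10.0.0.0/8 internal range are all constructed assumptions.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Callable, List
# Constructed sample log entries (a key=value line format is assumed here).
SAMPLE_LOGS = [
    'ts=2024-05-01T10:00:01Z host=web01 event=login user=alice src=10.0.0.5 result=success',
    'ts=2024-05-01T10:00:07Z host=web01 event=login user=admin src=203.0.113.9 result=failure',
    'ts=2024-05-01T10:00:09Z host=dc01 event=audit msg="audit log cleared" user=bob',
    'ts=2024-05-01T10:00:12Z host=db01 event=login user=admin src=10.0.0.8 result=failure',
]
INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed internal address range

def parse_entry(line: str) -> dict:
    """Split a log line into fields; quoted values may contain spaces."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}

def is_external(addr: str) -> bool:
    try:
        return ipaddress.ip_address(addr) not in INTERNAL
    except ValueError:
        return False  # malformed or missing address: never block automatically on junk

@dataclass(frozen=True)
class Rule:
    name: str
    matches: Callable[[dict], bool]  # indicator test on the parsed entry
    action: str                      # "notify" or "block"
    target_field: str                # field naming what the action applies to

# Organizationally defined indicators (illustrative, not taken from CMMC).
RULES = [
    # Specific log entry text: the audit log was cleared -> notify about the host.
    Rule("audit-log-cleared",
         lambda e: "audit log cleared" in e.get("msg", "").lower(), "notify", "host"),
    # Data element values: failed privileged login from outside -> block the source.
    Rule("external-admin-failure",
         lambda e: e.get("event") == "login" and e.get("user") == "admin"
         and e.get("result") == "failure" and is_external(e.get("src", "")),
         "block", "src"),
]

def analyze(lines: List[str]) -> List[tuple]:
    """Return (rule, action, target) for each entry matching a rule, in log order."""
    actions = []
    for entry in map(parse_entry, lines):
        for rule in RULES:
            if rule.matches(entry):
                actions.append((rule.name, rule.action, entry.get(rule.target_field, "?")))
    return actions
```

Running `analyze(SAMPLE_LOGS)` yields one block for the external source 203.0.113.9 and one notification for host dc01; the internal failed admin login is deliberately left to slower human review.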