CMMC Practice AU.4.054: Review audit information for broad activity in addition to per-machine activity.
CMMC CLARIFICATION (Ref CMMC – Appendix B)
Examining audit logs for system-specific indicators provides an important “point-defense” capability for an individual system (see practice AU.4.053). Comparing log information across multiple disparate systems allows for a holistic, time-correlated approach that can detect attack activity which would not constitute a threat indicator, or trigger any action, when observed on any single system. Some of these attacks are subtle or infrequent; others are apparent only because they span a large number of machines. This practice requires that a system-wide perspective be used to look for these subtle and distributed (in both logical space and time) indicators, and that detections be acted upon in line with the other auditing practices. The definition and scope of the system perspective will vary with the size of the organization or enclave. For very small installations, broad activity may mean no more than activity across two or more systems.
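As an added illustration (not part of the CMMC text), the following Python script contrasts the per-machine view with the cross-system view on a constructed set of sshd log lines. One source address fails only twice against each of three hosts, which no per-host threshold would flag, while a second source hammers a single host and is caught by the point-defense rule; pooling events by source across all hosts exposes the first as a low-and-slow, distributed password-guessing pattern. The hostnames, addresses (RFC 5737 documentation ranges), timestamps and thresholds are assumptions chosen for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from any real system). Hostnames,
# addresses and timestamps are assumptions made for this example.
SAMPLE_LOGS = """\
2024-03-01T09:00:05Z web01 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
2024-03-01T09:00:30Z web01 sshd[1203]: Accepted publickey for deploy from 198.51.100.4 port 40100 ssh2
2024-03-01T09:03:41Z web01 sshd[1220]: Failed password for invalid user admin from 203.0.113.7 port 51031 ssh2
2024-03-01T09:07:12Z db01 sshd[884]: Failed password for invalid user admin from 203.0.113.7 port 51044 ssh2
2024-03-01T09:10:02Z db01 sshd[890]: Failed password for root from 192.0.2.9 port 60001 ssh2
2024-03-01T09:10:03Z db01 sshd[891]: Failed password for root from 192.0.2.9 port 60002 ssh2
2024-03-01T09:10:04Z db01 sshd[892]: Failed password for root from 192.0.2.9 port 60003 ssh2
2024-03-01T09:10:05Z db01 sshd[893]: Failed password for root from 192.0.2.9 port 60004 ssh2
2024-03-01T09:10:06Z db01 sshd[894]: Failed password for root from 192.0.2.9 port 60005 ssh2
2024-03-01T09:11:55Z db01 sshd[901]: Failed password for invalid user admin from 203.0.113.7 port 51050 ssh2
2024-03-01T09:14:20Z app01 sshd[3310]: Failed password for invalid user admin from 203.0.113.7 port 51063 ssh2
2024-03-01T09:18:47Z app01 sshd[3322]: Failed password for invalid user admin from 203.0.113.7 port 51071 ssh2
"""

# Matches OpenSSH "Failed password" lines in a syslog-style layout:
# <timestamp> <host> sshd[<pid>]: Failed password for [invalid user ]<user> from <ip> ...
FAILED_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)


def parse_failed_logons(text):
    """Return a list of (timestamp, host, user, source_ip) for every failed-password line."""
    events = []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # accepted logons and unrelated lines are ignored
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["host"], m["user"], m["ip"]))
    return events


def max_events_in_window(times, window):
    """Largest number of timestamps that fall inside any interval of length `window`."""
    times = sorted(times)
    best, left = 0, 0
    for right, t in enumerate(times):
        while t - times[left] > window:
            left += 1
        best = max(best, right - left + 1)
    return best


def per_host_alerts(events, threshold=5, window=timedelta(minutes=30)):
    """Point-defense view (AU.4.053): flag a source that fails `threshold`
    times against ONE host inside `window`. Returns {(host, ip): count}."""
    by_key = defaultdict(list)
    for ts, host, _user, ip in events:
        by_key[(host, ip)].append(ts)
    alerts = {}
    for key, times in by_key.items():
        n = max_events_in_window(times, window)
        if n >= threshold:
            alerts[key] = n
    return alerts


def cross_host_alerts(events, threshold=5, window=timedelta(minutes=30), min_hosts=2):
    """System-wide view (AU.4.054): pool failures per source across ALL hosts
    and flag a source whose pooled count reaches `threshold` inside `window`
    while touching at least `min_hosts` distinct hosts.
    Returns {ip: (count, sorted_hosts)}. For simplicity the distinct-host set
    is taken over all of that source's events, not only those in the best window."""
    by_ip = defaultdict(list)
    hosts_by_ip = defaultdict(set)
    for ts, host, _user, ip in events:
        by_ip[ip].append(ts)
        hosts_by_ip[ip].add(host)
    alerts = {}
    for ip, times in by_ip.items():
        n = max_events_in_window(times, window)
        if n >= threshold and len(hosts_by_ip[ip]) >= min_hosts:
            alerts[ip] = (n, sorted(hosts_by_ip[ip]))
    return alerts


if __name__ == "__main__":
    evts = parse_failed_logons(SAMPLE_LOGS)
    print("per-host alerts:  ", per_host_alerts(evts))
    print("cross-host alerts:", cross_host_alerts(evts))
```

Run stand-alone, the per-host rule reports only (db01, 192.0.2.9) with five failures in a few seconds, and the cross-host rule reports only 203.0.113.7 with six failures spread over web01, db01 and app01 inside the window. Neither rule alone gives the full picture, which is the point of keeping both views.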