CMMC Practice IR.5.102: Use a combination of manual and automated, real-time responses to anomalous activities that match incident patterns.
CMMC CLARIFICATION (Ref CMMC – Appendix B)
To gain an advantage the organization should have pre-defined steps to reduce the risk from someone conducting a known pattern of malicious activity. The steps could be a manual checklist or automated series of actions using scripts or other technology. Organizations may call these pre-defined or automated lists a playbook or runbook. They help to establish a formalized incident response that can be performed. Organizations should balance the speed of response against the possibility of unintended side-effects in determining whether automated responses are appropriate.