CMMC Practice AU.2.044
Review audit logs.
Bold Coast Security Guidance
Audit logs don't do anything if you don't have a policy and a plan for how you're going to review them! There is a wealth of information in there that is only meaningful if you review it on a regular basis. The CMMC example is, respectfully, not enough. There are tools available that will review your audit trails in real time and send alerts, and third-party services that should be considered by organizations with many reporting hosts but not enough budget for a 24x7 network operations center. But more on these options later! For now, start reviewing your logs to get a baseline of normal activity. For instance, knowing your count of "normal" failed logins tells you something is wrong when the number spikes for an unknown reason.
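One way to build that failed-login baseline and flag a spike, as an added example (not code from Bold Coast Security or the CMMC documentation). It assumes OpenSSH "Failed password" lines in traditional syslog format; the function names, the k and floor thresholds, and the sample log are constructed for illustration.

```python
import re
from collections import Counter
from statistics import median

# Assumed input: OpenSSH "Failed password" lines in traditional syslog format.
FAILED = re.compile(
    r"^(\w{3})\s+(\d+) [\d:]{8} \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from \S+"
)

def failed_per_day(lines):
    """Count failed SSH password attempts per day, keyed by (month, day)."""
    counts = Counter()
    for line in lines:
        m = FAILED.match(line)
        if m:
            counts[(m.group(1), int(m.group(2)))] += 1
    return counts

def spike_threshold(history, k=5, floor=10):
    """Median of past daily counts plus k MADs or `floor`, whichever is larger.
    k and floor are illustrative; tune them to your own environment."""
    med = median(history)
    mad = median(abs(x - med) for x in history)
    return med + max(k * mad, floor)

def review(lines, days, warmup=3):
    """Return (day, count) for each day that exceeds the baseline of the days before it."""
    counts = failed_per_day(lines)
    series = [counts.get(d, 0) for d in days]  # a day with no failures counts as 0
    return [(days[i], series[i]) for i in range(warmup, len(days))
            if series[i] > spike_threshold(series[:i])]

def sample_lines():
    """Constructed sample log: made-up host, users and documentation-range IPs."""
    per_day = {1: 3, 2: 5, 3: 4, 4: 2, 5: 4, 6: 3, 7: 41}
    lines = []
    for day, n in per_day.items():
        lines.append(f"Mar {day:2d} 08:00:01 web01 sshd[900]: "
                     "Accepted password for alice from 192.0.2.10 port 50000 ssh2")
        for i in range(n):
            lines.append(f"Mar {day:2d} 09:{i:02d}:00 web01 sshd[{1000 + i}]: Failed "
                         "password for invalid user admin from 203.0.113.7 port 40000 ssh2")
    return lines

if __name__ == "__main__":
    week = [("Mar", d) for d in range(1, 8)]
    for (month, day), n in review(sample_lines(), week):
        print(f"{month} {day}: {n} failed logins, above baseline")
```

The median and median absolute deviation are used instead of a mean so that one earlier bad day does not raise the baseline and hide the next one.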
Reviewing audit logs is a common control in information security. Organizations have the flexibility to determine which logs and specific events to review. The level of audit log review should be determined based on a risk assessment or similar activity.