CMMC Practice AU.4.053
Automate analysis of audit logs to identify and act on critical indicators (TTPs) and/or organizationally defined suspicious activity.
Bold Coast Security Guidance
First, your SIEM solution must be able to accept externally supplied indicators of compromise, infection, or malicious activity. These signatures are used to monitor the current state and trigger actions as noted by the guidance, but they can also be applied retrospectively to stored logs to flag activity that escaped detection at the time because the indicator was not yet known.
Second, consider an advanced system that can automatically trigger response actions, such as shutting down the affected system, since this reduces the response time to a detected attack.
Since this is a Level 4 control, you can measure its effectiveness over time by including the system in penetration tests conducted in your environment. The solution should record, alert, and take action (if authorized) in response to the simulated attack on your systems.
Adversary activity typically leaves indications in audit logs. Patterns and signatures from previously seen adversary activity or malicious software are shared and can be used in automated analysis. Organizations can define thresholds for the level and definition of suspicious activity on which to take an action. The automated activity can be distributed or centralized.
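The following Python script is an added illustration of the workflow described above (ingested indicators matched against audit logs, an organization-defined threshold per host, retrospective matching against older events, and a recorded response action limited to what is authorized). It is not code from Bold Coast Security or from the CMMC documentation; the indicator feed, log lines, key=value log format, and the alert/isolate policy are all constructed for the example.

```python
"""
Indicator-driven audit-log analysis (constructed example).

Matches an indicator feed against key=value audit log events, counts
matches per host against an organization-defined policy, and records
the strongest authorized response action. Nothing is executed against
real systems; actions are returned as records for a downstream SOAR
or ticketing step.
"""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed indicator feed. "published" is when the indicator became
# known to the organization; events older than that can only be found
# by a retrospective sweep of stored logs.
INDICATORS = [
    {"type": "ip", "value": "198.51.100.23", "desc": "constructed C2 address",
     "published": "2023-03-10T00:00:00Z"},
    {"type": "domain", "value": "bad.example", "desc": "constructed phishing domain",
     "published": "2023-03-10T00:00:00Z"},
    {"type": "sha256", "value": "ab" * 32, "desc": "constructed tool hash",
     "published": "2023-03-12T00:00:00Z"},
]

# Constructed audit log lines in a simple key=value format.
LOG_LINES = [
    "ts=2023-03-09T08:15:00Z host=ws-17 event=dns query=bad.example",
    "ts=2023-03-11T09:02:11Z host=ws-17 event=netconn dst=198.51.100.23 dport=443",
    "ts=2023-03-11T09:02:40Z host=ws-17 event=process sha256=" + "ab" * 32,
    "ts=2023-03-11T09:05:00Z host=srv-02 event=netconn dst=203.0.113.9 dport=22",
    "ts=2023-03-13T14:00:00Z host=srv-02 event=netconn dst=198.51.100.23 dport=443",
    "this line is malformed and is skipped",
]

# Organization-defined policy (constructed): matches per host that
# trigger each action, and which actions automation is authorized to take.
POLICY = {"alert": 1, "isolate": 2}
AUTHORIZED_ACTIONS = {"alert", "isolate"}

# Which event fields each indicator type is compared against.
FIELD_MAP = {"ip": ("src", "dst"), "domain": ("query",), "sha256": ("sha256",)}


def parse_ts(s):
    """Parse an ISO-8601 UTC timestamp of the form used in the sample logs."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_log_line(line):
    """Turn 'k=v k=v ...' into a dict; tokens without '=' are ignored."""
    fields = {}
    for tok in line.split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value
    return fields


def match_event(event, indicators):
    """Return indicator hits for one event, flagging a hit as retrospective
    when the event predates the indicator's publication."""
    hits = []
    ts = parse_ts(event["ts"])
    for ind in indicators:
        for field in FIELD_MAP.get(ind["type"], ()):
            if event.get(field, "").lower() == ind["value"].lower():
                hits.append({"indicator": ind["value"], "desc": ind["desc"],
                             "retrospective": ts < parse_ts(ind["published"])})
    return hits


def decide_action(match_count, policy=POLICY, authorized=AUTHORIZED_ACTIONS):
    """Pick the strongest action whose threshold is met and which is authorized;
    None when no threshold is reached."""
    eligible = [a for a, threshold in policy.items()
                if match_count >= threshold and a in authorized]
    if not eligible:
        return None
    return max(eligible, key=lambda a: policy[a])


def analyze(lines, indicators=INDICATORS, policy=POLICY, authorized=AUTHORIZED_ACTIONS):
    """Run every line through indicator matching, aggregate hits per host,
    and return (matches, actions). Actions escalate as a host's count grows."""
    matches, actions = [], {}
    per_host = defaultdict(int)
    for line in lines:
        event = parse_log_line(line)
        if "ts" not in event or "host" not in event:
            continue  # malformed or incomplete record
        for hit in match_event(event, indicators):
            hit.update(ts=event["ts"], host=event["host"])
            matches.append(hit)
            per_host[event["host"]] += 1
            action = decide_action(per_host[event["host"]], policy, authorized)
            if action:
                actions[event["host"]] = action
    return matches, actions


if __name__ == "__main__":
    found, todo = analyze(LOG_LINES)
    for m in found:
        tag = "RETRO" if m["retrospective"] else "LIVE "
        print(f"{tag} {m['ts']} {m['host']} {m['indicator']} ({m['desc']})")
    print("actions:", todo)
```

Running the script with the constructed data flags four matches: two are tagged retrospective because the events were logged before the matching indicator was published, which is the "look back in time" case in the guidance. The workstation crosses the isolate threshold while the server only reaches alert; dropping "isolate" from AUTHORIZED_ACTIONS demonstrates the "if authorized" limit, since the decision then caps at "alert" regardless of count.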