CMMC Practice AU.4.054
Review audit information for broad activity in addition to per-machine activity.
Bold Coast Security Guidance
This practice also requires the use of a SIEM to collect log information from multiple sources and correlate it for signs of malicious activity. Attackers are aware of thresholds and alerting technologies, so you must adapt your thresholds to look across multiple systems and users for failed logins. It's imperative to first know what is considered normal in your environment in order to establish thresholds for events like failed logins, password changes, and administrative activity. Identifying when this activity occurs is also helpful, although a sophisticated attacker will attempt to hide their activity during normal business hours.
Be sure to revisit your threshold reporting on a regular basis and evaluate "normal" in your environment to take into account increases or decreases in component parts, such as users and servers.
The full scope of adversary activity may not be apparent from analyzing a single machine. A broad perspective is necessary for full cybersecurity situational awareness. Activity might be reviewed across multiple machines, an enclave, or an entire enterprise. This will require audit logs collated with the same scope as the analysis.
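The cross-system correlation described above, as an added illustration (this is example code, not from the CMMC text or Bold Coast Security): constructed log lines in an assumed syslog-like format are aggregated so that an account failing once on each of several hosts trips an enterprise-wide threshold even though every per-host count stays under the per-machine threshold. The hostnames, user names, thresholds, and the mean-plus-k-standard-deviations baseline rule are all assumptions for the example.

```python
"""Cross-host failed-login correlation, in the spirit of AU.4.054.
Constructed example, not code from the CMMC text or Bold Coast Security.
Log format, hostnames, user names and thresholds are assumptions."""
import re
import statistics
from collections import defaultdict

# Constructed sample log lines: one account failing once on five hosts
# (under a per-host threshold of 3 everywhere) plus ordinary noise.
SAMPLE_LOGS = """\
2024-03-04T09:12:01 host=web01 event=login_failed user=jdoe src=10.0.0.7
2024-03-04T09:12:05 host=web02 event=login_failed user=jdoe src=10.0.0.7
2024-03-04T09:12:09 host=db01 event=login_failed user=jdoe src=10.0.0.7
2024-03-04T09:12:14 host=app01 event=login_failed user=jdoe src=10.0.0.7
2024-03-04T09:12:20 host=app02 event=login_failed user=jdoe src=10.0.0.7
2024-03-04T09:13:00 host=web01 event=login_failed user=asmith src=10.0.0.9
2024-03-04T09:13:30 host=web01 event=login_ok user=asmith src=10.0.0.9
"""
LINE_RE = re.compile(r"host=(\S+) event=(\S+) user=(\S+) src=(\S+)")

def parse(text):
    """Turn the syslog-like lines into dicts; lines that do not match are skipped."""
    fields = ("host", "event", "user", "src")
    return [dict(zip(fields, m.groups()))
            for m in (LINE_RE.search(line) for line in text.splitlines()) if m]

def threshold_from_baseline(daily_counts, k=3):
    """Derive a threshold from what is 'normal': mean plus k standard deviations
    of historical per-day failed-login counts (the baseline is an assumed input)."""
    return statistics.mean(daily_counts) + k * statistics.pstdev(daily_counts)

def correlate(events, per_host_threshold=3, enterprise_threshold=4):
    """Flag accounts that exceed the threshold only when failures are summed
    across all hosts; per-host alerting alone would miss them."""
    per_host = defaultdict(int)          # (user, host) -> failures on that host
    enterprise = defaultdict(int)        # user -> failures across every host
    hosts_seen = defaultdict(set)        # user -> hosts where failures occurred
    for e in events:
        if e["event"] != "login_failed":
            continue
        per_host[(e["user"], e["host"])] += 1
        enterprise[e["user"]] += 1
        hosts_seen[e["user"]].add(e["host"])
    per_host_alerts = {u for (u, _), n in per_host.items() if n >= per_host_threshold}
    enterprise_alerts = {u for u, n in enterprise.items() if n >= enterprise_threshold}
    return {"per_host": per_host_alerts,
            "enterprise": enterprise_alerts,
            "missed_by_per_host": enterprise_alerts - per_host_alerts,
            "hosts": {u: sorted(hosts_seen[u]) for u in enterprise_alerts}}
```

Re-run `threshold_from_baseline` against fresh history whenever the user or server population changes, since the "normal" it encodes drifts with those counts.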