Reference: CMMC 1.02
Level Introduced: 5
Identify assets not reporting audit logs and assure appropriate organizationally defined systems are logging.
Robust audit logging is critical in defending against cyber attacks and preventing future attacks since logs are a common starting point for incident response and a core element in post-attack cyber forensics. A cyber attacker may try to disrupt logging at the start of an attack, making the absence of audit logging an initial indicator of a potential attack. Even if the audit logging failure occurred from benign causes, restoring the logging is needed to maintain a secure posture.
Identifying assets that are reporting logs and comparing against the inventory of assets expected to provide audit logs provides the set of assets for which audit remediation is needed. It is important that the logging requirements for each asset, which may include many logs to be collected, are documented and compared to the set of received logs. Any discrepancies will start an investigation and remediation process.
You are working your shift in the security operations center (SOC) when one of your hourly scanning scripts indicates that a data server is not providing logs to the central log collection server. The data server is on the list of assets for which a log is required. You send a notification to the administrator for the server to investigate and turn logging on, and copy the company threat hunting team as well.
Practice AU.2.042 required the creation and retention of audit logs. Audit logs are essential to cybersecurity awareness and incident response. This practice requires organizations to proactively determine if any assets that should be creating audit logs are not generating the required logs.
Source: CMMC v1.02
The information system:
a. Provides audit record generation capability for the auditable events defined in AU-2 a. at [Assignment: organization-defined information system components];
b. Allows [Assignment: organization-defined personnel or roles] to select which auditable events are to be audited by specific components of the information system; and
c. Generates audit records for the events defined in AU-2 d. with the content defined in AU-3.
Audit records can be generated from many different information system components. The list of audited events is the set of events for which audits are to be generated. These events are typically a subset of all events for which the information system is capable of generating audit records. Related controls: AC-3, AU-2, AU-3, AU-6, AU-7.