NIST 800-53 REV 5 • AUDIT AND ACCOUNTABILITY

AU-7(1) Automatic Processing

Provide and implement the capability to process, sort, and search audit records for events of interest based on the following content: [Assignment: organization-defined fields within audit records].

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

No related controls listed

Supplemental Guidance

Events of interest can be identified by the content of audit records, including system resources involved, information objects accessed, identities of individuals, event types, event locations, event dates and times, Internet Protocol addresses involved, or event success or failure. Organizations may define event criteria to any degree of granularity required, such as locations selectable by a general networking location or by specific system component.
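The capability described above, sketched as an added example (not part of the NIST text or of any product): it parses audit records, then searches and sorts them on the content fields the guidance lists. The JSON-lines format, the field names and the sample records are assumptions constructed for illustration.

```python
import json
from datetime import datetime
from ipaddress import ip_address, ip_network

# Assumed record schema: one field per content type named in the guidance.
REQUIRED = ("time", "user", "event", "src_ip", "object", "outcome")

# Constructed sample records, deliberately out of order with one malformed line.
SAMPLE_LOG = """\
{"time":"2024-03-01T09:03:10+00:00","user":"bob","event":"file_read","src_ip":"10.20.4.17","object":"hr/payroll.xlsx","outcome":"success"}
{"time":"2024-03-01T02:14:31+00:00","user":"alice","event":"logon","src_ip":"203.0.113.45","object":"vpn-gw","outcome":"failure"}
not-json garbage
{"time":"2024-03-01T02:14:09+00:00","user":"alice","event":"logon","src_ip":"203.0.113.45","object":"vpn-gw","outcome":"failure"}
{"time":"2024-03-01T01:59:00+00:00","user":"bob","event":"logon","src_ip":"10.20.4.17","object":"workstation-12","outcome":"failure"}
{"time":"2024-03-01T02:15:02+00:00","user":"alice","event":"logon","src_ip":"203.0.113.45","object":"vpn-gw","outcome":"success"}
"""

def parse(text):
    """Turn JSON-lines text into typed records; count lines that cannot be parsed."""
    records, rejected = [], 0
    for line in filter(str.strip, text.splitlines()):
        try:
            rec = json.loads(line)
            rec = {k: rec[k] for k in REQUIRED}        # KeyError if a field is missing
            rec["time"] = datetime.fromisoformat(rec["time"])
            rec["src_ip"] = ip_address(rec["src_ip"])
        except (ValueError, KeyError, TypeError):
            rejected += 1      # malformed lines are counted, not silently lost
            continue
        records.append(rec)
    return records, rejected

def search(records, *, network=None, start=None, end=None, sort_by="time", **equals):
    """Filter on exact field matches, a source network and a time window, then sort."""
    net = ip_network(network) if network else None
    hits = [r for r in records
            if all(r[f] == v for f, v in equals.items())
            and (net is None or r["src_ip"] in net)
            and (start is None or r["time"] >= start)
            and (end is None or r["time"] <= end)]
    return sorted(hits, key=lambda r: r[sort_by])

if __name__ == "__main__":
    recs, bad = parse(SAMPLE_LOG)
    for r in search(recs, event="logon", outcome="failure", network="203.0.113.0/24"):
        print(r["time"].isoformat(), r["user"], r["src_ip"], r["object"])
    print("rejected lines:", bad)
```

Counting rejected lines matters for this control: a search that silently drops unparseable records can miss the events of interest it was meant to surface.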

Practitioner Notes

The audit system should automatically process log data to identify events of interest without requiring manual querying for every investigation.

Example 1: Configure Splunk's Notable Events framework (via Enterprise Security) to automatically identify and prioritize significant events. Risk-based alerting assigns risk scores to events and generates a notable event when a user's cumulative risk exceeds a threshold.

Example 2: In Sentinel, enable UEBA (User and Entity Behavior Analytics). The system automatically baselines normal behavior for each user and entity, then generates anomaly-based alerts when behavior deviates significantly — no manual rule creation needed for behavioral detections.