This post explains how to configure a Security Information and Event Management (SIEM) system to meet AU.L2-3.3.5 requirements from NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2 by building log correlation, automated alerts, and audit evidence that small businesses can implement pragmatically and defensibly.
Understanding AU.L2-3.3.5 in Practical Terms
AU.L2-3.3.5 requires organizations to correlate audit records and generate automated alerts when suspicious activities are detected so reviewers can respond quickly and produce evidence for auditors. For a small business, that means centralizing logs, aligning event taxonomy to required controls, and implementing deterministic correlation rules that map to threats to Controlled Unclassified Information (CUI) handling—for example, detecting credential abuse, lateral movement, or unauthorized privilege changes.
Practical SIEM Implementation Steps
Start with scope and a log source inventory: enumerate endpoints (Windows, Linux, macOS), identity services (Active Directory, Azure AD), perimeter devices (firewall, VPN, proxy), cloud platforms (AWS CloudTrail, AzureActivity), and critical applications (mail servers, file shares, SaaS with audit APIs). For each source, confirm that you can forward its logs to the SIEM over a supported path (syslog/CEF/LEEF, API ingestion, collector/agent) and record that method in the inventory. Small-business tip: begin with the top 8–12 sources that carry the most risk (domain controllers, VPN, EDR, firewall, file server) and expand iteratively.
Log collection, normalization, and enrichment
Configure agents or collectors to send structured logs (CEF/JSON) where possible. Normalize fields to a consistent schema: timestamp (UTC), event_id, username, src_ip, dst_ip, source_host, process_name, outcome (success/failure), and log_severity. Enrich logs with geo-IP, AD user attributes (role, privileged group membership), and asset classification (CUI-handling host). Ensure Windows Event IDs such as 4625 (failed logon), 4624 (logon), 4688 (process creation), 4672 (special privileges) are parsed into normalized fields. For Linux, parse auth logs (sshd failures, sudo) and systemd journal entries. Use parsing rules and test them against real events to avoid gaps.
Time synchronization, integrity, and secure transport
Make NTP time sync mandatory for all log sources and the SIEM (UTC). Ingested logs must retain original timestamps; if the SIEM adds ingestion timestamps, preserve the original in a dedicated field. Use TLS for log transport (syslog over TLS, API HTTPS) and mutual authentication where supported. Protect logs at rest with AES-256 and restrict SIEM console access with RBAC and MFA. For audit evidence, enable immutable storage or write-once media for archived logs if budget allows.
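The normalization described in the previous section, together with this section's requirement to keep the original timestamp in its own field next to the SIEM's ingestion timestamp, as an added example that is not code from the original post. It maps a Windows 4625 event (forwarded as JSON) and an sshd failure line onto the post's schema and includes the parser test cases the post asks for. The sample events, the `ingest_timestamp` and `logon_type` fields (beyond the schema the post lists), and the string `event_id` used for sshd failures are constructed assumptions.

```python
"""Normalize two raw auth events into the post's common schema (added example;
sample events, extra fields and the sshd event_id string are assumptions)."""
import json
import re
from datetime import datetime, timezone
from typing import Optional

# Constructed sample: a Windows Security 4625 (failed logon) event as an
# agent might forward it in JSON.
WIN_4625 = json.dumps({
    "TimeCreated": "2024-05-01T13:02:11Z",
    "EventID": 4625,
    "Computer": "FS01.corp.example",
    "TargetUserName": "jdoe",
    "IpAddress": "10.0.5.23",
    "LogonType": 3,
})

# Constructed sample: an sshd failure line from /var/log/auth.log.
LINUX_SSHD = ("May  1 13:02:14 web01 sshd[2231]: Failed password for jdoe "
              "from 10.0.5.23 port 51022 ssh2")

# Constructed SIEM ingestion time used by the tests below.
SAMPLE_INGEST = datetime(2024, 5, 1, 13, 2, 30, tzinfo=timezone.utc)

SSHD_FAIL = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)

# Outcome and severity for the Windows Event IDs the post asks to parse.
WIN_OUTCOME = {4624: "success", 4625: "failure", 4688: "success", 4672: "success"}
WIN_SEVERITY = {4625: "medium", 4672: "high"}


def normalize_windows(raw_json: str, ingested_at: datetime) -> dict:
    """Map a JSON Windows Security event onto the common schema."""
    ev = json.loads(raw_json)
    eid = int(ev["EventID"])
    return {
        "timestamp": ev["TimeCreated"],               # original, kept verbatim
        "ingest_timestamp": ingested_at.isoformat(),  # SIEM-added, separate field
        "event_id": eid,
        "username": ev.get("TargetUserName"),
        "src_ip": ev.get("IpAddress"),
        "dst_ip": None,
        "source_host": ev["Computer"],
        "process_name": ev.get("NewProcessName"),     # present on 4688 only
        "outcome": WIN_OUTCOME.get(eid, "unknown"),
        "log_severity": WIN_SEVERITY.get(eid, "info"),
        "logon_type": ev.get("LogonType"),            # assumed extra field
    }


def normalize_sshd(line: str, ingested_at: datetime, year: int) -> Optional[dict]:
    """Map an sshd 'Failed password' syslog line onto the common schema.
    Returns None when the line does not match, so parsing gaps surface in tests."""
    m = SSHD_FAIL.match(line)
    if not m:
        return None
    # Syslog timestamps carry no year or zone; the post mandates NTP-synced
    # UTC on every source, so the year is supplied and UTC is assumed.
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    ts = ts.replace(tzinfo=timezone.utc)
    return {
        "timestamp": ts.isoformat(),
        "ingest_timestamp": ingested_at.isoformat(),
        "event_id": "sshd_failed_password",           # assumed string id
        "username": m["user"],
        "src_ip": m["ip"],
        "dst_ip": None,
        "source_host": m["host"],
        "process_name": "sshd",
        "outcome": "failure",
        "log_severity": "medium",
        "logon_type": None,
    }


def run_parser_tests() -> list:
    """Parsing test cases the post asks for; returns the names of failed checks."""
    failures = []
    w = normalize_windows(WIN_4625, SAMPLE_INGEST)
    if (w["event_id"], w["outcome"], w["username"]) != (4625, "failure", "jdoe"):
        failures.append("windows 4625 parse")
    if w["timestamp"] != "2024-05-01T13:02:11Z":
        failures.append("original timestamp not preserved")
    l = normalize_sshd(LINUX_SSHD, SAMPLE_INGEST, year=2024)
    if l is None or l["source_host"] != "web01" or l["src_ip"] != "10.0.5.23":
        failures.append("sshd parse")
    other = "May  1 13:02:15 web01 sshd[2231]: Accepted publickey for jdoe from 10.0.5.23"
    if normalize_sshd(other, SAMPLE_INGEST, 2024) is not None:
        failures.append("sshd parser matched a non-failure line")
    return failures


if __name__ == "__main__":
    print(run_parser_tests() or "all parser tests passed")
```

Keeping `run_parser_tests` beside the parsers gives you the "parsing rules and test cases" evidence item the post lists later, and the `None` return makes unparsed lines visible instead of silently dropping fields.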
Correlation rules and real-world detection examples
Create correlation rules that combine events across sources and time windows. Example detection rules for a small business: (1) Horizontal brute force: alert if a single username has >= 5 failed logons across >= 3 hosts within 10 minutes. (2) Lateral movement: alert if a user authenticates to one server and then to a second host within 2 minutes, and a new RDP connection is established. (3) Privilege escalation: alert on AD group membership changes to Domain Admins (AD event + admin console API change). (4) Data exfil candidate: alert on a large file transfer from a CUI-labeled file server to an external IP through the proxy or VPN. Express these as SIEM correlation queries, e.g., JOIN auth logs on username and time window, then apply COUNT() and DISTINCT(host) thresholds. Use MITRE ATT&CK mappings in rule metadata to show auditors why the rule maps to a threat.
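Rules (1) and (2) above carried through in code, as an added example that is not from the original post and not tied to any particular SIEM's query language: a sliding-window COUNT()/DISTINCT(host) check per username, and a JOIN of successive successful logons on username to catch an RDP hop to a second host. Thresholds are the post's own; the normalized events, the `logon_type` field and the alert dictionary shape are constructed assumptions.

```python
"""Two of the post's correlation rules over normalized events in memory
(added example; events, logon_type field and alert format are assumptions)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

UTC = timezone.utc

# Rule definitions carry thresholds, rationale and the ATT&CK technique,
# which is the metadata an auditor will ask to see.
RULES = {
    "horizontal_brute_force": {
        "attack": "T1110",  # MITRE ATT&CK: Brute Force
        "failures": 5, "distinct_hosts": 3, "window": timedelta(minutes=10),
        "rationale": "one account failing across many hosts indicates credential guessing",
    },
    "lateral_movement_rdp": {
        "attack": "T1021.001",  # MITRE ATT&CK: Remote Services, RDP
        "window": timedelta(minutes=2),
        "rationale": "success on one host then RDP to a second host within 2 minutes",
    },
}
AUTH_FAILURE_IDS = {4625, "sshd_failed_password"}  # sshd id is an assumed string
RDP_LOGON_TYPE = 10  # Windows 4624 LogonType 10 = RemoteInteractive


def ev(ts, host, user, event_id, outcome, logon_type=None):
    """Build a minimal normalized event (constructed test data)."""
    return {"timestamp": ts, "source_host": host, "username": user,
            "event_id": event_id, "outcome": outcome, "logon_type": logon_type}


def correlate_brute_force(events, rule=RULES["horizontal_brute_force"]):
    """Sliding window per username: COUNT(failures) and DISTINCT(host) thresholds."""
    window = defaultdict(deque)
    alerts = []
    for e in sorted(events, key=lambda x: x["timestamp"]):
        if e["event_id"] not in AUTH_FAILURE_IDS or e["outcome"] != "failure":
            continue
        q = window[e["username"]]
        q.append((e["timestamp"], e["source_host"]))
        while e["timestamp"] - q[0][0] > rule["window"]:   # drop events outside the window
            q.popleft()
        hosts = {h for _, h in q}
        if len(q) >= rule["failures"] and len(hosts) >= rule["distinct_hosts"]:
            alerts.append({"rule": "horizontal_brute_force", "attack": rule["attack"],
                           "username": e["username"], "hosts": sorted(hosts),
                           "first": q[0][0], "last": e["timestamp"]})
            q.clear()  # one alert per burst; the next burst starts a fresh window
    return alerts


def correlate_lateral_rdp(events, rule=RULES["lateral_movement_rdp"]):
    """JOIN successive successful logons on username: host A, then an RDP
    logon (type 10) to a different host B within the window."""
    last_success = {}
    alerts = []
    for e in sorted(events, key=lambda x: x["timestamp"]):
        if e["event_id"] != 4624 or e["outcome"] != "success":
            continue
        prev = last_success.get(e["username"])
        if (prev and prev["source_host"] != e["source_host"]
                and e["logon_type"] == RDP_LOGON_TYPE
                and e["timestamp"] - prev["timestamp"] <= rule["window"]):
            alerts.append({"rule": "lateral_movement_rdp", "attack": rule["attack"],
                           "username": e["username"],
                           "path": [prev["source_host"], e["source_host"]],
                           "at": e["timestamp"]})
        last_success[e["username"]] = e
    return alerts


def sample_events():
    """Constructed events: one true positive per rule plus two near misses."""
    t = datetime(2024, 5, 1, 13, 0, tzinfo=UTC)
    m = lambda n: t + timedelta(minutes=n)
    return [
        # jdoe: 5 failures over 4 hosts in 4 minutes -> brute force alert
        ev(m(0), "FS01", "jdoe", 4625, "failure"),
        ev(m(1), "web01", "jdoe", "sshd_failed_password", "failure"),
        ev(m(2), "DC01", "jdoe", 4625, "failure"),
        ev(m(3), "FS01", "jdoe", 4625, "failure"),
        ev(m(4), "VPN01", "jdoe", 4625, "failure"),
        # asmith: 6 failures on a single host -> below the DISTINCT(host) threshold
        *[ev(m(i), "FS01", "asmith", 4625, "failure") for i in range(6)],
        # bob: 5 failures on 3 hosts but spread over 40 minutes -> outside the window
        *[ev(m(10 * i), ["DC01", "FS01", "web01"][i % 3], "bob", 4625, "failure")
          for i in range(5)],
        # svc_backup: success on FS01, then an RDP logon to DC01 90 seconds later
        ev(m(20), "FS01", "svc_backup", 4624, "success", logon_type=3),
        ev(m(20) + timedelta(seconds=90), "DC01", "svc_backup", 4624, "success", logon_type=10),
    ]


if __name__ == "__main__":
    for a in correlate_brute_force(sample_events()) + correlate_lateral_rdp(sample_events()):
        print(a)
```

The two near misses (one host only; right counts but too slow) are what the thresholds exist to exclude, and they are worth keeping as regression cases when you later tune the numbers for your environment.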
Alerting, automation, and playbooks
Configure alert channels tuned by severity: low-priority email for informational correlations, high-priority SMS/push and a ticket in ServiceNow or Jira for critical incidents. Implement suppression and noise reduction (e.g., suppress repeated identical alerts for 30 minutes per host). Integrate with EDR and SOAR: an automated containment playbook might quarantine a host (EDR API), block an IP at the firewall, and create a ticket with attached log excerpts. For small teams, create a lightweight runbook: a triage checklist, containment actions, evidence collection steps (copy relevant logs, snapshot EDR telemetry), and escalation contacts. Document SLA expectations (e.g., acknowledge within 15 minutes for high alerts).
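The routing and suppression behaviour described above, as an added example that is not code from the original post: alerts are routed to channels by severity, identical alerts for the same rule and host are suppressed for 30 minutes, and critical alerts trigger the containment steps the post names. The channel names, the alert shape and the recorded action strings are constructed assumptions; a real deployment would call the EDR, firewall and ticketing APIs where this code appends to a list.

```python
"""Severity-based alert routing with per-host suppression (added example;
channels, alert shape and action strings are assumptions)."""
from datetime import datetime, timedelta, timezone

SUPPRESS_WINDOW = timedelta(minutes=30)  # the post's example suppression window

# Channels per severity, following the post's tiers.
ROUTES = {
    "low": ["email"],
    "high": ["sms", "push", "ticket"],
    "critical": ["sms", "push", "ticket", "containment"],
}


class AlertRouter:
    def __init__(self, suppress=SUPPRESS_WINDOW):
        self.suppress = suppress
        self.last_sent = {}      # (rule, host) -> time of last dispatch
        self.dispatched = []     # everything a real deployment would send out
        self.suppressed = 0

    def handle(self, alert):
        """Return the actions taken for this alert ([] when suppressed)."""
        key = (alert["rule"], alert["host"])
        last = self.last_sent.get(key)
        if last is not None and alert["time"] - last < self.suppress:
            self.suppressed += 1
            return []
        self.last_sent[key] = alert["time"]
        actions = []
        for channel in ROUTES[alert["severity"]]:
            if channel == "ticket":
                # ticket carries the ATT&CK id so the evidence trail explains itself
                actions.append(f"ticket: {alert['rule']} on {alert['host']} ({alert['attack']})")
            elif channel == "containment":
                # playbook from the post: quarantine via EDR, block the source IP
                actions.append(f"edr_quarantine: {alert['host']}")
                actions.append(f"firewall_block: {alert['src_ip']}")
            else:
                actions.append(f"{channel}: {alert['rule']} on {alert['host']}")
        self.dispatched.extend(actions)
        return actions


def sample_alerts():
    """Constructed alert stream exercising suppression, expiry and each tier."""
    t = datetime(2024, 5, 1, 13, 5, tzinfo=timezone.utc)
    m = lambda n: t + timedelta(minutes=n)
    bf = {"rule": "horizontal_brute_force", "attack": "T1110",
          "severity": "high", "src_ip": "10.0.5.23"}
    return [
        {**bf, "host": "FS01", "time": m(0)},    # dispatched
        {**bf, "host": "FS01", "time": m(5)},    # same rule/host inside 30 min: suppressed
        {**bf, "host": "DC01", "time": m(10)},   # different host: dispatched
        {**bf, "host": "FS01", "time": m(35)},   # window elapsed: dispatched again
        {"rule": "lateral_movement_rdp", "attack": "T1021.001", "severity": "critical",
         "src_ip": "10.0.5.23", "host": "DC01", "time": m(36)},
        {"rule": "informational_correlation", "attack": "n/a", "severity": "low",
         "src_ip": None, "host": "web01", "time": m(37)},
    ]


def run_sample():
    """Feed the constructed alerts through one router; returns (router, per-alert actions)."""
    router = AlertRouter()
    return router, [router.handle(a) for a in sample_alerts()]


if __name__ == "__main__":
    router, results = run_sample()
    for acts in results:
        print(acts or "suppressed")
    print("suppressed:", router.suppressed)
```

Suppression is keyed on (rule, host) rather than on the whole alert so that a repeat from the same host is deduplicated while the same rule firing on a new host still pages someone, which is the lateral-movement case you least want to silence.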
Compliance evidence, retention, and audit readiness
To satisfy auditors, store the following evidence: log source inventory and onboarding receipts, parsing/normalization rules and test cases, correlation rule definitions with thresholds and rationale, alert history with timestamps and ticket IDs, and SOAR playbook runs showing automated responses. Define retention policy in the SIEM: keep high-fidelity logs (auth, admin changes, file access) online for 90 days, archived for 1 year (or per contract), and provide searchable indices for investigator access. Exportability matters: auditors should be able to reproduce alerts and view raw logs that triggered them.
The risk of not implementing AU.L2-3.3.5 is high: without correlation and automated alerts you risk delayed detection of credential compromise, lateral movement, and data exfiltration, which leads to larger breaches, loss of CUI, regulatory penalties, and lost DoD contracts. For a small business, even isolated incidents can escalate quickly without cross-source correlation, because attackers exploit the gaps between endpoint and network telemetry.
Summary: implement AU.L2-3.3.5 by inventorying key log sources, enforcing time sync and secure transport, normalizing and enriching events, writing pragmatic correlation rules (with thresholds tuned to your environment), and wiring alerts into ticketing and SOAR for rapid response; maintain documented evidence and retention to prove compliance. Start small, iterate with real incidents and red-team tests, and continuously tune rules to reduce noise while preserving high-fidelity detection.