This post explains how to design, deploy, and operate a SIEM and log-management capability to identify unauthorized use of organizational systems in support of NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2 control SI.L2-3.14.7, with practical steps, sample detection rules, and small-business scenarios for real-world implementation.
What SI.L2-3.14.7 requires and how SIEM/log management maps to it
SI.L2-3.14.7 reads "Identify unauthorized use of organizational systems." In practice that means you must collect the right telemetry, keep it long enough to analyze an incident, detect suspicious behavior, and retain the evidence for audit and incident response. NIST SP 800-171 and CMMC Level 2 don't mandate a single product; they require demonstrable capability, and an assessor will expect the audit-logging controls in the AU family (3.3.1, creating and retaining audit records; 3.3.5, correlating audit review and analysis) to be in place underneath it, since you cannot identify unauthorized use from logs you never generated or kept. A properly configured SIEM + log management pipeline provides that capability by centralizing logs, correlating events, alerting on suspicious patterns, and producing artifacts auditors can validate.
Practical deployment steps (small-business friendly)
Start with an inventory and a prioritized data-source list: domain controllers (Windows Security log Event IDs 4624/4625 logon success/failure, 4672/4673 privilege assignment and use, 4720 account created, 4728/4732/4756 member added to a global/local/universal security group), Sysmon (process create, network connect, image loads), Linux auth and sudo logs, VPN and firewall logs, proxy/web gateway logs, cloud provider audit trails (AWS CloudTrail, Azure Activity Logs, Azure AD sign-ins), identity providers (Okta/Azure AD), and endpoint EDR alerts. Record the logon type on 4624/4625 events at collection time; an interactive logon (type 2), a network logon (type 3) and an RDP logon (type 10) mean different things in every rule below. For a small business, focus first on AD, perimeter (VPN/firewall), mail/cloud auth logs, and critical servers.
Next, choose architecture: SaaS SIEM (Microsoft Sentinel, Elastic Cloud, Splunk Cloud) vs self-hosted (Elasticsearch + Logstash + Kibana, Splunk Enterprise). For small teams, SaaS reduces operations overhead and provides built-in integrations. Because logs routinely carry CUI fragments (file names, document titles, email subjects, URLs), a SaaS SIEM that stores them falls under the DFARS 252.204-7012 requirement that cloud services handling CUI meet the FedRAMP Moderate baseline or equivalent, which constrains product and region choice. Estimate log volume (GB/day) to budget ingestion and retention costs: as a sample, a 50-user organization with EDR, AD, and perimeter devices may produce 2–10 GB/day depending on verbosity.
Technical configuration essentials
Deploy collectors/agents: Winlogbeat/NXLog for Windows, Filebeat/Fluentd for Linux and applications, syslog for network devices. Ensure secure transport: TLS 1.2 or later, with agents verifying the server certificate against your private CA (or a pinned CA fingerprint) and mutual TLS so that only enrolled agents can write to the pipeline; an attacker who can inject, alter or suppress records on the wire defeats the control. Configure time synchronization across all hosts (NTP/Chrony) and log timestamps in UTC or with an explicit offset; unsynchronized or ambiguous timestamps break correlation and make an audit timeline indefensible. Normalize fields (user, src_ip, dest_ip, event_id, outcome) at ingestion so rules work across sources; a user field that reads "CORP\jdoe" on one source and "jdoe" on another will never correlate.
Enable these specific logs and parsing: Windows Security events (logon success/failure, privilege use, account and group management), Sysmon event IDs 1 (process create with command line and parent), 3 (network connect), 7 (image load), 8 (CreateRemoteThread), 10 (process access), 11 (file create) and 22 (DNS query), firewall session start/deny, VPN connection/authentication events, web proxy logs for data exfiltration indicators, cloud provider audit trails (API calls). Map logs to MITRE ATT&CK techniques for traceability and to show auditors how detections correspond to known adversary behavior.
Detections and correlation rules — examples you can implement
Create a small, effective rule set and tune it. Example rules: (1) "Failed logon burst then success" — 5 failed logons for a single account followed by a success within 10 minutes; (2) "New geolocation login" — successful login from a country not seen for that user in the previous 30 days; (3) "Privileged group change" — a member added to Domain Admins or a local Administrators group (Event IDs 4728/4756 and 4732), fired on every occurrence, because these should be rare and ticketed; (4) "Lateral movement" — a service installed on a server (Security 4697 or System 7045) shortly after an RDP logon (4624 logon type 10) from a host where that account had not authenticated before; (5) "VPN login + suspicious endpoint" — VPN success for a device with a recent high-severity EDR alert. Implement thresholds and suppression to reduce false positives, and keep an allowlist of known scanners and service accounts so rule (1) does not page on vulnerability scans.
Sample detection pseudocode
Example (pseudocode): for each auth event, keyed by account: if outcome == "failure", append its timestamp and source IP to that account's failure list and drop entries older than 10 minutes; if outcome == "success" and the list holds >= 5 entries, raise "Compromised credentials likely" with the account, the success source and the failure IPs, then clear the list so one burst produces one alert rather than one per subsequent success. Keep a second variant keyed on source IP, since a password spray (many accounts, one or two attempts each from one source) never reaches five failures on any single account. Map each alert to a runbook and create an incident ticket automatically.
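The following is an added example (not code from the original post) that implements rule (1) end to end: it normalizes two constructed sources, Winlogbeat-style Windows Security records and rsyslog sshd lines with ISO 8601 timestamps, into the common schema described above (user, src_ip, outcome, ts), sorts them into one stream, and runs the per-account sliding-window correlation with suppression. The event shapes are simplified stand-ins, the sample records are constructed, and the field names are assumptions, not a particular SIEM's schema.

```python
"""Rule (1) "failed logon burst then success" over two normalized sources.

Added example, not from the original post. WINDOWS_EVENTS approximates the
fields Winlogbeat emits for Security events; LINUX_LINES approximates sshd
lines as rsyslog writes them with ISO 8601 timestamps. All sample data is
constructed for this example.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(minutes=10)   # failures must fall within 10 min before the success
THRESHOLD = 5                    # minimum failures in that window

# Constructed Windows Security events (subset of Winlogbeat fields; assumed names).
WINDOWS_EVENTS = [
    {"@timestamp": "2024-03-10T13:00:00Z", "event_id": 4625, "TargetUserName": "jdoe",       "IpAddress": "203.0.113.7"},
    {"@timestamp": "2024-03-10T13:40:00Z", "event_id": 4624, "TargetUserName": "jdoe",       "IpAddress": "10.0.0.25"},
    {"@timestamp": "2024-03-10T14:00:05Z", "event_id": 4625, "TargetUserName": "jdoe",       "IpAddress": "203.0.113.7"},
    {"@timestamp": "2024-03-10T14:00:20Z", "event_id": 4625, "TargetUserName": "JDOE",       "IpAddress": "203.0.113.7"},
    {"@timestamp": "2024-03-10T14:00:41Z", "event_id": 4625, "TargetUserName": "jdoe",       "IpAddress": "203.0.113.7"},
    {"@timestamp": "2024-03-10T14:01:02Z", "event_id": 4625, "TargetUserName": "jdoe",       "IpAddress": "203.0.113.7"},
    {"@timestamp": "2024-03-10T14:05:00Z", "event_id": 4625, "TargetUserName": "svc_backup", "IpAddress": "10.0.0.40"},
    {"@timestamp": "2024-03-10T14:05:10Z", "event_id": 4625, "TargetUserName": "svc_backup", "IpAddress": "10.0.0.40"},
    {"@timestamp": "2024-03-10T14:05:20Z", "event_id": 4624, "TargetUserName": "svc_backup", "IpAddress": "10.0.0.40"},
]
# Constructed sshd lines: "<iso-ts> <host> sshd[pid]: <message>".
LINUX_LINES = [
    "2024-03-10T14:01:30+00:00 web01 sshd[2311]: Failed password for jdoe from 203.0.113.7 port 51122 ssh2",
    "2024-03-10T14:02:15+00:00 web01 sshd[2311]: Accepted password for jdoe from 203.0.113.7 port 51122 ssh2",
    "2024-03-10T15:10:00+00:00 web01 sshd[2400]: Failed password for invalid user asmith from 198.51.100.9 port 40000 ssh2",
    "2024-03-10T15:10:10+00:00 web01 sshd[2402]: Failed password for invalid user asmith from 198.51.100.9 port 40001 ssh2",
    "2024-03-10T15:10:20+00:00 web01 sshd[2404]: Failed password for invalid user asmith from 198.51.100.9 port 40002 ssh2",
    "2024-03-10T15:10:30+00:00 web01 sshd[2406]: Failed password for invalid user asmith from 198.51.100.9 port 40003 ssh2",
    "2024-03-10T15:10:40+00:00 web01 sshd[2408]: Failed password for invalid user asmith from 198.51.100.9 port 40004 ssh2",
    "2024-03-10T15:10:50+00:00 web01 sshd[2410]: Failed password for invalid user asmith from 198.51.100.9 port 40005 ssh2",
    "2024-03-10T15:12:00+00:00 web01 sshd[2412]: pam_unix(sshd:session): session opened for user bob by (uid=0)",
]


def parse_ts(value):
    """ISO 8601 string -> timezone-aware UTC datetime ('Z' handled for older Pythons)."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def normalize_windows(rec):
    """4624 -> success, 4625 -> failure; lower-case the account so JDOE and jdoe correlate."""
    return {"ts": parse_ts(rec["@timestamp"]), "user": rec["TargetUserName"].lower(),
            "src_ip": rec["IpAddress"], "source": "windows",
            "outcome": "success" if rec["event_id"] == 4624 else "failure"}


SSHD_RE = re.compile(r"^(?P<ts>\S+) \S+ sshd\[\d+\]: (?P<result>Failed|Accepted) \S+ for "
                     r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")


def normalize_sshd(line):
    """Parse sshd auth outcomes; lines that are not auth outcomes return None and are dropped."""
    m = SSHD_RE.match(line)
    if not m:
        return None
    return {"ts": parse_ts(m["ts"]), "user": m["user"].lower(), "src_ip": m["ip"], "source": "sshd",
            "outcome": "success" if m["result"] == "Accepted" else "failure"}


def normalize_all(windows_events, linux_lines):
    """One time-ordered stream in the common schema; correlation needs order across sources."""
    events = [normalize_windows(r) for r in windows_events if r["event_id"] in (4624, 4625)]
    events += [e for e in map(normalize_sshd, linux_lines) if e]
    return sorted(events, key=lambda e: e["ts"])


def detect_burst_then_success(events, window=WINDOW, threshold=THRESHOLD):
    """Per-account sliding window: >= threshold failures within `window` before a success."""
    failures = defaultdict(deque)   # account -> deque of (ts, src_ip), oldest first
    alerts = []
    for ev in events:
        q = failures[ev["user"]]
        while q and ev["ts"] - q[0][0] > window:   # evict failures outside the look-back
            q.popleft()
        if ev["outcome"] == "failure":
            q.append((ev["ts"], ev["src_ip"]))
        elif len(q) >= threshold:
            alerts.append({"rule": "failed_logon_burst_then_success", "user": ev["user"],
                           "success_ts": ev["ts"].isoformat(), "success_source": ev["source"],
                           "success_ip": ev["src_ip"], "failure_count": len(q),
                           "failure_ips": sorted({ip for _, ip in q})})
            q.clear()   # suppression: one alert per burst, not one per later success
    return alerts


if __name__ == "__main__":
    for alert in detect_burst_then_success(normalize_all(WINDOWS_EVENTS, LINUX_LINES)):
        print(alert)
```

Run as a script, it raises exactly one alert: jdoe, five failures (four from the domain controller, one from sshd) followed by an sshd success from the same address. The 13:00 failure is outside the window, svc_backup never reaches the threshold, and asmith's six failures never end in a success, so none of those fire. Note that the state is keyed on the account, so the same code would need a second instance keyed on src_ip to catch a spray.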
Evidence, tuning, and audit artifacts
For compliance, produce and maintain: data-source inventory and onboarding records, SIEM rule definitions with rationale (mapping to SI.L2-3.14.7), retention policy and proof of enforcement (storage configs, buckets, cold vs hot tiers), sample alert logs and incident tickets (redacted), and a schedule of log review/alert tuning. Demonstrate the ability to reproduce an incident timeline from collected logs (timestamped chain of events across host, network, identity). Keep playbooks and detective logic versioned in a repository (git) for auditability.
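An added example (not from the original post) of the timeline reconstruction an auditor will ask for: records from an identity provider, a perimeter firewall and Sysmon, each with its own timestamp convention, are normalized to UTC, pivoted on one account (with the firewall's user-less session records joined through the source IP the account used), and ordered into a single chain. It also implements the practical check behind the time-sync advice above: comparing each record's event time with the collector's receive time exposes a host whose clock is wrong. All records and the "ingest_ts" field are constructed assumptions for this example.

```python
"""Cross-source incident timeline for one account, plus a clock-skew check.

Added example, not from the original post. RAW holds constructed stand-ins for
an IdP sign-in, a firewall session record and Sysmon events. "ingest_ts" is an
assumed pipeline field: the UTC time the collector received the record.
"""
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
SKEW_LIMIT = timedelta(seconds=60)   # tolerated gap between event time and collector receive time

RAW = [
    {"source": "firewall", "host": "fw-edge", "ts": "2024-03-10T09:02:10-05:00", "ingest_ts": "2024-03-10T14:02:11Z",
     "user": None, "src_ip": "203.0.113.7", "summary": "allow 203.0.113.7 -> 10.0.0.5:443"},
    {"source": "idp", "host": "okta", "ts": "2024-03-10T14:02:15Z", "ingest_ts": "2024-03-10T14:02:40Z",
     "user": "jdoe", "src_ip": "203.0.113.7", "summary": "sign-in success, new device, MFA push approved"},
    {"source": "sysmon", "host": "ws-05", "ts": "2024-03-10 14:03:02.117", "ingest_ts": "2024-03-10T14:03:05Z",
     "user": "CORP\\jdoe", "src_ip": None, "summary": "EID1 powershell.exe -nop -w hidden -enc <base64> parent=outlook.exe"},
    {"source": "sysmon", "host": "ws-05", "ts": "2024-03-10 14:03:40.502", "ingest_ts": "2024-03-10T14:03:43Z",
     "user": "CORP\\jdoe", "src_ip": None, "summary": "EID3 powershell.exe -> 198.51.100.23:443"},
    {"source": "sysmon", "host": "fs-02", "ts": "2024-03-10 14:50:00.000", "ingest_ts": "2024-03-10T14:04:30Z",
     "user": "CORP\\jdoe", "src_ip": None, "summary": "EID11 file created \\\\fs-02\\cui\\export.zip"},
    {"source": "idp", "host": "okta", "ts": "2024-03-10T14:10:00Z", "ingest_ts": "2024-03-10T14:10:20Z",
     "user": "asmith", "src_ip": "10.0.0.77", "summary": "sign-in success"},
]


def to_utc(source, value):
    """Sysmon UtcTime is 'YYYY-MM-DD HH:MM:SS.mmm' in UTC with no zone marker; the rest are ISO 8601."""
    if source == "sysmon":
        return datetime.strptime(value, "%Y-%m-%d %H:%M:%S.%f").replace(tzinfo=UTC)
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(UTC)


def account_name(user):
    """Strip DOMAIN\\ and case so 'CORP\\jdoe' and 'jdoe' pivot together."""
    return None if user is None else user.split("\\")[-1].lower()


def normalize(records):
    """Common schema with aware UTC datetimes, ordered by event time."""
    out = [{**r, "ts": to_utc(r["source"], r["ts"]), "ingest_ts": to_utc("iso", r["ingest_ts"]),
            "user": account_name(r["user"])} for r in records]
    return sorted(out, key=lambda e: e["ts"])


def clock_skew(events, limit=SKEW_LIMIT):
    """Hosts whose event time differs from collector receive time by more than `limit`, in seconds."""
    worst = {}
    for e in events:
        skew = e["ts"] - e["ingest_ts"]
        if abs(skew) > limit and abs(skew) > abs(worst.get(e["host"], timedelta(0))):
            worst[e["host"]] = skew
    return {host: int(s.total_seconds()) for host, s in worst.items()}


def timeline(events, user):
    """Events for the account, plus user-less network events from the IPs the account used."""
    ips = {e["src_ip"] for e in events if e["user"] == user and e["src_ip"]}
    rows = [e for e in events if e["user"] == user or (e["user"] is None and e["src_ip"] in ips)]
    return [(e["ts"].strftime("%Y-%m-%dT%H:%M:%SZ"), e["source"], e["host"], e["summary"]) for e in rows]


if __name__ == "__main__":
    evs = normalize(RAW)
    for row in timeline(evs, "jdoe"):
        print(" | ".join(row))
    print("hosts with clock skew (seconds):", clock_skew(evs))
```

The firewall record, logged in US Eastern local time, lands five seconds before the IdP sign-in once converted, and the Sysmon events follow in order. The fs-02 record is the point of the skew check: its host clock is about 45 minutes fast, so the CUI file-creation event appears at the end of the timeline, long after the activity that produced it; without the ingest-time comparison an analyst would draw the wrong conclusion about sequence.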
Operational and cost considerations
Plan for log volumes and retention: NIST SP 800-171 and CMMC don't fix a retention window; choose one based on risk and contract terms. A practical starting point is 90 days searchable (hot) and 1+ year archived for investigations. Note that DFARS 252.204-7012 requires preserving images of affected systems and all relevant monitoring and packet-capture data for at least 90 days after a cyber incident report, so the pipeline needs a legal-hold or snapshot mechanism that keeps an incident's evidence past its normal lifecycle. Use ingestion filters (drop noisy, low-value events) and parsing at source to limit costs. Implement role-based access to the SIEM and encrypt logs at rest and in transit with FIPS-validated cryptography (3.13.11), treating the log store as a CUI system, since logs can carry CUI fragments. For small businesses, use tiered storage and index lifecycle policies (hot -> warm -> cold) or archival snapshots to control costs.
Risks of not implementing the requirement
Without effective SIEM and log management you risk undetected lateral movement, credential compromise, data exfiltration, and loss of CUI — all of which can lead to contract termination, regulatory penalties, and reputational harm. For a small defense contractor, a single unlogged compromise could expose controlled unclassified information and fail a CMMC audit. Operationally, lack of logs slows incident response and forensic analysis, increasing recovery time and cost.
Compliance tips and best practices
1) Start small and iterate — identify 4–6 critical detection use cases and implement them first. 2) Ensure complete identity telemetry (Cloud IdP + AD) because most unauthorized access starts with credentials. 3) Time-sync and collect full context (process, parent process, command line, network connections). 4) Retain a demonstrable chain of custody for logs used in investigations. 5) Conduct periodic tabletop exercises and purple-team tests to validate detections and tune thresholds. 6) Document everything you change and why — auditors expect evidence and rationale, not just alerts.
In summary, meeting SI.L2-3.14.7 requires a disciplined, evidence-driven SIEM and log-management deployment: inventory your assets, collect the right telemetry, secure and normalize log transport, implement tuned correlation rules tied to real attack patterns, retain and archive logs appropriately, and maintain auditable records and playbooks. For small businesses, SaaS SIEMs can reduce operational burden; focusing on identity, perimeter, and endpoint telemetry yields the biggest detection return on investment while keeping compliance evidence manageable.