
How to Meet NIST SP 800-171 REV.2 / CMMC 2.0 Level 2 - Control - AU.L2-3.3.5

Practical guide for SMBs to implement NIST SP 800-171 REV.2 / CMMC 2.0 Level 2 - Control - AU.L2-3.3.5

January 06, 2026


Requirement

NIST SP 800-171 REV.2 / CMMC 2.0 Level 2 - Control - AU.L2-3.3.5 – Correlate audit record review, analysis, and reporting processes for investigation and response to indications of unlawful, unauthorized, suspicious, or unusual activity.

Understanding the Requirement

This control requires that your organization define how audit records are reviewed, analyzed, and reported, and that those processes be correlated so investigations and responses happen quickly and effectively. The goals are to have explicit audit review and reporting procedures and to link them together so that alerts, log analysis, and investigative reporting form one coherent process rather than isolated activities. Under NIST SP 800-171 REV.2 / CMMC 2.0 Level 2, this means documenting responsibilities, tools (for example a SIEM), alerting thresholds, and escalation paths so suspicious or unauthorized activity is detected, investigated, and remediated in a timely manner.

Technical Implementation

  • Centralize logs into a SIEM or managed logging service. Forward system, application, firewall, VPN, authentication, and endpoint logs to a central platform (cloud SIEM or MSSP) so events can be correlated across sources. For SMBs, use an affordable cloud SIEM or a managed detection service to avoid big upfront infrastructure costs.
  • Define and document audit review workflows. Create a simple runbook that states who reviews alerts, what thresholds trigger review, how to enrich alerts (e.g., pull related logs, account attributes, and recent changes), and how to escalate. Assign roles (owner, analyst, escalation contact) and expected SLA times for triage and investigation.
  • Create correlation rules and prioritized alerts. Implement rules that combine multiple signals (failed logins + new device + privilege change) rather than relying on single events. Tune rules to reduce false positives; apply severity levels and map them to escalation steps in your runbook.
  • Automate triage and preservation actions. Where possible, integrate automated actions: enrich alerts with user and asset context, create incident tickets, snapshot affected endpoints, and take containment actions (disable account, isolate host) through playbooks. Ensure automation preserves original logs for forensic review.
  • Maintain synchronized timestamps and log retention. Ensure all systems sync to a common NTP source and record timestamps in UTC (or at least one consistent time zone) so correlated events from different sources line up; a few seconds of clock skew is enough to reorder a failed-login/successful-login sequence. Establish retention and archival policies sufficient for investigations (e.g., 90–365 days depending on contractual and regulatory needs) and document how to place logs on legal hold so they are not aged out mid-investigation.
  • Review, test, and report regularly. Schedule periodic reviews of correlation rules, conduct tabletop exercises for common incidents, and produce routine summary reports for leadership showing incidents detected, time to triage, and corrective actions taken.

Example in a Small or Medium Business

Acme Design runs a cloud-hosted SIEM provided by a managed service. They forward logs from Active Directory, their VPN, web servers, and endpoint detection agents to the SIEM. When an employee’s credentials are abused, the SIEM correlation rule—configured to look for multiple failed VPN attempts followed by a successful login from an unusual IP and a privilege elevation—fires an alert. The alert automatically creates an incident ticket and notifies the security lead and the system administrator. The runbook instructs the admin to disable the account, isolate the affected workstation, and preserve the workstation’s disk image; the incident ticket includes links to the relevant logs and a checklist for evidence collection. Analysts review correlated logs across sources in the SIEM, identify lateral access attempts to a file server, and restore access only after resetting credentials and applying a required MFA configuration. Leadership receives a short incident summary report describing timeline, impact, containment steps, and recommended policy or control changes. After the event, Acme tunes the correlation rule to reduce similar false positives and updates the runbook to speed future responses.
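The correlation rule in the Acme scenario above, written out as an added example in Python (not code from the original page, and not tied to any particular SIEM product). It also illustrates the earlier implementation points that a rule should combine several signals rather than fire on single events, and that an alert should reference the original records rather than carry altered copies. The sample events, the per-user known-IP baseline, the set of privilege-changing actions, the thresholds, and the severity-to-escalation mapping are all constructed for illustration; a real deployment would read them from the SIEM's normalized schema and enrichment sources.

```python
"""Multi-signal correlation: N failed VPN logins, then a success from an IP the
user has never used, then a privilege change within a window -> one alert."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample events (not real logs). Timestamps are UTC, as the
# time-synchronization guidance requires; ids stand in for SIEM record ids.
SAMPLE_EVENTS = [
    {"id": 1, "ts": "2026-01-06T09:00:01Z", "source": "vpn", "user": "jdoe",   "ip": "203.0.113.7",  "action": "login",     "outcome": "failure"},
    {"id": 2, "ts": "2026-01-06T09:00:20Z", "source": "vpn", "user": "jdoe",   "ip": "203.0.113.7",  "action": "login",     "outcome": "failure"},
    {"id": 3, "ts": "2026-01-06T09:00:45Z", "source": "vpn", "user": "jdoe",   "ip": "203.0.113.7",  "action": "login",     "outcome": "failure"},
    {"id": 4, "ts": "2026-01-06T09:01:30Z", "source": "vpn", "user": "jdoe",   "ip": "203.0.113.7",  "action": "login",     "outcome": "success"},
    {"id": 5, "ts": "2026-01-06T09:05:10Z", "source": "ad",  "user": "jdoe",   "ip": "10.0.0.25",    "action": "group_add", "outcome": "success", "group": "Domain Admins"},
    # Benign: one typo, then a successful login from the user's usual office IP.
    {"id": 6, "ts": "2026-01-06T09:10:00Z", "source": "vpn", "user": "asmith", "ip": "198.51.100.4", "action": "login",     "outcome": "failure"},
    {"id": 7, "ts": "2026-01-06T09:10:30Z", "source": "vpn", "user": "asmith", "ip": "198.51.100.4", "action": "login",     "outcome": "success"},
]

# Constructed enrichment data (assumption): IPs each user has logged in from before.
KNOWN_IPS = {"jdoe": {"198.51.100.4", "198.51.100.5"}, "asmith": {"198.51.100.4"}}

# Hypothetical set of actions treated as privilege elevation.
PRIV_ACTIONS = {"group_add", "role_assign", "sudo_grant"}

# Illustrative thresholds; tune against your own false-positive rate.
RULE = {
    "min_failures": 3,
    "failure_window": timedelta(minutes=10),  # failures must precede the success by <= this
    "priv_window": timedelta(minutes=30),     # privilege change must follow the success by <= this
}

# Severity -> escalation step, mirroring what a runbook would spell out.
ESCALATION = {
    "high":   "notify security lead and sysadmin; disable account; isolate host; preserve disk image",
    "medium": "open ticket for analyst triage within 4 hours",
}


def parse_ts(s):
    """ISO 8601 with trailing Z -> aware UTC datetime, so events from every source compare cleanly."""
    return datetime.fromisoformat(s.replace("Z", "+00:00")).astimezone(timezone.utc)


def is_vpn_login(e, outcome):
    return e["source"] == "vpn" and e["action"] == "login" and e["outcome"] == outcome


def correlate(events, known_ips=KNOWN_IPS, rule=RULE):
    """Return a list of alerts. Each alert references the original event ids as evidence
    instead of copying or rewriting the records, so the raw logs stay intact for forensics."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)

    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: parse_ts(e["ts"]))
        for i, ok in enumerate(evs):
            if not is_vpn_login(ok, "success"):
                continue
            t_ok = parse_ts(ok["ts"])
            failures = [f for f in evs[:i]
                        if is_vpn_login(f, "failure")
                        and t_ok - parse_ts(f["ts"]) <= rule["failure_window"]]
            if len(failures) < rule["min_failures"]:
                continue                       # single signal only: not enough to alert
            if ok["ip"] in known_ips.get(user, set()):
                continue                       # known location: likely a forgotten password
            priv = [p for p in evs[i + 1:]
                    if p["action"] in PRIV_ACTIONS and p["outcome"] == "success"
                    and parse_ts(p["ts"]) - t_ok <= rule["priv_window"]]
            severity = "high" if priv else "medium"
            alerts.append({
                "user": user,
                "severity": severity,
                "escalation": ESCALATION[severity],
                "evidence": [x["id"] for x in failures + [ok] + priv],
                "summary": (f"{len(failures)} failed VPN logins, then success from unseen IP "
                            f"{ok['ip']}" + (", then privilege change" if priv else "")),
            })
    return alerts


if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(a)
```

The two `continue` branches are where tuning happens: raising `min_failures` or widening `KNOWN_IPS` from a longer baseline is how Acme would cut the false positives mentioned at the end of the scenario, and because the alert carries only event ids, an analyst can pull the untouched originals from the SIEM for the evidence checklist in the ticket.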

Summary

Correlating audit review, analysis, and reporting combines clear policy and documented workflows with practical technical controls—centralized logging/SIEM, correlation rules, automated triage, and retention—so SMBs can detect, investigate, and respond to suspicious activity quickly. By assigning roles, maintaining consistent timestamps, automating evidence preservation and ticketing, and regularly reviewing rules and reports, small organizations can meet the control’s objectives without large security teams, ensuring investigations are efficient and compliant.
