
How to build a logging and SIEM pipeline for NIST SP 800-171 REV.2 / CMMC 2.0 Level 2 - Control - SI.L2-3.14.7 to identify unauthorized use of organizational systems

Step-by-step guidance to design a practical logging and SIEM pipeline that satisfies NIST SP 800-171 Rev.2 / CMMC 2.0 L2 SI.L2-3.14.7 by detecting and alerting on unauthorized use of organizational systems.

March 30, 2026
5 min read


This post shows how to design, build, and operate a logging and SIEM pipeline to meet NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2 control SI.L2-3.14.7 — "identify unauthorized use of organizational systems" — with practical steps, concrete configuration pointers, and small-business examples so you can detect unauthorized access, misuse, and lateral movement in your environment.

High-level pipeline design (what to collect and why)

At a minimum, collect authentication logs, privileged activity, endpoint process/activity telemetry, network flow/firewall logs, VPN and remote-access logs, and cloud provider audit trails. For on-prem Windows hosts enable Security Auditing (Logon/Logoff, Account Management, Privilege Use) and deploy Sysmon for process creation, network connections, and driver loads. For Linux, enable auditd with rules for execve, changes to /etc/sudoers, user/group events, and SSH authentication. Network sources should include firewall accept/deny logs, proxy/web gateway logs, VPN/RADIUS logs, and NetFlow/IPFIX or VPC Flow Logs in cloud environments. Cloud-native sources include AWS CloudTrail, S3 access logs, Azure AD Sign-in logs, and GCP VPC Flow Logs. Collecting these sources provides the raw material to detect the typical unauthorized-use patterns called out in SI.L2-3.14.7.

Key event IDs and configuration examples

Practical event targets: Windows Security event IDs 4624 (successful logon), 4625 (failed logon), 4648 (explicit credential use), 4672 (special privileges assigned), and Sysmon event 1 (ProcessCreate) and 3 (NetworkConnect). On Linux, capture /var/log/auth.log or rsyslog entries for sshd, sudo, and pam_unix events, plus auditd rules such as -a always,exit -F arch=b64 -S execve to record process executions. In cloud, enable CloudTrail Read/Write events and turn on data events for S3 buckets that store CUI. Configure time sync (NTP) across all systems and use structured log formats: JSON for cloud logs and Common Event Format (CEF) or Elastic Common Schema (ECS) for SIEM normalization.

Collection, transport, normalization, and protection

Use lightweight agents (Winlogbeat/Filebeat/Osquery/Wazuh agents) to forward logs to a central collector. Transport logs encrypted (TLS) to prevent tampering in transit and authenticate agents (mutual TLS or agent keys). Ingest into a message queue (Kafka) or directly into the SIEM/ELK stack; normalize fields to a consistent schema (ECS recommended) for easier correlation. Harden and protect the log store: restrict access to log storage, enable disk encryption, implement write-once/read-many (WORM) where possible, and maintain cryptographic integrity checks (hash and HMAC) to demonstrate logs haven't been altered. Define retention policy aligned to contracts and risk — a common small-business baseline is 90 days "hot" searchable and 1 year archived, but confirm contractual/DoD requirements before finalizing.
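The integrity-check idea above (hash and HMAC over stored logs) can be implemented as an HMAC chain, so that editing, deleting, or reordering any stored record invalidates every later tag. This is an added example, not code from the original post or any SIEM product; the records, field names and key are constructed, and in practice the key would live in a KMS or HSM rather than on the log host.

```python
import hmac
import hashlib
import json

# Constructed sample records in ECS-style field names; not from a real system.
RECORDS = [
    {"@timestamp": "2026-03-30T08:00:01Z", "event.action": "logon", "user.name": "alice", "event.outcome": "success"},
    {"@timestamp": "2026-03-30T08:05:12Z", "event.action": "sudo", "user.name": "bob", "event.outcome": "success"},
    {"@timestamp": "2026-03-30T08:07:45Z", "event.action": "logon", "user.name": "eve", "event.outcome": "failure"},
]

# Demo key only (assumption): a real deployment keeps this in a KMS/HSM, never on the log host.
KEY = b"demo-key-keep-this-in-a-kms-not-on-the-log-host"
GENESIS = b"\x00" * 32  # fixed previous-tag value for the first record


def canonical(record):
    """Serialize deterministically so identical content always produces identical bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def seal(records, key):
    """Return a list of (record, tag_hex) where tag = HMAC-SHA256(key, prev_tag || record).
    Feeding the previous tag into each HMAC chains the records: removing or reordering
    one record breaks every tag after it, not only the tag of the record touched."""
    prev, sealed = GENESIS, []
    for rec in records:
        tag = hmac.new(key, prev + canonical(rec), hashlib.sha256).digest()
        sealed.append((rec, tag.hex()))
        prev = tag
    return sealed


def verify(sealed, key):
    """Recompute the chain; return (ok, index_of_first_bad_record_or_None)."""
    prev = GENESIS
    for i, (rec, tag_hex) in enumerate(sealed):
        expected = hmac.new(key, prev + canonical(rec), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, bytes.fromhex(tag_hex)):
            return False, i
        prev = expected
    return True, None


if __name__ == "__main__":
    chain = seal([dict(r) for r in RECORDS], KEY)
    print(verify(chain, KEY))             # (True, None)
    chain[1][0]["user.name"] = "mallory"  # simulate an after-the-fact edit to a stored record
    print(verify(chain, KEY))             # (False, 1)
```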

Storage and retention practicalities

For small businesses with limited budget, tier hot indexes for 30–90 days on SSD-backed nodes and move older indices to cheaper object storage (S3/Blob) with lifecycle rules. Ensure access controls on archives and log exports for audits. Document retention, collection scope, and deletion policies in your System Security Plan (SSP) and Incident Response (IR) plan — auditors want to see both the technical configuration and the policy that drives it.

Detection engineering: rules, correlation, and playbooks

Translate SI.L2-3.14.7 into actionable detection use cases: impossible travel (same user authenticating from geographically distant locations within a short window), concurrent logins from two locations, logons outside normal hours by non-privileged accounts, new or unexpected local admin privilege grants, execution of credential-dumping tools, and data exfil patterns (large aggregated outbound transfers to unknown S3 buckets or external FTP). Use threat intelligence and asset tagging to reduce false positives: e.g., an engineer accessing systems from an approved VPN subnet shouldn't trigger impossible travel. Create correlation rules that combine identity, endpoint telemetry, and network events — for example, a VPN login followed by a process spawning certutil/curl that makes outbound connections to an IP not seen before should trigger a high-priority alert and an automatic host quarantine via EDR.
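The impossible-travel use case above, with the asset-tagging exclusion for an approved VPN subnet, as an added example that is not part of the original post or any SIEM's rule language. The sign-in events, the 10.8.0.0/16 VPN pool and the 900 km/h threshold are constructed assumptions; the geo coordinates stand in for what a GeoIP enrichment step would attach to each event.

```python
import ipaddress
import math
from datetime import datetime

# Constructed sample sign-in events with ECS-style fields; not real telemetry.
EVENTS = [
    {"@timestamp": "2026-03-30T13:00:00Z", "user.name": "alice", "source.ip": "203.0.113.10",
     "source.geo.location": {"lat": 38.9, "lon": -77.0}},  # Washington, DC
    {"@timestamp": "2026-03-30T13:20:00Z", "user.name": "alice", "source.ip": "198.51.100.7",
     "source.geo.location": {"lat": 51.5, "lon": -0.1}},   # London, 20 minutes later
    {"@timestamp": "2026-03-30T13:30:00Z", "user.name": "bob", "source.ip": "10.8.0.23",
     "source.geo.location": {"lat": 38.9, "lon": -77.0}},  # corporate VPN pool
    {"@timestamp": "2026-03-30T13:45:00Z", "user.name": "bob", "source.ip": "10.8.0.41",
     "source.geo.location": {"lat": 37.4, "lon": -122.1}}, # VPN egress on the west coast
]

# Asset tagging (assumed subnet): logons from the approved VPN pool are never treated as travel.
APPROVED_VPN = [ipaddress.ip_network("10.8.0.0/16")]
MAX_KMH = 900.0  # faster than a commercial flight: treat as physically impossible


def haversine_km(a, b):
    """Great-circle distance in km between two {lat, lon} points."""
    p1, p2 = math.radians(a["lat"]), math.radians(b["lat"])
    dlat = p2 - p1
    dlon = math.radians(b["lon"] - a["lon"])
    h = math.sin(dlat / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(h))


def impossible_travel(events, max_kmh=MAX_KMH):
    """Return (user, from_ip, to_ip, implied_kmh) for each pair of consecutive logons
    by the same user whose implied ground speed exceeds max_kmh."""
    last = {}  # user -> most recent logon from a non-approved source
    alerts = []
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        if any(ipaddress.ip_address(ev["source.ip"]) in net for net in APPROVED_VPN):
            continue  # tagged source: skip rather than compare against it
        user, prev = ev["user.name"], last.get(ev["user.name"])
        if prev is not None:
            t0 = datetime.fromisoformat(prev["@timestamp"].replace("Z", "+00:00"))
            t1 = datetime.fromisoformat(ev["@timestamp"].replace("Z", "+00:00"))
            hours = max((t1 - t0).total_seconds() / 3600.0, 1e-6)  # guard against divide-by-zero
            kmh = haversine_km(prev["source.geo.location"], ev["source.geo.location"]) / hours
            if kmh > max_kmh:
                alerts.append((user, prev["source.ip"], ev["source.ip"], round(kmh)))
        last[user] = ev
    return alerts
```

Running `impossible_travel(EVENTS)` flags only alice (roughly 5,900 km in 20 minutes); bob's two VPN-pool logons are excluded by the subnet tag rather than compared.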

Small-business example: concrete deployment

A 50-person defense contractor could implement: Wazuh agents on endpoints, Winlogbeat/Filebeat to ship logs to an Elastic stack hosted in Azure, Sysmon configured with a community-hardened config (include command-line capture and image load rules), Azure Sentinel or Elastic SIEM for correlation, and CloudTrail/VPC Flow Logs for AWS workloads. Detection examples: an Elastic rule that fires on Windows 4624 where logon_type=3 (network) originates from a foreign ASN and the host has no recent EDR heartbeat; another rule that looks for Sysmon EventID 1 where the process command_line contains encoded PowerShell and the destination IP is unknown. Integrate alerts to Teams/Slack and create Jira tickets via webhook. For capacity planning, expect ~200–400 MB/day per 100 endpoints as a rough starting point depending on Sysmon verbosity — tune Sysmon and auditd to balance telemetry and cost.
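The second detection example above (encoded PowerShell plus an unknown destination) needs two Sysmon events joined together, because ProcessCreate (EventID 1) carries the command line while NetworkConnect (EventID 3) carries the destination IP; the same join serves the endpoint-plus-network correlation described in the previous section. This added example is not code from the original post or from Sysmon/Elastic; the events, the ProcessGuid values, the baseline of known destinations and the encoded (benign) command are all constructed.

```python
import base64
import re

# Constructed Sysmon events, flattened to dicts as a SIEM would normalize them; not real telemetry.
# The encoded command is a benign constructed sample pointing at a TEST-NET address.
ENCODED = base64.b64encode("Invoke-WebRequest http://203.0.113.50/x".encode("utf-16le")).decode()
SYSMON = [
    {"EventID": 1, "ProcessGuid": "{A1}", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -NoP -W Hidden -enc " + ENCODED},
    {"EventID": 3, "ProcessGuid": "{A1}", "DestinationIp": "203.0.113.50", "DestinationPort": 80},
    {"EventID": 1, "ProcessGuid": "{B2}", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -File C:\\scripts\\backup.ps1"},
    {"EventID": 3, "ProcessGuid": "{B2}", "DestinationIp": "10.0.5.20", "DestinationPort": 445},
]

# Constructed baseline: destinations this host has been seen talking to before (asset/network tagging).
KNOWN_DESTINATIONS = {"10.0.5.20", "10.0.5.21"}

# PowerShell accepts abbreviations of -EncodedCommand; these are the forms commonly seen in logs.
ENC_FLAG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})")


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload (base64 of UTF-16LE), or None if absent or invalid."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None  # malformed base64 or odd byte length: not a decodable command


def correlate(events, known=KNOWN_DESTINATIONS):
    """Join ProcessCreate (EventID 1) to NetworkConnect (EventID 3) on ProcessGuid and alert when
    the process ran an encoded PowerShell command AND connected to a destination not in the baseline."""
    encoded_procs = {}
    for ev in events:
        if ev["EventID"] == 1:
            decoded = decode_encoded_command(ev.get("CommandLine", ""))
            if decoded is not None:
                encoded_procs[ev["ProcessGuid"]] = decoded
    alerts = []
    for ev in events:
        if ev["EventID"] == 3 and ev["ProcessGuid"] in encoded_procs and ev["DestinationIp"] not in known:
            alerts.append({"guid": ev["ProcessGuid"], "dest": ev["DestinationIp"],
                           "decoded": encoded_procs[ev["ProcessGuid"]]})  # decoded text helps triage
    return alerts
```

The decoded command is attached to the alert so an analyst sees what the process was asked to run without re-decoding it by hand; the backup script (no encoded command, known destination) produces no alert.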

Operationalize, test, and provide audit evidence

Operational practices: build runbooks (isolate host, collect volatile data, block account), maintain playbooks for common alerts, and schedule purple-team exercises to validate rule coverage. Log and alert tuning is critical — start broad, measure noise, and iterate to reduce false positives to actionable levels. For audits, produce evidence: sample preserved logs showing detected unauthorized use, correlation graphs, alert timestamps, and remediation steps taken. Map each collected log type and detection to the SI.L2-3.14.7 control in your Plan of Action & Milestones (POA&M) or SSP so auditors can see coverage and control linkage. Also document access controls to logs and proof of integrity controls to demonstrate logs are protected from tampering.

Risk of not implementing this control is significant: without centralized logging and detection you can miss insider misuse, undetected lateral movement leading to CUI exfiltration, loss of contracts, regulatory penalties, and an inability to respond quickly to incidents. For small businesses, one successful unauthorized access can jeopardize DoD contracts and damage reputation; timely detection enabled by a SIEM pipeline materially reduces dwell time and impact.

Summary: build a pipeline that collects authentication, endpoint, network, and cloud logs; secure and normalize them; implement focused detection rules (impossible travel, privilege escalation, abnormal process and network activity); operationalize with runbooks and testing; and document mappings to NIST SP 800-171 / CMMC SI.L2-3.14.7. Start small with essential sources and expand telemetry and correlation over time — the combination of good data collection, tuned detections, and tested response is the practical path to identifying unauthorized use of organizational systems and demonstrating compliance.
