AU.L2-3.3.5 of NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2 requires organizations to correlate audit record review, analysis, and reporting across systems to detect and respond to events affecting Controlled Unclassified Information (CUI); this post provides a practical blueprint for configuring a SIEM and reporting pipeline that meets that requirement while remaining attainable for small businesses.
Overview: what the control requires and what to produce for auditors
The control expects you to aggregate audit data, correlate events across systems, produce actionable alerts and periodic reports, and retain evidence that review and analysis actually occurred. For assessment purposes, that means you must show (1) collection and normalization of the relevant log sources, (2) correlation logic that links multi-source events, (3) documented incident triage and reporting artifacts, and (4) retention and access controls for audit records. Your evidence can include SIEM ingestion dashboards, correlation rules, alert logs, incident tickets, and scheduled compliance reports.
Key SIEM components and data sources to configure
Start by cataloging data sources that contain audit records tied to CUI: Windows Security Events (Logon/Logoff, Audit Policy changes, Privilege use), Linux auth and syslog, file server access logs (SMB/NFS), DLP/FIM events, Active Directory/LDAP events, identity provider logs (Okta, Azure AD), cloud audit logs (AWS CloudTrail, Azure Activity Logs), VPN/Firewall logs, and application logs that touch CUI. For each source define: log format (CEF, LEEF, JSON, EVT), required fields (timestamp, hostname, username, event_type, process, dst_ip), and expected volume. Small business tip: prioritize sources that directly interact with CUI (file servers, identity stores, remote access) and expand later.
Normalization, time-sync, and enrichment
Practical correlation depends on consistent timestamps and canonical field names. Enforce NTP on all endpoints and ingest logs with timezone-normalized timestamps (ISO 8601) in the SIEM. Configure ingest pipelines (Logstash, Fluentd, Elastic ingest pipelines, or native collectors) to map fields to a canonical schema: host, user, src_ip, dst_ip, event_id, event_category, file_path, process_name, and correlation_id. Enrich logs at ingest with asset metadata (owner, CUI tag, business unit) and identity metadata (role, privileged status). This makes queries performant and correlation rules reliable.
Designing correlation rules and reporting pipelines
Good correlation links related events across time and systems rather than relying on single-event thresholds. Build rules that combine identity events (failed/successful auth), host events (process creation, service changes), and data-access events (file reads, exports). Example correlation use case: "Multiple failed logins to a service account, followed within 5 minutes by a successful login and a large file transfer from a file server"; this should produce a high-priority alert. Implement the detection logic in your SIEM (Splunk correlation searches, Elastic detection rules, Azure Sentinel analytics rules). Example Splunk-style correlation (conceptual pseudocode, not a runnable search): count failed logins per user over 10 minutes | join with file-access events on host and user within 5 minutes | if the file volume exceeds the threshold, raise an alert.
Sample rule snippets and pipeline ideas
Concrete examples help. In Elastic SIEM create a rule that triggers when: (count(auth_failure) by user, source.ip in the last 10m > 10) AND (file_read events exist for the same user on the same host within 5m). In Azure Sentinel KQL you might write: SecurityEvent | where EventID in (4625, 4624) | summarize FailedLogons=countif(EventID==4625), SuccessLogons=countif(EventID==4624) by Account, Computer, bin(TimeGenerated, 5m) | where FailedLogons > 10 and SuccessLogons > 0 | join kind=inner (FileEvents | where ActionType == "FileRead") on Account, Computer. Note that Computer must be part of the summarize grouping, otherwise it is not present in the left side of the join and the query fails; the where clause expresses the "many failures followed by a success" condition before joining. For small-business managed SIEMs, use built-in templates (Brute Force + Data Exfil templates) and customize thresholds to reduce false positives.
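As an added example (not code from the original post), here is the failed-logins-then-bulk-read rule from the previous two sections implemented in Python over constructed, already-normalized events. It keys on user and host like the conceptual Splunk search, uses hypothetical thresholds (more than 10 failures in the 10 minutes before a successful login, more than 500 MiB read within 5 minutes after it), and rejects timestamps without a timezone offset so that ordering depends on the UTC normalization described earlier.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone
FAIL_WINDOW = timedelta(minutes=10)   # failures counted in the 10 min before the successful login
FAIL_THRESHOLD = 10                   # alert only when failures exceed this count
XFER_WINDOW = timedelta(minutes=5)    # file reads counted in the 5 min after the login
MIB = 1024 * 1024
XFER_THRESHOLD = 500 * MIB            # hypothetical byte threshold; tune per environment

def parse_ts(ts):
    """ISO 8601 -> aware UTC datetime; reject naive timestamps the ingest pipeline failed to normalize."""
    t = datetime.fromisoformat(ts)
    if t.tzinfo is None:
        raise ValueError(f"timestamp without offset: {ts}")
    return t.astimezone(timezone.utc)

def correlate(events):
    """One high-priority alert per (user, host) showing failures -> success -> bulk file reads."""
    evs = sorted(({**e, "t": parse_ts(e["ts"])} for e in events), key=lambda e: e["t"])
    by_key = defaultdict(list)
    for e in evs:
        by_key[(e["user"], e["host"])].append(e)
    alerts = []
    for (user, host), seq in by_key.items():
        for i, login in enumerate(seq):
            if login["event_category"] != "auth_success":
                continue
            fails = [f for f in seq[:i] if f["event_category"] == "auth_failure"
                     and login["t"] - f["t"] <= FAIL_WINDOW]
            reads = [r for r in seq[i + 1:] if r["event_category"] == "file_read"
                     and r["t"] - login["t"] <= XFER_WINDOW]
            total = sum(r["bytes"] for r in reads)
            if len(fails) > FAIL_THRESHOLD and total > XFER_THRESHOLD:
                alerts.append({"severity": "high", "user": user, "host": host, "failures": len(fails),
                               "login_at": login["t"].isoformat(), "bytes_read": total})
                break  # one alert per pair; the raw events stay as the audit evidence
    return alerts

def make_event(ts, user, host, category, nbytes=0):
    return {"ts": ts, "user": user, "host": host, "event_category": category, "bytes": nbytes}

# Constructed sample events in the canonical schema (not real logs): svc-backup fails 12 times, logs in
# and reads 650 MiB; alice is normal use. One read carries a -05:00 offset to show UTC normalization.
EVENTS = (
    [make_event(f"2024-03-04T09:{i // 2:02d}:{30 * (i % 2):02d}+00:00", "svc-backup", "fs01", "auth_failure")
     for i in range(12)]
    + [make_event("2024-03-04T09:06:00+00:00", "svc-backup", "fs01", "auth_success"),
       make_event("2024-03-04T09:07:10+00:00", "svc-backup", "fs01", "file_read", 300 * MIB),
       make_event("2024-03-04T04:09:00-05:00", "svc-backup", "fs01", "file_read", 350 * MIB),
       make_event("2024-03-04T09:10:20+00:00", "alice", "fs01", "auth_success"),
       make_event("2024-03-04T09:11:00+00:00", "alice", "fs01", "file_read", 10 * MIB)])
```

Running correlate(EVENTS) yields a single alert for svc-backup on fs01 (12 failures, 650 MiB read) and nothing for alice; the step 7 test in the checklist below is exactly this kind of replay with the detection time recorded.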
Real-world small-business scenarios and examples
Scenario 1, a remote contractor accessing CUI: the contractor authenticates via VPN (VPN log), then opens an RDP session (host auth event) to access a file share (SMB read). Correlation links the VPN, RDP, and SMB events and alerts when the contractor downloads >X MB outside business hours. Scenario 2, a compromised service account: multiple failed AD logons from unusual IPs, followed by a successful logon and the creation of new scheduled tasks on several hosts. Correlation should surface the cross-host pattern quickly. In both cases, enrichment with the asset inventory (which hosts store CUI) lets you prioritize the alerts that touch CUI.
Implementation checklist and operational steps
Step-by-step for a small org:
1) Define scope: list the systems that process CUI.
2) Deploy collectors/agents for those systems and verify logs reach the SIEM.
3) Standardize timestamps/fields in an ingest pipeline and tag CUI-related assets.
4) Implement core correlation rules (authentication anomalies, lateral movement patterns, bulk file access).
5) Create scheduled compliance reports (weekly summary of correlated incidents, monthly audit log health) and a canned report template for auditors showing log sources, retention, and incident artifacts.
6) Document playbooks for triage and link each alert to a ticketing system so auditors can follow the chain of evidence.
7) Test by running scenarios (simulated failed logins + file transfer) and record the detection timeline.
Risks, tuning, retention, and best practices
Risks of not implementing this control include missed detection of exfiltration or insider threats, inability to produce correlated evidence during an audit or incident, and potential loss of DFARS/CUI contracts. Best practices: keep at least 90 days of high-fidelity logs on hot storage and archive 1+ year to cold storage depending on contract requirements; restrict log access with RBAC and audit access to the SIEM itself; sign or hash archived logs if chain of custody is necessary; integrate threat intelligence and UEBA gradually; build meaningful dashboards and a small set of high-quality alerts to avoid alert fatigue. Review and tune correlation thresholds quarterly and after major environment changes.
In summary, meeting AU.L2-3.3.5 in a small-business context is primarily an engineering and process exercise: collect and normalize audit data, enrich it with identity and asset context, implement multi-source correlation rules that map to CUI impact, and document your pipelines and incident artifacts for auditors. Start small (identity, file servers, remote access), automate enrichment and reporting, and iterate on detections; that combination delivers both compliance evidence and practical security improvements.