SI.L2-3.14.7 under NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2 requires organizations to identify unauthorized use of systems, a goal best achieved by integrating a well-designed Security Information and Event Management (SIEM) solution with User and Entity Behavior Analytics (UEBA); this post provides practical, small-business-focused steps for deployment, tuning, and evidence collection to meet the Compliance Framework practice expectations.
What SI.L2-3.14.7 requires and the Compliance Framework perspective
At its core, the control requires continuous monitoring and analysis of system activity to detect and identify unauthorized use. For Compliance Framework purposes this maps to: (1) collecting relevant log sources; (2) retaining and protecting logs; (3) analyzing logs to detect anomalous access and actions; and (4) producing artifacts (alerts, incident tickets, retention evidence, tuning records) that an assessor can review. The objective is demonstrable capability, not perfect detection, so focus on repeatable processes, documented rules, and measurable outcomes.
Designing your SIEM + UEBA architecture (practical details)
Start by cataloging log sources: Windows Security (Event IDs 4624/4625/1102/4672), Linux auth/sudo and syslog, Active Directory replication and Kerberos (4769), VPN appliances (successful/failed auth), cloud audit logs (AWS CloudTrail: ConsoleLogin/CreateUser; Azure AD SignInLogs), firewalls, proxies/DNS logs, EDR telemetry (process creation, command line), and application logs (SSO, email gateway). For small businesses, a practical stack is: lightweight collector (Wazuh/OSSEC or vendor agent) -> central log ingest (Elastic Stack or a cloud SIEM such as Microsoft Sentinel or Splunk Cloud) -> UEBA module (built-in or third-party). Technical specifics: ensure log forwarding via TLS, use structured formats (CEF/JSON) where possible, enforce NTP across hosts so timestamps correlate, and tag logs with asset and user identifiers for correlation.
Implementation tactics: parsing, retention, rules, and UEBA configuration
Normalize logs early (common fields: host, user, src_ip, dst_ip, event_type, timestamp). Create parsing pipelines (Logstash/Fluentd/ingest rules) and map fields to your SIEM schema. Retention: retain high-fidelity security logs for at least 90 days and critical audit trails (privileged activity, system configuration changes) for 1 year, unless contract/policy requires longer; compress/index cold storage to control costs. Define deterministic detection rules (correlation searches) such as:
- multiple failed VPN auths (>=5) within 10 minutes followed by a successful login from the same IP;
- logon outside normal hours + use of a privileged API;
- cleared audit logs (Windows Event ID 1102).
Complement rules with UEBA: configure baselines for each user/device (work hours, typical hosts, average data transfer) and enable anomaly detections for "impossible travel", sudden data exfiltration, and new app/process execution patterns.
UEBA model tuning and feature engineering for small businesses
UEBA works best when features are simple and explainable. Start with these signals: average logins per day, typical source IPs per user, usual hosts accessed, mean session duration, outbound data volume per day, new process execution frequency, and privilege escalations. Train baseline models with 14 to 30 days of clean telemetry, then enable anomaly thresholds (e.g., 3 standard deviations from baseline) and tune for false positives. For a small shop, prioritize high-confidence detectors: privilege escalation, impossible travel, and large outbound transfers. Document model parameters, training windows, and tuning decisions; these are auditor artifacts for Compliance Framework assessments.
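The per-user baseline and 3-sigma threshold described above, as an added example (not code from the original post or any UEBA product). It assumes telemetry has already been aggregated into one row per user per day with three of the post's suggested features (outbound data volume, logins per day, and logins outside work hours), builds a baseline from a 14-day training window, and scores later days. Two details a practitioner has to handle are shown: a per-feature standard-deviation floor (the MIN_STDEV values are assumed tuning choices) so that a user with perfectly constant behaviour does not cause a division by zero or alert on a trivial change, and an explicit "no baseline" outcome for users who have no training history. The rows below are constructed sample data.

```python
"""UEBA-style per-user baselines with a 3-sigma anomaly threshold.

Added example; not code from the original post. Assumes pre-aggregated daily
feature rows. MIN_STDEV floors are assumed tuning values, not vendor defaults.
"""
from collections import defaultdict
from statistics import mean, pstdev

FEATURES = ("outbound_mb", "logins", "offhours_logins")
TRAINING_DAYS = 14          # the post's lower bound for a clean training window
SIGMA = 3.0                 # alert when a feature exceeds mean + 3 standard deviations
MIN_STDEV = {               # assumed floors: avoid divide-by-zero and micro-deviation alerts
    "outbound_mb": 5.0,
    "logins": 1.0,
    "offhours_logins": 1.0,
}

# Constructed sample telemetry (not real data). "jdoe" has 14 clean training days,
# then one exfiltration-like day and one day with an unusual login count.
_JDOE_OUTBOUND = [40, 55, 50, 45, 60, 50, 48, 52, 47, 53, 49, 51, 55, 45]
SAMPLE_ROWS = [
    {"user": "jdoe", "day": d, "outbound_mb": mb, "logins": 3, "offhours_logins": 0}
    for d, mb in enumerate(_JDOE_OUTBOUND)
] + [
    # day 14: >1 GB out, several off-hours sessions, normal login count
    {"user": "jdoe", "day": 14, "outbound_mb": 1200, "logins": 3, "offhours_logins": 4},
    # day 15: normal volume, but three times the usual number of logins
    {"user": "jdoe", "day": 15, "outbound_mb": 58, "logins": 9, "offhours_logins": 0},
    # a new user with no training history at all
    {"user": "asmith", "day": 15, "outbound_mb": 20, "logins": 2, "offhours_logins": 0},
]


def build_baseline(rows, training_days=TRAINING_DAYS):
    """Return {user: {feature: (mean, stdev)}} from rows inside the training window.

    The stdev is floored per feature so a constant feature still yields a usable
    scale; document these floors as tuning decisions for the assessor."""
    samples = defaultdict(lambda: defaultdict(list))
    for row in rows:
        if row["day"] < training_days:
            for feature in FEATURES:
                samples[row["user"]][feature].append(row[feature])
    return {
        user: {f: (mean(v), max(pstdev(v), MIN_STDEV[f])) for f, v in feats.items()}
        for user, feats in samples.items()
    }


def score_row(row, baseline, sigma=SIGMA):
    """Return [(feature, z)] for features above the threshold, or a single
    ('no_baseline', None) marker when the user was never baselined."""
    if row["user"] not in baseline:
        return [("no_baseline", None)]
    findings = []
    for feature in FEATURES:
        mu, sd = baseline[row["user"]][feature]
        z = (row[feature] - mu) / sd
        if z > sigma:                      # one-sided: only unusually high values
            findings.append((feature, round(z, 1)))
    return findings


def detect(rows, baseline, training_days=TRAINING_DAYS, sigma=SIGMA):
    """Score every post-training row; returns alert dicts ready for a ticket."""
    alerts = []
    for row in rows:
        if row["day"] < training_days:
            continue                       # never score the data the baseline was built from
        for feature, z in score_row(row, baseline, sigma):
            alerts.append({"user": row["user"], "day": row["day"],
                           "feature": feature, "z": z})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_ROWS, build_baseline(SAMPLE_ROWS)):
        print(alert)
```

On the constructed data the outbound-volume stdev is about 4.8 MB, just under the 5 MB floor, so the floor is what sets the scale; the login count never varies in training, so without the floor the day-15 login spike would divide by zero. The "no_baseline" outcome is deliberately returned rather than silently skipped, because an unbaselined account is itself something an analyst should see and the tuning log should record.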
Real-world small-business scenarios and detections
Scenario 1 (compromised VPN credentials): the SIEM rule correlates 10 failed VPN logins from one IP followed by a successful login from a new country within 15 minutes; UEBA flags the user behavior change (new source + abnormal hours) and raises a high-priority alert. Response: automatic MFA challenge (if supported), immediate VPN session termination, password reset, and an incident ticket with logs exported.
Scenario 2 (insider exfiltration): UEBA notices a user copying >1GB to external cloud storage during non-business hours and accessing systems they rarely use; the SIEM correlates this with proxy logs showing an upload to an external IP. Response: block the account, preserve the endpoint image, and export evidence to show the detection chain to an assessor. Include the generated alerts, timelines, and remediation steps in your compliance artifacts.
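The deterministic correlation rules from the implementation section (failed VPN auths followed by a success from the same IP, and Windows Event ID 1102) and the rule in Scenario 1 are the same logic with different thresholds, so one added example serves both. This is illustrative code, not from the original post or any SIEM product; it assumes events have already been normalized to the post's common fields (host, user, src_ip, event_type, timestamp, plus event_id for Windows audit records) and the event list is constructed. The threshold and window are parameters so the same function expresses the ">=5 in 10 minutes" rule and Scenario 1's "10 in 15 minutes" variant.

```python
"""Deterministic SIEM correlation rules over normalized auth events.

Added example; not code from the original post or a SIEM vendor. Assumes
events are normalized dicts with host, user, src_ip, event_type, timestamp
(ISO 8601) and, for Windows records, event_id. SAMPLE_EVENTS is constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def _ts(event):
    return datetime.fromisoformat(event["timestamp"])


# Constructed sample telemetry (not real logs); all timestamps on one day, UTC.
SAMPLE_EVENTS = [
    # 203.0.113.7: six failures in six minutes, then a success -> should alert
    *[{"timestamp": f"2024-03-01T02:0{m}:00", "host": "vpn01", "user": "jdoe",
       "src_ip": "203.0.113.7", "event_type": "vpn_auth_failure"} for m in range(1, 7)],
    {"timestamp": "2024-03-01T02:08:00", "host": "vpn01", "user": "jdoe",
     "src_ip": "203.0.113.7", "event_type": "vpn_auth_success"},
    # 198.51.100.4: two mistyped passwords, then success -> below threshold
    {"timestamp": "2024-03-01T09:00:00", "host": "vpn01", "user": "asmith",
     "src_ip": "198.51.100.4", "event_type": "vpn_auth_failure"},
    {"timestamp": "2024-03-01T09:03:00", "host": "vpn01", "user": "asmith",
     "src_ip": "198.51.100.4", "event_type": "vpn_auth_failure"},
    {"timestamp": "2024-03-01T09:05:00", "host": "vpn01", "user": "asmith",
     "src_ip": "198.51.100.4", "event_type": "vpn_auth_success"},
    # 192.0.2.9: five failures, but the success comes 16+ minutes later -> outside window
    *[{"timestamp": f"2024-03-01T01:0{m}:00", "host": "vpn01", "user": "bjones",
       "src_ip": "192.0.2.9", "event_type": "vpn_auth_failure"} for m in range(0, 5)],
    {"timestamp": "2024-03-01T01:20:00", "host": "vpn01", "user": "bjones",
     "src_ip": "192.0.2.9", "event_type": "vpn_auth_success"},
    # Windows Security Event ID 1102: the audit log was cleared on a domain controller
    {"timestamp": "2024-03-01T03:00:00", "host": "dc01", "user": "svc_backup",
     "src_ip": "10.0.0.5", "event_type": "windows_security", "event_id": 1102},
]


def brute_force_then_success(events, min_failures=5, window_minutes=10):
    """Alert when a success follows >= min_failures failures from the same
    source IP inside window_minutes. One alert per qualifying success."""
    window = timedelta(minutes=window_minutes)
    failures = defaultdict(list)           # src_ip -> timestamps of recent failures
    alerts = []
    for ev in sorted(events, key=_ts):     # correlation needs time order
        kind = ev["event_type"]
        if kind not in ("vpn_auth_failure", "vpn_auth_success"):
            continue
        ip, ts = ev["src_ip"], _ts(ev)
        if kind == "vpn_auth_failure":
            failures[ip].append(ts)
            continue
        recent = [t for t in failures[ip] if ts - t <= window]
        if len(recent) >= min_failures:
            alerts.append({
                "rule": "vpn_bruteforce_then_success", "severity": "high",
                "src_ip": ip, "user": ev["user"], "failure_count": len(recent),
                "first_failure": recent[0].isoformat(), "success_at": ts.isoformat(),
            })
            failures[ip] = []              # reset so one campaign yields one alert
        else:
            failures[ip] = recent          # drop failures that aged out of the window
    return alerts


def cleared_audit_log(events):
    """Event ID 1102 means the Windows Security log was cleared; always alert."""
    return [
        {"rule": "windows_audit_log_cleared", "severity": "high",
         "host": ev["host"], "user": ev["user"], "at": ev["timestamp"]}
        for ev in events
        if ev.get("event_type") == "windows_security" and ev.get("event_id") == 1102
    ]


def run_rules(events, min_failures=5, window_minutes=10):
    """Run every deterministic rule; the returned dicts are what goes into the ticket."""
    return brute_force_then_success(events, min_failures, window_minutes) + cleared_audit_log(events)


if __name__ == "__main__":
    for alert in run_rules(SAMPLE_EVENTS):
        print(alert)
```

Two things to note when turning this into a production rule: the window comparison depends on hosts sharing a clock, which is why the architecture section insists on NTP, and the rule parameters (5/10 versus Scenario 1's 10/15) are exactly the values an assessor will ask you to justify, so record them with the deployment timestamp in your tuning log.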
Compliance tips, evidence collection, and best practices
For Compliance Framework auditors, provide: system architecture diagrams showing collectors and retention storage; logging/encryption configuration snippets; SIEM correlation rule definitions with timestamps of deployment; UEBA model configuration and a sample anomaly report; and incident response playbooks and past incident tickets demonstrating detection and response. Best practices: automate weekly rule health checks, maintain a false-positive log and tuning change log, schedule quarterly tabletop exercises that use SIEM alerts, and protect log integrity (WORM or hashed archives). Use role-based access for SIEM/UEBA consoles and retain analyst activity logs to show separation of duties.
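The "hashed archives" option for protecting log integrity, as an added example (not code from the original post or any product): a hash-chained manifest in which each archived file's SHA-256 is folded into a running chain value, so that modifying, deleting, or reordering any archive after the fact breaks verification and the first bad entry is reported. The archive files and their contents are constructed stand-ins written to a temporary directory; the GENESIS sentinel and manifest layout are assumptions of this example.

```python
"""Hash-chained manifest for archived log files (log-integrity evidence).

Added example; not code from the original post. Files are constructed stand-ins
for daily archives. The chain sentinel and manifest format are this example's
own choices, not a standard.
"""
import hashlib
import json
import os
import tempfile

GENESIS = "0" * 64   # assumed chain value before the first entry


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def file_digest(path):
    """Stream the file so multi-GB archives do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(paths):
    """Seal archives in sorted-name order; chain_i = SHA256(chain_{i-1} || sha256_i)."""
    prev = GENESIS
    entries = []
    for path in sorted(paths, key=os.path.basename):
        digest = file_digest(path)
        chain = sha256_hex((prev + digest).encode("ascii"))
        entries.append({"name": os.path.basename(path), "sha256": digest, "chain": chain})
        prev = chain
    return entries


def verify_manifest(entries, directory):
    """Recompute every digest and chain link; return (ok, first_failing_name)."""
    prev = GENESIS
    for entry in entries:
        path = os.path.join(directory, entry["name"])
        if not os.path.isfile(path):
            return False, entry["name"]        # archive deleted or renamed
        digest = file_digest(path)
        chain = sha256_hex((prev + digest).encode("ascii"))
        if digest != entry["sha256"] or chain != entry["chain"]:
            return False, entry["name"]        # content changed, or order changed upstream
        prev = chain
    return True, None


def demo():
    """Seal three constructed archives, verify, then tamper with day 2 and re-verify."""
    with tempfile.TemporaryDirectory() as d:
        names = ["security-2024-03-01.log", "security-2024-03-02.log", "security-2024-03-03.log"]
        for i, name in enumerate(names):
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(f"constructed archive {i}\n".encode())   # constructed content
        paths = [os.path.join(d, n) for n in names]
        manifest_path = os.path.join(d, "manifest.json")
        with open(manifest_path, "w") as fh:
            json.dump(build_manifest(paths), fh, indent=2)
        with open(manifest_path) as fh:             # reload as an assessor would
            manifest = json.load(fh)
        ok_before, _ = verify_manifest(manifest, d)
        with open(paths[1], "ab") as fh:            # simulate a post-hoc edit
            fh.write(b"tampered line\n")
        ok_after, bad = verify_manifest(manifest, d)
        return ok_before, ok_after, bad


if __name__ == "__main__":
    print(demo())
```

The manifest only proves anything if it is stored somewhere the log administrators cannot rewrite: keep it on WORM storage, in a separate account, or under an access role that the SIEM operators do not hold, and archive the verification output itself as part of the evidence package. The demo writes manifest.json next to the archives purely for brevity.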
Risk of non-implementation: failing to deploy SIEM + UEBA leaves unauthorized access undetected or detected late, increasing risk of data exfiltration, regulatory penalties, loss of contracts (especially with DoD/industry partners), and damage to reputation. From a compliance standpoint, lack of demonstrable monitoring and analysis will generate findings under SI.L2-3.14.7 and may lead to remediation orders or loss of eligibility for controlled contract work. The practical cost of detection gaps is often far higher than the incremental cost of a targeted SIEM/UEBA deployment.
Summary: To meet SI.L2-3.14.7 under NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2, implement a focused SIEM intake and normalization pipeline, enable deterministic correlation rules, deploy UEBA baselines for behavioral detection, and document tuning and incident artifacts for auditors; for small businesses this means prioritizing high-value log sources (identity, VPN, EDR, cloud audit), enforcing secure log transport and retention, and creating a concise evidence package (rules, alerts, playbooks) that proves you can identify and respond to unauthorized use.