AU.L2-3.3.5: Correlate audit record review, analysis, and reporting for investigating and responding to indications of unlawful, unauthorized, suspicious, or unusual activity

📖 What This Means

This practice requires organizations to actively review and analyze audit logs to detect and respond to suspicious or unauthorized activities. It means not just collecting logs, but connecting the dots between different events to identify potential threats. For example, if an employee's account logs in at 3 AM from a foreign country and immediately accesses sensitive files, these events should be correlated and flagged for investigation. Another example would be linking multiple failed login attempts across systems to detect a potential brute force attack. The goal is to turn raw log data into actionable security intelligence.

🎯 Why It Matters

Without correlation and analysis, audit logs are just data - not security intelligence. The 2022 Verizon DBIR found that 80% of breaches could be detected through log analysis if properly correlated. A real-world example is the Target breach, where attackers' movements through systems were logged but not correlated in time to prevent data exfiltration. For DoD contractors, this control is critical because CUI is a high-value target. The CMMC framework emphasizes this practice because catching suspicious activity early can prevent data breaches, which could cost $4.24 million on average (IBM 2021) and lead to loss of contracts.

✅ How to Implement

1. Enable Azure Sentinel or AWS GuardDuty for cloud-native log correlation
2. Configure log ingestion from all cloud services (e.g., AWS CloudTrail, Azure Activity Logs)
3. Set up alerts for suspicious patterns (e.g., geographic anomalies, privilege escalation)
4. Create automated playbooks for common investigation scenarios
5. Establish weekly review process for correlated alerts
6. Integrate with identity providers (e.g., Azure AD) for user context
7. Document investigation procedures for cloud-specific incidents

⏱️

Estimated Effort

Initial setup: 40-80 hours (depending on environment complexity). Ongoing: 5-10 hours/week for review and maintenance. Requires mid-level security analyst skills.

📋 Evidence Examples

SIEM Correlation Rules

Format: PDF/Configuration files

Frequency: Update quarterly or when new threats emerge

Contents: Documented rules for detecting suspicious activity patterns

Collection: Export from SIEM configuration

Alert Review Logs

Format: CSV/PDF reports

Frequency: Daily for critical alerts, weekly summary

Contents: Dated records of reviewed alerts with analyst notes

Collection: SIEM-generated reports

Incident Response Documentation

Format: Word/PDF

Frequency: Review semi-annually

Contents: Procedures for investigating correlated events

Collection: Policy document with version control

Training Records

Format: PDF/Spreadsheet

Frequency: Annual refresher training

Contents: Staff training on log analysis and correlation

Collection: HR training records

Sample Correlated Alert

Format: Screenshot/PDF

Frequency: Keep 3 recent examples

Contents: Example of a detected suspicious pattern with investigation notes

Collection: Redacted SIEM screenshot

📝 SSP Guidance

Use this guidance when writing the System Security Plan (SSP) narrative for this control.

How to Write the SSP Narrative

For AU.L2-3.3.5 ("Correlate audit record review, analysis, and reporting for investigating and responding to indications of unlawful, unauthorized, suspicious, or unusual activity"), your SSP narrative should specifically describe: (1) the tools and technologies you use to implement this control, (2) the configuration or process that enforces it, (3) who is responsible for maintaining it, and (4) what evidence proves it's working. Describe your audit logging infrastructure, including which events are logged, the SIEM/log management platform, retention periods, log protection mechanisms, and review processes. Be specific -- name your actual products, settings, and responsible personnel.

Example SSP Narratives

Cloud (Azure/AWS)

"AU.L2-3.3.5 is implemented using cloud-native controls. [Organization] uses [specific cloud service/feature] to correlate audit record review, analysis, and reporting for investigating and res.... The configuration is managed through [Azure Policy/AWS Config/Terraform] and monitored via [SIEM tool]. Responsible party: [IT Security Manager]. Evidence: [specific artifact, e.g., 'Azure AD Conditional Access policy screenshot, CloudTrail logs']."

On-Premise

"AU.L2-3.3.5 is implemented through on-premise infrastructure controls. [Organization] uses [Active Directory/Group Policy/specific tool] to correlate audit record review, analysis, and reporting for investigating and res.... Configuration is documented in [location] and audited [frequency]. Responsible party: [System Administrator]. Evidence: [specific artifact, e.g., 'Group Policy export, Windows Event logs']."

Hybrid

"AU.L2-3.3.5 is implemented across both cloud and on-premise environments. [Organization] uses [Azure AD Connect/hybrid tool] to ensure consistent enforcement. Cloud resources are managed via [cloud tool] and on-premise systems via [on-prem tool]. Both environments report to [centralized SIEM]. Responsible party: [IT Director]. Evidence: [artifacts from both environments]."

System Boundary Considerations

• Identify all systems generating audit logs within the CUI boundary
• Document log flow from sources to centralized SIEM
• Specify log storage locations and retention tiers
• Ensure this control covers all systems within your defined CUI boundary where correlate audit record review, analysis, and reporting for investigating and responding to indications of unlawful, unauthorized, suspicious, or unusual activity applies
• Document any systems where this control is not applicable and explain why

Key Documentation to Reference in SSP

📄 Audit and Accountability Policy
📄 SIEM architecture documentation
📄 Log retention configuration
📄 Evidence artifacts specific to AU.L2-3.3.5
📄 POA&M entry if control is not fully implemented

What the Assessor Looks For

The assessor will verify that required events are logged, check log completeness (all required fields present), test log protection mechanisms, and review evidence of regular log reviews.

💬 Self-Assessment Questions

Use these questions to assess your compliance. Each "NO" answer provides specific remediation guidance.

Question 1: Do you have a SIEM or equivalent tool ingesting logs from all systems handling CUI?

✅ YES → Proceed to Q2

❌ NO → GAP: Implement centralized log collection within 30 days. Start with Wazuh (free) or evaluate commercial SIEM options.

Remediation:

30 days

Question 2: Are correlation rules configured to detect at least: (a) multiple failed logins, (b) after-hours access, and (c) unusual data access patterns?

✅ YES → Proceed to Q3

❌ NO → GAP: Create and test basic correlation rules within 14 days. Use MITRE ATT&CK framework for guidance.

Remediation:

14 days

Question 3: Is there a documented process for reviewing and responding to correlated alerts?

✅ YES → Proceed to Q4

❌ NO → GAP: Document alert review procedures within 7 days. Template available from CMMC AB website.

Remediation:

7 days

Question 4: Can you demonstrate at least two examples where correlation identified suspicious activity in the past 90 days?

✅ YES → Proceed to Q5

❌ NO → GAP: Conduct retrospective analysis of logs to identify missed patterns. Implement improved detection within 21 days.

Remediation:

21 days

Question 5: Are all personnel with access to CUI trained on reporting suspicious activity?

✅ YES → COMPLIANT

❌ NO → GAP: Conduct security awareness training within 14 days. Document attendance.

Remediation:

14 days

⚠️ Common Mistakes (What Auditors Flag)

1. Collecting logs but not analyzing them

Why this happens: Focus on compliance checkbox rather than security value

How to avoid: Schedule daily review time and assign accountability

2. Lack of cross-system correlation

Why this happens: Silos between IT teams or systems

How to avoid: Implement centralized SIEM and create cross-team review procedures

3. No documented investigation procedures

Why this happens: Reliance on tribal knowledge

How to avoid: Create playbooks for common scenarios and review quarterly

4. Insufficient log retention

Why this happens: Cost concerns or lack of storage planning

How to avoid: Implement 90-day retention policy with archive options

5. Alert fatigue from poor tuning

Why this happens: Initial setup without ongoing refinement

How to avoid: Monthly review of false positives/negatives and adjust rules

📚 Parent Policy

This practice is governed by the Audit and Accountability Policy

View AU Policy →

📚 Related Controls

AU.L2-3.3.1 (Audit log content requirements) AU.L2-3.3.2 (Audit log storage capacity) IR.L2-3.6.1 (Incident response policy) SI.L2-3.14.7 (Monitoring for unauthorized personnel)