AU.L2-3.3.5: Audit Correlation for CMMC Level 2
Audit correlation ties together fragmented log data to reveal patterns of suspicious or unauthorized activity that individual audits might miss. Under CMMC Level 2, you must establish processes that connect audit record review, analysis, and reporting to detect and respond to threats in real time. Without correlation, you're flying blind—audits become scattered documents instead of actionable intelligence.
What this means
Audit correlation is the practice of connecting audit records from multiple systems, applications, and sources to identify relationships between events that indicate unlawful, unauthorized, suspicious, or unusual activity. CMMC AU.L2-3.3.5 requires that your organization correlate findings across audit logs, not treat each log independently. This means establishing processes where audit data flows into a centralized analysis function, rules flag anomalies, and investigation teams respond with clear incident protocols.
How to comply
- 1.Centralize audit log collection from all systems, applications, and network devices into a single repository or SIEM platform
- 2.Define correlation rules that link events across systems—such as failed login attempts followed by privilege escalation or unusual data access patterns
- 3.Document audit review procedures that include scheduled analysis of correlated logs for suspicious patterns and anomalies
- 4.Establish investigation protocols that specify how teams respond when correlation triggers an alert
- 5.Create reporting templates that document findings, timeline of events, and recommended remediation actions
- 6.Review and update correlation rules quarterly to adapt to emerging threats and operational changes
- 7.Train personnel on the correlation process and their role in investigation and response workflows
Evidence auditors look for
- SIEM platform configuration showing active correlation rules and alert thresholds
- Audit log analysis reports demonstrating multi-source event correlation and pattern detection
- Investigation runbooks detailing response procedures triggered by correlated audit findings
- Sample incident reports showing correlated events, timeline reconstruction, and root cause analysis
- Quarterly correlation rule review and update documentation
- Access logs showing authorized reviewers querying and analyzing correlated audit data
- Audit trail demonstrating regular execution of correlation analysis workflows
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates audit log correlation by centralizing logs from your infrastructure, applying pre-built CMMC correlation rules, and alerting your team to suspicious patterns—eliminating manual log hunting and speeding investigation response times.
See how GRCWatch handles this control automatically
Start free trial