3.3.5 — Connect the Dots
What It Says
Correlate audit record review, analysis, and reporting processes for investigation and response to indications of unlawful, unauthorized, suspicious, or unusual activity.
What It Actually Means
Pull logs from multiple sources into one place and look across them. A single failed login is noise. A failed login on Entra ID + a VPN connection from an unusual country + a large file download from the CUI share — individually, they’re events. Together, they’re an attack.
Two things the assessor checks:
- Defined correlation processes. You have documented processes for how audit records from different sources are reviewed, analyzed, and reported together — not in isolation. This means logs from identity systems, endpoints, network devices, and cloud services are analyzed as a unified picture.
- Processes are actually correlated. Logs from different repositories feed into a common analysis capability. The standard answer is a SIEM (Sentinel, Splunk, Chronicle) with correlation rules that fire when related events occur across multiple sources. The assessor will ask to see a correlation rule and an example of a correlated alert.
This doesn’t require a massive SOC. A small SIEM with basic correlation rules — impossible travel, brute force across multiple systems, privilege escalation followed by data access — satisfies the requirement. What fails is reviewing firewall logs in one console, AD logs in another, and cloud logs in a third, with nobody looking across all three.
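The following is an added illustration, not code from this page or from any SIEM vendor: a small Python correlation pass that normalizes constructed records from three repositories (Entra ID sign-ins, a VPN log, a file-share audit) into one schema and then runs the two rule shapes the text describes. A sequence rule catches an ordered chain inside a time window (the failed-login, unusual-country VPN, large CUI download chain above, and the VPN-then-CUI-share question assessors ask), and a threshold rule catches brute force spread across more than one system. The record field names, the country allowlist, and the 100 MB download threshold are assumptions chosen for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# One schema for every repository: correlation only works once actor and
# time mean the same thing in every record, whichever system wrote it.
@dataclass(frozen=True)
class Event:
    ts: datetime
    source: str   # repository the record came from: entra, vpn, fileshare
    actor: str    # user identity, normalized to one key across sources
    action: str   # normalized verb: login_failure, login_success, connect, read
    attrs: dict = field(default_factory=dict)

# Constructed sample records in three native formats (not real logs; assumed field names).
ENTRA_SIGNINS = [
    {"createdDateTime": "2024-05-01T08:00:10Z", "userPrincipalName": "jdoe@corp.example", "status": "Failure", "ipAddress": "203.0.113.5"},
    {"createdDateTime": "2024-05-01T08:00:40Z", "userPrincipalName": "jdoe@corp.example", "status": "Failure", "ipAddress": "203.0.113.5"},
    {"createdDateTime": "2024-05-01T08:01:15Z", "userPrincipalName": "jdoe@corp.example", "status": "Failure", "ipAddress": "203.0.113.5"},
    {"createdDateTime": "2024-05-01T09:00:00Z", "userPrincipalName": "asmith@corp.example", "status": "Success", "ipAddress": "198.51.100.7"},
]
VPN_LOG = [
    {"time": "2024-05-01T08:01:50Z", "user": "CORP\\jdoe", "msg": "AUTH_FAIL", "country": "RO"},
    {"time": "2024-05-01T08:02:30Z", "user": "CORP\\jdoe", "msg": "AUTH_FAIL", "country": "RO"},
    {"time": "2024-05-01T08:05:00Z", "user": "CORP\\jdoe", "msg": "TUNNEL_UP", "country": "RO"},
    {"time": "2024-05-01T09:05:00Z", "user": "CORP\\asmith", "msg": "TUNNEL_UP", "country": "US"},
]
FILESHARE_AUDIT = [
    {"when": "2024-05-01T08:20:00Z", "account": "jdoe", "op": "read", "path": "\\\\fs01\\CUI\\contracts.zip", "bytes": 250_000_000},
    {"when": "2024-05-01T09:10:00Z", "account": "asmith", "op": "read", "path": "\\\\fs01\\Projects\\notes.txt", "bytes": 4_096},
]

ALLOWED_COUNTRIES = {"US"}            # assumption: where this workforce normally connects from
LARGE_DOWNLOAD_BYTES = 100_000_000    # assumption: what counts as a "large" CUI pull

def normalize_actor(raw):
    """Map 'jdoe@corp.example', 'CORP\\jdoe' and 'jdoe' to the same key."""
    return raw.split("@")[0].split("\\")[-1].lower()

def parse_ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def load_events():
    """Translate each repository's native records into the common Event schema."""
    evs = []
    for r in ENTRA_SIGNINS:
        action = "login_success" if r["status"] == "Success" else "login_failure"
        evs.append(Event(parse_ts(r["createdDateTime"]), "entra", normalize_actor(r["userPrincipalName"]), action, {"ip": r["ipAddress"]}))
    for r in VPN_LOG:
        action = {"AUTH_FAIL": "login_failure", "TUNNEL_UP": "connect"}[r["msg"]]
        evs.append(Event(parse_ts(r["time"]), "vpn", normalize_actor(r["user"]), action, {"country": r["country"]}))
    for r in FILESHARE_AUDIT:
        evs.append(Event(parse_ts(r["when"]), "fileshare", normalize_actor(r["account"]), r["op"], {"path": r["path"], "bytes": r["bytes"]}))
    return sorted(evs, key=lambda e: e.ts)

def _by_actor(events):
    grouped = {}
    for e in sorted(events, key=lambda e: e.ts):
        grouped.setdefault(e.actor, []).append(e)
    return grouped

def _find(evs, start, pred, deadline):
    for j in range(start, len(evs)):
        if evs[j].ts > deadline:
            return None
        if pred(evs[j]):
            return j
    return None

def sequence_rule(events, steps, window):
    """Fire when one actor produces events matching each step, in order, inside `window`,
    drawn from at least two repositories. Returns [(actor, [matched events])]."""
    hits = []
    for actor, evs in _by_actor(events).items():
        for i, first in enumerate(evs):
            if not steps[0](first):
                continue
            chain, cursor, ok = [first], i + 1, True
            for step in steps[1:]:
                j = _find(evs, cursor, step, first.ts + window)
                if j is None:
                    ok = False
                    break
                chain.append(evs[j])
                cursor = j + 1
            if ok and len({e.source for e in chain}) >= 2:
                hits.append((actor, chain))
                break  # one alert per actor is enough for this example
    return hits

def threshold_rule(events, pred, window, min_count, min_sources):
    """Fire when one actor has >= min_count matching events across >= min_sources repositories inside `window`."""
    hits = []
    for actor, evs in _by_actor(events).items():
        matched = [e for e in evs if pred(e)]
        for i, first in enumerate(matched):
            bucket = [e for e in matched[i:] if e.ts - first.ts <= window]
            if len(bucket) >= min_count and len({e.source for e in bucket}) >= min_sources:
                hits.append((actor, bucket))
                break
    return hits

# Predicates shared by the rules below.
failed_login = lambda e: e.action == "login_failure"
vpn_connect = lambda e: e.source == "vpn" and e.action == "connect"
vpn_connect_unusual = lambda e: vpn_connect(e) and e.attrs.get("country") not in ALLOWED_COUNTRIES
cui_access = lambda e: e.source == "fileshare" and "\\CUI\\" in e.attrs.get("path", "")
cui_download = lambda e: cui_access(e) and e.action == "read" and e.attrs.get("bytes", 0) >= LARGE_DOWNLOAD_BYTES

def run_rules(events):
    """Three cross-source rules; the dict keys double as alert names."""
    return {
        "vpn_then_cui_access": sequence_rule(events, [vpn_connect, cui_access], timedelta(hours=1)),
        "failed_logins_then_unusual_vpn_then_cui_download": sequence_rule(events, [failed_login, vpn_connect_unusual, cui_download], timedelta(hours=1)),
        "brute_force_across_systems": threshold_rule(events, failed_login, timedelta(minutes=10), 5, 2),
    }

if __name__ == "__main__":
    for name, hits in run_rules(load_events()).items():
        for actor, chain in hits:
            print(f"ALERT {name}: actor={actor} sources={sorted({e.source for e in chain})} events={len(chain)}")
```

Run stand-alone, it prints three alerts, all for `jdoe`: the sample has three Entra failures and two VPN authentication failures inside ten minutes (five failures across two systems), then a VPN tunnel from a country outside the allowlist, then a 250 MB read from the CUI share. None of those records is alarming in its own console; the rules fire only because one actor key and one clock span all three repositories, which is the point 3.3.5 is making, and also why 3.3.7 (synchronized time) is a prerequisite for it.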
Pass or Fail
Your assessor needs a “yes” to every row:
| # | Question | What “yes” looks like |
|---|---|---|
| 1 | Are audit record review, analysis, and reporting processes defined? | Documented procedures for log review including correlation across sources |
| 2 | Are those processes correlated across repositories? | SIEM or central platform with correlation rules that combine events from multiple log sources |
What to Have Ready on Assessment Day
Documents they’ll review: Audit and accountability policy; procedures addressing audit record review, analysis, and reporting; system security plan; SIEM architecture documentation; correlation rule list; sample correlated alerts; investigation reports that used cross-source analysis
People they’ll talk to: Personnel with audit record review and analysis responsibilities; information security personnel; SOC analysts or whoever reviews correlated alerts
Live demos they’ll ask for: “Show me your SIEM. What sources feed it? Show me a correlation rule. Show me an example where correlated analysis revealed something individual logs wouldn’t have shown.”
The Assessor’s Playbook
These are the actual questions. Have answers ready.
- “How do you correlate audit records from different systems? Show me the tool.”
- “What log sources feed into your correlation capability?”
- “Show me a correlation rule — what does it detect?”
- “Can you show me an example where cross-source correlation identified suspicious activity?”
- “Who reviews correlated alerts? How often?”
- “If an attacker logged into the VPN and then accessed a CUI file share, would your correlation catch both events together?”
Where Companies Trip Up
No SIEM or central analysis. Logs exist on individual systems but nobody combines them. The network team reviews firewall logs, the identity team reviews Entra ID, and nobody looks across both. A SIEM solves this.
SIEM deployed but no correlation rules. The tool is there, logs are flowing, but there are no rules that correlate events across sources. It’s just a log warehouse. Build at least five basic correlation rules targeting common attack patterns.
Nobody reviews alerts. Correlation rules fire but nobody investigates. A SIEM without a review process is a very expensive log storage system. Define who reviews, how often, and what the escalation path is.
Siloed analysis. Different teams review different log sources independently. The assessor asks “how do you correlate firewall events with authentication events?” and the answer is “we don’t.” Central analysis is the entire point.
How to Talk About This
Connected Requirements
| Requirement | Why it matters here |
|---|---|
| 3.3.1 — Log Everything | Provides the raw audit records this requirement correlates |
| 3.3.6 — Search and Report | On-demand queries against the correlated log data |
| 3.3.7 — Sync the Clocks | Cross-source correlation requires synchronized timestamps |
| 3.14.6 — Watch the Network | Network monitoring feeds into correlation analysis |
Implementation (coming soon)
Step-by-step setup for Microsoft 365 / Entra ID, AWS, Azure, and GCP — console steps, CLI commands, and evidence screenshots.
CMMC Practice ID: AU.L2-3.3.5 | SPRS Weight: 5 points | POA&M Eligible: No