
3.3.6 — Search and Report

Provide audit record reduction and report generation to support on-demand analysis and reporting.

Two capabilities, both required:

  1. Audit record reduction. The ability to take raw log data — millions of events — and reduce it to meaningful, actionable information. This means filtering, searching, and querying logs to extract what matters without wading through noise. “Show me all failed logins by privileged accounts last week” should produce a clean result, not a raw log dump.

  2. Report generation. The ability to produce formatted reports on demand — not just on a schedule. When the assessor, an incident responder, or management asks a question, you can generate a report answering it within minutes. Pre-built reports for common questions (admin activity, failed authentications, CUI file access) plus ad-hoc query capability for questions you didn’t anticipate.

The key word is on-demand. Monthly scheduled reports alone don’t satisfy this. Someone needs to be able to ask a question and get an answer quickly. A SIEM with a query interface is the standard solution. Even a well-organized log management tool with search capabilities works — the bar is the ability to reduce and report, not a specific product.
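As an added illustration (not code from the original page or from any product), the script below performs both capabilities against constructed JSON-lines audit records: it reduces them to the answer for “failed logins by privileged accounts last week” and then generates a CSV report from the result. The field names, the privileged-account list and the sample records are assumptions, not any SIEM’s schema.

```python
import csv
import io
import json
from datetime import datetime, timedelta, timezone

# Constructed JSON-lines audit records (not from any real system or product).
SAMPLE_LOGS = """\
{"ts":"2024-05-06T08:12:03Z","user":"admin.jsmith","host":"dc01","event":"logon","outcome":"failure"}
{"ts":"2024-05-06T08:12:40Z","user":"admin.jsmith","host":"dc01","event":"logon","outcome":"success"}
{"ts":"2024-05-07T22:01:11Z","user":"kchen","host":"fs02","event":"logon","outcome":"failure"}
{"ts":"2024-05-08T03:45:00Z","user":"svc_backup","host":"fs02","event":"logon","outcome":"failure"}
{"ts":"2024-05-08T03:45:09Z","user":"svc_backup","host":"fs02","event":"logon","outcome":"failure"}
{"ts":"2024-04-20T10:00:00Z","user":"admin.jsmith","host":"dc01","event":"logon","outcome":"failure"}
"""
PRIVILEGED = {"admin.jsmith", "svc_backup"}  # assumed privileged accounts (from your IAM inventory)

def parse_records(text):
    """Parse JSON-lines audit data, turning the ISO timestamp into an aware datetime."""
    records = []
    for line in text.splitlines():
        if line.strip():
            rec = json.loads(line)
            rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
            records.append(rec)
    return records

def reduce_failed_privileged_logons(records, now, days=7):
    """Audit record reduction: keep only failed logons by privileged accounts in the last N days."""
    since = now - timedelta(days=days)
    return [r for r in records
            if r["event"] == "logon" and r["outcome"] == "failure"
            and r["user"] in PRIVILEGED and r["ts"] >= since]

def generate_report(hits):
    """Report generation: CSV summary, one row per account/host with count and last failure."""
    summary = {}
    for r in hits:
        count, last = summary.get((r["user"], r["host"]), (0, r["ts"]))
        summary[(r["user"], r["host"])] = (count + 1, max(last, r["ts"]))
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(["user", "host", "failed_logons", "last_failure_utc"])
    for (user, host), (count, last) in sorted(summary.items()):
        writer.writerow([user, host, count, last.strftime("%Y-%m-%d %H:%M:%S")])
    return out.getvalue()

def demo(now=datetime(2024, 5, 10, tzinfo=timezone.utc)):
    # Assumed "now" so the seven-day window is reproducible against the constructed data.
    hits = reduce_failed_privileged_logons(parse_records(SAMPLE_LOGS), now)
    return hits, generate_report(hits)
```

Calling `demo()` returns the three matching records (the successful logon, the non-privileged user and the event outside the window are filtered out) and a three-line CSV ready to hand to an assessor or attach to an incident file.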


Your assessor needs a “yes” to every row:

| # | Question | What “yes” looks like |
|---|----------|------------------------|
| 1 | Is an audit record reduction capability provided? | SIEM or log tool where you can search, filter, and query logs to extract specific information on demand |
| 2 | Is a report generation capability provided? | Ability to produce formatted reports — pre-built dashboards plus ad-hoc query results exported as reports |

Documents they’ll review: Audit and accountability policy; procedures addressing audit record reduction and report generation; system security plan; list of pre-built reports and saved searches; sample generated reports; SIEM or log tool documentation

People they’ll talk to: Personnel with audit record reduction and report generation responsibilities; information security personnel; anyone who runs ad-hoc log queries

Live demos they’ll ask for: “Show me all privileged account activity from last week — pull the report now.” “Generate a report of failed logins across all CUI systems for the past 30 days.” “Show me file access activity for a specific user.”


These are the actual questions. Have answers ready.

  • “Show me how you search your audit logs. Run a query right now.”
  • “Generate a report of all admin logins from the past 30 days.”
  • “Can you filter logs by user, by system, by event type? Show me.”
  • “What pre-built reports do you have? Show me one.”
  • “If I asked you to find all file access to a specific CUI document last month, how long would it take?”
  • “Can you export results in a format suitable for management review or incident investigation?”

Raw logs only. Logs exist but there’s no search or query interface. Someone has to grep through text files on individual servers. This isn’t audit record reduction — it’s pain. Deploy a SIEM or log management tool.

Can’t answer ad-hoc questions. Monthly reports exist but when the assessor asks an unexpected question, it takes hours to produce an answer. On-demand means minutes, not hours. Build saved searches for common questions and ensure your team can write ad-hoc queries.

No report export. You can search logs on screen but can’t produce a formatted report for management or an investigation file. Ensure your tool can export query results as PDF, CSV, or a dashboard snapshot.

Only one person knows how. The SIEM works but only one engineer can query it. Cross-train at least two people. If your log analyst is on vacation during the assessment, you need someone else who can demonstrate the capability.



| Requirement | Why it matters here |
|-------------|---------------------|
| 3.3.1 — Log Everything | Creates the raw audit data this requirement makes searchable and reportable |
| 3.3.5 — Connect the Dots | Correlation feeds into the analysis capability; this requirement provides the query interface |
| 3.6.2 — Detect and Report | Incident investigation depends on the on-demand search capability |
| 3.3.2 — Trace Every Action | The ability to trace actions to users requires searchable, filterable logs |



CMMC Practice ID: AU.L2-3.3.6 | SPRS Weight: 1 point | POA&M Eligible: Yes