NIST 800-53 REV 5 • AUDIT AND ACCOUNTABILITY

AU-12(1) System-wide and Time-correlated Audit Trail

Compile audit records from {{ insert: param, au-12.01_odp.01 }} into a system-wide (logical or physical) audit trail that is time-correlated to within {{ insert: param, au-12.01_odp.02 }}.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

Supplemental Guidance

Audit trails are time-correlated if the time stamps in the individual audit records can be reliably related to the time stamps in other audit records to achieve a time ordering of the records within organizational tolerances.

Practitioner Notes

Create a system-wide audit trail that correlates events across time and across systems. When you investigate an incident, you should be able to trace the attacker's path through your environment.

Example 1: Ensure all systems use synchronized time (NTP) so that events from different systems can be accurately correlated by timestamp. Then centralize all logs in your SIEM. An investigation query like "show all activity by user X across all systems between 2:00 PM and 3:00 PM" should return results from every system that user touched.

Example 2: In Sentinel, use the Investigation Graph to visualize the timeline of events across multiple data sources. When you select an entity (user, IP, host), Sentinel shows all related events in chronological order from Azure AD, Defender, M365, and custom logs — giving you a complete attack timeline.
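The following sketch is an added example, not part of the NIST control text or of any product named above. It illustrates the Supplemental Guidance and Example 1: records from several systems are normalized to UTC and merged into one trail, and the measured clock error of each source decides whether the resulting order can be trusted. The host names, records, clock offsets and the 1-second tolerance are constructed assumptions; the tolerance stands in for the organization-defined value in the control statement.

```python
from datetime import datetime, timedelta, timezone

TOLERANCE = timedelta(seconds=1)  # assumed organizational tolerance

# Constructed sample records: (source, timestamp as logged, event).
RECORDS = [
    ("dc01",  "2024-05-01T14:00:03+00:00", "logon user=alice"),
    ("web01", "2024-05-01T10:00:05-04:00", "GET /admin user=alice"),
    ("db01",  "2024-05-01T16:00:04+02:00", "query payroll user=alice"),
    ("dc01",  "2024-05-01T14:00:09+00:00", "logoff user=alice"),
]

# Constructed clock offsets in seconds against the reference time source,
# as each host's NTP client would report them (positive = clock runs ahead).
CLOCK_OFFSET = {"dc01": 0.02, "web01": -0.4, "db01": 2.5}

def to_utc(stamp):
    """Parse an ISO 8601 timestamp and normalize it to UTC."""
    parsed = datetime.fromisoformat(stamp)
    if parsed.tzinfo is None:
        # A timestamp without a zone cannot be related to other systems.
        raise ValueError(f"timestamp has no UTC offset: {stamp}")
    return parsed.astimezone(timezone.utc)

def build_trail(records):
    """Merge per-system records into one trail ordered by UTC time."""
    return sorted((to_utc(ts), src, event) for src, ts, event in records)

def out_of_tolerance(offsets, tolerance=TOLERANCE):
    """Sources whose clock error exceeds the tolerance."""
    limit = tolerance.total_seconds()
    return sorted(s for s, off in offsets.items() if abs(off) > limit)

def ambiguous_pairs(trail, offsets):
    """Adjacent cross-system events whose gap is within combined clock error."""
    pairs = []
    for (t1, s1, e1), (t2, s2, e2) in zip(trail, trail[1:]):
        error = abs(offsets[s1]) + abs(offsets[s2])
        if s1 != s2 and (t2 - t1).total_seconds() <= error:
            pairs.append((e1, e2))
    return pairs

if __name__ == "__main__":
    trail = build_trail(RECORDS)
    for when, source, event in trail:
        print(when.isoformat(), source, event)
    print("out of tolerance:", out_of_tolerance(CLOCK_OFFSET))
    print("order not reliable:", ambiguous_pairs(trail, CLOCK_OFFSET))
```

With this sample data the host `db01` drifts beyond the tolerance, so the two event pairs it takes part in cannot be ordered reliably even though the merged trail sorts cleanly.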