NIST 800-53 REV 5 • AUDIT AND ACCOUNTABILITY
AU-6(3) — Correlate Audit Record Repositories
Analyze and correlate audit records across different repositories to gain organization-wide situational awareness.
Supplemental Guidance
Organization-wide situational awareness includes awareness across all three levels of risk management (i.e., organizational level, mission/business process level, and information system level) and supports cross-organization awareness.
Practitioner Notes
Correlate audit records across multiple systems and repositories. An attack often spans multiple systems — phishing email, then compromised workstation, then lateral movement. You need to connect the dots.
Example 1: In your SIEM, normalize all log sources to a common data model (Splunk CIM, Sentinel schema). When investigating an incident, search across all data sources for the suspect username, IP address, or file hash. The common schema makes cross-source correlation possible.
Example 2: Enable Microsoft Sentinel entity mapping so that alerts automatically correlate by user identity, IP address, and hostname. When you investigate an incident, Sentinel's Investigation Graph shows all related alerts and events across Azure AD, M365, Defender for Endpoint, and custom data sources — all linked to the same entity.
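Both examples rest on the same mechanism: every source is mapped to one schema, and an investigation pivots from an entity (user, host, IP) to everything that shares it. The script below is an added illustration written for this note, not Splunk's or Microsoft's code; the common schema, the three log formats and the sample records are all constructed assumptions.

```python
# Added example (not from the page): normalize three constructed log formats into one
# hypothetical common schema (time, source, user, host, ip, action), then expand from a seed
# entity across linked users/hosts/IPs, which is what a SIEM investigation graph automates.
import json
import re
# Constructed sample records, one raw format per repository.
MAIL_LOG = ["2024-05-01T08:02:11Z rcpt=alice@example.com sender=payroll@lookalike.test verdict=delivered"]
WIN_LOG = ['{"TimeCreated":"2024-05-01T08:05:40Z","EventID":4624,"TargetUserName":"Alice",'
           '"IpAddress":"10.1.1.25","Computer":"WS-0421"}']
EDR_LOG = ['{"ts":"2024-05-01T08:06:02Z","host":"WS-0421","user":"alice","proc":"powershell.exe","remote_ip":"10.1.5.9"}',
           '{"ts":"2024-05-01T08:06:30Z","host":"WS-0421","user":"SYSTEM","proc":"svchost.exe","remote_ip":"10.1.5.9"}',
           '{"ts":"2024-05-01T09:10:00Z","host":"WS-0099","user":"bob","proc":"chrome.exe","remote_ip":"203.0.113.7"}']
ENTITY_KEYS = ("user", "host", "ip")  # shared by every source; "ip" is the peer IP, direction varies by source

def norm_mail(line):
    ts, rest = line.split(" ", 1)
    kv = dict(re.findall(r"(\w+)=(\S+)", rest))
    return {"time": ts, "source": "mail", "user": kv["rcpt"].split("@")[0].lower(),
            "host": None, "ip": None, "action": "mail " + kv["verdict"] + " from " + kv["sender"]}

def norm_win(line):
    e = json.loads(line)
    return {"time": e["TimeCreated"], "source": "windows", "user": e["TargetUserName"].lower(),
            "host": e["Computer"], "ip": e["IpAddress"], "action": "logon event %d" % e["EventID"]}

def norm_edr(line):
    e = json.loads(line)
    return {"time": e["ts"], "source": "edr", "user": e["user"].lower(),
            "host": e["host"], "ip": e["remote_ip"], "action": e["proc"] + " -> " + e["remote_ip"]}

def normalize_all():
    events = [norm_mail(l) for l in MAIL_LOG] + [norm_win(l) for l in WIN_LOG] + [norm_edr(l) for l in EDR_LOG]
    return sorted(events, key=lambda e: e["time"])  # ISO-8601 UTC strings sort chronologically as text

def investigate(events, seed):
    """Start from a seed such as {"user": "alice"}; each matching event adds its own user/host/ip
    to the entity set and the scan repeats until nothing new appears. Returns (timeline, entities)."""
    entities = {k: set() for k in ENTITY_KEYS}
    entities.update({k: {v} for k, v in seed.items()})
    timeline, grew = [], True
    while grew:
        grew = False
        for e in events:
            if e in timeline or not any(e[k] in entities[k] for k in ENTITY_KEYS):
                continue
            timeline.append(e)
            grew = True
            for k in ENTITY_KEYS:
                if e[k]:
                    entities[k].add(e[k])
    return sorted(timeline, key=lambda e: e["time"]), entities
```

Seeding `investigate(normalize_all(), {"user": "alice"})` pulls in the SYSTEM-context EDR event on the same workstation through the shared host entity while leaving bob's unrelated activity out, which is the cross-source linkage the two examples describe.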