NIST SP 800-171 Rev 2 practice 3.3.5 requires organizations to correlate audit record review, analysis, and reporting processes to support investigation and response to anomalous or potentially malicious activity. This practice goes beyond simply collecting logs: it demands that defined processes for reviewing, analyzing, and reporting on audit records be formally established and then actively correlated so that events from multiple sources—network devices, endpoints, applications, identity systems—are examined together rather than in silos. Correlation enables analysts to detect patterns and attack chains that would be invisible when viewing any single log stream. The practice is grounded in NIST SP 800-171 Rev 2 Section 3.3 and directly supports the audit reduction and report generation capability described in NIST SP 800-53 AU-6 and AU-12. Without correlation, high-volume environments generate too much noise for human review, and subtle indicators of compromise are routinely missed.
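As an added illustration of the cross-source correlation this practice calls for (example code written for this page, not code from NIST or from any product), the Python below normalises constructed identity-provider, VPN-gateway and endpoint-agent records into one schema, joins them per user, and reports a finding only when an ordered chain of events appears across the sources within a time window. The log formats, the source names, the chain definition and the thresholds are all assumptions chosen for the example.

```python
import re
from collections import defaultdict, namedtuple
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class Event:
    ts: datetime    # timezone-aware UTC, so records from every source sort together
    source: str     # "idp", "vpn" or "edr"
    user: str       # the join key across sources
    kind: str       # normalised event type shared by all sources
    ip: str = ""

Finding = namedtuple("Finding", "user first_ts last_ts sources stages")
CHAIN = ("auth_fail", "auth_success", "vpn_session", "priv_change")

# Constructed sample records in hypothetical formats (not from any real product).
IDP_LOG = """\
2024-05-01T09:00:01Z user=alice result=FAIL ip=203.0.113.7
2024-05-01T09:00:09Z user=alice result=FAIL ip=203.0.113.7
2024-05-01T09:00:20Z user=alice result=FAIL ip=203.0.113.7
2024-05-01T09:00:31Z user=alice result=SUCCESS ip=203.0.113.7
2024-05-01T09:01:00Z user=bob result=SUCCESS ip=198.51.100.4
2024-05-01T09:05:00Z user=carol result=FAIL ip=192.0.2.9
2024-05-01T09:05:05Z user=carol result=FAIL ip=192.0.2.9
2024-05-01T09:05:12Z user=carol result=FAIL ip=192.0.2.9
"""
VPN_LOG = """\
May  1 09:02:10 vpn1 session-open user=alice peer=203.0.113.7
May  1 09:02:40 vpn1 session-open user=bob peer=198.51.100.4
"""
EDR_LOG = """\
2024-05-01 09:03:40 host=ws-17 user=alice event=local_admin_added
2024-05-01 09:06:00 host=ws-03 user=bob event=process_start
"""

# Per source: line pattern, timestamp format, and mapping onto a normalised kind.
SOURCES = {
    "idp": (re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) result=(?P<result>\S+) ip=(?P<ip>\S+)$"),
            "%Y-%m-%dT%H:%M:%SZ",
            lambda m: "auth_success" if m["result"] == "SUCCESS" else "auth_fail"),
    "vpn": (re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ session-open user=(?P<user>\S+) peer=(?P<ip>\S+)$"),
            "%b %d %H:%M:%S",
            lambda m: "vpn_session"),
    "edr": (re.compile(r"^(?P<ts>\S+ \S+) host=\S+ user=(?P<user>\S+) event=(?P<event>\S+)$"),
            "%Y-%m-%d %H:%M:%S",
            lambda m: "priv_change" if m["event"] == "local_admin_added" else "endpoint_other"),
}

def parse(source, text, year=None):
    """Normalise one source's raw lines into Events; lines that do not match are skipped."""
    regex, fmt, classify = SOURCES[source]
    events = []
    for line in text.splitlines():
        m = regex.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], fmt).replace(tzinfo=timezone.utc)
        if year is not None:  # syslog-style stamps carry no year, so the caller supplies it
            ts = ts.replace(year=year)
        events.append(Event(ts, source, m["user"], classify(m), m.groupdict().get("ip") or ""))
    return events

def _chain_after(evs, kinds, cursor):
    """Pick one event per kind, in order, each strictly later than the one before."""
    picked = []
    for kind in kinds:
        nxt = next((e for e in evs if e.kind == kind and e.ts > cursor), None)
        if nxt is None:
            return None
        picked.append(nxt)
        cursor = nxt.ts
    return picked

def correlate(events, window=timedelta(minutes=10), min_failures=3):
    """Join every source per user and report users whose records form the whole chain."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e.user].append(e)
    findings = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e.ts)
        for i, start in enumerate(evs):
            if start.kind != CHAIN[0]:
                continue
            in_window = [e for e in evs[i:] if e.ts - start.ts <= window]
            fails = [e for e in in_window if e.kind == CHAIN[0]]
            if len(fails) < min_failures:
                continue
            rest = _chain_after(in_window, CHAIN[1:], fails[min_failures - 1].ts)
            if rest:
                chain = fails[:min_failures] + rest
                findings.append(Finding(user, chain[0].ts, chain[-1].ts,
                                        tuple(sorted({e.source for e in chain})),
                                        tuple(e.kind for e in chain)))
                break  # one finding per user is enough for the report
    return findings

def load_all():
    return parse("idp", IDP_LOG) + parse("vpn", VPN_LOG, year=2024) + parse("edr", EDR_LOG)
```

Calling `correlate(load_all())` returns one finding, for alice, spanning all three sources. Feeding `correlate` only the identity-provider records, or only the endpoint records, returns nothing: three failed logons followed by a success is routine noise in one stream, and a local-admin addition is routine in another. The chain is visible only once the streams are normalised to a common schema, joined on a shared key and ordered in time, which is the capability this practice requires a defined process for.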
Where it stops · what it isn't
- This practice does not specify which audit events must be captured; that is addressed by AU-L2-3.3.1 (event logging) and AU-L2-3.3.2.
- This practice does not mandate a specific SIEM product or tooling; it requires the capability and defined process, not a particular vendor solution.
- This practice does not govern audit record protection or retention periods, which are addressed by separate AU domain practices.
- This practice does not require automated real-time alerting by itself, though correlation often enables it; alerting is addressed by AU-L2-3.3.6.
- This practice does not cover incident response procedures themselves; those are governed by the IR domain (IR-L2-3.6.1/3.6.2), though AU-3.3.5 provides the analytical foundation for IR.