NIST 800-53 REV 5 • AUDIT AND ACCOUNTABILITY
AU-2(1) — Compilation of Audit Records from Multiple Sources
CMMC Practice Mapping
No direct CMMC mapping
NIST 800-171 Mapping
No direct NIST 800-171 mapping
Related Controls
No related controls listed
Practitioner Notes
Compile audit records from multiple sources into a single view. When you have logs spread across dozens of systems, you need a way to bring them together for analysis.
Example 1: Deploy a SIEM (Splunk, Microsoft Sentinel, Elastic SIEM) and configure all systems to forward their logs to it. Windows servers use Windows Event Forwarding (WEF) or a Splunk Universal Forwarder; Linux systems use rsyslog; network devices use syslog.
Example 2: In Microsoft Sentinel, connect the data sources: Azure AD sign-in and audit logs (via the built-in connector), Windows Security events (via the Azure Monitor Agent, AMA), firewall logs (via syslog or a vendor connector), and M365 audit logs (via the M365 connector). This gives you a single pane of glass for all audit data.
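The examples above rely on a SIEM to do the compilation. The following is an added illustration, not code from the page or from any SIEM vendor, of what that compilation step actually involves: records from three sources in three different formats (an RFC 3164 syslog line from a Linux host, an RFC 5424 syslog line from a firewall, and a Windows Security event as a JSON forwarder might emit it) are normalised to one schema and merged into a single time-ordered view. The sample records, host names, IP addresses and the Windows JSON field names are constructed assumptions for the example; the year passed to the RFC 3164 parser is likewise an assumption, because that format carries no year.

```python
"""Compile audit records from several sources into one time-ordered view.
Added example for AU-2(1); not part of the original page. The sample
records below are constructed, not real logs."""
import json
import re
from datetime import datetime, timezone

# Constructed sample input: Linux RFC 3164 syslog, firewall RFC 5424 syslog,
# and a Windows Security event in an assumed JSON forwarder shape.
SAMPLE_RECORDS = [
    "<86>Mar 14 09:12:07 web01 sshd[2211]: Accepted publickey for deploy from 10.0.0.5 port 52210 ssh2",
    "<134>1 2024-03-14T09:11:58Z fw-edge-01 pf - - - block in on em0 proto tcp from 203.0.113.9 to 10.0.0.20 port 22",
    json.dumps({"TimeCreated": "2024-03-14T09:12:30Z", "Computer": "DC01.corp.example",
                "EventID": 4625, "Channel": "Security", "TargetUserName": "jsmith",
                "IpAddress": "10.0.0.5"}),
]

RFC3164 = re.compile(r"^<(\d+)>(\w{3}) +(\d{1,2}) (\d{2}:\d{2}:\d{2}) (\S+) ([^:\[]+)(?:\[\d+\])?: (.*)$")
RFC5424 = re.compile(r"^<(\d+)>1 (\S+) (\S+) (\S+) \S+ \S+ (?:-|(?:\[[^\]]*\])+) (.*)$")
IPV4 = re.compile(r"\bfrom (\d{1,3}(?:\.\d{1,3}){3})\b")


def _iso_utc(ts: str) -> datetime:
    """Parse an ISO 8601 timestamp; Python < 3.11 does not accept a trailing 'Z'."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)


def parse_syslog_3164(line: str, assume_year: int) -> dict:
    """RFC 3164 carries no year, so the caller supplies one (an assumption)."""
    m = RFC3164.match(line)
    if not m:
        raise ValueError(f"not RFC 3164: {line!r}")
    pri, mon, day, clock, host, app, msg = m.groups()
    ts = datetime.strptime(f"{assume_year} {mon} {day} {clock}", "%Y %b %d %H:%M:%S")
    ip = IPV4.search(msg)
    return {"ts": ts.replace(tzinfo=timezone.utc), "host": host, "source": "syslog-rfc3164",
            "facility": int(pri) >> 3, "severity": int(pri) & 7,
            "event": f"{app}: {msg}", "src_ip": ip.group(1) if ip else None}


def parse_syslog_5424(line: str) -> dict:
    """RFC 5424: PRI, version 1, ISO timestamp, host, app, procid, msgid, structured data, message."""
    m = RFC5424.match(line)
    if not m:
        raise ValueError(f"not RFC 5424: {line!r}")
    pri, ts, host, app, msg = m.groups()
    ip = IPV4.search(msg)
    return {"ts": _iso_utc(ts), "host": host, "source": "syslog-rfc5424",
            "facility": int(pri) >> 3, "severity": int(pri) & 7,
            "event": f"{app}: {msg}", "src_ip": ip.group(1) if ip else None}


def parse_windows_json(text: str) -> dict:
    """Field names (TimeCreated, Computer, EventID, ...) are the assumed forwarder shape."""
    ev = json.loads(text)
    return {"ts": _iso_utc(ev["TimeCreated"]), "host": ev["Computer"], "source": "windows-security",
            "facility": None, "severity": None,
            "event": f"EventID {ev['EventID']} ({ev.get('Channel')}) user={ev.get('TargetUserName')}",
            "src_ip": ev.get("IpAddress")}


def parse_record(raw: str, assume_year: int) -> dict:
    """Dispatch on the record's shape; unknown formats raise instead of being silently dropped."""
    raw = raw.strip()
    if raw.startswith("{"):
        return parse_windows_json(raw)
    if RFC5424.match(raw):
        return parse_syslog_5424(raw)
    if RFC3164.match(raw):
        return parse_syslog_3164(raw, assume_year)
    raise ValueError(f"unrecognised audit record: {raw[:40]!r}")


def compile_records(raw_records, assume_year: int) -> list:
    """The single view: every source mapped to one schema, ordered by UTC timestamp."""
    return sorted((parse_record(r, assume_year) for r in raw_records), key=lambda r: r["ts"])


def events_for_ip(records, ip: str) -> list:
    """Cross-source correlation that only a compiled view makes possible."""
    return [r for r in records if r["src_ip"] == ip]


if __name__ == "__main__":
    for r in compile_records(SAMPLE_RECORDS, assume_year=2024):
        print(r["ts"].isoformat(), r["host"], r["source"], r["event"], sep=" | ")
```

The point of the normalised schema is the last function: once the Linux sshd acceptance and the Windows 4625 failure share a `src_ip` field and a UTC clock, one query over the compiled view ties them together, which no single source's log could do on its own. Timestamps are forced to timezone-aware UTC before sorting so that records from hosts in different zones interleave correctly; a record in an unrecognised format raises rather than disappearing, because silent drops are exactly the gap this control is meant to close.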