NIST 800-53 REV 5 • AUDIT AND ACCOUNTABILITY

AU-7(2) Automatic Sort and Search

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

No related controls listed

Practitioner Notes

The audit system must support automatic sorting and searching of log records by various criteria — timestamp, user, event type, source system, severity.

Example 1: Ensure your SIEM supports full-text search across all indexed log data. In Splunk, every field is searchable and sortable by default. Create field extractions for any custom log formats so that all data is consistently parseable.

Example 2: In Sentinel, verify that your log schema normalizes key fields (TimeGenerated, UserPrincipalName, IPAddress, Computer) across all data sources. Use ASIM (Advanced Security Information Model) normalization parsers so that queries work across different log source formats without needing source-specific syntax.
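The normalization idea behind both examples, as an added illustration that is not part of the original page and is neither Splunk nor Sentinel syntax: two differently formatted sources are mapped onto the field names listed in Example 2, after which a single search-and-sort routine works across both. The sample log lines, the `EventType` field and all function names are constructed for this sketch.

```python
import json
import re
from datetime import datetime, timezone

# Constructed sample records from two hypothetical sources with different formats.
SSHD_LINES = [
    "2024-05-01T10:15:02Z web01 sshd[811]: Failed password for alice from 203.0.113.7 port 50122 ssh2",
    "2024-05-01T10:14:40Z web01 sshd[809]: Accepted password for bob from 198.51.100.4 port 40100 ssh2",
]
JSON_LINES = [
    '{"ts": 1714558490, "host": "idp01", "upn": "alice", "src": "203.0.113.7", "result": "failure"}',
]

SSHD_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<verb>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<ip>\S+) "
)

def normalize_sshd(line):
    """Map a syslog-style sshd line onto the common schema; None if it does not parse."""
    m = SSHD_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"TimeGenerated": ts, "Computer": m["host"], "UserPrincipalName": m["user"],
            "IPAddress": m["ip"],
            "EventType": "LogonFailure" if m["verb"] == "Failed" else "LogonSuccess"}

def normalize_json(line):
    """Map a JSON sign-in event (epoch timestamp, different key names) onto the same schema."""
    e = json.loads(line)
    return {"TimeGenerated": datetime.fromtimestamp(e["ts"], tz=timezone.utc),
            "Computer": e["host"], "UserPrincipalName": e["upn"], "IPAddress": e["src"],
            "EventType": "LogonFailure" if e["result"] == "failure" else "LogonSuccess"}

def load_all():
    """Normalize every sample line and drop the ones that failed to parse."""
    records = [normalize_sshd(l) for l in SSHD_LINES] + [normalize_json(l) for l in JSON_LINES]
    return [r for r in records if r is not None]

def search(records, since=None, **equals):
    """Filter on exact field matches and an optional start time, sorted by TimeGenerated."""
    hits = [r for r in records
            if (since is None or r["TimeGenerated"] >= since)
            and all(r.get(k) == v for k, v in equals.items())]
    return sorted(hits, key=lambda r: r["TimeGenerated"])

if __name__ == "__main__":
    for r in search(load_all(), UserPrincipalName="alice", EventType="LogonFailure"):
        print(r["TimeGenerated"].isoformat(), r["Computer"], r["IPAddress"])
```

Lines that fail to parse are dropped here for brevity; in a real pipeline they should be counted and reviewed, since unparsed records are invisible to every search.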