NIST 800-53 REV 5 • INCIDENT RESPONSE
IR-4(4) — Information Correlation
Correlate incident information and individual incident responses to achieve an organization-wide perspective on incident awareness and response.
CMMC Practice Mapping
No direct CMMC mapping
NIST 800-171 Mapping
No direct NIST 800-171 mapping
Related Controls
No related controls listed
Supplemental Guidance
Sometimes, a threat event, such as a hostile cyber-attack, can only be observed by bringing together information from different sources, including various reports and reporting procedures established by organizations.
Practitioner Notes
Individual incidents often look minor in isolation but form a pattern once they are correlated. This enhancement requires you to connect incident data and the individual responses to it across teams, sites and tools, so that the organization sees the whole campaign rather than a series of unrelated tickets.
Example 1: Use your SIEM (Splunk, Microsoft Sentinel, Elastic) to create correlation rules that group events by a shared attribute instead of alerting on each event alone. For example, correlate failed login attempts against many different accounts from the same source IP within a short window to identify credential-stuffing or password-spraying attacks. A per-account lockout threshold misses these because each account sees only one or two failures; only the cross-account view exposes the pattern. Treat a successful login from the same source shortly after the failures as a higher-severity finding, since it suggests one of the guesses worked.
Example 2: Maintain an incident tracking spreadsheet or database that logs every incident with the same set of fields: date, type, affected systems, source IP or other indicator, affected users, and the business unit involved. Consistent fields are what make later correlation possible, because you can join on them. Review the register at least quarterly to identify trends: are phishing attempts increasing? Is one department targeted more often than others? Does the same source IP or sender recur across incidents that were handled separately?
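The following is an added, self-contained illustration of both examples above; it is not code from the page or from any SIEM vendor. It implements the Example 1 correlation rule (distinct accounts failing from one source IP inside a sliding window, with a check for a subsequent success) over a few constructed log lines, and the Example 2 quarterly review (counts per quarter and type, per department, and recurring source IPs) over a constructed incident register. The log format, thresholds, field names and all values are hypothetical; in a real SIEM the first function is the equivalent of a group-by on source IP with a distinct count of accounts per time bucket.

```python
"""IR-4(4) correlation examples. Constructed data; hypothetical formats."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed auth log: "<timestamp> <FAIL|OK> <user> <source_ip>" (hypothetical format).
SAMPLE_AUTH_LOG = """\
2024-05-01T10:00:01Z FAIL alice 203.0.113.7
2024-05-01T10:00:04Z FAIL bob 203.0.113.7
2024-05-01T10:00:09Z FAIL carol 203.0.113.7
2024-05-01T10:00:15Z FAIL dave 203.0.113.7
2024-05-01T10:00:20Z FAIL erin 203.0.113.7
2024-05-01T10:00:31Z OK frank 203.0.113.7
2024-05-01T10:02:00Z FAIL alice 198.51.100.20
2024-05-01T10:05:00Z FAIL alice 198.51.100.20
2024-05-01T10:09:00Z OK alice 198.51.100.20
2024-05-01T11:30:00Z FAIL bob 192.0.2.9
"""

LINE_RE = re.compile(r"^(\S+) (FAIL|OK) (\S+) (\S+)$")


def parse_auth_log(text):
    """Parse log lines into event dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, result, user, ip = m.groups()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "ok": result == "OK", "user": user, "ip": ip})
    return events


def correlate_failed_logins(events, window=timedelta(minutes=10), min_accounts=5):
    """One finding per source IP whose failures hit >= min_accounts distinct users
    within `window`. Per-account rules never fire on this data (alice fails at most
    twice); grouping by source IP is what exposes the spray."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    findings = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e for e in evs if not e["ok"]]
        start = 0
        for end in range(len(fails)):  # sliding window over this IP's failures
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            users = {e["user"] for e in fails[start:end + 1]}
            if len(users) >= min_accounts:
                w_start, w_end = fails[start]["ts"], fails[end]["ts"]
                # A success from the same IP shortly after the spray suggests a hit.
                later_ok = sorted({e["user"] for e in evs
                                   if e["ok"] and w_start <= e["ts"] <= w_end + window})
                findings.append({"ip": ip, "distinct_accounts": len(users),
                                 "window_start": w_start, "window_end": w_end,
                                 "successes_after": later_ok})
                break  # one alert per IP is enough
    return findings


# Constructed incident register rows with the common fields from Example 2.
INCIDENT_REGISTER = [
    {"date": "2024-01-15", "type": "phishing", "dept": "finance", "src_ip": "203.0.113.7"},
    {"date": "2024-02-03", "type": "phishing", "dept": "hr", "src_ip": "198.51.100.20"},
    {"date": "2024-03-20", "type": "malware", "dept": "finance", "src_ip": "192.0.2.9"},
    {"date": "2024-04-02", "type": "phishing", "dept": "finance", "src_ip": "203.0.113.7"},
    {"date": "2024-05-11", "type": "phishing", "dept": "finance", "src_ip": "203.0.113.7"},
    {"date": "2024-06-09", "type": "phishing", "dept": "hr", "src_ip": "198.51.100.20"},
    {"date": "2024-06-25", "type": "malware", "dept": "it", "src_ip": "192.0.2.9"},
]


def quarter_of(date_str):
    d = datetime.strptime(date_str, "%Y-%m-%d")
    return f"{d.year}Q{(d.month - 1) // 3 + 1}"


def incident_trends(records):
    """Answer the quarterly-review questions: volume per quarter and type,
    which departments are hit, and which source IPs recur across incidents
    that were handled separately."""
    per_quarter_type = Counter((quarter_of(r["date"]), r["type"]) for r in records)
    per_dept = Counter(r["dept"] for r in records)
    ip_counts = Counter(r["src_ip"] for r in records)
    recurring = sorted(ip for ip, n in ip_counts.items() if n > 1)
    return {"per_quarter_type": dict(per_quarter_type),
            "per_dept": dict(per_dept), "recurring_ips": recurring}


if __name__ == "__main__":
    for f in correlate_failed_logins(parse_auth_log(SAMPLE_AUTH_LOG)):
        print("SPRAY", f["ip"], f["distinct_accounts"], "accounts;",
              "later success:", f["successes_after"])
    print(incident_trends(INCIDENT_REGISTER))
```

Only 203.0.113.7 is flagged: five distinct accounts fail within nineteen seconds and frank then logs in successfully from the same address, which is the case to escalate first. The register summary shows phishing rising from two to three per quarter, finance receiving more incidents than any other department, and all three source IPs recurring, which is exactly the cross-incident view the enhancement asks for.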