NIST 800-53 REV 5 • SYSTEM AND INFORMATION INTEGRITY

SI-4(16) Correlate Monitoring Information

Correlate information from monitoring tools and mechanisms employed throughout the system.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

Supplemental Guidance

Correlating information from different system monitoring tools and mechanisms can provide a more comprehensive view of system activity. Correlating system monitoring tools and mechanisms that typically work in isolation—including malicious code protection software, host monitoring, and network monitoring—can provide an organization-wide monitoring view and may reveal otherwise unseen attack patterns. Understanding the capabilities and limitations of diverse monitoring tools and mechanisms and how to maximize the use of information generated by those tools and mechanisms can help organizations develop, operate, and maintain effective monitoring programs. The correlation of monitoring information is especially important during the transition from older to newer technologies (e.g., transitioning from IPv4 to IPv6 network protocols).

Practitioner Notes

Correlate monitoring information from multiple sources to build a comprehensive picture of security events. No single source tells the whole story.

Example 1: In your SIEM, create multi-source correlation rules that combine Azure AD sign-in logs, endpoint detections, firewall logs, and email security events. A phishing email (email log), followed by a credential login from a new location (Azure AD), followed by a bulk data download (endpoint) tells a story that no single source reveals on its own.
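As an added illustration (not from NIST or the original page), the following Python sketch implements the Example 1 rule as a per-user ordered sequence match over normalised events from the email, Azure AD and endpoint sources; the event records, source names and event-type labels are constructed for the example and are not any product's real schema.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real data), normalised to one shape:
# (timestamp, source, user, event_type, detail). Bob and Carol each trigger
# only one stage, so they must not produce an incident.
EVENTS = [
    ("2024-03-01T09:00:00", "email",    "alice@example.com", "phish_delivered",      "subject=Invoice overdue"),
    ("2024-03-01T09:12:00", "azure_ad", "alice@example.com", "signin_new_location",  "ip=203.0.113.7"),
    ("2024-03-01T09:40:00", "endpoint", "alice@example.com", "bulk_download",        "bytes=850000000"),
    ("2024-03-01T10:05:00", "azure_ad", "bob@example.com",   "signin_new_location",  "ip=198.51.100.2"),
    ("2024-03-01T11:30:00", "endpoint", "carol@example.com", "bulk_download",        "bytes=120000000"),
]

# The multi-stage pattern from Example 1; each stage comes from a different tool.
PATTERN = [("email", "phish_delivered"),
           ("azure_ad", "signin_new_location"),
           ("endpoint", "bulk_download")]


def correlate(events, pattern=PATTERN, window=timedelta(hours=2)):
    """Return one incident per user whose events match `pattern` in order,
    all within `window` of the first matching event."""
    by_user = {}
    for ts, src, user, etype, detail in sorted(events):  # ISO timestamps sort lexically
        by_user.setdefault(user, []).append((datetime.fromisoformat(ts), src, etype, detail))

    incidents = []
    for user, evs in by_user.items():
        stage, start, chain = 0, None, []
        for t, src, etype, detail in evs:
            if start is not None and t - start > window:
                stage, start, chain = 0, None, []      # window expired: restart the match
            if (src, etype) == pattern[stage]:
                start = start if start is not None else t
                chain.append((src, etype, detail))
                stage += 1
                if stage == len(pattern):
                    incidents.append({"user": user, "start": start, "chain": chain})
                    break
    return incidents


if __name__ == "__main__":
    for inc in correlate(EVENTS):
        print(inc["user"], inc["start"].isoformat(), [c[1] for c in inc["chain"]])
```

Only Alice's three events, seen across three separate tools, form an incident; the isolated new-location sign-in and the isolated bulk download stay as single-source signals for lower-severity handling.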

Example 2: Use Microsoft 365 Defender's unified incident view that automatically correlates email, endpoint, identity, and cloud app alerts into a single incident. This cross-product correlation reveals multi-stage attacks that would be invisible if you looked at each product independently.