Out of the 110 CMMC Level 2 Controls: The Logs the SIEM Collects

Minimum Logs for CMMC Level 2

1. Microsoft 365 / Entra ID Logs

Required

  • User Logins
  • Failed Logins
  • MFA Events
  • Conditional Access Events
  • Password Changes
  • Privilege Elevations

Examples

  • User logged in from Russia
  • MFA failure
  • New admin account created

2. Active Directory Logs Collected

  • Authentication
  • Failed Logins
  • Group Membership Changes
  • Account Lockouts
  • New User Creation
  • User Deletion

Critical Events

  • Domain Admin Added
  • New Administrator Account
  • Account Disabled

3. Firewall Logs Collected

  • VPN Connections
  • Failed VPN Attempts
  • Firewall Denies
  • Configuration Changes
  • Geo-IP Blocks

Examples

  • Login attempt from China
  • Firewall rule modified
  • New VPN connection

4. Endpoint Protection Logs Collected

SentinelOne or Defender or CrowdStrike

  • Malware Detection
  • Quarantines
  • Behavioral Alerts
  • Process Execution
  • Threat Hunting Data

5. Windows Event Logs

Security Log

Collect the Following:

  • Login Events
  • Failed Logins
  • Privilege Escalation

System Log

Collect the Following

  • Service Failures
  • Reboots
  • Hardware Events

6. Server Logs

File Servers

Collect:

  • File Access
  • Permission Changes
  • Share Access

Domain Controllers

Collect the Following

  • Authentication Events
  • Kerberos Events
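
The lists in sections 2, 5 and 6 name audit categories, but a collector forwards event IDs, so the practical check is whether every category above is actually evidenced by at least one forwarded Windows Security event. The following is an added example, not code from the original page or from any product: it maps each category to its standard Windows Security event IDs, scores a constructed sample feed for coverage gaps, and builds the XPath filter a forwarding subscription would use to ship only those IDs. The sample records and the field names (EventID, Computer, TargetUserName) are constructed for the example.

```python
"""Added example (not from the original page): map the audit categories that
sections 2, 5 and 6 ask for onto Windows Security event IDs, then check a
sample event feed for collection gaps.  The event IDs are the standard
Windows Security log IDs; the sample events below are constructed."""
from collections import defaultdict

# Audit category -> the Windows Security event IDs that evidence it.
REQUIRED_EVENTS = {
    "Authentication":           {4624, 4648},        # logon, logon with explicit credentials
    "Failed Logins":            {4625},              # failed logon
    "Account Lockouts":         {4740},              # account locked out
    "New User Creation":        {4720},              # user account created
    "User Deletion":            {4726},              # user account deleted
    "Account Disabled":         {4725},              # user account disabled
    "Group Membership Changes": {4728, 4732, 4756},  # member added to global/local/universal group
    "Privilege Escalation":     {4672},              # special privileges assigned to new logon
    "Kerberos Events":          {4768, 4769, 4771},  # TGT requested, service ticket, pre-auth failed
}

# Constructed sample feed, shaped like records a collector would emit.
SAMPLE_EVENTS = [
    {"EventID": 4624, "Computer": "DC01", "TargetUserName": "jsmith"},
    {"EventID": 4625, "Computer": "DC01", "TargetUserName": "jsmith"},
    {"EventID": 4672, "Computer": "DC01", "SubjectUserName": "admin"},
    {"EventID": 4720, "Computer": "DC01", "TargetUserName": "svc_backup"},
    {"EventID": 4768, "Computer": "DC01", "TargetUserName": "jsmith"},
    {"EventID": 7036, "Computer": "FS01", "Message": "service entered the running state"},
]


def categorize(event):
    """Return the audit categories a single event evidences (possibly none)."""
    eid = event.get("EventID")
    return [cat for cat, ids in REQUIRED_EVENTS.items() if eid in ids]


def coverage_report(events):
    """Count evidence per category; a zero count means that category is not being collected."""
    counts = defaultdict(int)
    for ev in events:
        for cat in categorize(ev):
            counts[cat] += 1
    return {cat: counts.get(cat, 0) for cat in REQUIRED_EVENTS}


def missing_categories(events):
    """Categories with no evidence at all: the gaps an auditor would find."""
    return sorted(cat for cat, n in coverage_report(events).items() if n == 0)


def minimal_xpath_filter():
    """XPath selecting only the required IDs, as used by wevtutil qe and
    Windows Event Forwarding subscriptions."""
    ids = sorted(set().union(*REQUIRED_EVENTS.values()))
    clauses = " or ".join(f"EventID={i}" for i in ids)
    return f"*[System[({clauses})]]"


if __name__ == "__main__":
    for cat, n in coverage_report(SAMPLE_EVENTS).items():
        print(f"{cat:<26} {n}")
    print("Missing:", missing_categories(SAMPLE_EVENTS))
    print(minimal_xpath_filter())
```

A zero count on a category over a realistic sample period (a day or a week, not a handful of records) is the gap to fix before the audit, either because the audit policy on the host never generates that ID or because the forwarding filter drops it.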

7. Backup System Logs

Examples

Datto or Axcient or Cove or Veeam

Collect:

  • Backup Success
  • Backup Failure
  • Restore Attempts

8. Email Security Logs

Microsoft 365

Collect:

  • Mail Flow
  • Phishing Detection
  • Malware Detection
  • User Click Events

Defender for Office 365

Critical for:

  • Business Email Compromise
  • Credential Theft

9. Vulnerability Scanner Logs

Examples

Tenable, Rapid7, or Qualys

Collect:

  • New Vulnerabilities
  • Critical Vulnerabilities
  • Remediation Status

10. Network Infrastructure Logs

  • Switches
  • Wireless
  • Routers

Collect:

  • Admin Logins
  • Configuration Changes
  • Wireless Authentication Events

Critical Events Every SIEM Should Alert On

Identity

  • New Admin Account
  • MFA Disabled
  • Multiple Failed Logins
  • Impossible Travel

Endpoint

  • Malware Detected
  • Ransomware Behavior
  • Unauthorized Software

Network

  • VPN Login After Hours
  • Firewall Configuration Changes
  • Port Scanning

Microsoft 365

  • Mailbox Forwarding Rule Created
  • New Global Admin
  • Suspicious Login
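
Several of the conditions above are correlation rules rather than single events: "Multiple Failed Logins" needs a count inside a time window, and "Impossible Travel" needs the distance between two sign-in locations divided by the time between them. The following is an added example, not code from the original page or from any SIEM vendor: it evaluates those two rules plus the new-admin, MFA-disabled and mailbox-forwarding conditions over a constructed, vendor-neutral event feed. The field names (ts, user, op, ip, lat, lon, role, target, forward_to) and the thresholds are assumptions for the example, not any product's schema or defaults.

```python
"""Added example (not the page's or any vendor's code): a handful of the
alert conditions listed above, evaluated over a constructed event feed.
The normalised field names and the thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

FAILED_LOGIN_THRESHOLD = 5                 # failures per user ...
FAILED_LOGIN_WINDOW = timedelta(minutes=10)  # ... inside this sliding window
IMPOSSIBLE_SPEED_KMH = 900.0               # faster than an airliner between two sign-ins
MIN_TRAVEL_KM = 100.0                      # ignore geo-IP jitter inside one metro area
PRIVILEGED_ROLES = {"Global Administrator", "Domain Admins"}


def _t(s):
    return datetime.fromisoformat(s)


# Constructed sample feed (UTC). Coordinates are approximate city centres.
EVENTS = [
    {"ts": _t("2024-03-04T08:00:00"), "user": "jsmith", "op": "login_failed", "ip": "203.0.113.5"},
    {"ts": _t("2024-03-04T08:01:00"), "user": "jsmith", "op": "login_failed", "ip": "203.0.113.5"},
    {"ts": _t("2024-03-04T08:02:00"), "user": "jsmith", "op": "login_failed", "ip": "203.0.113.5"},
    {"ts": _t("2024-03-04T08:03:00"), "user": "jsmith", "op": "login_failed", "ip": "203.0.113.5"},
    {"ts": _t("2024-03-04T08:04:00"), "user": "jsmith", "op": "login_failed", "ip": "203.0.113.5"},
    {"ts": _t("2024-03-04T08:05:00"), "user": "jsmith", "op": "login_ok", "ip": "203.0.113.5",
     "lat": 33.9, "lon": -117.9},                                   # southern California
    {"ts": _t("2024-03-04T09:05:00"), "user": "jsmith", "op": "login_ok", "ip": "198.51.100.7",
     "lat": 55.75, "lon": 37.62},                                   # Moscow, one hour later
    {"ts": _t("2024-03-04T09:10:00"), "user": "jsmith", "op": "role_member_added",
     "role": "Global Administrator", "target": "svc_new"},
    {"ts": _t("2024-03-04T09:12:00"), "user": "jsmith", "op": "mfa_disabled", "target": "jsmith"},
    {"ts": _t("2024-03-04T09:15:00"), "user": "jsmith", "op": "inbox_rule_created",
     "forward_to": "mailbox@example.net"},
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km using a mean Earth radius of 6371 km."""
    p1, p2 = radians(lat1), radians(lat2)
    a = sin((p2 - p1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def detect_failed_login_bursts(events):
    """Multiple Failed Logins: >= threshold failures for one user inside the window."""
    alerts, by_user = [], defaultdict(list)
    for ev in events:
        if ev["op"] == "login_failed":
            by_user[ev["user"]].append(ev["ts"])
    for user, times in by_user.items():
        times.sort()
        for i, start in enumerate(times):
            in_window = [t for t in times[i:] if t - start <= FAILED_LOGIN_WINDOW]
            if len(in_window) >= FAILED_LOGIN_THRESHOLD:
                alerts.append(("multiple_failed_logins", user, len(in_window)))
                break  # one alert per user per evaluation
    return alerts


def detect_impossible_travel(events):
    """Impossible Travel: consecutive successful sign-ins that imply an impossible speed."""
    alerts, by_user = [], defaultdict(list)
    for ev in events:
        if ev["op"] == "login_ok" and "lat" in ev:
            by_user[ev["user"]].append(ev)
    for user, logins in by_user.items():
        logins.sort(key=lambda e: e["ts"])
        for a, b in zip(logins, logins[1:]):
            km = haversine_km(a["lat"], a["lon"], b["lat"], b["lon"])
            hours = (b["ts"] - a["ts"]).total_seconds() / 3600
            speed = float("inf") if hours == 0 else km / hours  # same second, different city
            if km >= MIN_TRAVEL_KM and speed > IMPOSSIBLE_SPEED_KMH:
                alerts.append(("impossible_travel", user, round(speed)))
    return alerts


def detect_privileged_changes(events):
    """New Admin Account, MFA Disabled, Mailbox Forwarding Rule Created."""
    alerts = []
    for ev in events:
        if ev["op"] == "role_member_added" and ev.get("role") in PRIVILEGED_ROLES:
            alerts.append(("new_admin_account", ev["target"], ev["role"]))
        elif ev["op"] == "mfa_disabled":
            alerts.append(("mfa_disabled", ev["target"], ev["user"]))
        elif ev["op"] == "inbox_rule_created" and ev.get("forward_to"):
            alerts.append(("mailbox_forwarding_rule", ev["user"], ev["forward_to"]))
    return alerts


def run_all(events):
    return (detect_failed_login_bursts(events)
            + detect_impossible_travel(events)
            + detect_privileged_changes(events))


if __name__ == "__main__":
    for alert in run_all(EVENTS):
        print(alert)
```

The five-failure / ten-minute window and the 900 km/h ceiling are starting points to tune against the client's own baseline; the MIN_TRAVEL_KM floor matters because geo-IP databases place the same ISP address in different nearby cities from one lookup to the next, and without it the rule pages on noise.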

What Auditors Will Ask

For CMMC:

Show me:

  • Login activity
  • Failed logins
  • Account changes
  • Privilege changes
  • Audit logs
  • Retention settings

Microsoft Environment Recommendation

If your client is on:

Microsoft 365 Business Premium

Send to:

Microsoft Sentinel

Collect:

Source            Priority
Entra ID          Critical
M365 Audit        Critical
Defender          Critical
Intune            Critical
Windows Servers   Critical
Firewalls         Critical
Backup Systems    High
Switches          Medium
Printers          Low
