NIST 800-53 REV 5 • SYSTEM AND INFORMATION INTEGRITY

SI-4(13) Analyze Traffic and Event Patterns

(a) Analyze communications traffic and event patterns for the system;
(b) Develop profiles representing common traffic and event patterns; and
(c) Use the traffic and event profiles in tuning system-monitoring devices.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

No related controls listed

Supplemental Guidance

Identifying and understanding common communications traffic and event patterns help organizations provide useful information to system monitoring devices to more effectively identify suspicious or anomalous traffic and events when they occur. Such information can help reduce the number of false positives and false negatives during system monitoring.

Practitioner Notes

Look for patterns in traffic and events over time — single events may look normal, but patterns can reveal sophisticated attacks that operate slowly.

Example 1: Configure your SIEM to correlate events over time windows. A single failed login is normal. But 50 failed logins across 20 different accounts over 3 hours from the same source IP is a password spray attack. Set correlation rules to catch these patterns.

Example 2: Use UEBA (User and Entity Behavior Analytics) in your SIEM to build baselines for each user and detect deviations. If a user who normally accesses 5 files per day suddenly downloads 500 files, that anomaly triggers an investigation even though each individual access was authorized.
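The following Python prototype is an added illustration of both practitioner examples above; it is not part of the NIST control text or this page's notes, and no SIEM product exposes it as an API. It assumes a simple normalized event record (a dict with `ts`, `type`, `user`, `src`) and uses the thresholds quoted in Example 1 (50 failures, 20 accounts, 3 hours) as defaults. The log events and the daily file-access history are constructed for the example; the source addresses are from the documentation ranges. `detect_password_spray` is the time-window correlation rule, and `volume_anomaly` is the per-user baseline check, including a ratio guard so that a nearly flat baseline (standard deviation close to zero) does not alert on trivial variation.

```python
"""Prototype of the two SI-4(13) practitioner examples: time-window
correlation (password spray) and per-user baseline deviation (UEBA-style).
Event format, field names and thresholds are assumptions for this example."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# ---- Example 1: correlate failed logins over a sliding time window ----

def detect_password_spray(events, window=timedelta(hours=3),
                          min_failures=50, min_accounts=20):
    """Return one alert per source IP that produced >= min_failures failed
    logins against >= min_accounts distinct accounts inside any `window`.
    Each event is a dict with keys: ts (datetime), type, user, src."""
    failures_by_src = defaultdict(list)
    for ev in events:
        if ev["type"] == "auth_failure":
            failures_by_src[ev["src"]].append(ev)

    alerts = []
    for src, fails in failures_by_src.items():
        fails.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(fails)):
            # Slide the window start forward until the span fits in `window`.
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            in_window = fails[start:end + 1]
            accounts = {e["user"] for e in in_window}
            if len(in_window) >= min_failures and len(accounts) >= min_accounts:
                alerts.append({
                    "rule": "password_spray",
                    "src": src,
                    "failures": len(in_window),
                    "accounts": len(accounts),
                    "window_start": in_window[0]["ts"],
                    "window_end": in_window[-1]["ts"],
                })
                break  # one alert per source is enough for triage
    return alerts

# ---- Example 2: per-user baseline of daily file accesses ----

def volume_anomaly(history, observed, sigmas=3.0, min_ratio=2.0):
    """Flag `observed` (today's count) against `history` (past daily counts).
    A day is anomalous only if it exceeds mean + sigmas*stdev AND is at
    least min_ratio times the mean; the ratio guard stops a flat baseline
    (stdev near zero) from alerting on a count of 6 after a mean of 5."""
    mu = mean(history)
    threshold = mu + sigmas * pstdev(history)
    return observed > threshold and observed >= min_ratio * mu

# ---- Constructed sample data (not from any real system) ----

BASE = datetime(2024, 1, 15, 9, 0)

def sample_events():
    events = []
    # One source hits 20 accounts, 50 failures, spread over about 2.5 hours.
    for i in range(50):
        events.append({"ts": BASE + timedelta(minutes=3 * i),
                       "type": "auth_failure",
                       "user": f"user{i % 20:02d}",
                       "src": "203.0.113.7"})
    # A benign user mistyping a password three times from one workstation.
    for i in range(3):
        events.append({"ts": BASE + timedelta(minutes=i),
                       "type": "auth_failure",
                       "user": "alice", "src": "198.51.100.4"})
    events.append({"ts": BASE + timedelta(minutes=4), "type": "auth_success",
                   "user": "alice", "src": "198.51.100.4"})
    return events

# Fourteen days of one user's daily file-access counts, hovering around 5.
FILE_ACCESS_HISTORY = [4, 5, 6, 5, 4, 5, 6, 5, 5, 4, 6, 5, 5, 5]

if __name__ == "__main__":
    for alert in detect_password_spray(sample_events()):
        print(alert)
    print("500 files anomalous:", volume_anomaly(FILE_ACCESS_HISTORY, 500))
    print("6 files anomalous:", volume_anomaly(FILE_ACCESS_HISTORY, 6))
```

Run stand-alone, the spray rule raises exactly one alert for 203.0.113.7 (50 failures, 20 accounts) and stays silent for the three benign failures, and the baseline check flags the 500-file day but not a 6-file day. The same window and threshold parameters are what you would tune from the traffic and event profiles the control asks for; raising `min_failures` or shortening `window` trades false negatives for false positives, which is the tuning decision the supplemental guidance refers to.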