NIST 800-53 REV 5 • SYSTEM AND INFORMATION INTEGRITY

SI-4(7) Automated Response to Suspicious Events

Notify {{ insert: param, si-04.07_odp.01 }} of detected suspicious events; and Take the following actions upon detection: {{ insert: param, si-04.07_odp.02 }}.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

No related controls listed

Supplemental Guidance

Least-disruptive actions include initiating requests for human responses.

Practitioner Notes

Configure automated responses for the types of suspicious events that are detected with high confidence; for those threats the system should react faster than a human can.

Example 1: Set up automated playbooks in Microsoft Sentinel (Logic Apps) that automatically disable a user account when impossible travel is detected, or automatically block an IP address at the firewall when a brute-force attack is confirmed.

Example 2: Configure Microsoft Defender for Endpoint to automatically isolate a machine from the network when a high-confidence ransomware detection occurs. The machine stays online for investigation but cannot communicate with other machines on your network.
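As an added illustration (not code from this page, from NIST, or from Microsoft), the following Python response policy implements the SI-4(7) pattern behind both examples: every detection notifies the assigned party, only high-confidence detections trigger the automated action, and a protected-account list plus a per-action rate limit fall back to the least-disruptive action (a request for human response) so the automation itself cannot lock an organisation out. The thresholds, event names and the `soc-oncall` recipient are constructed assumptions.

```python
"""Illustrative SI-4(7) response policy (added example; not vendor or NIST code).
Maps a detected suspicious event to either a notification with a request for human
response (least disruptive) or an automated containment action, gated on detection
confidence and on a blast-radius limit. All thresholds below are constructed."""
from dataclasses import dataclass, field

AUTO_CONFIDENCE = 0.9                      # automate only high-confidence detections
MAX_AUTO_ACTIONS_PER_WINDOW = 5            # cap per action type, so automation cannot mass-disable
PROTECTED_ACCOUNTS = {"breakglass-admin"}  # never auto-disabled; a human decides

# Event type -> automated containment action (mirrors the page's two examples).
AUTOMATED_ACTIONS = {
    "impossible_travel": "disable_account",
    "brute_force_confirmed": "block_ip",
    "ransomware_high_confidence": "isolate_host",
}

@dataclass
class Event:
    kind: str
    subject: str        # account, IP address or host the detection concerns
    confidence: float   # detector score in [0, 1]

@dataclass
class ResponsePolicy:
    notify: str = "soc-oncall"                 # the "whom to notify" parameter (constructed)
    taken: dict = field(default_factory=dict)  # action -> count in the current window

    def decide(self, ev: Event) -> dict:
        """Return the action record for one event: always notify, automate only when safe."""
        record = {"notify": self.notify, "event": ev.kind, "subject": ev.subject}
        action = AUTOMATED_ACTIONS.get(ev.kind)
        if action is None or ev.confidence < AUTO_CONFIDENCE:
            record["action"] = "request_human_response"
            record["reason"] = "unknown event type" if action is None else "confidence below threshold"
            return record
        if action == "disable_account" and ev.subject in PROTECTED_ACCOUNTS:
            record["action"] = "request_human_response"
            record["reason"] = "protected account"
            return record
        if self.taken.get(action, 0) >= MAX_AUTO_ACTIONS_PER_WINDOW:
            record["action"] = "request_human_response"
            record["reason"] = "automation rate limit reached"
            return record
        self.taken[action] = self.taken.get(action, 0) + 1   # count the automated action
        record["action"] = action
        record["reason"] = "high-confidence detection"
        return record
```

In a real deployment the returned record is what the playbook would hand to the identity provider, firewall or endpoint tool, and the rate-limit counter would be reset per time window.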