|
controlSI-4
System Monitoring (SI-4)
Monitor the system to detect: Identify unauthorized use of the system through the following techniques and methods: [organization-defined]; Invoke internal monitoring capabilities or deploy monitoring devices: Analyze detected events and anomalies; Adjust the level of system monitoring activity when there is a change in risk to organizational operations and assets, individuals, other organizations, or the Nation; Obtain legal opinion regarding system monitoring activities; and Provide [organizat
Security Baselines
LOWMODERATEHIGH
integritymalwareflaw-remediationmonitoring
Why These Connect
Baselined In3
This control is included in the linked security baseline (LOW, MODERATE, or HIGH).
Supports99
These related controls work together — a change to one may affect the others.
Mitigates37
This control helps defend against or reduce the risk of the linked threat technique.
Enhances25
These enhancements add specific capabilities or refinements to the base control.
Related Controls(59)
AC-3Access Enforcement (AC-3)
LMH
AC-8System Use Notification (AC-8)LMH
AC-17Remote Access (AC-17)LMH
AC-18Wireless Access (AC-18)LMH
AC-19Access Control for Mobile Devices (AC-19)LMH
AU-2Event Logging (AU-2)LMH
AU-4Audit Log Storage Capacity (AU-4)LMH
AU-5Response to Audit Logging Process Failures (AU-5)LMH
AU-6Audit Record Review, Analysis, and Reporting (AU-6)LMH
AU-7Audit Record Reduction and Report Generation (AU-7)MH
AU-9Protection of Audit Information (AU-9)LMH
AU-12Audit Record Generation (AU-12)LMH
CA-7Continuous Monitoring (CA-7)LMH
CM-3Configuration Change Control (CM-3)MH
CM-6Configuration Settings (CM-6)LMH
CM-7Least Functionality (CM-7)LMH
CM-11User-installed Software (CM-11)LMH
CM-12Information Location (CM-12)MH
CP-9System Backup (CP-9)LMH
IA-3Device Identification and Authentication (IA-3)MH
IR-4Incident Handling (IR-4)LMH
IR-5Incident Monitoring (IR-5)LMH
PE-3Physical Access Control (PE-3)LMH
PM-12Insider Threat Program (PM-12)PM-14Testing, Training, and Monitoring (PM-14)PM-23Data Governance Body (PM-23)PM-31Continuous Monitoring Strategy (PM-31)RA-5Vulnerability Monitoring and Scanning (RA-5)LMH
RA-10Threat Hunting (RA-10)SA-24Design For Cyber Resiliency (SA-24)SC-26Decoys (SC-26)SC-35External Malicious Code Identification (SC-35)SC-37Out-of-band Channels (SC-37)SC-48Sensor Relocation (SC-48)SI-3Malicious Code Protection (SI-3)LMH
AC-2Account Management (AC-2)LMH
AC-4Information Flow Enforcement (AC-4)MH
AU-13Monitoring for Information Disclosure (AU-13)AU-14Session Audit (AU-14)CM-8System Component Inventory (CM-8)LMH
IA-10Adaptive Authentication (IA-10)MA-3Maintenance Tools (MA-3)MH
MA-4Nonlocal Maintenance (MA-4)LMH
PL-9Central Management (PL-9)SC-5Denial-of-service Protection (SC-5)LMH
SC-7Boundary Protection (SC-7)LMH
SC-18Mobile Code (SC-18)MH
SC-31Covert Channel Analysis (SC-31)SC-36Distributed Processing and Storage (SC-36)SC-43Usage Restrictions (SC-43)SI-6Security and Privacy Function Verification (SI-6)H
SI-7Software, Firmware, and Information Integrity (SI-7)MH
SR-9Tamper Resistance and Detection (SR-9)H
SR-10Inspection of Systems or Components (SR-10)LMH
SI-8Spam Protection (SI-8)MH
SI-15Information Output Filtering (SI-15)SI-18Personally Identifiable Information Quality Operations (SI-18)SR-2Supply Chain Risk Management Plan (SR-2)LMH
SR-4Provenance (SR-4)Threat Coverage(37 ATT&CK techniques)
T1566PhishingT1059Command and Scripting InterpreterT1204User ExecutionT1047Windows Management InstrumentationT1053Scheduled Task/JobT1505Server Software ComponentT1548Abuse Elevation Control MechanismT1027Obfuscated Files or InformationT1562Impair DefensesT1070Indicator RemovalT1036MasqueradingT1112Modify RegistryT1110Brute ForceT1003OS Credential DumpingT1528Steal Application Access TokenT1558Steal or Forge Kerberos TicketsT1087Account DiscoveryT1046Network Service DiscoveryT1057Process DiscoveryT1018Remote System DiscoveryT1570Lateral Tool TransferT1560Archive Collected DataT1005Data from Local SystemT1114Email CollectionT1071Application Layer ProtocolT1573Encrypted ChannelT1105Ingress Tool TransferT1041Exfiltration Over C2 ChannelT1567Exfiltration Over Web ServiceT1048Exfiltration Over Alternative ProtocolT1486Data Encrypted for ImpactT1485Data DestructionT1499Endpoint Denial of ServiceT1498Network Denial of ServiceT1595Active ScanningT1598Phishing for InformationT1588Obtain Capabilities
Control Enhancements(25)
SI-4(1)System-wide Intrusion Detection System (SI-4(1))SI-4(2)Automated Tools and Mechanisms for Real-time Analysis (SI-4(2))
MH
SI-4(3)Automated Tool and Mechanism Integration (SI-4(3))SI-4(4)Inbound and Outbound Communications Traffic (SI-4(4))MH
SI-4(5)System-generated Alerts (SI-4(5))MH
SI-4(6)Restrict Non-privileged Users (SI-4(6))WSI-4(7)Automated Response to Suspicious Events (SI-4(7))SI-4(8)Protection of Monitoring Information (SI-4(8))WSI-4(9)Testing of Monitoring Tools and Mechanisms (SI-4(9))SI-4(10)Visibility of Encrypted Communications (SI-4(10))H
SI-4(11)Analyze Communications Traffic Anomalies (SI-4(11))SI-4(12)Automated Organization-generated Alerts (SI-4(12))H
SI-4(13)Analyze Traffic and Event Patterns (SI-4(13))SI-4(14)Wireless Intrusion Detection (SI-4(14))H
SI-4(15)Wireless to Wireline Communications (SI-4(15))SI-4(16)Correlate Monitoring Information (SI-4(16))SI-4(17)Integrated Situational Awareness (SI-4(17))SI-4(18)Analyze Traffic and Covert Exfiltration (SI-4(18))SI-4(19)Risk for Individuals (SI-4(19))SI-4(20)Privileged Users (SI-4(20))H
SI-4(21)Probationary Periods (SI-4(21))SI-4(22)Unauthorized Network Services (SI-4(22))H
SI-4(23)Host-based Devices (SI-4(23))SI-4(24)Indicators of Compromise (SI-4(24))SI-4(25)Optimize Network Traffic Analysis (SI-4(25))