SI-4: System Monitoring
From NIST's SP800-53:
a. Monitor the system to detect:
   1. Attacks and indicators of potential attacks in accordance with the following monitoring objectives: [Assignment: organization-defined monitoring objectives]; and
   2. Unauthorized local, network, and remote connections;
b. Identify unauthorized use of the system through the following techniques and methods: [Assignment: organization-defined techniques and methods];
c. Invoke internal monitoring capabilities or deploy monitoring devices:
   1. Strategically within the system to collect organization-determined essential information; and
   2. At ad hoc locations within the system to track specific types of transactions of interest to the organization;
d. Analyze detected events and anomalies;
e. Adjust the level of system monitoring activity when there is a change in risk to organizational operations and assets, individuals, other organizations, or the Nation;
f. Obtain legal opinion regarding system monitoring activities; and
g. Provide [Assignment: organization-defined system monitoring information] to [Assignment: organization-defined personnel or roles] [Selection (one or more): as needed; [Assignment: organization-defined frequency]].
SP800-53 Control Mapped to NIST Cyber Security Framework
Generated from NIST's SP800-53/CSF Crosswalk mappings.
Control ID | Description |
---|---|
PR.IP-8 | Effectiveness of protection technologies is shared |
DE.CM-1 | The network is monitored to detect potential cybersecurity events |
ID.RA-1 | Asset vulnerabilities are identified and documented |
DE.DP-5 | Detection processes are continuously improved |
DE.AE-1 | A baseline of network operations and expected data flows for users and systems is established and managed |
DE.DP-3 | Detection processes are tested |
DE.CM-5 | Unauthorized mobile code is detected |
DE.DP-4 | Event detection information is communicated |
DE.AE-2 | Detected events are analyzed to understand attack targets and methods |
PR.DS-5 | Protections against data leaks are implemented |
DE.CM-7 | Monitoring for unauthorized personnel, connections, devices, and software is performed |
DE.AE-3 | Event data are collected and correlated from multiple sources and sensors |
DE.CM-6 | External service provider activity is monitored to detect potential cybersecurity events |
DE.DP-2 | Detection activities comply with all applicable requirements |
RS.AN-1 | Notifications from detection systems are investigated |
RS.CO-3 | Information is shared consistent with response plans |
DE.AE-4 | Impact of events is determined |
MITRE ATT&CK Techniques
See which MITRE ATT&CK techniques this control helps to protect against.
ATT&CK ID | Title | Associated Tactics |
---|---|---|
T1484 | Domain Policy Modification | Defense Evasion, Privilege Escalation |
T1505.004 | IIS Components | Persistence |
T1547.004 | Winlogon Helper DLL | Persistence, Privilege Escalation |
T1003.005 | Cached Domain Credentials | Credential Access |
T1078.004 | Cloud Accounts | Defense Evasion, Initial Access, Persistence, Privilege Escalation |
T1137.001 | Office Template Macros | Persistence |
T1553.003 | SIP and Trust Provider Hijacking | Defense Evasion |
T1556 | Modify Authentication Process | Credential Access, Defense Evasion, Persistence |
T1602 | Data from Configuration Repository | Collection |
T1036.001 | Invalid Code Signature | Defense Evasion |
T1059.001 | PowerShell | Execution |
T1555.005 | Password Managers | Credential Access |
T1563.002 | RDP Hijacking | Lateral Movement |
T1098.004 | SSH Authorized Keys | Persistence, Privilege Escalation |
T1003.004 | LSA Secrets | Credential Access |
T1537 | Transfer Data to Cloud Account | Exfiltration |
T1037.005 | Startup Items | Persistence, Privilege Escalation |
T1218.013 | Mavinject | Defense Evasion |
T1543 | Create or Modify System Process | Persistence, Privilege Escalation |
T1574.010 | Services File Permissions Weakness | Defense Evasion, Persistence, Privilege Escalation |
T1059.006 | Python | Execution |
T1053.005 | Scheduled Task | Execution, Persistence, Privilege Escalation |
T1036.005 | Match Legitimate Name or Location | Defense Evasion |
T1056.002 | GUI Input Capture | Collection, Credential Access |
T1110.003 | Password Spraying | Credential Access |
T1211 | Exploitation for Defense Evasion | Defense Evasion |
T1070.002 | Clear Linux or Mac System Logs | Defense Evasion |
T1029 | Scheduled Transfer | Exfiltration |
T1055.014 | VDSO Hijacking | Defense Evasion, Privilege Escalation |
T1059.002 | AppleScript | Execution |
T1218.009 | Regsvcs/Regasm | Defense Evasion |
T1098.003 | Additional Cloud Roles | Persistence, Privilege Escalation |
T1569 | System Services | Execution |
T1552.004 | Private Keys | Credential Access |
T1205 | Traffic Signaling | Command and Control, Defense Evasion, Persistence |
T1578.001 | Create Snapshot | Defense Evasion |
T1565 | Data Manipulation | Impact |
T1558.004 | AS-REP Roasting | Credential Access |
T1055.001 | Dynamic-link Library Injection | Defense Evasion, Privilege Escalation |
T1070.008 | Clear Mailbox Data | Defense Evasion |
T1135 | Network Share Discovery | Discovery |
T1564.002 | Hidden Users | Defense Evasion |
T1602.001 | SNMP (MIB Dump) | Collection |
T1547.012 | Print Processors | Persistence, Privilege Escalation |
T1499.003 | Application Exhaustion Flood | Impact |
T1555 | Credentials from Password Stores | Credential Access |
T1055.004 | Asynchronous Procedure Call | Defense Evasion, Privilege Escalation |
T1213 | Data from Information Repositories | Collection |
T1114.003 | Email Forwarding Rule | Collection |
T1070 | Indicator Removal | Defense Evasion |