800-53|SI-4(4)

Title

INBOUND AND OUTBOUND COMMUNICATIONS TRAFFIC

Description

The information system monitors inbound and outbound communications traffic [Assignment: organization-defined frequency] for unusual or unauthorized activities or conditions.

Supplemental

Unusual/unauthorized activities or conditions related to information system inbound and outbound communications traffic include, for example, internal traffic that indicates the presence of malicious code within organizational information systems or propagating among system components, the unauthorized exporting of information, or signaling to external information systems. Evidence of malicious code is used to identify potentially compromised information systems or information system components.

Reference Item Details

Reference: NIST 800-53 - Security and Privacy Controls for Federal Information Systems and Organizations

Category: SYSTEM AND INFORMATION INTEGRITY

Parent Title: INFORMATION SYSTEM MONITORING

Family: SYSTEM AND INFORMATION INTEGRITY

Baseline Impact: MODERATE,HIGH

Audit Items

View all Reference Audit Items

Name	Plugin	Audit Name
1.5.4 Configure SNMP Traps	Cisco	CIS Cisco NX-OS L2 v1.1.0
1.6.3 Configure Netflow on Strategic Ports	Cisco	CIS Cisco NX-OS L2 v1.1.0
3.1.3.3 Log OSPF Adjacency Changes	Cisco	CIS Cisco NX-OS L1 v1.1.0
3.1.4.1 If VLAN interfaces have IP addreses, configure anti spoofing / ingress filtering protections	Cisco	CIS Cisco NX-OS L1 v1.1.0
3.2 Ensure intrusion prevention is enabled for untrusted interfaces	Cisco	CIS Cisco ASA 9.x Firewall L1 v1.1.0
3.2.1 Ensure That Microsoft Defender for IoT Hub Is Set To 'On'	microsoft_azure	CIS Microsoft Azure Foundations v3.0.0 L2
3.3.2 Configure Storm Control	Cisco	CIS Cisco NX-OS L2 v1.1.0
3.4 Ensure logging is enabled on all firewall policies	FortiGate	CIS Fortigate 7.0.x v1.3.0 L1
3.4.1 Configure LLDP	Cisco	CIS Cisco NX-OS L1 v1.1.0
3.7 Ensure VPC flow logging is enabled in all VPCs	amazon_aws	CIS Amazon Web Services Foundations L2 3.0.0
3.8 Ensure that VPC Flow Logs is Enabled for Every Subnet in a VPC Network	GCP	CIS Google Cloud Platform v3.0.0 L2
4.1.1 Detect Botnet connections	FortiGate	CIS Fortigate 7.0.x v1.3.0 L2
4.4.3 Ensure all Application Control related traffic is logged	FortiGate	CIS Fortigate 7.0.x v1.3.0 L1
5.2 Ensure forwarding is enabled for all applications and file types in WildFire file blocking profiles	Palo_Alto	CIS Palo Alto Firewall 6 Benchmark L1 v1.0.0
5.2 Ensure forwarding is enabled for all applications and file types in WildFire file blocking profiles	Palo_Alto	CIS Palo Alto Firewall 7 Benchmark L1 v1.0.0
5.2.2.6 Enable Azure AD Identity Protection user risk policies	microsoft_azure	CIS Microsoft 365 Foundations E5 L2 v3.1.0
5.2.2.7 Enable Azure AD Identity Protection sign-in risk policies	microsoft_azure	CIS Microsoft 365 Foundations E5 L2 v3.1.0
5.3 Ensure a WildFire file blocking profile is enabled for all security policies allowing Internet traffic flows	Palo_Alto	CIS Palo Alto Firewall 6 Benchmark L1 v1.0.0
5.3 Ensure a WildFire file blocking profile is enabled for all security policies allowing Internet traffic flows	Palo_Alto	CIS Palo Alto Firewall 7 Benchmark L1 v1.0.0
5.5 Ensure all WildFire session information settings are enabled	Palo_Alto	CIS Palo Alto Firewall 6 Benchmark L1 v1.0.0
5.5 Ensure all WildFire session information settings are enabled	Palo_Alto	CIS Palo Alto Firewall 7 Benchmark L1 v1.0.0
6.1 Ensure at least one antivirus profile is set to block on all decoders except 'imap' and 'pop3'	Palo_Alto	CIS Palo Alto Firewall 7 Benchmark L1 v1.0.0
6.1 Ensure at least one antivirus profile is set to block on all decoders except 'imap' and 'pop3'	Palo_Alto	CIS Palo Alto Firewall 6 Benchmark L1 v1.0.0
6.1.5 Ensure that Network Security Group Flow logs are captured and sent to Log Analytics	microsoft_azure	CIS Microsoft Azure Foundations v3.0.0 L2
6.3 Ensure an anti-spyware profile is configured to block on all spyware severity levels, categories, and threats	Palo_Alto	CIS Palo Alto Firewall 6 Benchmark L1 v1.0.0
6.3 Ensure an anti-spyware profile is configured to block on all spyware severity levels, categories, and threats	Palo_Alto	CIS Palo Alto Firewall 7 Benchmark L1 v1.0.0
6.4 Ensure DNS sinkholing is configured on all anti-spyware profiles in use	Palo_Alto	CIS Palo Alto Firewall 6 Benchmark L1 v1.0.0
6.4 Ensure DNS sinkholing is configured on all anti-spyware profiles in use	Palo_Alto	CIS Palo Alto Firewall 7 Benchmark L1 v1.0.0
6.5 Ensure passive DNS monitoring is set to enabled on all anti-spyware profiles in use	Palo_Alto	CIS Palo Alto Firewall 7 Benchmark L1 v1.0.0
6.5 Ensure passive DNS monitoring is set to enabled on all anti-spyware profiles in use	Palo_Alto	CIS Palo Alto Firewall 6 Benchmark L1 v1.0.0
6.7 Ensure a VPP is set to block attacks against critical and high vulnerabilities, and set to default on med, low, and info vulns	Palo_Alto	CIS Palo Alto Firewall 8 Benchmark L1 v1.0.0
6.7 Ensure a Vulnerability Protection Profile is set to block attacks against critical/high, and set to default on medium, low, and info	Palo_Alto	CIS Palo Alto Firewall 6 Benchmark L1 v1.0.0
6.7 Ensure a Vulnerability Protection Profile is set to block attacks against critical/high, and set to default on medium, low, and info	Palo_Alto	CIS Palo Alto Firewall 7 Benchmark L1 v1.0.0
6.8 Ensure a secure Vulnerability Protection Profile is applied to all security rules allowing traffic	Palo_Alto	CIS Palo Alto Firewall 6 Benchmark L1 v1.0.0
6.8 Ensure a secure Vulnerability Protection Profile is applied to all security rules allowing traffic	Palo_Alto	CIS Palo Alto Firewall 7 Benchmark L1 v1.0.0
6.13 Ensure secure URL filtering is enabled for all security policies allowing traffic to the Internet	Palo_Alto	CIS Palo Alto Firewall 7 Benchmark L1 v1.0.0
6.13 Ensure secure URL filtering is enabled for all security policies allowing traffic to the Internet	Palo_Alto	CIS Palo Alto Firewall 6 Benchmark L1 v1.0.0
6.14 Ensure alerting after a threshold of credit card or Social Security numbers is detected is enabled - Data Filtering Profile	Palo_Alto	CIS Palo Alto Firewall 6 Benchmark L1 v1.0.0
6.14 Ensure alerting after a threshold of credit card or Social Security numbers is detected is enabled - Data Filtering Profile	Palo_Alto	CIS Palo Alto Firewall 7 Benchmark L1 v1.0.0
6.15 Ensure a secure Data Filtering profile is applied to all security policies allowing traffic to or from the Internet	Palo_Alto	CIS Palo Alto Firewall 7 Benchmark L1 v1.0.0
6.15 Ensure a secure Data Filtering profile is applied to all security policies allowing traffic to or from the Internet	Palo_Alto	CIS Palo Alto Firewall 6 Benchmark L1 v1.0.0
6.19 Ensure all zones have Zone Protection Profiles that drop specially crafted packets	Palo_Alto	CIS Palo Alto Firewall 7 Benchmark L1 v1.0.0
6.19 Ensure all zones have Zone Protection Profiles that drop specially crafted packets	Palo_Alto	CIS Palo Alto Firewall 6 Benchmark L1 v1.0.0
7.4 Ensure that logging is enabled on built-in default security policies	Palo_Alto	CIS Palo Alto Firewall 10 v1.2.0 L1
7.4 Ensure that logging is enabled on built-in default security policies	Palo_Alto	CIS Palo Alto Firewall 11 v1.1.0 L1
7.6 Ensure port groups are not configured to VLAN 4095 except for Virtual Guest Tagging (VGT)	VMware	CIS VMware ESXi 6.7 v1.3.0 Level 1
7.7 (L1) Ensure Virtual Distributed Switch Netflow traffic is sent to an authorized collector	VMware	CIS VMware ESXi 7.0 v1.4.0 L1
7.7 Ensure Virtual Disributed Switch Netflow traffic is sent to an authorized collector	VMware	CIS VMware ESXi 6.7 v1.3.0 Level 1
F5BI-AS-000239 - The BIG-IP ASM module must continuously monitor inbound communications traffic crossing internal security boundaries for unusual or unauthorized activities or conditions.	F5	DISA F5 BIG-IP Application Security Manager STIG v2r1
F5BI-LT-000239 - The BIG-IP Core implementation must continuously monitor inbound communications traffic crossing internal security boundaries for unusual or unauthorized activities or conditions.	F5	DISA F5 BIG-IP Local Traffic Manager STIG v2r3

Detections