800-53|AC-2(12)

Title

ACCOUNT MONITORING / ATYPICAL USAGE

Description

The organization:

Supplemental

Atypical usage includes, for example, accessing information systems at certain times of the day and from locations that are not consistent with the normal usage patterns of individuals working in organizations.

Reference Item Details

Related: CA-7

Category: ACCESS CONTROL

Parent Title: ACCOUNT MANAGEMENT

Family: ACCESS CONTROL

Baseline Impact: HIGH

Audit Items

| Name | Plugin | Audit Name |
| --- | --- | --- |
| 1.5.2 Log all Successful and Failed Administrative Logins | Cisco | CIS Cisco NX-OS L2 v1.0.0 |
| 1.5.2 Log all Successful and Failed Administrative Logins | Cisco | CIS Cisco NX-OS L1 v1.0.0 |
| 2.1 Ensure that IP addresses are mapped to usernames - User ID Agents | Palo_Alto | CIS Palo Alto Firewall 8 Benchmark L2 v1.0.0 |
| 2.1 Ensure that IP addresses are mapped to usernames - Zones | Palo_Alto | CIS Palo Alto Firewall 8 Benchmark L2 v1.0.0 |
| 2.3 Ensure that User-ID is only enabled for internal trusted interfaces | Palo_Alto | CIS Palo Alto Firewall 8 Benchmark L1 v1.0.0 |
| 2.3.9.4 (L1) Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled' | Windows | CIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker |
| 2.3.9.4 Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled' | Windows | CIS Microsoft Windows 10 Stand-alone v2.0.0 L1 |
| 2.3.9.4 Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled' | Windows | CIS Microsoft Windows 10 Enterprise v2.0.0 L1 + BL + NG |
| 2.3.9.4 Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled' | Windows | CIS Microsoft Windows 11 Stand-alone v2.0.0 L1 + BL |
| 2.3.9.4 Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled' | Windows | CIS Microsoft Windows 10 Stand-alone v2.0.0 L1 + BL |
| 2.3.9.4 Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled' | Windows | CIS Microsoft Windows 10 Stand-alone v2.0.0 L1 + BL + NG |
| 2.3.9.4 Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled' | Windows | CIS Microsoft Windows 10 Enterprise v2.0.0 L1 + NG |
| 2.3.9.4 Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled' | Windows | CIS Microsoft Windows 11 Enterprise v2.0.0 L1 |
| 2.3.9.4 Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled' | Windows | CIS Microsoft Windows 8.1 v2.4.1 L1 |
| 2.3.9.4 Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled' | Windows | CIS Microsoft Windows 10 EMS Gateway v2.0.0 L1 |
| 2.3.9.4 Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled' | Windows | CIS Microsoft Windows 10 Enterprise v2.0.0 L1 |
| 2.3.9.4 Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled' | Windows | CIS Microsoft Windows 11 Stand-alone v2.0.0 L1 |
| 2.3.9.4 Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled' | Windows | CIS Microsoft Windows 10 Stand-alone v2.0.0 L1 + NG |
| 2.3.9.4 Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled' | Windows | CIS Microsoft Windows 10 Enterprise v2.0.0 L1 + BL |
| 2.3.9.4 Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled' | Windows | CIS Microsoft Windows 11 Enterprise v2.0.0 L1 + BL |
| 2.3.11.6 (L1) Ensure 'Network security: Force logoff when logon hours expire' is set to 'Enabled' | Windows | CIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker |
| 2.3.11.6 Ensure 'Network security: Force logoff when logon hours expire' is set to 'Enabled' | Windows | CIS Microsoft Windows 10 Stand-alone v2.0.0 L1 + NG |
| 2.3.11.6 Ensure 'Network security: Force logoff when logon hours expire' is set to 'Enabled' | Windows | CIS Microsoft Windows 10 Enterprise v2.0.0 L1 + NG |
| 2.3.11.6 Ensure 'Network security: Force logoff when logon hours expire' is set to 'Enabled' | Windows | CIS Microsoft Windows 10 Enterprise v2.0.0 L1 + BL |
| 2.3.11.6 Ensure 'Network security: Force logoff when logon hours expire' is set to 'Enabled' | Windows | CIS Microsoft Windows 11 Enterprise v2.0.0 L1 + BL |
| 2.3.11.6 Ensure 'Network security: Force logoff when logon hours expire' is set to 'Enabled' | Windows | CIS Microsoft Windows 10 EMS Gateway v2.0.0 L1 |
| 2.3.11.6 Ensure 'Network security: Force logoff when logon hours expire' is set to 'Enabled' | Windows | CIS Microsoft Windows 11 Stand-alone v2.0.0 L1 |
| 2.3.11.6 Ensure 'Network security: Force logoff when logon hours expire' is set to 'Enabled' | Windows | CIS Microsoft Windows 8.1 v2.4.1 L1 |
| 2.3.11.6 Ensure 'Network security: Force logoff when logon hours expire' is set to 'Enabled' | Windows | CIS Microsoft Windows 11 Enterprise v2.0.0 L1 |
| 2.3.11.6 Ensure 'Network security: Force logoff when logon hours expire' is set to 'Enabled' | Windows | CIS Microsoft Windows 10 Enterprise v2.0.0 L1 + BL + NG |
| 2.3.11.6 Ensure 'Network security: Force logoff when logon hours expire' is set to 'Enabled' | Windows | CIS Microsoft Windows 10 Stand-alone v2.0.0 L1 + BL |
| 2.3.11.6 Ensure 'Network security: Force logoff when logon hours expire' is set to 'Enabled' | Windows | CIS Microsoft Windows 10 Stand-alone v2.0.0 L1 |
| 2.3.11.6 Ensure 'Network security: Force logoff when logon hours expire' is set to 'Enabled' | Windows | CIS Microsoft Windows 10 Stand-alone v2.0.0 L1 + BL + NG |
| 2.3.11.6 Ensure 'Network security: Force logoff when logon hours expire' is set to 'Enabled' | Windows | CIS Microsoft Windows 10 Enterprise v2.0.0 L1 |
| 2.3.11.6 Ensure 'Network security: Force logoff when logon hours expire' is set to 'Enabled' | Windows | CIS Microsoft Windows 11 Stand-alone v2.0.0 L1 + BL |
| 2.4 Ensure that 'Include/Exclude Networks' is used if User-ID is enabled | Palo_Alto | CIS Palo Alto Firewall 8 Benchmark L1 v1.0.0 |
| 4.1.10 Ensure session initiation information is collected - /var/log/btmp | Unix | CIS Amazon Linux 2 STIG v1.0.0 L2 |
| 4.1.10 Ensure session initiation information is collected - /var/log/wtmp | Unix | CIS Amazon Linux 2 STIG v1.0.0 L2 |
| 4.1.10 Ensure session initiation information is collected - /var/run/utmp | Unix | CIS Amazon Linux 2 STIG v1.0.0 L2 |
| 4.1.10 Ensure session initiation information is collected - auditctl /var/log/wtmp | Unix | CIS Amazon Linux 2 STIG v1.0.0 L2 |
| 17.1.1 (L1) Ensure 'Audit Credential Validation' is set to 'Success and Failure' | Windows | CIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker |
| 17.1.1 Ensure 'Audit Credential Validation' is set to 'Success and Failure' | Windows | CIS Microsoft Windows 8.1 v2.4.1 L1 |
| 17.2.1 (L1) Ensure 'Audit Application Group Management' is set to 'Success and Failure' | Windows | CIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker |
| 17.2.1 Ensure 'Audit Application Group Management' is set to 'Success and Failure' | Windows | CIS Microsoft Windows 8.1 v2.4.1 L1 |
| 17.5.2 (L1) Ensure 'Audit Logoff' is set to include 'Success' | Windows | CIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker |
| 17.5.2 Ensure 'Audit Logoff' is set to include 'Success' | Windows | CIS Microsoft Windows 8.1 v2.4.1 L1 |
| 17.5.3 (L1) Ensure 'Audit Logon' is set to 'Success and Failure' | Windows | CIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker |
| 17.5.3 Ensure 'Audit Logon' is set to 'Success and Failure' | Windows | CIS Microsoft Windows 8.1 v2.4.1 L1 |
| 17.5.4 (L1) Ensure 'Audit Other Logon/Logoff Events' is set to 'Success and Failure' | Windows | CIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker |
| 17.5.4 Ensure 'Audit Other Logon/Logoff Events' is set to 'Success and Failure' | Windows | CIS Microsoft Windows 8.1 v2.4.1 L1 |