Detections
Analytics

800-53|AU-5(2)

Title

REAL-TIME ALERTS

Description

The information system provides an alert in [Assignment: organization-defined real-time period] to [Assignment: organization-defined personnel, roles, and/or locations] when the following audit failure events occur: [Assignment: organization-defined audit failure events requiring real-time alerts].

Supplemental

Alerts provide organizations with urgent messages. Real-time alerts provide these messages at information technology speed (i.e., the time from event detection to alert occurs in seconds or less).

Reference Item Details

Category: AUDIT AND ACCOUNTABILITY

Parent Title: RESPONSE TO AUDIT PROCESSING FAILURES

Family: AUDIT AND ACCOUNTABILITY

Baseline Impact: HIGH

Audit Items

View all Reference Audit Items

NamePluginAudit Name
3.092 - The system must generate an audit event when the audit log reaches a percentage of full threshold.WindowsDISA Windows Vista STIG v6r41
AOSX-13-000310 - The macOS system must provide an immediate real-time alert to the System Administrator (SA) and Information System Security Officer (ISSO), at a minimum, of all audit failure events requiring real-time alerts.UnixDISA STIG Apple Mac OSX 10.13 v2r5
AOSX-14-001031 - The macOS system must provide an immediate real-time alert to the System Administrator (SA) and Information System Security Officer (ISSO), at a minimum, of all audit failure events requiring real-time alerts.UnixDISA STIG Apple Mac OSX 10.14 v2r6
AOSX-15-001031 - The macOS system must provide an immediate real-time alert to the System Administrator (SA) and Information System Security Officer (ISSO), at a minimum, of all audit failure events requiring real-time alerts.UnixDISA STIG Apple Mac OSX 10.15 v1r10
APPL-11-001031 - The macOS system must provide an immediate real-time alert to the System Administrator (SA) and Information System Security Officer (ISSO), at a minimum, of all audit failure events requiring real-time alerts.UnixDISA STIG Apple macOS 11 v1r5
APPL-11-001031 - The macOS system must provide an immediate real-time alert to the System Administrator (SA) and Information System Security Officer (ISSO), at a minimum, of all audit failure events requiring real-time alerts.UnixDISA STIG Apple macOS 11 v1r8
APPL-12-001031 - The macOS system must provide an immediate real-time alert to the System Administrator (SA) and Information System Security Officer (ISSO), at a minimum, of all audit failure events requiring real-time alerts.UnixDISA STIG Apple macOS 12 v1r8
APPL-13-001031 - The macOS system must provide an immediate real-time alert to the System Administrator (SA) and Information System Security Officer (ISSO), at a minimum, of all audit failure events requiring real-time alerts.UnixDISA STIG Apple macOS 13 v1r3
ARST-ND-000790 - The Arista network device must be configured to capture all DOD auditable events.AristaDISA STIG Arista MLS EOS 4.2x NDM v1r1
Big Sur - Configure Audit Failure NotificationUnixNIST macOS Big Sur v1.4.0 - 800-53r5 High
Big Sur - Configure Audit Failure NotificationUnixNIST macOS Big Sur v1.4.0 - 800-53r5 Moderate
Big Sur - Configure Audit Failure NotificationUnixNIST macOS Big Sur v1.4.0 - 800-53r4 High
Big Sur - Configure Audit Failure NotificationUnixNIST macOS Big Sur v1.4.0 - 800-171
Big Sur - Configure Audit Failure NotificationUnixNIST macOS Big Sur v1.4.0 - 800-53r5 Low
Big Sur - Configure Audit Failure NotificationUnixNIST macOS Big Sur v1.4.0 - All Profiles
CASA-FW-000210 - The Cisco ASA must be configured to generate a real-time alert to organization-defined personnel and/or the firewall administrator in the event communication with the central audit server is lost - From-addressCiscoDISA STIG Cisco ASA FW v1r4
CASA-FW-000210 - The Cisco ASA must be configured to generate a real-time alert to organization-defined personnel and/or the firewall administrator in the event communication with the central audit server is lost - Logging ErrorsCiscoDISA STIG Cisco ASA FW v1r4
CASA-FW-000210 - The Cisco ASA must be configured to generate a real-time alert to organization-defined personnel and/or the firewall administrator in the event communication with the central audit server is lost - Recipient-addressCiscoDISA STIG Cisco ASA FW v1r4
CASA-FW-000210 - The Cisco ASA must be configured to generate a real-time alert to organization-defined personnel and/or the firewall administrator in the event communication with the central audit server is lost - SeverityCiscoDISA STIG Cisco ASA FW v1r4
CASA-FW-000210 - The Cisco ASA must be configured to generate a real-time alert to organization-defined personnel and/or the firewall administrator in the event communication with the central audit server is lost - smtpCiscoDISA STIG Cisco ASA FW v1r4
CASA-ND-000930 - The Cisco ASA must be configured to generate an immediate real-time alert of all audit failure events requiring real-time alerts - logging hostCiscoDISA STIG Cisco ASA NDM v1r6
CASA-ND-000930 - The Cisco ASA must be configured to generate an immediate real-time alert of all audit failure events requiring real-time alerts - logging trapCiscoDISA STIG Cisco ASA NDM v1r6
CASA-VN-000090 - The Cisco ASA must be configured to generate an alert that can be forwarded as an alert to organization-defined personnel and/or firewall administrator of all log failure events - logging hostCiscoDISA STIG Cisco ASA VPN v1r3
CASA-VN-000090 - The Cisco ASA must be configured to generate an alert that can be forwarded as an alert to organization-defined personnel and/or firewall administrator of all log failure events - logging trapCiscoDISA STIG Cisco ASA VPN v1r3
Catalina - Configure Audit Failure NotificationUnixNIST macOS Catalina v1.5.0 - 800-53r4 High
Catalina - Configure Audit Failure NotificationUnixNIST macOS Catalina v1.5.0 - All Profiles
Catalina - Configure Audit Failure NotificationUnixNIST macOS Catalina v1.5.0 - 800-53r5 High
Catalina - Configure Audit Failure NotificationUnixNIST macOS Catalina v1.5.0 - 800-171
Catalina - Configure Audit Failure NotificationUnixNIST macOS Catalina v1.5.0 - 800-53r5 Moderate
Catalina - Configure Audit Failure NotificationUnixNIST macOS Catalina v1.5.0 - 800-53r5 Low
CISC-ND-001000 - The Cisco router must be configured to generate an alert for all audit failure events.CiscoDISA STIG Cisco IOS-XR Router NDM v2r5
CISC-ND-001000 - The Cisco router must be configured to generate an alert for all audit failure events.CiscoDISA STIG Cisco IOS XE Router NDM v2r9
CISC-ND-001000 - The Cisco router must be configured to generate an alert for all audit failure events.CiscoDISA STIG Cisco IOS Router NDM v2r8
CISC-ND-001000 - The Cisco switch must be configured to generate an alert for all audit failure events.CiscoDISA STIG Cisco IOS Switch NDM v2r8
CISC-ND-001000 - The Cisco switch must be configured to generate an alert for all audit failure events.CiscoDISA STIG Cisco NX-OS Switch NDM v2r7
CISC-ND-001000 - The Cisco switch must be configured to generate an alert for all audit failure events.CiscoDISA STIG Cisco IOS XE Switch NDM v2r8
DB2X-00-007700 - DB2 must provide an immediate real-time alert to appropriate support staff of all audit failure events requiring real-time alerts.IBM_DB2DBDISA STIG IBM DB2 v10.5 LUW v2r1 Database
DB2X-00-007700 - DB2 must provide an immediate real-time alert to appropriate support staff of all audit failure events requiring real-time alerts.UnixDISA STIG IBM DB2 v10.5 LUW v2r1 OS Linux
DB2X-00-007700 - DB2 must provide an immediate real-time alert to appropriate support staff of all audit failure events requiring real-time alerts.WindowsDISA STIG IBM DB2 v10.5 LUW v2r1 OS Windows
DKER-EE-003340 - Log aggregation/SIEM systems must be configured to notify SA and ISSO on Docker Engine - Enterprise audit failure events.UnixDISA STIG Docker Enterprise 2.x Linux/Unix v2r1
Ensure email logging is configured for critical to emergencyCisco_FirepowerTenable Cisco Firepower Threat Defense Best Practices Audit
EP11-00-008100 - The EDB Postgres Advanced Server must provide an immediate real-time alert to appropriate support staff of all audit failure events requiring real-time alerts.PostgreSQLDBEDB PostgreSQL Advanced Server v11 DB Audit v2r2
Extreme : Enable SNMP TrapsExtreme_ExtremeXOSTNS Extreme ExtremeXOS Best Practice Audit
FGFW-ND-000115 - The FortiGate device must generate an immediate real-time alert of all audit failure events requiring real-time alerts.FortiGateDISA Fortigate Firewall NDM STIG v1r4
FNFG-FW-000105 - If communication with the central audit server is lost, the FortiGate firewall must generate a real-time alert to, at a minimum, the SCA and ISSO.FortiGateDISA Fortigate Firewall STIG v1r3
IBM i : Auditing End Action (QAUDENDACN) - '*NOTIFY or *PWRDWNSYS'AS/400IBM System i Security Reference for V7R1 and V6R1
IBM i : Auditing End Action (QAUDENDACN) - '*NOTIFY or *PWRDWNSYS'AS/400IBM System i Security Reference for V7R3
IBM i : Auditing End Action (QAUDENDACN) - '*NOTIFY or *PWRDWNSYS'AS/400IBM System i Security Reference for V7R2
IBM i : Auditing End Action (QAUDENDACN) - '*NOTIFY'AS/400IBM iSeries Security Reference v5r4
JUEX-NM-000420 - The Juniper EX switch must be configured to generate an immediate real-time alert of all audit failure events requiring real-time alerts.JuniperDISA Juniper EX Series Network Device Management v1r4