Detections
Analytics

800-53|SI-4(4)

Title

INBOUND AND OUTBOUND COMMUNICATIONS TRAFFIC

Description

The information system monitors inbound and outbound communications traffic [Assignment: organization-defined frequency] for unusual or unauthorized activities or conditions.

Supplemental

Unusual/unauthorized activities or conditions related to information system inbound and outbound communications traffic include, for example, internal traffic that indicates the presence of malicious code within organizational information systems or propagating among system components, the unauthorized exporting of information, or signaling to external information systems. Evidence of malicious code is used to identify potentially compromised information systems or information system components.

Reference Item Details

Category: SYSTEM AND INFORMATION INTEGRITY

Parent Title: INFORMATION SYSTEM MONITORING

Family: SYSTEM AND INFORMATION INTEGRITY

Baseline Impact: MODERATE,HIGH

Audit Items

View all Reference Audit Items

NamePluginAudit Name
1.5.4 Configure SNMP TrapsCiscoCIS Cisco NX-OS L2 v1.1.0
1.6.3 Configure Netflow on Strategic PortsCiscoCIS Cisco NX-OS L2 v1.1.0
2.1.10 [LEGACY] Ensure That Microsoft Defender for DNS Is Set To 'On'microsoft_azureCIS Microsoft Azure Foundations v2.1.0 L2
2.2.1 Ensure That Microsoft Defender for IoT Hub Is Set To 'On'microsoft_azureCIS Microsoft Azure Foundations v2.1.0 L2
3.1.3.3 Log OSPF Adjacency ChangesCiscoCIS Cisco NX-OS L1 v1.1.0
3.1.4.1 If VLAN interfaces have IP addreses, configure anti spoofing / ingress filtering protectionsCiscoCIS Cisco NX-OS L1 v1.1.0
3.2 Ensure intrusion prevention is enabled for untrusted interfacesCiscoCIS Cisco ASA 9.x Firewall L1 v1.1.0
3.3.2 Configure Storm ControlCiscoCIS Cisco NX-OS L2 v1.1.0
3.4 Ensure logging is enabled on all firewall policiesFortiGateCIS Fortigate 7.0.x v1.3.0 L1
3.4.1 Configure LLDPCiscoCIS Cisco NX-OS L1 v1.1.0
3.7 Ensure VPC flow logging is enabled in all VPCsamazon_awsCIS Amazon Web Services Foundations L2 3.0.0
3.8 Ensure that VPC Flow Logs is Enabled for Every Subnet in a VPC NetworkGCPCIS Google Cloud Platform v3.0.0 L2
4.1.1 Detect Botnet connectionsFortiGateCIS Fortigate 7.0.x v1.3.0 L2
4.4.3 Ensure all Application Control related traffic is loggedFortiGateCIS Fortigate 7.0.x v1.3.0 L1
5.1.5 Ensure that Network Security Group Flow logs are captured and sent to Log Analyticsmicrosoft_azureCIS Microsoft Azure Foundations v2.1.0 L2
5.2 Ensure forwarding is enabled for all applications and file types in WildFire file blocking profilesPalo_AltoCIS Palo Alto Firewall 6 Benchmark L1 v1.0.0
5.2 Ensure forwarding is enabled for all applications and file types in WildFire file blocking profilesPalo_AltoCIS Palo Alto Firewall 7 Benchmark L1 v1.0.0
5.2.2.6 Enable Azure AD Identity Protection user risk policiesmicrosoft_azureCIS Microsoft 365 Foundations E5 L2 v3.1.0
5.2.2.7 Enable Azure AD Identity Protection sign-in risk policiesmicrosoft_azureCIS Microsoft 365 Foundations E5 L2 v3.1.0
5.3 Ensure a WildFire file blocking profile is enabled for all security policies allowing Internet traffic flowsPalo_AltoCIS Palo Alto Firewall 6 Benchmark L1 v1.0.0
5.3 Ensure a WildFire file blocking profile is enabled for all security policies allowing Internet traffic flowsPalo_AltoCIS Palo Alto Firewall 7 Benchmark L1 v1.0.0
5.5 Ensure all WildFire session information settings are enabledPalo_AltoCIS Palo Alto Firewall 7 Benchmark L1 v1.0.0
5.5 Ensure all WildFire session information settings are enabledPalo_AltoCIS Palo Alto Firewall 6 Benchmark L1 v1.0.0
6.1 Ensure at least one antivirus profile is set to block on all decoders except 'imap' and 'pop3'Palo_AltoCIS Palo Alto Firewall 6 Benchmark L1 v1.0.0
6.1 Ensure at least one antivirus profile is set to block on all decoders except 'imap' and 'pop3'Palo_AltoCIS Palo Alto Firewall 7 Benchmark L1 v1.0.0
6.3 Ensure an anti-spyware profile is configured to block on all spyware severity levels, categories, and threatsPalo_AltoCIS Palo Alto Firewall 6 Benchmark L1 v1.0.0
6.3 Ensure an anti-spyware profile is configured to block on all spyware severity levels, categories, and threatsPalo_AltoCIS Palo Alto Firewall 7 Benchmark L1 v1.0.0
6.4 Ensure DNS sinkholing is configured on all anti-spyware profiles in usePalo_AltoCIS Palo Alto Firewall 6 Benchmark L1 v1.0.0
6.4 Ensure DNS sinkholing is configured on all anti-spyware profiles in usePalo_AltoCIS Palo Alto Firewall 7 Benchmark L1 v1.0.0
6.5 Ensure passive DNS monitoring is set to enabled on all anti-spyware profiles in usePalo_AltoCIS Palo Alto Firewall 6 Benchmark L1 v1.0.0
6.5 Ensure passive DNS monitoring is set to enabled on all anti-spyware profiles in usePalo_AltoCIS Palo Alto Firewall 7 Benchmark L1 v1.0.0
6.7 Ensure a VPP is set to block attacks against critical and high vulnerabilities, and set to default on med, low, and info vulnsPalo_AltoCIS Palo Alto Firewall 8 Benchmark L1 v1.0.0
6.7 Ensure a Vulnerability Protection Profile is set to block attacks against critical/high, and set to default on medium, low, and infoPalo_AltoCIS Palo Alto Firewall 6 Benchmark L1 v1.0.0
6.7 Ensure a Vulnerability Protection Profile is set to block attacks against critical/high, and set to default on medium, low, and infoPalo_AltoCIS Palo Alto Firewall 7 Benchmark L1 v1.0.0
6.8 Ensure a secure Vulnerability Protection Profile is applied to all security rules allowing trafficPalo_AltoCIS Palo Alto Firewall 6 Benchmark L1 v1.0.0
6.8 Ensure a secure Vulnerability Protection Profile is applied to all security rules allowing trafficPalo_AltoCIS Palo Alto Firewall 7 Benchmark L1 v1.0.0
6.13 Ensure secure URL filtering is enabled for all security policies allowing traffic to the InternetPalo_AltoCIS Palo Alto Firewall 6 Benchmark L1 v1.0.0
6.13 Ensure secure URL filtering is enabled for all security policies allowing traffic to the InternetPalo_AltoCIS Palo Alto Firewall 7 Benchmark L1 v1.0.0
6.14 Ensure alerting after a threshold of credit card or Social Security numbers is detected is enabled - Data Filtering ProfilePalo_AltoCIS Palo Alto Firewall 6 Benchmark L1 v1.0.0
6.14 Ensure alerting after a threshold of credit card or Social Security numbers is detected is enabled - Data Filtering ProfilePalo_AltoCIS Palo Alto Firewall 7 Benchmark L1 v1.0.0
6.15 Ensure a secure Data Filtering profile is applied to all security policies allowing traffic to or from the InternetPalo_AltoCIS Palo Alto Firewall 6 Benchmark L1 v1.0.0
6.15 Ensure a secure Data Filtering profile is applied to all security policies allowing traffic to or from the InternetPalo_AltoCIS Palo Alto Firewall 7 Benchmark L1 v1.0.0
6.19 Ensure all zones have Zone Protection Profiles that drop specially crafted packetsPalo_AltoCIS Palo Alto Firewall 7 Benchmark L1 v1.0.0
6.19 Ensure all zones have Zone Protection Profiles that drop specially crafted packetsPalo_AltoCIS Palo Alto Firewall 6 Benchmark L1 v1.0.0
7.4 Ensure that logging is enabled on built-in default security policiesPalo_AltoCIS Palo Alto Firewall 11 v1.0.0 L1
7.6 Ensure port groups are not configured to VLAN 4095 except for Virtual Guest Tagging (VGT)VMwareCIS VMware ESXi 6.7 v1.3.0 Level 1
7.7 (L1) Ensure Virtual Distributed Switch Netflow traffic is sent to an authorized collectorVMwareCIS VMware ESXi 7.0 v1.4.0 L1
7.7 Ensure Virtual Disributed Switch Netflow traffic is sent to an authorized collectorVMwareCIS VMware ESXi 6.7 v1.3.0 Level 1
F5BI-AS-000031 - The BIG-IP ASM module supporting intermediary services for remote access communications traffic must ensure inbound traffic is monitored for compliance with remote access security policies.F5DISA F5 BIG-IP Application Security Manager 11.x STIG v1r1
F5BI-AS-000167 - The BIG-IP ASM module must be configured to detect code injection attacks launched against application objects including, at a minimum, application URLs and application code, when providing content filtering to virtual servers.F5DISA F5 BIG-IP Application Security Manager 11.x STIG v1r1