800-53|SI-4(4)

Title

INBOUND AND OUTBOUND COMMUNICATIONS TRAFFIC

Description

The information system monitors inbound and outbound communications traffic [Assignment: organization-defined frequency] for unusual or unauthorized activities or conditions.

Supplemental

Unusual/unauthorized activities or conditions related to information system inbound and outbound communications traffic include, for example, internal traffic that indicates the presence of malicious code within organizational information systems or propagating among system components, the unauthorized exporting of information, or signaling to external information systems. Evidence of malicious code is used to identify potentially compromised information systems or information system components.

Reference Item Details

Category: SYSTEM AND INFORMATION INTEGRITY

Parent Title: INFORMATION SYSTEM MONITORING

Family: SYSTEM AND INFORMATION INTEGRITY

Baseline Impact: MODERATE,HIGH

Audit Items

View all Reference Audit Items

NamePluginAudit Name
2.1.10 [LEGACY] Ensure That Microsoft Defender for DNS Is Set To 'On'microsoft_azureCIS Microsoft Azure Foundations v2.1.0 L2
2.2.1 Ensure That Microsoft Defender for IoT Hub Is Set To 'On'microsoft_azureCIS Microsoft Azure Foundations v2.1.0 L2
3.4 Ensure logging is enabled on all firewall policiesFortiGateCIS Fortigate 7.0.x Level 1 v1.2.0
3.7 Ensure VPC flow logging is enabled in all VPCsamazon_awsCIS Amazon Web Services Foundations L2 3.0.0
3.8 Ensure that VPC Flow Logs is Enabled for Every Subnet in a VPC NetworkGCPCIS Google Cloud Platform v3.0.0 L2
4.1.1 Detect Botnet connectionsFortiGateCIS Fortigate 7.0.x Level 2 v1.2.0
4.4.3 Ensure all Application Control related traffic is loggedFortiGateCIS Fortigate 7.0.x Level 1 v1.2.0
5.1.5 Ensure that Network Security Group Flow logs are captured and sent to Log Analyticsmicrosoft_azureCIS Microsoft Azure Foundations v2.1.0 L2
5.2 Ensure forwarding is enabled for all applications and file types in WildFire file blocking profilesPalo_AltoCIS Palo Alto Firewall 6 Benchmark L1 v1.0.0
5.2 Ensure forwarding is enabled for all applications and file types in WildFire file blocking profilesPalo_AltoCIS Palo Alto Firewall 7 Benchmark L1 v1.0.0
5.2.2.6 Enable Azure AD Identity Protection user risk policiesmicrosoft_azureCIS Microsoft 365 Foundations E5 L2 v3.0.0
5.2.2.7 Enable Azure AD Identity Protection sign-in risk policiesmicrosoft_azureCIS Microsoft 365 Foundations E5 L2 v3.0.0
5.3 Ensure a WildFire file blocking profile is enabled for all security policies allowing Internet traffic flowsPalo_AltoCIS Palo Alto Firewall 6 Benchmark L1 v1.0.0
5.3 Ensure a WildFire file blocking profile is enabled for all security policies allowing Internet traffic flowsPalo_AltoCIS Palo Alto Firewall 7 Benchmark L1 v1.0.0
5.5 Ensure all WildFire session information settings are enabledPalo_AltoCIS Palo Alto Firewall 6 Benchmark L1 v1.0.0
5.5 Ensure all WildFire session information settings are enabledPalo_AltoCIS Palo Alto Firewall 7 Benchmark L1 v1.0.0
6.1 Ensure at least one antivirus profile is set to block on all decoders except 'imap' and 'pop3'Palo_AltoCIS Palo Alto Firewall 6 Benchmark L1 v1.0.0
6.1 Ensure at least one antivirus profile is set to block on all decoders except 'imap' and 'pop3'Palo_AltoCIS Palo Alto Firewall 7 Benchmark L1 v1.0.0
6.3 Ensure an anti-spyware profile is configured to block on all spyware severity levels, categories, and threatsPalo_AltoCIS Palo Alto Firewall 7 Benchmark L1 v1.0.0
6.3 Ensure an anti-spyware profile is configured to block on all spyware severity levels, categories, and threatsPalo_AltoCIS Palo Alto Firewall 6 Benchmark L1 v1.0.0
6.4 Ensure DNS sinkholing is configured on all anti-spyware profiles in usePalo_AltoCIS Palo Alto Firewall 7 Benchmark L1 v1.0.0
6.4 Ensure DNS sinkholing is configured on all anti-spyware profiles in usePalo_AltoCIS Palo Alto Firewall 6 Benchmark L1 v1.0.0
6.5 Ensure passive DNS monitoring is set to enabled on all anti-spyware profiles in usePalo_AltoCIS Palo Alto Firewall 6 Benchmark L1 v1.0.0
6.5 Ensure passive DNS monitoring is set to enabled on all anti-spyware profiles in usePalo_AltoCIS Palo Alto Firewall 7 Benchmark L1 v1.0.0
6.7 Ensure a VPP is set to block attacks against critical and high vulnerabilities, and set to default on med, low, and info vulnsPalo_AltoCIS Palo Alto Firewall 8 Benchmark L1 v1.0.0
6.7 Ensure a Vulnerability Protection Profile is set to block attacks against critical/high, and set to default on medium, low, and infoPalo_AltoCIS Palo Alto Firewall 6 Benchmark L1 v1.0.0
6.7 Ensure a Vulnerability Protection Profile is set to block attacks against critical/high, and set to default on medium, low, and infoPalo_AltoCIS Palo Alto Firewall 7 Benchmark L1 v1.0.0
6.8 Ensure a secure Vulnerability Protection Profile is applied to all security rules allowing trafficPalo_AltoCIS Palo Alto Firewall 7 Benchmark L1 v1.0.0
6.8 Ensure a secure Vulnerability Protection Profile is applied to all security rules allowing trafficPalo_AltoCIS Palo Alto Firewall 6 Benchmark L1 v1.0.0
6.13 Ensure secure URL filtering is enabled for all security policies allowing traffic to the InternetPalo_AltoCIS Palo Alto Firewall 6 Benchmark L1 v1.0.0
6.13 Ensure secure URL filtering is enabled for all security policies allowing traffic to the InternetPalo_AltoCIS Palo Alto Firewall 7 Benchmark L1 v1.0.0
6.14 Ensure alerting after a threshold of credit card or Social Security numbers is detected is enabled - Data Filtering ProfilePalo_AltoCIS Palo Alto Firewall 6 Benchmark L1 v1.0.0
6.14 Ensure alerting after a threshold of credit card or Social Security numbers is detected is enabled - Data Filtering ProfilePalo_AltoCIS Palo Alto Firewall 7 Benchmark L1 v1.0.0
6.15 Ensure a secure Data Filtering profile is applied to all security policies allowing traffic to or from the InternetPalo_AltoCIS Palo Alto Firewall 7 Benchmark L1 v1.0.0
6.15 Ensure a secure Data Filtering profile is applied to all security policies allowing traffic to or from the InternetPalo_AltoCIS Palo Alto Firewall 6 Benchmark L1 v1.0.0
6.19 Ensure all zones have Zone Protection Profiles that drop specially crafted packetsPalo_AltoCIS Palo Alto Firewall 7 Benchmark L1 v1.0.0
6.19 Ensure all zones have Zone Protection Profiles that drop specially crafted packetsPalo_AltoCIS Palo Alto Firewall 6 Benchmark L1 v1.0.0
7.4 Ensure that logging is enabled on built-in default security policiesPalo_AltoCIS Palo Alto Firewall 11 v1.0.0 L1
7.6 Ensure port groups are not configured to VLAN 4095 except for Virtual Guest Tagging (VGT)VMwareCIS VMware ESXi 6.7 v1.3.0 Level 1
7.7 (L1) Ensure Virtual Distributed Switch Netflow traffic is sent to an authorized collectorVMwareCIS VMware ESXi 7.0 v1.4.0 L1
7.7 Ensure Virtual Disributed Switch Netflow traffic is sent to an authorized collectorVMwareCIS VMware ESXi 6.7 v1.3.0 Level 1
F5BI-AS-000239 - The BIG-IP ASM module must continuously monitor inbound communications traffic crossing internal security boundaries for unusual or unauthorized activities or conditions.F5DISA F5 BIG-IP Application Security Manager STIG v2r1
F5BI-LT-000239 - The BIG-IP Core implementation must continuously monitor inbound communications traffic crossing internal security boundaries for unusual or unauthorized activities or conditions.F5DISA F5 BIG-IP Local Traffic Manager STIG v2r3
JUSX-AG-000144 - The Juniper SRX Services Gateway Firewall must continuously monitor all inbound communications traffic for unusual/unauthorized activities or conditions.JuniperDISA Juniper SRX Services Gateway ALG v2r1
JUSX-AG-000145 - The Juniper SRX Services Gateway Firewall must continuously monitor outbound communications traffic for unusual/unauthorized activities or conditions.JuniperDISA Juniper SRX Services Gateway ALG v2r1
PANW-AG-000115 - The Palo Alto Networks security platform must continuously monitor inbound communications traffic crossing internal security boundaries.Palo_AltoDISA STIG Palo Alto ALG v2r4
PANW-AG-000116 - The Palo Alto Networks security platform must continuously monitor outbound communications traffic crossing internal security boundaries.Palo_AltoDISA STIG Palo Alto ALG v2r4
PANW-IP-000049 - The Palo Alto Networks security platform must continuously monitor inbound communications traffic for unusual/unauthorized activities or conditions.Palo_AltoDISA STIG Palo Alto IDPS v2r3
PANW-IP-000050 - The Palo Alto Networks security platform must continuously monitor outbound communications traffic for unusual/unauthorized activities or conditions.Palo_AltoDISA STIG Palo Alto IDPS v2r3
SYMP-AG-000640 - Reverse proxy Symantec ProxySG providing content filtering must continuously monitor inbound communications traffic crossing internal security boundaries for unusual or unauthorized activities or conditions.BlueCoatDISA Symantec ProxySG Benchmark ALG v1r3