NIST 800-53 r5 · Controls catalogue · Family SI
SI-4 System Monitoring
- Monitor the system to detect:
  - Attacks and indicators of potential attacks in accordance with the following monitoring objectives: {{ insert: param, si-04_odp.01 }}; and
  - Unauthorized local, network, and remote connections;
- Identify unauthorized use of the system through the following techniques and methods: {{ insert: param, si-04_odp.02 }};
- Invoke internal monitoring capabilities or deploy monitoring devices:
  - Strategically within the system to collect organization-determined essential information; and
  - At ad hoc locations within the system to track specific types of transactions of interest to the organization;
- Analyze detected events and anomalies;
- Adjust the level of system monitoring activity when there is a change in risk to organizational operations and assets, individuals, other organizations, or the Nation;
- Obtain legal opinion regarding system monitoring activities; and
- Provide {{ insert: param, si-04_odp.03 }} to {{ insert: param, si-04_odp.04 }} {{ insert: param, si-04_odp.05 }}.
Last updated: 09 May 2026 03:25 UTC
Implementations targeting this control (1)
- aws-config-cloudwatch-alarm-action-check Critical CloudWatch alarms have at least one action AWS::CloudWatch::Alarm partial
ATT&CK techniques this control mitigates (373)
- T1001 Data Obfuscation Command And Control
- T1001.001 Junk Data Command And Control
- T1001.002 Steganography Command And Control
- T1001.003 Protocol or Service Impersonation Command And Control
- T1003 OS Credential Dumping Credential Access
- T1003.001 LSASS Memory Credential Access
- T1003.002 Security Account Manager Credential Access
- T1003.003 NTDS Credential Access
- T1003.004 LSA Secrets Credential Access
- T1003.005 Cached Domain Credentials Credential Access
- T1003.006 DCSync Credential Access
- T1003.007 Proc Filesystem Credential Access
- T1003.008 /etc/passwd and /etc/shadow Credential Access
- T1005 Data from Local System Collection
- T1008 Fallback Channels Command And Control
- T1011 Exfiltration Over Other Network Medium Exfiltration
- T1011.001 Exfiltration Over Bluetooth Exfiltration
- T1020.001 Traffic Duplication Exfiltration
- T1021 Remote Services Lateral Movement
- T1021.001 Remote Desktop Protocol Lateral Movement
- T1021.002 SMB/Windows Admin Shares Lateral Movement
- T1021.003 Distributed Component Object Model Lateral Movement
- T1021.004 SSH Lateral Movement
- T1021.005 VNC Lateral Movement
- T1021.006 Windows Remote Management Lateral Movement
- T1021.008 Direct Cloud VM Connections Lateral Movement
- T1025 Data from Removable Media Collection
- T1027 Obfuscated Files or Information Stealth
- T1027.002 Software Packing Stealth
- T1027.007 Dynamic API Resolution Stealth
- T1027.008 Stripped Payloads Stealth
- T1027.009 Embedded Payloads Stealth
- T1027.010 Command Obfuscation Stealth
- T1027.011 Fileless Storage Stealth
- T1027.012 LNK Icon Smuggling Stealth
- T1029 Scheduled Transfer Exfiltration
- T1030 Data Transfer Size Limits Exfiltration
- T1036 Masquerading Stealth
- T1036.001 Invalid Code Signature Stealth
- T1036.003 Rename Legitimate Utilities Stealth
- T1036.005 Match Legitimate Resource Name or Location Stealth
- T1036.007 Double File Extension Stealth
- T1036.008 Masquerade File Type Stealth
- T1036.010 Masquerade Account Name Stealth
- T1037 Boot or Logon Initialization Scripts Persistence, Privilege Escalation
- T1037.002 Login Hook Persistence, Privilege Escalation
- T1037.003 Network Logon Script Persistence, Privilege Escalation
- T1037.004 RC Scripts Persistence, Privilege Escalation
- T1037.005 Startup Items Persistence, Privilege Escalation
- T1040 Network Sniffing Credential Access, Discovery
Weaknesses this control addresses (9) AI
CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.
| CWE | Name | CVEs | Why this control addresses it |
|---|---|---|---|
| CWE-119 | Improper Restriction of Operations within the Bounds of a Memory Buffer | 14,126 | Detects exploitation attempts that produce memory corruption, crashes, or anomalous behavior. |
| CWE-352 | Cross-Site Request Forgery (CSRF) | 10,337 | Detects anomalous request patterns consistent with cross-site request forgery. |
| CWE-284 | Improper Access Control | 4,832 | Directly detects unauthorized local/network/remote connections and system use that result from improper access control. |
| CWE-287 | Improper Authentication | 4,730 | Detects unauthorized use and connections stemming from authentication bypass or failure. |
| CWE-74 | Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') | 4,689 | Identifies indicators of injection attacks (command, SQL, LDAP, etc.) via anomaly and attack monitoring. |
| CWE-400 | Uncontrolled Resource Consumption | 3,324 | Monitors for resource exhaustion and denial-of-service patterns that indicate uncontrolled consumption. |
| CWE-918 | Server-Side Request Forgery (SSRF) | 2,872 | Detects server-side request forgery through monitoring of unexpected outbound connections. |
| CWE-611 | Improper Restriction of XML External Entity Reference | 1,490 | Identifies XML external entity processing via monitoring of unusual file/network access or resource usage. |
| CWE-693 | Protection Mechanism Failure | 476 | Reveals failures or bypasses of existing protection mechanisms via event and anomaly analysis. |
Top CVEs where this control is the strongest mitigation
| CVE | Risk | CVSS | EPSS | Match |
|---|---|---|---|---|
| CVE-2025-61882 KEV | 9.3 | 9.8 | 0.8938 | good |
| CVE-2025-10035 KEV | 7.3 | 10.0 | 0.5520 | partial |
| CVE-2025-71243 | 7.1 | 9.8 | 0.8541 | partial |
| CVE-2025-20333 KEV | 5.5 | 9.9 | 0.2514 | partial |
| CVE-2026-26980 | 5.1 | 9.4 | 0.5431 | partial |
| CVE-2026-29058 | 5.0 | 9.8 | 0.5086 | partial |
| CVE-2025-25256 | 4.8 | 9.8 | 0.4659 | partial |
| CVE-2022-3180 | 3.4 | 9.8 | 0.2352 | partial |
| CVE-2025-7526 | 2.1 | 9.8 | 0.0164 | partial |
| CVE-2026-22897 | 2.0 | 9.8 | 0.0039 | partial |
| CVE-2026-25070 | 2.0 | 9.8 | 0.0028 | partial |
| CVE-2025-25067 | 2.0 | 9.8 | 0.0092 | partial |
| CVE-2025-4320 | 2.0 | 10.0 | 0.0010 | good |
| CVE-2025-66259 | 2.0 | 9.8 | 0.0047 | partial |
| CVE-2026-23696 | 2.0 | 9.9 | 0.0007 | partial |
| CVE-2025-57515 | 2.0 | 9.8 | 0.0027 | partial |
| CVE-2025-1564 | 2.0 | 9.8 | 0.0019 | partial |
| CVE-2024-55160 | 2.0 | 9.8 | 0.0011 | partial |
| CVE-2025-62025 | 2.0 | 9.8 | 0.0010 | partial |
| CVE-2022-23851 | 2.0 | 9.8 | 0.0010 | partial |
| CVE-2026-31040 | 2.0 | 9.8 | 0.0012 | partial |
| CVE-2026-27650 | 2.0 | 9.8 | 0.0007 | good |
| CVE-2026-32194 | 2.0 | 9.8 | 0.0012 | partial |
| CVE-2026-32191 | 2.0 | 9.8 | 0.0012 | partial |
| CVE-2026-31536 | 2.0 | 9.8 | 0.0005 | partial |