NIST 800-53 REV 5 • ACCESS CONTROL

AC-2(12)Account Monitoring for Atypical Usage

Monitor system accounts for {{ insert: param, ac-02.12_odp.01 }}; and report atypical usage of system accounts to {{ insert: param, ac-02.12_odp.02 }}.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

Supplemental Guidance

Atypical usage includes accessing systems at certain times of the day or from locations that are not consistent with the normal usage patterns of individuals. Monitoring for atypical usage may reveal rogue behavior by individuals or an attack in progress. Account monitoring may inadvertently create privacy risks since data collected to identify atypical usage may reveal previously unknown information about the behavior of individuals. Organizations assess and document privacy risks from monitoring accounts for atypical usage in their privacy impact assessment and make determinations that are in alignment with their privacy program plan.

Practitioner Notes

This goes beyond basic monitoring: you need to watch for account behavior that departs from each account's established baseline. Someone logging in at 3 AM from a foreign country, or an account suddenly accessing files it has never touched before, should raise a flag.

Example 1: Enable Azure AD Identity Protection and review the Risky sign-ins and Risky users reports weekly. Configure automatic responses: medium-risk sign-ins require MFA; high-risk sign-ins are blocked and the security team is notified. These detections cover impossible travel, anonymous IP usage, and password spray attacks.

Example 2: In Splunk, create a saved search that flags any user account with more than 5 failed logon attempts (Event ID 4625) within 10 minutes, or any account accessing more than 50 unique files within an hour. Send these alerts to a dedicated Slack channel for your security team to triage.
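As an added example (not from this page, NIST, or Splunk), the two rules from Example 2 implemented as sliding-window checks in Python over constructed sample events, so the thresholds can be exercised offline before they are turned into a saved search. Event ID 4663 (Windows object access) is an assumption for the file-access rule; the page names only 4625.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_LOGON = 4625   # failed logon, as named on the page
OBJECT_ACCESS = 4663  # assumed: Windows "attempt to access an object" event

def build_sample_events():
    """Constructed sample events as (timestamp, event_id, account, object); not real logs."""
    ev = []
    # jdoe: 6 failed logons inside 6 minutes -> more than 5 within 10 minutes
    ev += [(f"2024-03-01T03:{m:02d}:00", FAILED_LOGON, "jdoe", None) for m in range(6)]
    # asmith: exactly 5 failures -> at the threshold, not over it
    ev += [(f"2024-03-01T04:{m:02d}:00", FAILED_LOGON, "asmith", None) for m in range(5)]
    # svc_backup: 51 distinct files within 51 minutes -> more than 50 in an hour
    ev += [(f"2024-03-01T10:{m:02d}:00", OBJECT_ACCESS, "svc_backup", f"share/doc{m}.docx")
           for m in range(51)]
    # bwayne: 60 accesses but only 20 distinct files -> not atypical by this rule
    ev += [(f"2024-03-01T11:{m:02d}:00", OBJECT_ACCESS, "bwayne", f"share/rpt{m % 20}.xlsx")
           for m in range(60)]
    return ev

def _sliding(events, event_id, window, count, limit):
    """Flag accounts whose windowed queue of `event_id` events has count(queue) > limit."""
    flagged, recent = set(), defaultdict(deque)
    for ts, eid, account, obj in sorted(events, key=lambda e: e[0]):
        if eid != event_id:
            continue
        t = datetime.fromisoformat(ts)
        q = recent[account]
        q.append((t, obj))
        while q and t - q[0][0] > window:   # drop entries older than the window
            q.popleft()
        if count(q) > limit:
            flagged.add(account)
    return flagged

def failed_logon_bursts(events, limit=5, window=timedelta(minutes=10)):
    """Accounts with more than `limit` 4625 events in any `window` (first rule)."""
    return _sliding(events, FAILED_LOGON, window, len, limit)

def file_access_spikes(events, limit=50, window=timedelta(hours=1)):
    """Accounts touching more than `limit` unique objects in any `window` (second rule)."""
    return _sliding(events, OBJECT_ACCESS, window, lambda q: len({o for _, o in q}), limit)

if __name__ == "__main__":
    ev = build_sample_events()
    print("failed-logon bursts:", failed_logon_bursts(ev))  # {'jdoe'}
    print("file-access spikes:", file_access_spikes(ev))    # {'svc_backup'}
```

The boundary cases (exactly 5 failures, many accesses to few files) stay quiet, which is the behaviour to confirm before routing alerts to the triage channel.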