NIST 800-53 REV 5 • AUDIT AND ACCOUNTABILITY

AU-5(2) Real-time Alerts

Provide an alert within {{ insert: param, au-05.02_odp.01 }} to {{ insert: param, au-05.02_odp.02 }} when the following audit failure events occur: {{ insert: param, au-05.02_odp.03 }}.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

No related controls listed

Supplemental Guidance

Alerts provide organizations with urgent messages. Real-time alerts provide these messages at information technology speed (i.e., the time from event detection to alert occurs in seconds or less).

Practitioner Notes

For critical events, generate real-time alerts — do not wait for the weekly log review. Security-relevant events that need immediate attention should trigger instant notification.

Example 1: In Microsoft Sentinel, create analytics rules that trigger near-real-time alerts for: multiple failed logon attempts (brute force), new Global Admin role activation, audit log tampering, and malware detection. Route alerts to your SOC team via email, Teams channel, and PagerDuty.

Example 2: In Splunk, create real-time alerts for critical events: Windows Event ID 1102 (Security Log Cleared), 4728/4732 (User added to privileged group), and 4670 (Permissions changed on a sensitive object). Use Splunk's Alert Actions to send to Slack, email, and your incident management platform.
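As an added example (not taken from the catalog page or from any vendor product), the following Python check models the AU-5(2) pattern behind Example 2: it matches constructed Windows Security events against the critical Event IDs listed above, routes each hit to an assumed recipient list, and records whether the alert was raised within an assumed deadline; the deadline and recipients are placeholders for the au-05.02_odp.01 and au-05.02_odp.02 parameters.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed organization-defined values standing in for the ODPs on the page.
ALERT_DEADLINE = timedelta(seconds=60)               # au-05.02_odp.01
ALERT_RECIPIENTS = ["soc-oncall@example.invalid"]    # au-05.02_odp.02
# Critical Event IDs from Example 2 and what each one indicates.
CRITICAL_EVENT_IDS = {
    1102: "Security log cleared",
    4728: "Member added to global security group",
    4732: "Member added to local security group",
    4670: "Permissions changed on an object",
}

@dataclass
class SecurityEvent:
    event_id: int
    timestamp: datetime   # when the host recorded the event
    computer: str
    subject: str          # account that performed the action

@dataclass
class Alert:
    event: SecurityEvent
    reason: str
    recipients: list
    within_deadline: bool  # False means the AU-5(2) timing requirement was missed

def evaluate(events, now):
    """Return one Alert per critical event, checked against the deadline."""
    alerts = []
    for ev in events:
        reason = CRITICAL_EVENT_IDS.get(ev.event_id)
        if reason is None:
            continue  # not one of the events that requires a real-time alert
        on_time = (now - ev.timestamp) <= ALERT_DEADLINE
        alerts.append(Alert(ev, reason, list(ALERT_RECIPIENTS), on_time))
    return alerts

# Constructed sample events (not real telemetry).
T0 = datetime(2024, 1, 15, 9, 0, 0, tzinfo=timezone.utc)
NOW = T0 + timedelta(seconds=20)
SAMPLE_EVENTS = [
    SecurityEvent(4624, T0, "DC01", "alice"),                              # routine logon
    SecurityEvent(1102, T0 + timedelta(seconds=5), "DC01", "svc-backup"),  # 15 s old
    SecurityEvent(4728, T0 - timedelta(minutes=10), "DC01", "bob"),        # delivered late
]

if __name__ == "__main__":
    for a in evaluate(SAMPLE_EVENTS, NOW):
        status = "on time" if a.within_deadline else "LATE"
        print(f"{a.event.event_id} {a.reason} on {a.event.computer} -> {a.recipients} [{status}]")
```

A late alert is itself worth tracking: it shows the alerting pipeline, not just the monitored system, failed the organization-defined time window.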