NIST 800-53 REV 5 • AUDIT AND ACCOUNTABILITY
AU-5(3) — Configurable Traffic Volume Thresholds
Enforce configurable network communications traffic volume thresholds reflecting limits on audit log storage capacity and {{ insert: param, au-05.03_odp }} network traffic above those thresholds.
CMMC Practice Mapping
No direct CMMC mapping
NIST 800-171 Mapping
No direct NIST 800-171 mapping
Related Controls
No related controls listed
Supplemental Guidance
Organizations have the capability to reject or delay the processing of network communications traffic if audit logging information about such traffic is determined to exceed the storage capacity of the system audit logging function. The rejection or delay response is triggered by the established organizational traffic volume thresholds that can be adjusted based on changes to audit log storage capacity.
Practitioner Notes
Set configurable thresholds for traffic volume that, when exceeded, trigger an alert. Sudden spikes in network traffic or log volume can indicate an attack or data exfiltration.
Example 1: On your firewall (Palo Alto, Fortinet), configure traffic threshold alerts. If outbound traffic to any single external IP exceeds 1 GB in an hour, or total outbound traffic spikes 200% above baseline, generate an alert. These can indicate data exfiltration.
Example 2: In your SIEM, create a baseline of normal log event volume per source. If any source suddenly generates 5x its normal volume, alert. In Splunk, use the anomalydetection command or the Machine Learning Toolkit to automatically identify volume anomalies.
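The two checks above as runnable detection logic over constructed data (an added example written for this page, not tooling from NIST, Splunk or any firewall vendor; the host names, IP addresses, byte counts and event counts are made up):

```python
"""Volume-threshold checks in the spirit of AU-5(3): per-destination byte limit,
total-outbound spike over baseline, and per-source event-count anomaly."""
from collections import defaultdict
from datetime import datetime

ONE_GB = 1_000_000_000

# Constructed sample flow records: timestamp, source host, destination IP, bytes out.
SAMPLE_FLOWS = """\
2024-05-01T10:00:05Z host-a 203.0.113.10 400000000
2024-05-01T10:20:11Z host-a 203.0.113.10 450000000
2024-05-01T10:40:59Z host-a 203.0.113.10 300000000
2024-05-01T10:05:00Z host-b 198.51.100.7 50000000
2024-05-01T11:10:00Z host-b 198.51.100.7 60000000
"""

def parse_flows(text):
    """Parse the whitespace-separated flow format used by SAMPLE_FLOWS."""
    flows = []
    for line in text.splitlines():
        ts, src, dst, nbytes = line.split()
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        flows.append((when, src, dst, int(nbytes)))
    return flows

def bytes_per_dest_hour(flows):
    """Sum outbound bytes per (destination IP, hour bucket)."""
    totals = defaultdict(int)
    for when, _src, dst, nbytes in flows:
        totals[(dst, when.strftime("%Y-%m-%dT%H"))] += nbytes
    return totals

def dest_volume_alerts(flows, limit=ONE_GB):
    """Example 1, first rule: destinations that received more than `limit` bytes
    within a single hour. Returns sorted (dest, hour) pairs."""
    return sorted(k for k, v in bytes_per_dest_hour(flows).items() if v > limit)

def total_spike_alert(current_bytes, baseline_bytes, pct_above=200):
    """Example 1, second rule: total outbound volume more than `pct_above`
    percent above the baseline (200% above means more than 3x)."""
    return current_bytes > baseline_bytes * (1 + pct_above / 100)

def source_volume_alerts(hourly_counts, baseline, factor=5):
    """Example 2: sources whose hourly event count exceeds factor x their baseline.
    Sources with no baseline yet are skipped, so they need a baseline built first."""
    return sorted(s for s, n in hourly_counts.items()
                  if s in baseline and n > factor * baseline[s])

if __name__ == "__main__":
    print(dest_volume_alerts(parse_flows(SAMPLE_FLOWS)))
```

The flow for 203.0.113.10 totals 1.15 GB in the 10:00 hour and trips the first rule, while 198.51.100.7 stays well under it in both hours.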