NIST 800-53 REV 5 • AUDIT AND ACCOUNTABILITY
AU-6(2) — Automated Security Alerts
CMMC Practice Mapping
No direct CMMC mapping
NIST 800-171 Mapping
No direct NIST 800-171 mapping
Related Controls
No related controls listed
Practitioner Notes
Set up automated alerts for security-relevant events so your team does not have to manually hunt through logs for problems. The system should tell you when something is wrong.
Example 1: In Microsoft Sentinel, enable the built-in analytics rules for common threats: brute force attacks, impossible travel sign-ins, and suspicious mailbox forwarding rules. Customize the severity levels and notification targets for your organization.
Example 2: In Splunk, create correlation searches that detect multi-stage attacks. For example: alert if Account A has 10+ failed logons (Event ID 4625) followed by a successful logon (Event ID 4624) from a different source IP within 30 minutes — this pattern suggests a successful brute force attack. Route these alerts to your SOC with high priority.
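The correlation described in Example 2, worked as an added Python detector over constructed sample events (this is not the page's or Splunk's code; the threshold of 10 failures and the 30-minute window follow the example above, while the event field names and the sample records are assumptions):

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in the shape a SIEM would hand back from the
# Windows Security log (event_id 4625 = failed logon, 4624 = successful logon).
T0 = datetime(2024, 5, 1, 9, 0, 0)
SAMPLE_EVENTS = (
    # jdoe: 12 failures from one IP, then a success from a different IP 20 min later
    [{"time": T0 + timedelta(minutes=m), "event_id": 4625, "account": "jdoe", "src_ip": "203.0.113.10"} for m in range(12)]
    + [{"time": T0 + timedelta(minutes=20), "event_id": 4624, "account": "jdoe", "src_ip": "198.51.100.7"}]
    # asmith: three typos, then a normal logon from the same workstation
    + [{"time": T0 + timedelta(minutes=m), "event_id": 4625, "account": "asmith", "src_ip": "10.0.0.5"} for m in range(3)]
    + [{"time": T0 + timedelta(minutes=5), "event_id": 4624, "account": "asmith", "src_ip": "10.0.0.5"}]
    # bmiller: 12 failures, but the success comes 45 min after the last one (outside the window)
    + [{"time": T0 + timedelta(minutes=m), "event_id": 4625, "account": "bmiller", "src_ip": "203.0.113.10"} for m in range(12)]
    + [{"time": T0 + timedelta(minutes=56), "event_id": 4624, "account": "bmiller", "src_ip": "198.51.100.7"}]
)


def detect_bruteforce_success(events, threshold=10, window=timedelta(minutes=30)):
    """Alert on a 4624 for an account that is preceded, within `window`, by at
    least `threshold` 4625s for the same account, where the success comes from
    a source IP that did not appear in those failures."""
    by_account = defaultdict(list)
    for ev in events:
        by_account[ev["account"]].append(ev)
    alerts = []
    for account, evs in by_account.items():
        evs.sort(key=lambda ev: ev["time"])  # correlation needs time order
        for idx, ev in enumerate(evs):
            if ev["event_id"] != 4624:
                continue
            earliest = ev["time"] - window
            fails = [f for f in evs[:idx]
                     if f["event_id"] == 4625 and f["time"] >= earliest]
            fail_ips = {f["src_ip"] for f in fails}
            if len(fails) >= threshold and ev["src_ip"] not in fail_ips:
                alerts.append({"account": account, "failures": len(fails),
                               "failure_ips": sorted(fail_ips),
                               "success_ip": ev["src_ip"], "time": ev["time"],
                               "severity": "high"})  # route to the SOC queue
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce_success(SAMPLE_EVENTS):
        print(alert)
```

Only jdoe trips the rule: asmith is under the failure threshold and bmiller's success falls outside the 30-minute window.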