NIST 800-53 REV 5 • INCIDENT RESPONSE

IR-4(13) Behavior Analysis

Analyze anomalous or suspected adversarial behavior in or related to {{ insert: param, ir-04.13_odp }}.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

No related controls listed

Supplemental Guidance

If the organization maintains a deception environment, an analysis of behaviors in that environment, including resources targeted by the adversary and timing of the incident or event, can provide insight into adversarial tactics, techniques, and procedures. External to a deception environment, the analysis of anomalous adversarial behavior (e.g., changes in system performance or usage patterns) or suspected behavior (e.g., changes in searches for the location of specific resources) can give the organization such insight.

Practitioner Notes

Sometimes you detect suspicious behavior before a clear incident is declared: unusual network traffic, abnormal login patterns, or unexpected system changes. This enhancement requires you to analyze that anomalous behavior proactively, rather than waiting for it to become a confirmed incident.

Example 1: Enable User and Entity Behavior Analytics (UEBA) in Microsoft Sentinel or Splunk UBA. These tools baseline normal behavior for users and devices, then flag anomalies like a user suddenly downloading gigabytes of data or logging in from an unusual location.

Example 2: Use network detection tools like Darktrace or Zeek to monitor for unusual network patterns: unexpected outbound connections, lateral movement between servers, or DNS queries to newly registered domains. Have your analysts investigate flagged behaviors daily.
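As an added illustration (not part of the control text, and not code from Sentinel, Splunk, Darktrace or Zeek), the Python below shows the baseline-then-flag logic that UEBA tooling performs, run over a constructed set of login and download events: it learns each user's usual login locations and download volume, then flags a login from an unseen location, a download far above the user's own norm, and activity from a user with no baseline at all. Event format, thresholds and user names are assumptions chosen for the example.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample audit events, not real data: (user, event, location, bytes)
BASELINE_EVENTS = [
    ("alice", "login", "Boston", 0), ("alice", "download", "Boston", 2_000_000),
    ("alice", "download", "Boston", 3_000_000), ("alice", "download", "Boston", 2_500_000),
    ("bob", "login", "Denver", 0), ("bob", "download", "Denver", 500_000),
    ("bob", "download", "Denver", 700_000),
]
NEW_EVENTS = [
    ("alice", "login", "Boston", 0),               # normal
    ("alice", "download", "Boston", 2_800_000),    # normal
    ("bob", "login", "Kyiv", 0),                   # location never seen for bob
    ("bob", "download", "Kyiv", 40_000_000_000),   # tens of GB against a ~600 KB baseline
    ("carol", "login", "Denver", 0),               # no baseline at all
]

def build_baseline(events):
    """Per-user profile: login locations seen plus download-size mean/stdev."""
    locations, sizes = defaultdict(set), defaultdict(list)
    for user, kind, location, nbytes in events:
        if kind == "login":
            locations[user].add(location)
        elif kind == "download":
            sizes[user].append(nbytes)
    profile = {}
    for user in set(locations) | set(sizes):
        s = sizes[user]
        profile[user] = {"locations": locations[user],
                         "mean": mean(s) if s else 0.0,
                         "stdev": pstdev(s) if len(s) > 1 else 0.0}
    return profile

def score_events(events, profile, z=3.0, min_ratio=10.0):
    """Return (event, reason) for each event that deviates from its user's baseline."""
    findings = []
    for event in events:
        user, kind, location, nbytes = event
        p = profile.get(user)
        if p is None:
            findings.append((event, "no behavioral baseline for this user"))
        elif kind == "login" and location not in p["locations"]:
            findings.append((event, f"login from unseen location {location}"))
        elif kind == "download":
            # Flag only if well above the user's own distribution AND far above its mean,
            # so a flat baseline (stdev 0) does not fire on tiny fluctuations.
            limit = max(p["mean"] + z * p["stdev"], p["mean"] * min_ratio)
            if nbytes > limit:
                findings.append((event, f"download of {nbytes} bytes exceeds {limit:.0f}"))
    return findings
```

Calling `score_events(NEW_EVENTS, build_baseline(BASELINE_EVENTS))` returns three findings (bob's unseen location, bob's oversized download, and carol's missing baseline); in practice the baseline window would be rebuilt periodically so that legitimate behavior drift does not accumulate as alerts.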