NIST 800-53 REV 5 • SYSTEM AND INFORMATION INTEGRITY
SI-4(5) — System-generated Alerts
Alert {{ insert: param, si-04.05_odp.01 }} when the following system-generated indications of compromise or potential compromise occur: {{ insert: param, si-04.05_odp.02 }}.
Supplemental Guidance
Alerts may be generated from a variety of sources, including audit records or inputs from malicious code protection mechanisms, intrusion detection or prevention mechanisms, or boundary protection devices such as firewalls, gateways, and routers. Alerts can be automated and may be transmitted telephonically, by electronic mail messages, or by text messaging. Organizational personnel on the alert notification list can include system administrators, mission or business owners, system owners, information owners/stewards, senior agency information security officers, senior agency officials for privacy, system security officers, or privacy officers. In contrast to alerts generated by the system, alerts generated by organizations in [SI-4(12)](#si-4.12) focus on information sources external to the system, such as suspicious activity reports and reports on potential insider threats.
Practitioner Notes
Configure your monitoring systems to generate alerts when specific indicators of compromise or suspicious events occur — do not rely on humans scanning through logs manually.
Example 1: In your SIEM, create alert rules for high-priority events: account lockouts, privileged account usage outside business hours, new administrative accounts created, security software disabled, and connections to threat intelligence indicators. Route alerts to your security team's phone.
Example 2: Configure Microsoft Defender for Endpoint to send email and SMS alerts for high and critical severity detections. Integrate with your ticketing system (ServiceNow, Jira) so every alert automatically creates a tracking ticket that must be investigated and resolved.
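As an added illustration of the Example 1 rule set (not part of the NIST text or any vendor product), the following Python evaluates constructed log events against rules for the indicators listed above; the field names, event types, privileged-account list and business-hours window are assumptions.

```python
# Added example, not from the NIST text: a minimal SIEM-style alert-rule
# evaluator for the Example 1 indicators. Log lines are constructed; field
# names, event types and the business-hours window are assumptions.
from datetime import datetime, time

PRIVILEGED = {"admin", "svc_backup"}        # assumed privileged accounts
BUSINESS_HOURS = (time(8, 0), time(18, 0))  # assumed window, local time
THREAT_INTEL_IPS = {"203.0.113.7"}          # constructed indicator (TEST-NET-3)
SECURITY_SERVICES = {"edr", "antivirus"}    # assumed protective services

def parse_event(line):
    """Parse a constructed 'key=value' log line into a dict."""
    return dict(kv.split("=", 1) for kv in line.split())

def evaluate(event):
    """Return (severity, rule) alerts raised by one parsed event."""
    alerts = []
    etype = event.get("type")
    if etype == "account_lockout":
        alerts.append(("high", "account_lockout"))
    if etype == "logon" and event.get("user") in PRIVILEGED:
        start, end = BUSINESS_HOURS
        if not start <= datetime.fromisoformat(event["ts"]).time() <= end:
            alerts.append(("high", "privileged_logon_outside_hours"))
    if etype == "user_created" and event.get("group") == "Administrators":
        alerts.append(("critical", "new_admin_account"))
    if etype == "service_stop" and event.get("service") in SECURITY_SERVICES:
        alerts.append(("critical", "security_software_disabled"))
    if event.get("dst_ip") in THREAT_INTEL_IPS:
        alerts.append(("critical", "threat_intel_match"))
    return alerts

SAMPLE_LOG = [  # constructed sample events
    "ts=2024-05-06T02:13:00 type=logon user=admin src=10.0.0.5",
    "ts=2024-05-06T10:00:00 type=logon user=admin src=10.0.0.5",
    "ts=2024-05-06T10:05:00 type=user_created user=newadm group=Administrators",
    "ts=2024-05-06T10:06:00 type=service_stop service=edr host=ws01",
    "ts=2024-05-06T10:07:00 type=connect dst_ip=203.0.113.7 host=ws01",
    "ts=2024-05-06T11:00:00 type=account_lockout user=jdoe",
]

def run(lines=SAMPLE_LOG):
    """Evaluate every line; return (ts, severity, rule) tuples to route."""
    out = []
    for line in lines:
        ev = parse_event(line)
        out.extend((ev["ts"], sev, rule) for sev, rule in evaluate(ev))
    return out
```

The returned tuples are what a real deployment would hand to the notification path (phone, email, SMS or a ticketing integration) named in the examples above.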