Who Accessed What and When
The logs never lie. Every request, every change, every access—etched into a trail you can read if you know where to look. NIST 800-53 calls this the “Who Accessed What and When” requirement. It is the anchor for traceability, the mechanism that keeps systems honest and secure.
Under NIST 800-53, security control families like AU (Audit and Accountability) mandate that organizations track user activity with precision. “Who” means identifying the exact account or identity, even when that account belongs to a service or automated process. “What” defines the resource—file, database table, API endpoint, configuration—anything that can be touched or altered. “When” is the timestamp, synchronized to trusted time sources, recorded without gaps.
This is not optional logging. It is about ensuring you can reconstruct events after the fact, detect unauthorized actions in real time, and meet compliance audits without scrambling for missing data. Implementing it starts with centralizing logs from every component of your stack. Applications, databases, network devices, and authentication services must feed into a unified audit stream.
Identity correlation is essential. NIST 800-53 emphasizes linking actions to authenticated users across systems. This often means integrating with your identity provider and embedding session IDs or tokens into every log entry. Without this binding, your “who” becomes guesswork.
For “what,” make resource IDs explicit. Instead of vague entries like “updated record,” log “updated record ID 548 in table customer_info.” The more specific the resource, the stronger your forensic capabilities.
The “when” must be exact. Use UTC, sync with NTP, and ensure all systems log with consistent time formats. Skewed timestamps destroy your timeline and undermine compliance.
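The who, what, and when checks described above, as an added example that is not part of the original article: a checker that runs over JSON-lines audit records and flags entries missing an identity binding, an explicit resource, or a UTC timestamp. The field names (`actor`, `session_id`, `action`, `resource_type`, `resource_id`, `timestamp`) and the sample records are assumptions constructed for illustration, not a schema defined by NIST 800-53.

```python
import json
from datetime import datetime, timedelta

# Assumed field names for this example; NIST 800-53 does not define a schema.
REQUIRED = {"who": ("actor", "session_id"),
            "what": ("action", "resource_type", "resource_id"),
            "when": ("timestamp",)}

def check_event(event):
    """Return findings for one audit event; an empty list means complete."""
    findings = [f"{part}: missing {field}"
                for part, fields in REQUIRED.items() for field in fields
                if not str(event.get(field) or "").strip()]
    ts = event.get("timestamp")
    if ts:
        try:
            # Accept a trailing "Z" on Python versions that do not parse it.
            parsed = datetime.fromisoformat(str(ts).replace("Z", "+00:00"))
        except ValueError:
            findings.append("when: timestamp is not ISO 8601")
        else:
            if parsed.tzinfo is None:
                findings.append("when: timestamp has no UTC offset")
            elif parsed.utcoffset() != timedelta(0):
                findings.append("when: timestamp is not in UTC")
    return findings

def audit(lines):
    """Check JSON-lines records; return {line_number: findings} for bad ones."""
    report = {}
    for number, line in enumerate(lines, start=1):
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            event = None
        findings = (check_event(event) if isinstance(event, dict)
                    else ["record is not a JSON object"])
        if findings:
            report[number] = findings
    return report

# Constructed sample records, not taken from a real system.
SAMPLE = [
    '{"actor": "svc-billing", "session_id": "s-91f2", "action": "update", "resource_type": "table:customer_info", "resource_id": 548, "timestamp": "2024-05-01T12:00:00Z"}',
    '{"actor": "alice", "action": "updated record", "timestamp": "2024-05-01 14:03:11"}',
    '{"actor": "bob", "session_id": "s-77aa", "action": "read", "resource_type": "api", "resource_id": "/v1/invoices/20", "timestamp": "2024-05-01T09:03:11-05:00"}',
]

print(audit(SAMPLE))
```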
Automated monitoring and alerting close the loop. Audit trails are only useful if you can act on them. Map your alerts to key NIST 800-53 controls, then feed them into a SIEM or security response platform. This meets the requirement and strengthens your operational security.
You cannot fake audit readiness. And you cannot delay it. Build it into your architecture from day one and keep it clean.
See “Who Accessed What and When” in action—connect your stack to hoop.dev and watch full compliance-level audit trails go live in minutes.