All posts
ConceptsOctober 16, 20251 min read

Who Accessed What and When

The logs never lie. Every request, every change, every access—etched into a trail you can read if you know where to look. NIST 800-53 calls this the “Who Accessed What and When” requirement. It is the anchor for traceability, the mechanism that keeps systems honest and secure. Under NIST 800-53, security control families like AU (Audit and Accountability) mandate that organizations track user activity with precision. “Who” means identifying the exact account or identity, even when that account

Free White Paper

Accessed What: The Complete Guide

Architecture patterns, implementation strategies, and security best practices. Delivered to your inbox.

Free. No spam. Unsubscribe anytime.
Andrios Robert

The logs never lie. Every request, every change, every access—etched into a trail you can read if you know where to look. NIST 800-53 calls this the “Who Accessed What and When” requirement. It is the anchor for traceability, the mechanism that keeps systems honest and secure.

Under NIST 800-53, security control families like AU (Audit and Accountability) mandate that organizations track user activity with precision. “Who” means identifying the exact account or identity, even when that account belongs to a service or automated process. “What” defines the resource—file, database table, API endpoint, configuration—anything that can be touched or altered. “When” is the timestamp, synchronized to trusted time sources, recorded without gaps.

This is not optional logging. It is about ensuring you can reconstruct events after the fact, detect unauthorized actions in real time, and meet compliance audits without scrambling for missing data. Implementing it starts with centralizing logs from every component of your stack. Applications, databases, network devices, and authentication services must feed into a unified audit stream.

Identity correlation is essential. NIST 800-53 emphasizes linking actions to authenticated users across systems. This often means integrating with your identity provider and embedding session IDs or tokens into every log entry. Without this binding, your “who” becomes guesswork.

Continue reading? Get the full guide.

Accessed What: Architecture Patterns & Best Practices

Free. No spam. Unsubscribe anytime.

For “what,” make resource IDs explicit. Instead of vague entries like “updated record,” log “updated record ID 548 in table customer_info.” The more specific the resource, the stronger your forensic capabilities.

The “when” must be exact. Use UTC, sync with NTP, and ensure all systems log with consistent time formats. Skewed timestamps destroy your timeline and undermine compliance.

Automated monitoring and alerting close the loop. Audit trails are only useful if you can act on them. Map your alerts to key NIST 800-53 controls, then feed them into a SIEM or security response platform. This meets the requirement and strengthens your operational security.

You cannot fake audit readiness. And you cannot delay it. Build it into your architecture from day one and keep it clean.

See “Who Accessed What and When” in action—connect your stack to hoop.dev and watch full compliance-level audit trails go live in minutes.

Get started

See hoop.dev in action

One gateway for every database, container, and AI agent. Deploy in minutes.

Get a demoMore posts