Framework Category
Adverse Event Analysis
Adverse Event Analysis focuses on understanding and assessing abnormal activities by analyzing events against a baseline of expected behavior.
It involves correlating data from multiple sources, evaluating impact and scope, integrating threat intelligence, and determining when events qualify as incidents based on defined thresholds.
Implementation Questions
DE.AE-01
A baseline of network operations and expected data flows for users and systems is established and managed
DE.AE-02
Potentially adverse events are analyzed to better understand associated activities
Does your organization use SIEM or similar tools to continuously monitor log events for malicious and suspicious activity?
Continuous monitoring of log events is essential for detecting security incidents in real time. A Security Information and Event Management (SIEM) solution aggregates logs from many systems, correlates events across them, and alerts security teams to potential threats based on predefined rules or anomaly detection against a baseline of normal activity. This lets organizations identify and respond to security incidents before they escalate into major breaches; the value depends on rules being tuned and on someone actually reviewing the alerts.
Does your organization integrate current cyber threat intelligence feeds into your log analysis and monitoring tools?
Integrating threat intelligence into log analysis tools enhances detection capabilities by providing context about known malicious indicators, attack patterns, and threat actor behaviors. This allows security teams to prioritize alerts based on real-world threat data and identify sophisticated attacks that might otherwise go undetected.
Does your organization conduct regular manual reviews of log events for systems that cannot be adequately monitored through automated means?
Some technologies or systems may generate logs that are difficult to parse or interpret automatically, requiring human review to identify anomalies or security incidents. Examples include specialized equipment, legacy systems, or applications with unique logging formats that automated SIEM tools cannot effectively process.
Does your organization utilize log analysis tools to generate actionable reports from log data?
Log analysis tools help organizations identify security incidents, system anomalies, and compliance issues by processing large volumes of log data into meaningful reports. These tools can detect patterns indicating potential security breaches, performance issues, or unusual user behaviors that might otherwise go unnoticed in raw logs.
DE.AE-03
Information is correlated from multiple sources
Does your organization centralize log data by continuously transferring logs from multiple sources to a consolidated set of log servers?
Centralizing logs on dedicated servers improves security monitoring capabilities by creating a single location for analysis, correlation, and alerting on security events.
Does your organization implement event correlation technology (such as SIEM) to aggregate and analyze security events from multiple sources?
Event correlation technology like Security Information and Event Management (SIEM) systems helps organizations collect, aggregate, and analyze security events from various sources such as firewalls, intrusion detection systems, servers, and applications.
Does your organization actively use cyber threat intelligence to correlate events across multiple log sources?
The subject here is threat-informed correlation: whether cyber threat intelligence (for example, known-malicious IP addresses, domains, file hashes or attacker infrastructure) is applied when connecting events across multiple log sources, so that activity touching a known indicator in the firewall, IDS and authentication logs surfaces as one incident rather than as unrelated low-priority alerts.
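As an added example for DE.AE-02 and DE.AE-03 (not code from the page or from any SIEM product), the following script shows the kind of logic a SIEM rule implements: it normalises lines from three constructed log sources (firewall, IDS, SSH auth), groups them by source address into time windows, and scores each window against a constructed baseline of expected flows, a constructed threat-intelligence indicator list, and a simple behavioural pattern (failed logins followed by a success). All addresses, hostnames, the baseline and the indicator list are made up for illustration.

```python
"""Correlating events from several log sources against a baseline and a CTI list.

Added example, not code from the page or from any product it mentions. The log
lines, the baseline and the indicator list are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs from three sources, already centralised. Timestamps
# are ISO-8601 UTC so events can be ordered across sources.
FIREWALL_LOG = """\
2024-05-01T09:00:01Z fw01 DENY src=203.0.113.45 dst=10.0.0.5 dport=22
2024-05-01T09:00:03Z fw01 DENY src=203.0.113.45 dst=10.0.0.6 dport=22
2024-05-01T09:00:05Z fw01 ALLOW src=203.0.113.45 dst=10.0.0.7 dport=22
2024-05-01T09:10:00Z fw01 ALLOW src=198.51.100.9 dst=10.0.0.7 dport=443
"""
IDS_LOG = """\
2024-05-01T09:00:04Z ids01 ALERT sig="SSH brute force" src=203.0.113.45 dst=10.0.0.7
"""
AUTH_LOG = """\
2024-05-01T09:00:06Z host7 sshd Failed password for root from 203.0.113.45
2024-05-01T09:00:08Z host7 sshd Failed password for root from 203.0.113.45
2024-05-01T09:00:12Z host7 sshd Accepted password for deploy from 203.0.113.45
2024-05-01T09:10:02Z host7 sshd Accepted publickey for deploy from 198.51.100.9
"""

# Constructed baseline: the source addresses expected to reach each monitored host.
BASELINE = {"10.0.0.7": {"198.51.100.9"}}
# Constructed threat-intelligence indicators (IP -> campaign label). Not a real feed.
CTI_INDICATORS = {"203.0.113.45": "scanner-campaign-x"}

ALERT_THRESHOLD = 3
LINE_RE = re.compile(r"^(\S+) (\S+) (.*)$")
SRC_RE = re.compile(r"(?:src=|from )(\d+\.\d+\.\d+\.\d+)")
DST_RE = re.compile(r"dst=(\d+\.\d+\.\d+\.\d+)")


def parse(source, text):
    """Normalise raw lines from one source into dicts with ts/src/dst/msg."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, host, msg = m.groups()
        src, dst = SRC_RE.search(msg), DST_RE.search(msg)
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "source": source,
            "src": src.group(1) if src else None,
            "dst": dst.group(1) if dst else host,  # auth logs: the logging host is the target
            "msg": msg,
        })
    return events


def assess(src, group):
    """Score one time window of events from a single source IP."""
    score, reasons = 0, []
    sources = {e["source"] for e in group}
    if len(sources) >= 2:                       # corroborated by more than one source
        score += 1
        reasons.append(f"seen in {len(sources)} sources: {sorted(sources)}")
    if src in CTI_INDICATORS:                   # threat-intel enrichment
        score += 3
        reasons.append("CTI match: " + CTI_INDICATORS[src])
    if any(e["dst"] in BASELINE and src not in BASELINE[e["dst"]] for e in group):
        score += 1
        reasons.append("outside baseline for a monitored host")
    failed = sum("Failed password" in e["msg"] for e in group)
    if failed and any("Accepted" in e["msg"] for e in group):
        score += 3
        reasons.append(f"{failed} failed logins followed by a success")
    return {"src": src, "score": score, "events": len(group), "reasons": reasons}


def correlate(events, window=timedelta(seconds=60)):
    """Group events by source IP into windows of `window` length and score each."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["src"]:
            by_src[e["src"]].append(e)
    alerts = []
    for src, evs in by_src.items():
        groups = []
        for e in evs:
            if groups and e["ts"] - groups[-1][0]["ts"] <= window:
                groups[-1].append(e)
            else:
                groups.append([e])
        alerts.extend(assess(src, g) for g in groups)
    return sorted(alerts, key=lambda a: -a["score"])


def triage(logs=None):
    """Parse every source, correlate, and keep only windows above the threshold."""
    logs = logs or {"firewall": FIREWALL_LOG, "ids": IDS_LOG, "auth": AUTH_LOG}
    events = [e for name, text in logs.items() for e in parse(name, text)]
    return [a for a in correlate(events) if a["score"] >= ALERT_THRESHOLD]


if __name__ == "__main__":
    for alert in triage():
        print(alert)
```

Run on its own, the script raises one alert for 203.0.113.45 (seen by all three sources, on the indicator list, outside the baseline for 10.0.0.7, and showing failed logins followed by a success) and none for 198.51.100.9, whose activity matches the baseline. The weights are illustrative; the point is that a single-source rule would have produced three weak alerts instead of one strong one.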
DE.AE-04
The estimated impact and scope of adverse events are understood
Does your organization utilize SIEM systems or similar tools to estimate, review, and refine the impact and scope of security incidents?
Security Information and Event Management (SIEM) tools help organizations collect, analyze, and correlate security event data from multiple sources to identify potential security incidents and assess their impact.
Does your organization allow individuals to create their own estimates of impact and scope for security assessments or risk evaluations?
The concern here is consistency in how impact and scope are sized: whether individuals are left to produce their own estimates for assessments without standardized guidance or oversight. Ad hoc estimates lead to inconsistent risk assessments, subjective prioritization, and security concerns that are overlooked because assessors differ in expertise and perspective. A shared scale (for example, defined impact levels tied to asset criticality) with review of the resulting estimates avoids this.
DE.AE-06
Information on adverse events is provided to authorized staff and tools
Does your organization utilize cybersecurity software that generates alerts which are monitored and actioned by your security operations center (SOC) or incident response team?
This assesses active security monitoring: whether you run cybersecurity software that generates alerts, and whether your SOC or incident response team monitors and acts on them. Effective monitoring requires both the technical capability to detect suspicious activity and the operational process to review and respond to the alerts it produces; an alert nobody reads provides no detection.
Do incident responders and authorized personnel have 24/7 access to log analysis findings?
The issue is around-the-clock visibility: whether incident responders and other authorized staff can reach log analysis findings at any hour, every day, not only during business hours. Adverse events that begin overnight or at a weekend still need triage, so access to the SIEM, dashboards and reports should not depend on one person or on office hours.
Does your organization automatically generate and assign tickets in your ticketing system when specific security alerts are triggered?
Automatic ticket creation ensures that security alerts are promptly addressed by creating accountability through assignment and providing a trackable workflow. This practice helps prevent alerts from being overlooked during high-volume incidents and establishes a documented response history for each security event. The automation reduces response time and human error in the triage process.
Does your organization have a documented process for manually creating and assigning tickets in your ticketing system when technical staff discover potential security incidents or indicators of compromise?
The focus is incident ticketing: whether you have a documented process for manually creating and assigning tickets when staff notice potential security incidents or indicators of compromise that no automated rule caught. The manual path should land in the same ticketing system and queues as automated alerts so that both are tracked and prioritized together.
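As an added example for the two ticketing questions above (not code from the page or from any ticketing product), the following script models the alert-to-ticket path: automated alerts are routed to a queue and priority from a routing table, repeats of the same (rule, entity) pair inside a one-hour window are folded into the existing ticket so a noisy detector cannot flood the queue, and engineers can open a ticket manually for something they found themselves. The routing table, dedup window and sample alerts are constructed.

```python
"""Opening tickets from security alerts: automatic path with deduplication and
routing, plus a manual path for findings an engineer reports.

Added example, not from the page or from any ticketing product. The routing
table, dedup window and sample alerts are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed routing table: alert rule -> (assignee queue, priority).
ROUTING = {
    "malware-detected": ("endpoint-team", "P1"),
    "brute-force-ssh": ("soc-tier1", "P2"),
    "cti-indicator-match": ("soc-tier2", "P2"),
}
DEFAULT_ROUTE = ("soc-triage", "P3")   # unknown rules still get a ticket, never dropped
DEDUP_WINDOW = timedelta(hours=1)      # repeats of (rule, entity) fold into one ticket


@dataclass
class Ticket:
    id: int
    rule: str
    entity: str
    assignee: str
    priority: str
    opened: datetime
    origin: str          # "auto" or "manual:<reporter>"
    occurrences: int = 1


class TicketQueue:
    def __init__(self):
        self.tickets = []

    def _open(self, rule, entity, assignee, priority, when, origin):
        t = Ticket(len(self.tickets) + 1, rule, entity, assignee, priority, when, origin)
        self.tickets.append(t)
        return t

    def from_alert(self, alert):
        """Automatic path: fold repeats inside the dedup window, else open and assign."""
        rule, entity, ts = alert["rule"], alert["entity"], alert["ts"]
        for t in self.tickets:
            if ((t.rule, t.entity) == (rule, entity) and t.origin == "auto"
                    and timedelta(0) <= ts - t.opened <= DEDUP_WINDOW):
                t.occurrences += 1      # same thing again: count it, do not re-page
                return t
        assignee, priority = ROUTING.get(rule, DEFAULT_ROUTE)
        return self._open(rule, entity, assignee, priority, ts, "auto")

    def from_analyst(self, reporter, summary, entity, when, priority="P2"):
        """Manual path: an engineer records a suspected incident or IOC they found."""
        return self._open(f"manual:{summary}", entity, "soc-tier1", priority, when,
                          f"manual:{reporter}")

    def open_by_assignee(self):
        """Workload view: how many tickets each queue currently holds."""
        counts = {}
        for t in self.tickets:
            counts[t.assignee] = counts.get(t.assignee, 0) + 1
        return counts


def demo():
    """Constructed alert burst: three repeats, an unknown rule, a P1, a late repeat, a manual report."""
    q = TicketQueue()
    t0 = datetime(2024, 5, 1, 9, 0, 0)
    for i in range(3):   # same brute-force alert three times in ten minutes
        q.from_alert({"rule": "brute-force-ssh", "entity": "10.0.0.7",
                      "ts": t0 + timedelta(minutes=5 * i)})
    q.from_alert({"rule": "new-detector-rule", "entity": "10.0.0.20", "ts": t0})
    q.from_alert({"rule": "malware-detected", "entity": "laptop-42", "ts": t0})
    q.from_alert({"rule": "brute-force-ssh", "entity": "10.0.0.7",
                  "ts": t0 + timedelta(hours=2)})          # outside the window: new ticket
    q.from_analyst("alice", "suspicious cron job", "host9", t0)
    return q


if __name__ == "__main__":
    for t in demo().tickets:
        print(t)
```

The burst of three identical alerts becomes one ticket with `occurrences == 3`, the same alert two hours later becomes a fresh ticket, and a rule the routing table has never seen still gets a ticket in the triage queue rather than vanishing. In a real deployment the dedup key and window would be tuned per rule, and the routing table would live with the detection rules so they are reviewed together.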
DE.AE-07
Cyber threat intelligence and other contextual information are integrated into the analysis
Does your organization securely integrate cyber threat intelligence feeds into your detection systems and provide access to relevant personnel?
Cyber threat intelligence (CTI) feeds provide valuable information about emerging threats, vulnerabilities, and attack patterns that can help organizations detect and respond to security incidents more effectively.
Does your organization have a process to securely share asset inventory information with security detection systems and personnel?
The concern is feeding asset data to your defenses: whether you have a secure process for sharing asset inventory information with detection systems and security staff. Detection needs to know what assets exist, who owns them and how critical they are, so that it can recognise anomalies, flag hosts that are absent from the inventory as potentially unauthorized, and size incidents involving known assets correctly.
Does your organization have a formal process to rapidly acquire, analyze, and respond to vulnerability disclosures affecting your technologies from suppliers, vendors, and third-party security advisories?
The focus is reacting to vulnerability disclosures: whether you have a formal process to rapidly acquire, analyze and respond to advisories affecting your technologies from suppliers, vendors and third-party security advisories. A working process identifies weaknesses promptly so that they can be remediated, or at least detected for, before threat actors exploit them.
DE.AE-08
Incidents are declared when adverse events meet the defined incident criteria
Has your organization established and documented incident criteria that are used to determine when an activity should be declared as a security incident?
The focus is knowing when an event becomes an incident: whether documented incident criteria determine when activity is formally declared a security incident. Effective criteria set thresholds for impact, urgency and scope so that security teams escalate consistently, using both the known characteristics of the activity and reasonable assumptions where facts are still missing.
Does your incident response process account for known false positives when determining incident classification and response criteria?
This examines how known false positives are handled: whether your incident response process accounts for them when classifying incidents and setting response criteria. Unmanaged false positives consume analyst time and cause alert fatigue. The process should record each known false positive with its justification and an owner, review the list periodically so that it does not silently mask real activity, and use historical data and known system behaviors to separate genuine incidents from false alarms.
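As an added example for DE.AE-08, with the asset-inventory context from DE.AE-07 (not code from the page), the following function applies documented incident criteria to a candidate event: known false positives are suppressed with a recorded reason, impact is taken from the asset's criticality in the inventory, urgency from detection confidence, scope from the number of affected hosts, and the event is declared an incident when the combined score or the scope crosses a threshold, or when the rule is one that always warrants declaration. The inventory, false-positive list and thresholds are constructed.

```python
"""Declaring an incident from an adverse event using documented criteria.

Added example, not from the page. The asset inventory, known-false-positive
list and thresholds are constructed; a real process keeps them in a reviewed,
version-controlled location so that changes to them are visible.
"""

# Constructed asset inventory: criticality drives the impact estimate.
ASSETS = {
    "10.0.0.7": {"name": "host7", "criticality": "high"},
    "10.0.0.20": {"name": "dev-box", "criticality": "low"},
}
# Constructed list of documented false positives: (rule, entity) -> justification.
KNOWN_FALSE_POSITIVES = {
    ("port-scan", "10.0.0.50"): "authorised vulnerability scanner (constructed)",
}
IMPACT = {"low": 1, "medium": 2, "high": 3}
URGENCY = {"low": 1, "medium": 2, "high": 3}   # derived from detection confidence
CRITERIA = {
    "total_at_least": 6,      # impact + urgency + capped scope
    "scope_at_least": 5,      # this many hosts is an incident regardless of asset value
    "always_declare": {"ransomware-encryption", "data-exfiltration"},
}


def classify(event):
    """Return 'suppressed', 'event' or 'incident' with the scores behind the decision.

    event: {"rule": str, "entity": str, "confidence": "low"|"medium"|"high",
            "affected_hosts": [str, ...]}
    """
    key = (event["rule"], event["entity"])
    if key in KNOWN_FALSE_POSITIVES:
        return {"decision": "suppressed", "reason": KNOWN_FALSE_POSITIVES[key]}

    notes = []
    asset = ASSETS.get(event["entity"])
    if asset is None:
        # Not in the inventory: size it as medium rather than ignoring it, and
        # record that the entity itself may be an unauthorised asset.
        impact = IMPACT["medium"]
        notes.append("entity not in asset inventory")
    else:
        impact = IMPACT[asset["criticality"]]
    urgency = URGENCY[event["confidence"]]
    scope = len(set(event.get("affected_hosts", [])) | {event["entity"]})
    total = impact + urgency + min(scope, 3)

    declare = (event["rule"] in CRITERIA["always_declare"]
               or scope >= CRITERIA["scope_at_least"]
               or total >= CRITERIA["total_at_least"])
    return {"decision": "incident" if declare else "event",
            "impact": impact, "urgency": urgency, "scope": scope,
            "total": total, "notes": notes}


if __name__ == "__main__":
    samples = [
        {"rule": "port-scan", "entity": "10.0.0.50", "confidence": "low", "affected_hosts": []},
        {"rule": "credential-theft", "entity": "10.0.0.7", "confidence": "high", "affected_hosts": []},
        {"rule": "port-scan", "entity": "10.0.0.99", "confidence": "low", "affected_hosts": []},
    ]
    for s in samples:
        print(s["rule"], s["entity"], classify(s))
```

The same port scan is suppressed when it comes from the documented scanner but scored when it comes from a host the inventory has never seen, and a high-confidence credential-theft detection on a high-criticality host crosses the threshold on its own. Keeping the thresholds in one place, as `CRITERIA` does here, is what makes "consistent escalation" checkable during an audit.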
ResponseHub is the product I wish I had when I was a CTO
Previously I was co-founder and CTO of Progression, a VC backed HR-tech startup used by some of the biggest names in tech.
As our sales grew, security questionnaires quickly became one of my biggest pain points. They were confusing, hard to delegate and arrived like London buses - 3 at a time!
I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

