Framework Category
Adverse Event Analysis
Adverse Event Analysis focuses on understanding and assessing abnormal activities by analyzing events against a baseline of expected behavior.
It involves correlating data from multiple sources, evaluating impact and scope, integrating threat intelligence, and determining when events qualify as incidents based on defined thresholds.
Implementation Questions
DE.AE-01
A baseline of network operations and expected data flows for users and systems is established and managed
DE.AE-02
Potentially adverse events are analyzed to better understand associated activities
Does your organization use SIEM or similar tools to continuously monitor log events for malicious and suspicious activity?
Continuous monitoring of log events is essential for detecting security incidents in real time. A Security Information and Event Management (SIEM) solution aggregates logs from various systems, correlates events, and alerts security teams to potential threats based on predefined rules or anomaly detection. This enables organizations to identify and respond to security incidents before they escalate into major breaches.
Does your organization integrate current cyber threat intelligence feeds into your log analysis and monitoring tools?
Integrating threat intelligence into log analysis tools enhances detection capabilities by providing context about known malicious indicators, attack patterns, and threat actor behaviors. This allows security teams to prioritize alerts based on real-world threat data and identify sophisticated attacks that might otherwise go undetected.
Does your organization conduct regular manual reviews of log events for systems that cannot be adequately monitored through automated means?
Some technologies or systems may generate logs that are difficult to parse or interpret automatically, requiring human review to identify anomalies or security incidents. Examples include specialized equipment, legacy systems, or applications with unique logging formats that automated SIEM tools cannot effectively process.
Does your organization utilize log analysis tools to generate actionable reports from log data?
Log analysis tools help organizations identify security incidents, system anomalies, and compliance issues by processing large volumes of log data into meaningful reports. These tools can detect patterns indicating potential security breaches, performance issues, or unusual user behaviors that might otherwise go unnoticed in raw logs.
DE.AE-03
Information is correlated from multiple sources
Does your organization centralize log data by continuously transferring logs from multiple sources to a consolidated set of log servers?
Centralizing logs on dedicated servers improves security monitoring capabilities by creating a single location for analysis, correlation, and alerting on security events. This approach protects log integrity by separating logs from the systems that generate them, making it harder for attackers to tamper with evidence of their activities. It also simplifies compliance requirements by standardizing log management and retention practices across the organization.
Does your organization implement event correlation technology (such as SIEM) to aggregate and analyze security events from multiple sources?
Event correlation technology like Security Information and Event Management (SIEM) systems helps organizations collect, aggregate, and analyze security events from various sources such as firewalls, intrusion detection systems, servers, and applications. This centralized approach enables security teams to identify patterns, detect anomalies, and respond to potential security incidents more effectively than reviewing logs from individual systems separately. As evidence, you could provide documentation showing your implemented SIEM solution (e.g., Splunk, IBM QRadar, Microsoft Sentinel), including screenshots of the dashboard, configuration details showing connected data sources, and sample correlation rules or alerts that have been established.
Does your organization actively use cyber threat intelligence to correlate events across multiple log sources?
This question assesses whether your organization leverages external or internal threat intelligence data to identify patterns, anomalies, and potential security incidents by correlating information across different log sources (such as firewall logs, IDS/IPS alerts, authentication logs, and endpoint security logs). Effective correlation helps security teams detect sophisticated attacks that might not be apparent when examining individual log sources in isolation. As evidence, you could provide documentation of your SIEM (Security Information and Event Management) implementation showing threat intelligence feeds integration, screenshots of correlation rules that incorporate threat intelligence data, or reports/dashboards demonstrating how events from multiple sources are correlated based on threat intelligence indicators.
DE.AE-04
The estimated impact and scope of adverse events are understood
Does your organization utilize SIEM systems or similar tools to estimate, review, and refine the impact and scope of security incidents?
Security Information and Event Management (SIEM) tools help organizations collect, analyze, and correlate security event data from multiple sources to identify potential security incidents and assess their impact. These tools provide visibility into the scope of security incidents by aggregating logs from network devices, servers, applications, and security controls, enabling security teams to make informed decisions about incident response priorities and resource allocation.
Does your organization allow individuals to create their own estimates of impact and scope for security assessments or risk evaluations?
This question evaluates whether your organization permits individuals to independently estimate the impact and scope of security issues or projects without standardized guidance or oversight. Allowing individuals to create their own estimates can lead to inconsistent risk assessments, subjective prioritization, and potentially overlooked security concerns due to varying expertise levels and perspectives.
DE.AE-06
Information on adverse events is provided to authorized staff and tools
Does your organization utilize cybersecurity software that generates alerts which are monitored and actioned by your security operations center (SOC) or incident response team?
This question assesses whether your organization has implemented automated security monitoring tools that can detect potential security incidents and generate alerts for timely response. Effective security monitoring requires both the technical capability to detect suspicious activities and the operational processes to review and respond to those alerts.
Do incident responders and authorized personnel have 24/7 access to log analysis findings?
This question assesses whether your organization provides continuous access to log analysis results for incident response team members and other authorized staff. Continuous access to log data is critical during security incidents when timely analysis can significantly reduce response time and limit potential damage. Without immediate access to these findings, incident responders may be unable to effectively investigate and mitigate security events, especially those occurring outside business hours.
Does your organization automatically generate and assign tickets in your ticketing system when specific security alerts are triggered?
Automatic ticket creation ensures that security alerts are promptly addressed by creating accountability through assignment and providing a trackable workflow. This practice helps prevent alerts from being overlooked during high-volume incidents and establishes a documented response history for each security event. The automation reduces response time and human error in the triage process.
Does your organization have a documented process for manually creating and assigning tickets in your ticketing system when technical staff discover potential security incidents or indicators of compromise?
This question assesses whether your organization has formalized the process of tracking and responding to potential security incidents through your ticketing system. When technical staff discover suspicious activities or indicators of compromise, having a standardized process ensures these observations are properly documented, assigned to appropriate personnel, and tracked to resolution rather than being overlooked or handled inconsistently.
DE.AE-07
Cyber threat intelligence and other contextual information are integrated into the analysis
Does your organization securely integrate cyber threat intelligence feeds into your detection systems and provide access to relevant personnel?
Cyber threat intelligence (CTI) feeds provide valuable information about emerging threats, vulnerabilities, and attack patterns that can help organizations detect and respond to security incidents more effectively. Properly integrating these feeds into detection technologies (like SIEM systems, EDR tools, or network monitoring solutions) enables automated alerting and faster response to known threats. Additionally, ensuring security personnel have access to this intelligence helps with threat hunting and incident analysis.
Does your organization have a process to securely share asset inventory information with security detection systems and personnel?
This question assesses whether your organization has established secure methods to provide asset inventory data to security monitoring tools, detection systems, and security personnel. Effective security monitoring requires visibility into what assets exist in your environment so that detection technologies can properly identify anomalies, unauthorized assets, or potential security incidents involving known assets.
Does your organization have a formal process to rapidly acquire, analyze, and respond to vulnerability disclosures affecting your technologies from suppliers, vendors, and third-party security advisories?
This question assesses whether your organization has established procedures to stay informed about new vulnerabilities that could affect your systems and applications. An effective vulnerability disclosure monitoring process helps identify security weaknesses promptly, allowing for timely remediation before they can be exploited by threat actors.
DE.AE-08
Incidents are declared when adverse events meet the defined incident criteria
Has your organization established and documented incident criteria that are used to determine when an activity should be declared as a security incident?
This question assesses whether your organization has defined clear parameters for classifying security events as incidents requiring formal response. Effective incident criteria should include thresholds for impact, urgency, and scope that help security teams consistently determine when to escalate an event to incident status based on both known characteristics and reasonable assumptions about the activity.
Does your incident response process account for known false positives when determining incident classification and response criteria?
This question assesses whether your organization has mechanisms to identify and manage false positive alerts within your security monitoring systems. False positives can consume valuable resources and create alert fatigue if not properly managed. Effective incident response processes should include criteria that help distinguish genuine security incidents from false alarms based on historical data and known system behaviors.
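As an added illustration (not part of the questionnaire or ResponseHub's own code), the following Python sketch shows how the DE.AE-03, DE.AE-07 and DE.AE-08 questions above fit together in practice: events from two constructed log sources are correlated per source IP, enriched with constructed threat-intelligence indicators, and then checked against documented incident criteria that include a known-false-positive allowlist. The log format, indicator values, time window and thresholds are all assumptions made for the example.

```python
from datetime import datetime, timedelta

# Constructed sample data, not from any real environment: two log sources, CTI
# indicators (DE.AE-07) and a false-positive allowlist (DE.AE-08, an internal scanner).
FIREWALL_LOGS = [
    "2024-05-01T10:00:05Z fw src=203.0.113.7 dst=10.0.0.5 dport=22 action=allow",
    "2024-05-01T10:02:00Z fw src=198.51.100.9 dst=10.0.0.8 dport=443 action=allow",
]
AUTH_LOGS = [
    "2024-05-01T10:00:07Z auth src=203.0.113.7 user=admin result=fail",
    "2024-05-01T10:01:12Z auth src=203.0.113.7 user=admin result=success",
    "2024-05-01T10:02:01Z auth src=198.51.100.9 user=scanner result=fail",
]
CTI_INDICATORS = {"203.0.113.7", "198.51.100.9"}
KNOWN_FALSE_POSITIVES = {"198.51.100.9"}

def parse(line):
    # "timestamp source k=v k=v ..." -> dict with a datetime under "ts"
    ts, source, *fields = line.split()
    rec = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "source": source}
    rec.update(f.split("=", 1) for f in fields)
    return rec

def correlate(firewall, auth, window=timedelta(minutes=5)):
    # Group both sources by src IP (DE.AE-03); summarise time-ordered activity within `window`.
    by_src = {}
    for e in sorted(map(parse, firewall + auth), key=lambda r: r["ts"]):
        by_src.setdefault(e["src"], []).append(e)
    summary = {}
    for src, evs in by_src.items():
        evs = [e for e in evs if e["ts"] - evs[0]["ts"] <= window]
        results = [e.get("result") for e in evs]
        fails = results.count("fail")
        summary[src] = {"sources": {e["source"] for e in evs}, "fails": fails,
                        "success_after_fail": fails > 0 and "success" in results[results.index("fail"):],
                        "cti_hit": src in CTI_INDICATORS}
    return summary

def classify(src, s):
    # Documented incident criteria (DE.AE-08) applied to one correlated summary.
    if src in KNOWN_FALSE_POSITIVES:
        return "suppressed"  # known false positive: record it, do not escalate
    if s["cti_hit"] and s["success_after_fail"] and len(s["sources"]) > 1:
        return "incident"    # CTI hit + login after failures, corroborated by 2+ sources
    if s["cti_hit"] or s["fails"] >= 3:
        return "event"       # noteworthy, but below the incident threshold
    return "benign"

def triage(firewall=FIREWALL_LOGS, auth=AUTH_LOGS):
    return {src: classify(src, s) for src, s in correlate(firewall, auth).items()}
```

Running `triage()` on the constructed data declares an incident for 203.0.113.7 and suppresses the allowlisted scanner, which is the kind of reproducible rule an assessor would expect to see documented as the incident criteria.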
ResponseHub is the product I wish I had when I was a CTO
Previously I was co-founder and CTO of Progression, a VC-backed HR-tech startup used by some of the biggest names in tech.
As our sales grew, security questionnaires quickly became one of my biggest pain points. They were confusing, hard to delegate and arrived like London buses - 3 at a time!
I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.