Does your organization use SIEM or similar tools to continuously monitor log events for malicious and suspicious activity?
Explanation
Continuous monitoring of log events is essential for detecting security incidents in real time. A Security Information and Event Management (SIEM) solution aggregates logs from many systems into one place, normalizes and correlates events across sources, and alerts the security team when predefined rules match or when behaviour deviates from a baseline (anomaly detection). This lets an organization identify and respond to incidents before they escalate into major breaches; without it, the evidence of an intrusion often sits unread in per-host logs.
Evidence could include screenshots of your SIEM dashboard showing active monitoring, documentation of the alert rules you have implemented (including who receives alerts and how they are triaged), or reports generated from your monitoring solution that demonstrate ongoing monitoring of security events.
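The correlation step described above is what turns raw log lines into an alert. The following is an added illustration, not code from this questionnaire or from any SIEM product: a minimal rule engine run over constructed sshd-style log lines (the hostnames, IP addresses, timestamps and message format are made up for the example and may differ from what your systems emit). It implements two typical rules a practitioner would expect a SIEM to carry: a brute-force rule (five or more failed logins from one source within 60 seconds) and a follow-on rule that fires when that same source then logs in successfully, which is the case worth paging someone for.

```python
"""Minimal SIEM-style correlation over constructed sshd log lines (added example).

Rules applied to a stream of syslog-style authentication events:
  1. brute_force: >= THRESHOLD failed logins from one source IP within WINDOW seconds
  2. brute_force_success: a successful login from a source that tripped rule 1,
     within WINDOW seconds of its last failure (possible credential compromise)
All timestamps, hostnames and IPs below are constructed sample data.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Recognises the common OpenSSH "Failed/Accepted password" message form.
# This pattern is an assumption for the example; real deployments normalise
# per log source and distribution.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)

THRESHOLD = 5                   # failures that constitute a brute-force attempt
WINDOW = timedelta(seconds=60)  # sliding window for the failure count

# Constructed sample input: one attacker IP that brute-forces and then succeeds,
# one ordinary user with a single typo, and an unrelated cron line.
SAMPLE_LOG = """\
2024-05-01T10:00:00 host1 sshd[1201]: Failed password for invalid user admin from 198.51.100.7 port 40012 ssh2
2024-05-01T10:00:05 host1 sshd[1202]: Failed password for invalid user admin from 198.51.100.7 port 40013 ssh2
2024-05-01T10:00:09 host1 sshd[1203]: Failed password for root from 198.51.100.7 port 40014 ssh2
2024-05-01T10:00:14 host1 sshd[1204]: Failed password for root from 198.51.100.7 port 40015 ssh2
2024-05-01T10:00:20 host1 sshd[1205]: Failed password for alice from 198.51.100.7 port 40016 ssh2
2024-05-01T10:00:31 host1 sshd[1206]: Accepted password for alice from 198.51.100.7 port 40017 ssh2
2024-05-01T10:02:00 host1 sshd[1210]: Failed password for bob from 203.0.113.5 port 51000 ssh2
2024-05-01T10:02:30 host1 sshd[1211]: Accepted password for bob from 203.0.113.5 port 51001 ssh2
2024-05-01T10:03:00 host1 CRON[1300]: pam_unix(cron:session): session opened for user root
"""


def parse_line(line):
    """Return an event dict for a recognised sshd line, else None (unparsed lines are skipped)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "outcome": m["outcome"],
        "user": m["user"],
        "ip": m["ip"],
    }


def correlate(lines, threshold=THRESHOLD, window=WINDOW):
    """Sliding-window correlation keyed on source IP; returns a list of alert dicts in order."""
    failures = defaultdict(deque)  # ip -> timestamps of failures still inside the window
    flagged = {}                   # ip -> time the brute_force alert fired
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        ip, ts = ev["ip"], ev["ts"]
        q = failures[ip]
        while q and ts - q[0] > window:  # expire failures older than the window
            q.popleft()
        if ev["outcome"] == "Failed":
            q.append(ts)
            if len(q) >= threshold and ip not in flagged:
                flagged[ip] = ts
                alerts.append({"rule": "brute_force", "ip": ip, "count": len(q), "ts": ts})
        elif ip in flagged and q:
            # Success from a flagged source while its last failure is still in the window.
            alerts.append({"rule": "brute_force_success", "ip": ip, "user": ev["user"], "ts": ts})
            del flagged[ip]   # one alert per episode; a new burst can re-trigger
            q.clear()
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG.splitlines()):
        print(alert)
```

Run against the sample, the engine produces exactly two alerts, both for 198.51.100.7: the brute-force alert on the fifth failure and the higher-severity success alert eleven seconds later. Bob's single failure followed by a success produces nothing, and the cron line is ignored because it does not match the parser. The sliding window matters: five failures spread one per minute never reach the threshold, which is the kind of slow-and-low pattern that a separate, longer-window rule or a baseline comparison would need to catch.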
Implementation Example
Use security information and event management (SIEM) or other tools to continuously monitor log events for known malicious and suspicious activity
ID: DE.AE-02.290
Context
- Function
  - DE: DETECT
- Category
  - DE.AE: Adverse Event Analysis
- Sub-Category
  - Potentially adverse events are analyzed to better understand associated activities
Related questions
- Has your organization established and maintained a baseline of network operations and expected data flows for users and systems?
- Does your organization integrate current cyber threat intelligence feeds into your log analysis and monitoring tools?
- Does your organization conduct regular manual reviews of log events for systems that cannot be adequately monitored through automated means?
- Does your organization utilize log analysis tools to generate actionable reports from log data?
- Does your organization centralize log data by continuously transferring logs from multiple sources to a consolidated set of log servers?
- Does your organization implement event correlation technology (such as SIEM) to aggregate and analyze security events from multiple sources?