Does your organization conduct regular manual reviews of log events for systems that cannot be adequately monitored through automated means?
Explanation
Some technologies or systems may generate logs that are difficult to parse or interpret automatically, requiring human review to identify anomalies or security incidents. Examples include specialized equipment, legacy systems, or applications with unique logging formats that automated SIEM tools cannot effectively process.
Evidence of compliance could include documented log review procedures, schedules showing when manual reviews occur, review findings/reports, or entries in a security operations tracking system showing completed manual log reviews with timestamps, reviewer names, and any findings.
Implementation Example
Regularly conduct manual reviews of log events for technologies that cannot be sufficiently monitored through automation
ID: DE.AE-02.292
Context
- Function
  - DE: DETECT
- Category
  - DE.AE: Adverse Event Analysis
- Sub-Category
  - Potentially adverse events are analyzed to better understand associated activities
Related questions
- Has your organization established and maintained a baseline of network operations and expected data flows for users and systems?
- Does your organization use SIEM or similar tools to continuously monitor log events for malicious and suspicious activity?
- Does your organization integrate current cyber threat intelligence feeds into your log analysis and monitoring tools?
- Does your organization utilize log analysis tools to generate actionable reports from log data?
- Does your organization centralize log data by continuously transferring logs from multiple sources to a consolidated set of log servers?
- Does your organization implement event correlation technology (such as SIEM) to aggregate and analyze security events from multiple sources?