Does your organization implement event correlation technology (such as SIEM) to aggregate and analyze security events from multiple sources?
Explanation
Event correlation technology like Security Information and Event Management (SIEM) systems helps organizations collect, aggregate, and analyze security events from various sources such as firewalls, intrusion detection systems, servers, and applications.
This centralized approach enables security teams to identify patterns, detect anomalies, and respond to potential security incidents more effectively than reviewing logs from individual systems separately.

As evidence, you could provide documentation showing your implemented SIEM solution (e.g., Splunk, IBM QRadar, Microsoft Sentinel), including screenshots of the dashboard, configuration details showing connected data sources, and sample correlation rules or alerts that have been established.
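The following is an added example, not part of this questionnaire or of any SIEM product, that shows what "correlating events from multiple sources" means in practice: log lines from a firewall, a network IDS and a server auth log are normalised into one schema, then a single rule flags any source IP that appears in two or more distinct sources within a five-minute window. The log formats, hostnames and IP addresses are constructed for the example; real products use their own formats and rule languages, and a production rule would also weight the severity of each source.

```python
"""Minimal multi-source event correlation, in the style of a SIEM rule.

Added example; the log formats, hosts and addresses below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample logs from three different sources.
FIREWALL_LOG = """\
2024-05-01T10:00:05Z fw01 DENY src=203.0.113.7 dst=10.0.0.5 dport=22
2024-05-01T10:00:09Z fw01 DENY src=203.0.113.7 dst=10.0.0.5 dport=22
2024-05-01T10:01:30Z fw01 ALLOW src=198.51.100.2 dst=10.0.0.8 dport=443
"""
IDS_LOG = """\
2024-05-01T10:02:11Z ids01 ALERT sig="SSH brute force attempt" src=203.0.113.7 dst=10.0.0.5
2024-05-01T12:30:00Z ids01 ALERT sig="Port scan" src=192.0.2.44 dst=10.0.0.1
"""
AUTH_LOG = """\
2024-05-01T10:03:40Z srv05 sshd[1234]: Failed password for root from 203.0.113.7 port 51822
2024-05-01T10:03:44Z srv05 sshd[1234]: Failed password for root from 203.0.113.7 port 51823
2024-05-01T10:20:00Z srv05 sshd[1300]: Accepted password for alice from 10.0.0.20 port 40000
"""

TS_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<rest>.*)$")
IP_RE = re.compile(r"(?:src=|from )(?P<ip>\d+\.\d+\.\d+\.\d+)")


def parse_source(source, text):
    """Normalise one source's lines into events with a common schema."""
    events = []
    for line in text.splitlines():
        m = TS_RE.match(line)
        if not m:
            continue
        rest = m["rest"]
        ip = IP_RE.search(rest)
        if not ip:
            continue
        # Keep only lines that indicate something suspicious; permitted
        # traffic and successful logins are noise for this rule.
        if source == "firewall" and not rest.startswith("DENY"):
            continue
        if source == "auth" and "Failed password" not in rest:
            continue
        events.append({
            "source": source,
            "host": m["host"],
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "src_ip": ip["ip"],
            "detail": rest,
        })
    return events


def correlate(events, window=timedelta(minutes=5), min_sources=2):
    """Alert on any source IP seen by >= min_sources distinct sources inside a
    sliding time window. One firewall deny or one failed login on its own is
    uninteresting; the same IP hitting the firewall, the IDS and the server
    within a few minutes is worth an analyst's attention."""
    by_ip = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_ip[ev["src_ip"]].append(ev)
    alerts = []
    for ip, evs in by_ip.items():
        for i, first in enumerate(evs):
            in_window = [e for e in evs[i:] if e["ts"] - first["ts"] <= window]
            sources = {e["source"] for e in in_window}
            if len(sources) >= min_sources:
                alerts.append({
                    "src_ip": ip,
                    "first_seen": first["ts"],
                    "last_seen": in_window[-1]["ts"],
                    "sources": sorted(sources),
                    "event_count": len(in_window),
                })
                break  # one alert per IP is enough for this rule
    return alerts


def run():
    """Ingest all three constructed sources and apply the correlation rule."""
    events = (parse_source("firewall", FIREWALL_LOG)
              + parse_source("ids", IDS_LOG)
              + parse_source("auth", AUTH_LOG))
    return correlate(events)


if __name__ == "__main__":
    for a in run():
        print(f"{a['src_ip']}: {a['event_count']} events across {a['sources']} "
              f"between {a['first_seen']:%H:%M:%S} and {a['last_seen']:%H:%M:%S}")
```

Run as a script it reports one alert for 203.0.113.7, which no single source would have raised on its own: the firewall saw two denies, the IDS one signature match and the server two failed logins, and only the correlation across all three shows the sequence. The lone port-scan alert from 192.0.2.44 stays below the threshold because it comes from one source only, which is the kind of evidence (a rule and the alert it produced) the questionnaire asks for.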
Implementation Example
Use event correlation technology (e.g., SIEM) to collect information captured by multiple sources
ID: DE.AE-03.295
Context
- Function: DE: DETECT
- Category: DE.AE: Adverse Event Analysis
- Sub-Category: Information is correlated from multiple sources
Related questions
- Has your organization established and maintained a baseline of network operations and expected data flows for users and systems?
- Does your organization use SIEM or similar tools to continuously monitor log events for malicious and suspicious activity?
- Does your organization integrate current cyber threat intelligence feeds into your log analysis and monitoring tools?
- Does your organization conduct regular manual reviews of log events for systems that cannot be adequately monitored through automated means?
- Does your organization utilize log analysis tools to generate actionable reports from log data?
- Does your organization centralize log data by continuously transferring logs from multiple sources to a consolidated set of log servers?