Does your organization actively use cyber threat intelligence to correlate events across multiple log sources?
Explanation
This question asks whether you apply cyber threat intelligence (CTI) to connect events across multiple log sources and surface incidents that no single source would reveal on its own.
Effective correlation helps security teams detect sophisticated attacks that are not apparent when each log source is examined in isolation: one indicator match in a single log is a lead, while the same indicator appearing in DNS, proxy, firewall and endpoint logs for the same host within a short window is an incident. As evidence, you could provide documentation of your SIEM (Security Information and Event Management) implementation showing the integration of threat intelligence feeds, screenshots of correlation rules that incorporate threat intelligence data, or reports and dashboards demonstrating how events from multiple sources are correlated on threat intelligence indicators.
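The following is an added worked example, not code from this page or from any product it references: a minimal threat-informed correlator in Python. It matches already-parsed events from four constructed log sources (DNS, proxy, firewall, EDR) against a constructed indicator set, then groups hits per host inside a time window and classifies a cluster seen in at least two distinct sources as an incident and a single-source hit as a lower-confidence lead. The indicator values, hostnames, tags and event fields are all assumptions for illustration; the IP address is from the TEST-NET-3 documentation range and the hash is a placeholder.

```python
"""Threat-informed correlation of events across several log sources.

Added illustration with constructed data; not a real SIEM, feed or set of IOCs.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed threat-intelligence feed (hypothetical indicators, not real IOCs).
FAKE_SHA256 = "0123456789abcdef" * 4          # placeholder hash, constructed
THREAT_INTEL = {
    "ip":     {"203.0.113.45": "KnownC2-Example"},          # TEST-NET-3 address
    "domain": {"update-check.example": "KnownC2-Example"},  # assumed domain
    "sha256": {FAKE_SHA256: "Dropper-Example"},
}

# Which event fields carry which indicator type (field names are assumptions).
FIELD_TO_IOC = {"qname": "domain", "url": "domain", "dst_ip": "ip", "sha256": "sha256"}

# Constructed, already-parsed events from four different log sources.
EVENTS = [
    {"ts": "2024-05-01T10:00:05Z", "source": "dns",      "host": "ws-042", "qname": "update-check.example."},
    {"ts": "2024-05-01T10:00:07Z", "source": "proxy",    "host": "ws-042", "dst_ip": "203.0.113.45", "url": "http://update-check.example/a"},
    {"ts": "2024-05-01T10:00:09Z", "source": "firewall", "host": "ws-042", "dst_ip": "203.0.113.45", "action": "allow"},
    {"ts": "2024-05-01T10:01:30Z", "source": "edr",      "host": "ws-042", "sha256": FAKE_SHA256.upper(), "process": "svchost.exe"},
    {"ts": "2024-05-01T11:30:00Z", "source": "dns",      "host": "ws-017", "qname": "www.example.org"},
    {"ts": "2024-05-01T12:00:00Z", "source": "firewall", "host": "ws-017", "dst_ip": "203.0.113.45", "action": "deny"},
]


def parse_ts(ts):
    """Parse an RFC 3339 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def _normalise(field, value):
    """Bring a raw field value into the canonical form used by the feed."""
    if field == "url":
        value = urlsplit(value).hostname or ""
    ioc_type = FIELD_TO_IOC[field]
    if ioc_type == "domain":
        value = value.lower().rstrip(".")     # drop trailing dot, case-fold
    elif ioc_type == "sha256":
        value = value.lower()
    return value


def match_indicators(event, intel=THREAT_INTEL):
    """Return every (ioc_type, value, tag) from the feed that the event hits."""
    hits = []
    for field, ioc_type in FIELD_TO_IOC.items():
        raw = event.get(field)
        if raw is None:
            continue
        value = _normalise(field, raw)
        tag = intel[ioc_type].get(value)
        if tag:
            hits.append((ioc_type, value, tag))
    return hits


def _summarise(host, cluster):
    """Collapse one time-bounded cluster of matched events into a record."""
    return {
        "host": host,
        "start": cluster[0][0].isoformat(),
        "end": cluster[-1][0].isoformat(),
        "sources": sorted({ev["source"] for _, ev, _ in cluster}),
        "tags": sorted({tag for _, _, hits in cluster for _, _, tag in hits}),
        "event_count": len(cluster),
    }


def correlate(events, intel=THREAT_INTEL, window=timedelta(minutes=10), min_sources=2):
    """Group indicator hits per host inside `window`.

    A cluster seen in at least `min_sources` distinct log sources becomes an
    incident; anything else is kept as a lower-confidence lead for review.
    """
    matched = defaultdict(list)
    for ev in sorted(events, key=lambda e: parse_ts(e["ts"])):
        hits = match_indicators(ev, intel)
        if hits:
            matched[ev["host"]].append((parse_ts(ev["ts"]), ev, hits))

    incidents, leads = [], []

    def flush(host, cluster):
        record = _summarise(host, cluster)
        (incidents if len(record["sources"]) >= min_sources else leads).append(record)

    for host, rows in matched.items():
        cluster = []
        for row in rows:
            if cluster and row[0] - cluster[0][0] > window:   # window expired
                flush(host, cluster)
                cluster = []
            cluster.append(row)
        if cluster:
            flush(host, cluster)
    return incidents, leads


if __name__ == "__main__":
    found, pending = correlate(EVENTS)
    for rec in found:
        print("INCIDENT", rec)
    for rec in pending:
        print("LEAD    ", rec)
```

Running the block reports one incident for ws-042 (the same C2 indicator in DNS, proxy and firewall logs followed by a feed-tagged hash on the endpoint) and one lead for ws-017, whose only hit is a firewall deny. The normalisation step matters in practice: without case-folding and trailing-dot stripping, the DNS query and the EDR hash in the sample would silently miss the feed.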
Implementation Example
Utilize cyber threat intelligence to help correlate events among log sources
ID: DE.AE-03.296
Context
- Function: DE: DETECT
- Category: DE.AE: Adverse Event Analysis
- Sub-Category: Information is correlated from multiple sources
Related questions
- Has your organization established and maintained a baseline of network operations and expected data flows for users and systems?
- Does your organization use SIEM or similar tools to continuously monitor log events for malicious and suspicious activity?
- Does your organization integrate current cyber threat intelligence feeds into your log analysis and monitoring tools?
- Does your organization conduct regular manual reviews of log events for systems that cannot be adequately monitored through automated means?
- Does your organization utilize log analysis tools to generate actionable reports from log data?
- Does your organization centralize log data by continuously transferring logs from multiple sources to a consolidated set of log servers?