Does your organization utilize SIEM systems or similar tools to estimate, review, and refine the impact and scope of security incidents?
Explanation
Security Information and Event Management (SIEM) tools help organizations collect, analyze, and correlate security event data from multiple sources to identify potential security incidents and assess their impact.
These tools provide visibility into the scope of security incidents by aggregating logs from network devices, servers, applications, and security controls, enabling security teams to make informed decisions about incident response priorities and resource allocation.
Evidence of fulfillment could include documentation of your deployed SIEM solution (such as Splunk, IBM QRadar, or Microsoft Sentinel), screenshots of dashboards showing impact assessment capabilities, incident response playbooks that reference the use of SIEM data for scope estimation, or reports generated from these tools during previous incident analyses.
Implementation Example
Use SIEMs or other tools to estimate impact and scope, and review and refine the estimates
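An added illustration (not from this page or any SIEM vendor) of the "estimate, then review and refine" idea: starting from one seed host, pivot across already-normalised events from several hypothetical log sources to widen the scope estimate, with a bounded number of pivots that an analyst can raise or lower while reviewing the result. The events, host names, account names and indicator values are all constructed for the example.

```python
"""Iterative scope estimation over constructed multi-source events (added example)."""
from collections import deque

# Constructed, already-normalised events from three hypothetical sources
# (an EDR, an authentication server and a web proxy).
EVENTS = [
    {"source": "edr",   "host": "ws-17", "user": "alice", "ioc": "malware.exe"},
    {"source": "auth",  "host": "ws-17", "user": "alice", "ioc": None},
    {"source": "auth",  "host": "fs-01", "user": "alice", "ioc": None},
    {"source": "auth",  "host": "fs-01", "user": "bob",   "ioc": None},
    {"source": "proxy", "host": "fs-01", "user": "bob",   "ioc": "evil.example"},
    {"source": "auth",  "host": "ws-22", "user": "bob",   "ioc": None},
    {"source": "auth",  "host": "ws-40", "user": "carol", "ioc": None},
]


def estimate_scope(events, seed_host, max_pivots):
    """Breadth-first pivot: host -> accounts seen on it -> hosts those accounts touched.

    max_pivots bounds how many host/account hops are followed, so that one widely
    shared account does not make every asset look affected; raising it after review
    refines (widens) the estimate. Returns the hosts and accounts reached and the
    indicators observed on any of them.
    """
    hosts, users, iocs = {seed_host}, set(), set()
    queue = deque([("host", seed_host, 0)])
    while queue:
        kind, value, depth = queue.popleft()
        for ev in events:
            if ev[kind] != value:
                continue
            if ev["ioc"]:
                iocs.add(ev["ioc"])  # indicator seen on an in-scope host/account
            other_kind = "user" if kind == "host" else "host"
            other = ev[other_kind]
            target = users if other_kind == "user" else hosts
            if other not in target and depth < max_pivots:
                target.add(other)
                queue.append((other_kind, other, depth + 1))
    return {"hosts": sorted(hosts), "users": sorted(users), "iocs": sorted(iocs)}


if __name__ == "__main__":
    # Review step: show how the estimate changes as the pivot budget is raised.
    for pivots in (1, 2, 4):
        print(pivots, estimate_scope(EVENTS, "ws-17", pivots))
```

With one pivot only ws-17 and alice are in scope; with four, the shared account bob pulls in fs-01 and ws-22 while carol's ws-40 stays out because no event links it to the seed.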
ID: DE.AE-04.297
Context
- Function: DE: DETECT
- Category: DE.AE: Adverse Event Analysis
- Sub-Category: The estimated impact and scope of adverse events are understood
Related questions
- Has your organization established and maintained a baseline of network operations and expected data flows for users and systems?
- Does your organization use SIEM or similar tools to continuously monitor log events for malicious and suspicious activity?
- Does your organization integrate current cyber threat intelligence feeds into your log analysis and monitoring tools?
- Does your organization conduct regular manual reviews of log events for systems that cannot be adequately monitored through automated means?
- Does your organization utilize log analysis tools to generate actionable reports from log data?
- Does your organization centralize log data by continuously transferring logs from multiple sources to a consolidated set of log servers?