Has your organization established and documented incident alert thresholds that trigger appropriate response actions?
Explanation
Incident alert thresholds define the specific conditions or metrics that, when reached or exceeded, trigger a security incident response. Each threshold should name the metric being measured, the observation window, the value that triggers it, the resulting severity level, and the response action tied to that severity. Thresholds should be established for the organization's security monitoring systems (e.g., SIEM, IDS/IPS) and cover different types of events such as failed login attempts, unusual network traffic patterns, or data exfiltration attempts. They should be tuned against the organization's documented baseline of normal activity so that alerts are actionable rather than noise, and reviewed periodically as the environment and threat landscape change.
Evidence of this control could include a documented incident response plan that clearly defines alert thresholds for different severity levels, configuration screenshots of security monitoring tools showing threshold settings, or runbooks that detail the specific metrics and conditions that trigger alerts and subsequent response actions.
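To make the idea concrete, the following is an added example (not part of the original page or any specific monitoring product) of what a documented threshold table looks like once it is turned into detection logic. It defines hypothetical sliding-window thresholds for failed logins and outbound byte volume, each mapped to a severity tier and a response action, and evaluates them over constructed log lines. The log format, IP addresses, threshold values and action strings are all illustrative assumptions; a real plan documents its own values.

```python
"""Sliding-window alert thresholds evaluated over constructed auth/egress log lines."""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Threshold:
    event: str          # log event type the rule applies to
    window: timedelta   # sliding window over which the metric is summed
    limit: int          # value at or above which the alert fires
    severity: str       # severity tier named in the incident response plan
    action: str         # response action the plan ties to that tier


# Hypothetical thresholds for illustration only; a real plan documents its own values.
THRESHOLDS = [
    Threshold("auth_failure", timedelta(minutes=5), 10, "medium", "open ticket, notify system owner"),
    Threshold("auth_failure", timedelta(minutes=5), 50, "high", "page on-call, block source at perimeter"),
    Threshold("egress_bytes", timedelta(hours=1), 5 * 1024**3, "high", "page on-call, isolate host"),
]

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}


class ThresholdMonitor:
    """Keeps a per-(event, source) history and fires one alert per severity tier."""

    def __init__(self, thresholds):
        self.thresholds = thresholds
        self.max_window = max(t.window for t in thresholds)
        self.history = defaultdict(deque)   # (event, src) -> deque of (timestamp, value)
        self.alerted = {}                   # (event, src) -> highest severity already raised

    def ingest(self, ts, event, src, value=1):
        key = (event, src)
        buf = self.history[key]
        buf.append((ts, value))
        # Drop entries older than the longest window any rule needs.
        while buf and ts - buf[0][0] > self.max_window:
            buf.popleft()

        best, best_metric = None, 0
        for rule in self.thresholds:
            if rule.event != event:
                continue
            metric = sum(v for t0, v in buf if ts - t0 <= rule.window)
            if metric >= rule.limit and (
                best is None or SEVERITY_RANK[rule.severity] > SEVERITY_RANK[best.severity]
            ):
                best, best_metric = rule, metric
        if best is None:
            return None
        # Suppress repeats: alert only when the source crosses into a higher tier.
        prev = self.alerted.get(key)
        if prev is not None and SEVERITY_RANK[prev] >= SEVERITY_RANK[best.severity]:
            return None
        self.alerted[key] = best.severity
        return {"time": ts.isoformat(), "event": event, "source": src,
                "metric": best_metric, "severity": best.severity, "action": best.action}


def parse_line(line):
    """Parse '<iso-ts> <event> key=value ...' (a constructed format, not a real product's)."""
    ts_str, event, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    ts = datetime.fromisoformat(ts_str.replace("Z", "+00:00"))
    return ts, event, fields["src"], int(fields.get("bytes", 1))


def run_detection(lines, thresholds=THRESHOLDS):
    """Feed log lines through the monitor in time order and collect the alerts raised."""
    monitor = ThresholdMonitor(thresholds)
    alerts = []
    for line in sorted(lines):  # ISO-8601 timestamps sort chronologically as strings
        alert = monitor.ingest(*parse_line(line))
        if alert:
            alerts.append(alert)
    return alerts


def constructed_log():
    """Constructed sample: a brute-force burst, a bulk egress, and benign noise."""
    base = datetime(2024, 5, 1, 10, 0, 0, tzinfo=timezone.utc)

    def fmt(t):
        return t.strftime("%Y-%m-%dT%H:%M:%SZ")

    lines = [f"{fmt(base + timedelta(seconds=3 * i))} auth_failure src=10.0.0.5 user=alice"
             for i in range(60)]                       # 60 failures in 3 minutes
    lines += [f"{fmt(base + timedelta(minutes=10 * i))} egress_bytes src=10.0.0.9 bytes={2 * 1024**3}"
              for i in range(3)]                       # 6 GiB out in 20 minutes
    lines += [f"{fmt(base + timedelta(minutes=i))} auth_failure src=10.0.0.7 user=bob"
              for i in range(4)]                       # below threshold, no alert
    return lines


if __name__ == "__main__":
    for a in run_detection(constructed_log()):
        print(a)
```

Running it yields three alerts: a medium one when 10.0.0.5 reaches ten failures, a high one when it reaches fifty, and a high one when 10.0.0.9 passes 5 GiB within the hour; the fifty intermediate failures and the four from 10.0.0.7 produce nothing. The threshold table is the part an assessor would expect to find in the response plan or runbook; the escalation from medium to high without re-alerting at the same tier is the kind of detail that keeps documented thresholds from flooding the on-call queue.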
Context
- Function
- DE: DETECT
- Category
- DE.AE: Adverse Event Analysis
- Sub-Category
- Incident alert thresholds are established
Related questions
- Has your organization established and maintained a baseline of network operations and expected data flows for users and systems?
- Does your organization use SIEM or similar tools to continuously monitor log events for malicious and suspicious activity?
- Does your organization integrate current cyber threat intelligence feeds into your log analysis and monitoring tools?
- Does your organization conduct regular manual reviews of log events for systems that cannot be adequately monitored through automated means?
- Does your organization utilize log analysis tools to generate actionable reports from log data?
- Does your organization centralize log data by continuously transferring logs from multiple sources to a consolidated set of log servers?

