Does your organization utilize cybersecurity software that generates alerts which are monitored and actioned by your security operations center (SOC) or incident response team?
Explanation
This question assesses active security monitoring: whether you run cybersecurity software that generates alerts, and whether your SOC or incident response team monitors and acts on them. Effective security monitoring requires both the technical capability to detect suspicious activity and the operational processes to review, triage and respond to the resulting alerts.
Evidence could include: documentation of your security monitoring architecture showing alert generation and routing; screenshots of your SIEM (Security Information and Event Management) dashboard showing active alerts; SOC procedures that outline alert handling processes; or metrics showing alert volumes, response times, and resolution rates.
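The two halves of this control (alert generation by software, and alert handling by people) can be illustrated with a small end-to-end pipeline. The following Python script is an added example written for this page, not code from the questionnaire or from any SOC product: it runs a hypothetical detection rule over constructed authentication log lines, routes the resulting alerts to a SOC queue, simulates analyst acknowledgement and resolution, and computes the kind of metrics the evidence list mentions (alert volume, time to acknowledge, resolution rate). The log format, the threshold of five failures per minute, and the analyst timings are all assumptions made for the example.

```python
"""Hypothetical detect -> alert -> SOC queue -> metrics pipeline (example only)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed sample authentication log lines; not taken from any real system.
SAMPLE_LOGS = [
    "2024-05-01T09:00:01 AUTH_FAIL user=alice src=203.0.113.5",
    "2024-05-01T09:00:03 AUTH_FAIL user=alice src=203.0.113.5",
    "2024-05-01T09:00:04 AUTH_FAIL user=alice src=203.0.113.5",
    "2024-05-01T09:00:06 AUTH_FAIL user=alice src=203.0.113.5",
    "2024-05-01T09:00:07 AUTH_FAIL user=alice src=203.0.113.5",
    "2024-05-01T09:00:09 AUTH_OK user=alice src=203.0.113.5",
    "2024-05-01T09:05:00 AUTH_FAIL user=bob src=198.51.100.7",
    "2024-05-01T09:06:00 AUTH_OK user=bob src=198.51.100.7",
    "2024-05-01T09:20:00 AUTH_FAIL user=carol src=192.0.2.9",
    "2024-05-01T09:20:01 AUTH_FAIL user=carol src=192.0.2.9",
    "2024-05-01T09:20:02 AUTH_FAIL user=carol src=192.0.2.9",
    "2024-05-01T09:20:03 AUTH_FAIL user=carol src=192.0.2.9",
    "2024-05-01T09:20:04 AUTH_FAIL user=carol src=192.0.2.9",
]

FAIL_THRESHOLD = 5            # assumed rule parameter: failures per window
WINDOW = timedelta(minutes=1)  # assumed rule parameter: sliding window


@dataclass
class Alert:
    alert_id: int
    rule: str
    created: datetime
    detail: str
    acknowledged: Optional[datetime] = None
    resolved: Optional[datetime] = None


def parse_line(line):
    """Split '<iso-timestamp> <EVENT> k=v k=v' into (datetime, event, fields)."""
    ts, event, *kv = line.split()
    fields = dict(p.split("=", 1) for p in kv)
    return datetime.fromisoformat(ts), event, fields


def generate_alerts(lines):
    """Detection rule: FAIL_THRESHOLD AUTH_FAIL events for one user/src inside WINDOW
    raise one alert (deduplicated so a continuing burst does not flood the SOC)."""
    alerts, fired = [], set()
    failures = defaultdict(list)
    for line in lines:
        ts, event, f = parse_line(line)
        if event != "AUTH_FAIL":
            continue
        key = (f["user"], f["src"])
        failures[key] = [t for t in failures[key] if ts - t <= WINDOW] + [ts]
        if len(failures[key]) >= FAIL_THRESHOLD and key not in fired:
            fired.add(key)
            alerts.append(Alert(len(alerts) + 1, "brute_force_login", ts,
                                f"{key[0]} from {key[1]}: {len(failures[key])} failures"))
    return alerts


class SocQueue:
    """Operational side: alerts are routed here and worked by analysts."""

    def __init__(self):
        self.open, self.closed = [], []

    def route(self, alert):
        self.open.append(alert)

    def _find_open(self, alert_id):
        return next((a for a in self.open if a.alert_id == alert_id), None)

    def acknowledge(self, alert_id, when):
        a = self._find_open(alert_id)
        if a and a.acknowledged is None:
            a.acknowledged = when

    def resolve(self, alert_id, when):
        a = self._find_open(alert_id)
        if a:
            a.resolved = when
            self.open.remove(a)
            self.closed.append(a)

    def metrics(self):
        """Evidence-style figures: volume, mean time to acknowledge, resolution rate."""
        alerts = self.open + self.closed
        acked = [a for a in alerts if a.acknowledged]
        mean_ack = (sum((a.acknowledged - a.created).total_seconds() for a in acked)
                    / len(acked)) if acked else None
        return {
            "alert_volume": len(alerts),
            "acknowledged": len(acked),
            "mean_seconds_to_acknowledge": mean_ack,
            "resolution_rate": len(self.closed) / len(alerts) if alerts else 0.0,
        }


def run_pipeline(lines=SAMPLE_LOGS):
    """Generate alerts, route them to the SOC queue, simulate analyst handling."""
    queue = SocQueue()
    for alert in generate_alerts(lines):
        queue.route(alert)
    alerts = list(queue.open)
    # Simulated analyst actions (constructed timings): first alert acknowledged after
    # 10 min and resolved after 30 min; second acknowledged after 5 min and left open.
    if alerts:
        queue.acknowledge(alerts[0].alert_id, alerts[0].created + timedelta(minutes=10))
        queue.resolve(alerts[0].alert_id, alerts[0].created + timedelta(minutes=30))
    if len(alerts) > 1:
        queue.acknowledge(alerts[1].alert_id, alerts[1].created + timedelta(minutes=5))
    return queue.metrics()


if __name__ == "__main__":
    print(run_pipeline())
```

On the constructed logs the rule fires twice (alice and carol; bob never reaches the threshold), and the metrics come out as two alerts, both acknowledged, a mean of 450 seconds to acknowledge and a 0.5 resolution rate. The point for an assessor is that both sides are visible in one record: the software produced the alert, and a named process acknowledged and resolved it within a measurable time.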
Implementation Example
Use cybersecurity software to generate alerts and provide them to the security operations center (SOC), incident responders, and incident response tools
ID: DE.AE-06.299
Context
- Function: DE: DETECT
- Category: DE.AE: Adverse Event Analysis
- Sub-Category: Information on adverse events is provided to authorized staff and tools
Related questions
- Has your organization established and maintained a baseline of network operations and expected data flows for users and systems?
- Does your organization use SIEM or similar tools to continuously monitor log events for malicious and suspicious activity?
- Does your organization integrate current cyber threat intelligence feeds into your log analysis and monitoring tools?
- Does your organization conduct regular manual reviews of log events for systems that cannot be adequately monitored through automated means?
- Does your organization utilize log analysis tools to generate actionable reports from log data?
- Does your organization centralize log data by continuously transferring logs from multiple sources to a consolidated set of log servers?