Does your organization have a documented process for manually creating and assigning tickets in your ticketing system when technical staff discover potential security incidents or indicators of compromise?
Explanation
Incident ticketing is the focus: whether you have a documented process for manually creating and assigning tickets when staff spot potential security incidents or indicators of compromise.
When technical staff discover suspicious activities or indicators of compromise, having a standardized process ensures these observations are properly documented, assigned to appropriate personnel, and tracked to resolution rather than being overlooked or handled inconsistently.
Evidence could include a documented procedure for security incident ticketing, screenshots of ticket templates specifically designed for security incidents, or examples of redacted security incident tickets showing the workflow from creation to resolution.
Implementation Example
Manually create and assign tickets in the organization's ticketing system when technical staff discover indicators of compromise
ID: DE.AE-06.302
Context
- Function
- DE: DETECT
- Category
- DE.AE: Adverse Event Analysis
- Sub-Category
- Information on adverse events is provided to authorized staff and tools
Related questions
- Has your organization established and maintained a baseline of network operations and expected data flows for users and systems?
- Does your organization use SIEM or similar tools to continuously monitor log events for malicious and suspicious activity?
- Does your organization integrate current cyber threat intelligence feeds into your log analysis and monitoring tools?
- Does your organization conduct regular manual reviews of log events for systems that cannot be adequately monitored through automated means?
- Does your organization utilize log analysis tools to generate actionable reports from log data?
- Does your organization centralize log data by continuously transferring logs from multiple sources to a consolidated set of log servers?

