Has your organization established and documented incident criteria that are used to determine when an activity should be declared as a security incident?
Explanation
The focus is knowing when an event becomes an incident: assessors want documented incident criteria that determine when activity should be formally declared a security incident. Effective incident criteria should include thresholds for impact, urgency, and scope that help security teams consistently decide when to escalate an event to incident status, based on both the known characteristics of the activity and reasonable assumptions about what is not yet known.
Evidence could include a documented incident classification matrix or decision tree that outlines specific criteria for incident declaration, severity levels, and examples of what constitutes different types of security incidents. This document should be part of your incident response plan and accessible to all security team members.
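As an added illustration of such a classification matrix (not part of the original page), the following Python encodes hypothetical, constructed incident criteria: ordinal impact and urgency scales, a scope threshold, documented assumptions for characteristics that are not yet known, and the severity at which an event is declared an incident. The values, event names and the evaluate function are assumptions for this example, not any published standard.

```python
from dataclasses import dataclass, field
from typing import Optional

# Hypothetical criteria, constructed for this example; a real matrix lives in the IR plan.
SCALE = ["low", "medium", "high"]                              # impact and urgency ranks
SEVERITY = ["informational", "low", "medium", "high", "critical"]
ASSUMED_WHEN_UNKNOWN = {"impact": "medium", "urgency": "medium", "scope": 1}
SCOPE_THRESHOLD = 5        # affected systems at/above this raise severity one step
DECLARE_AT = "medium"      # minimum severity that is formally declared an incident


@dataclass
class Event:
    name: str
    impact: Optional[str] = None    # None means not yet known
    urgency: Optional[str] = None
    scope: Optional[int] = None     # number of affected systems


@dataclass
class Decision:
    declare: bool
    severity: str
    assumptions: list = field(default_factory=list)   # which values were assumed


def evaluate(event: Event) -> Decision:
    """Apply the criteria to known values, filling gaps with the documented assumptions."""
    assumptions, values = [], {}
    for attr in ("impact", "urgency", "scope"):
        value = getattr(event, attr)
        if value is None:                       # unknown: apply the written assumption
            value = ASSUMED_WHEN_UNKNOWN[attr]
            assumptions.append(f"{attr} unknown, assumed {value}")
        if attr != "scope" and value not in SCALE:
            raise ValueError(f"{attr} must be one of {SCALE}, got {value!r}")
        values[attr] = value
    # Severity index is the sum of impact and urgency ranks (0..4), plus one for wide scope.
    index = SCALE.index(values["impact"]) + SCALE.index(values["urgency"])
    if values["scope"] >= SCOPE_THRESHOLD:
        index = min(index + 1, len(SEVERITY) - 1)
    severity = SEVERITY[index]
    return Decision(index >= SEVERITY.index(DECLARE_AT), severity, assumptions)


if __name__ == "__main__":
    # Constructed sample events with partly unknown characteristics.
    for ev in (Event("failed logins, one host", "low", "low", 1),
               Event("unexpected outbound traffic", None, "medium", None),
               Event("ransomware note on file server", "high", "high", 12)):
        print(ev.name, "->", evaluate(ev))
```

The assumptions list in each Decision records which characteristics were filled in, so the declaration can be revisited once those facts are known.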
Implementation Example
Apply incident criteria to known and assumed characteristics of activity in order to determine whether an incident should be declared
ID: DE.AE-08.306
Context
- Function: DE: DETECT
- Category: DE.AE: Adverse Event Analysis
- Sub-Category: Incidents are declared when adverse events meet the defined incident criteria
Related questions
- Has your organization established and maintained a baseline of network operations and expected data flows for users and systems?
- Does your organization use SIEM or similar tools to continuously monitor log events for malicious and suspicious activity?
- Does your organization integrate current cyber threat intelligence feeds into your log analysis and monitoring tools?
- Does your organization conduct regular manual reviews of log events for systems that cannot be adequately monitored through automated means?
- Does your organization utilize log analysis tools to generate actionable reports from log data?
- Does your organization centralize log data by continuously transferring logs from multiple sources to a consolidated set of log servers?