Does your organization have a documented process for reconstructing the chronological sequence of security incidents, including all affected assets and resources?
Explanation
The concern here is reconstructing what happened and when: specifically, whether you have a documented process for rebuilding the chronological sequence of an incident across all affected assets. Proper incident timeline reconstruction identifies which systems were compromised first, how the attack propagated through your environment, and what data or resources may have been accessed or modified during each phase of the incident.
Evidence of fulfillment could include incident response playbooks with timeline reconstruction procedures, sample incident reports showing chronological analysis, tools used for log correlation and timeline visualization (such as SIEM reports or forensic analysis outputs), or documentation from a previous incident showing the sequence of events with affected assets clearly mapped.
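The log-correlation step that such a process relies on, as an added example (not from this page or any particular product): it normalises timestamps from three sources that write in different formats and time zones, orders the events, and derives the order in which assets were touched. Every log line, asset name and per-source time zone below is constructed for the demo.

```python
from datetime import datetime, timezone, timedelta

# Assumed local time zone of each log source (constructed). Sorting raw
# clock readings without normalising them would put these events in the
# wrong order, which is the classic timeline-reconstruction mistake.
SOURCE_TZ = {
    "syslog": timezone(timedelta(hours=9)),    # web-01 host clock set to UTC+9
    "winevt": timezone(timedelta(hours=1)),    # domain controller in CET
    "cloudtrail": timezone.utc,                # cloud audit log, always UTC
}
ASSUMED_YEAR = 2025  # classic syslog lines carry no year

# Constructed sample records: (source, asset, raw timestamp, description)
SAMPLE_RECORDS = [
    ("cloudtrail", "s3-backups", "2025-03-14T08:40:12Z", "GetObject backups/db.dump by svc_deploy"),
    ("winevt", "dc-01", "14.03.2025 08:55:30", "4624 network logon for svc_deploy from web-01"),
    ("syslog", "web-01", "Mar 14 16:11:05", "sshd: Accepted password for svc_deploy from 203.0.113.7"),
    ("syslog", "web-01", "Mar 14 16:14:40", "sudo: svc_deploy ran curl to 203.0.113.7"),
    ("winevt", "dc-01", "14.03.2025 09:02:15", "4720 user account created: backup_svc"),
]

def parse_timestamp(source, raw):
    """Parse a source-specific timestamp and return an aware UTC datetime."""
    if source == "syslog":
        naive = datetime.strptime(f"{ASSUMED_YEAR} {raw}", "%Y %b %d %H:%M:%S")
    elif source == "winevt":
        naive = datetime.strptime(raw, "%d.%m.%Y %H:%M:%S")
    else:  # ISO 8601 with a trailing Z
        naive = datetime.strptime(raw, "%Y-%m-%dT%H:%M:%SZ")
    return naive.replace(tzinfo=SOURCE_TZ[source]).astimezone(timezone.utc)

def build_timeline(records):
    """Return events sorted by UTC time as (utc_iso, asset, source, description)."""
    events = [(parse_timestamp(s, ts), a, s, d) for s, a, ts, d in records]
    events.sort(key=lambda e: e[0])
    return [(t.isoformat(), a, s, d) for t, a, s, d in events]

def propagation_order(timeline):
    """Assets in order of first appearance: the apparent path the attack took."""
    seen = []
    for _, asset, _, _ in timeline:
        if asset not in seen:
            seen.append(asset)
    return seen

if __name__ == "__main__":
    timeline = build_timeline(SAMPLE_RECORDS)
    for t, asset, src, desc in timeline:
        print(f"{t}  {asset:<11} [{src}] {desc}")
    print("propagation order:", " -> ".join(propagation_order(timeline)))
```

Sorted by raw clock readings the cloud event would look earliest; after normalisation the SSH login on web-01 comes first and the backup access last.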
Implementation Example
Determine the sequence of events that occurred during the incident and which assets and resources were involved in each event
ID: RS.AN-03.321
Context
- Function
  - RS: RESPOND
- Category
  - RS.AN: Incident Analysis
- Sub-Category
  - Analysis is performed to establish what has taken place during an incident and the root cause of the incident
Related questions
- Does your organization have a documented process for investigating notifications from security detection systems?
- Does your organization have a formal process to assess and document the impact of security incidents?
- Does your incident response process include identification and analysis of vulnerabilities, threats, and threat actors involved in security incidents?
- Does your organization conduct root cause analysis to identify systemic issues when investigating security incidents?
- Does your organization utilize cyber deception technologies to gather intelligence on attacker behavior and tactics?
- Does your organization categorize security incidents according to established incident response plans?