Do your detection technologies automatically report confirmed security incidents to appropriate personnel or systems?
Explanation
Automated incident reporting ensures that security events are promptly escalated without manual intervention, reducing response time and minimizing potential damage. This capability is critical for maintaining continuous security monitoring and enabling rapid incident response, especially during off-hours or when security staff are unavailable.
Evidence could include screenshots of alert configuration settings from your SIEM or EDR platform showing automatic notification workflows, documentation of integration between detection systems and ticketing/notification systems, or logs demonstrating that confirmed incidents triggered automatic reports to designated recipients.
Implementation Example
Detection technologies automatically report confirmed incidents
ID: RS.MA-01.308
Context
- Function
  - RS: RESPOND
- Category
  - RS.MA: Incident Management
- Sub-Category
  - The incident response plan is executed in coordination with relevant third parties once an incident is declared
Related questions
- Does your organization have a formal agreement with an external incident response provider that can be engaged when needed?
- Does your organization assign a designated incident lead for each security incident?
- Does your organization have a process to activate additional cybersecurity plans (such as business continuity and disaster recovery) during incident response when needed?
- Does your organization have a process to initially screen and validate incident reports to determine if they are cybersecurity-related and require incident response procedures?
- Does your organization have documented criteria for estimating the severity of security incidents?
- Does your organization have a process to categorize security incidents by type (e.g., data breach, ransomware, DDoS, account compromise)?