Detected events are analysed to understand attack targets and methods.

All security incidents are addressed in a consistent manner to improve security based on what has happened.

In the incident treatment process:

• the reported incident is confirmed (or found unnecessary to record)
• the type and cause of incident is documented
• the risks associated with the incident are documented
• the risks are re-evaluated and treated if that is necessary after the incident
• risk mitigation measures or a decision their acceptance is documented
• people who need to be informed of the results of the incident treatment are identified (including external ones)
• possible need for a post-incident analysis is determined

System logs often contain a wealth of information, much of which is irrelevant to security monitoring. In order to identify events relevant to security monitoring, consideration should be given to automatically copying appropriate message types to another log or to using appropriate utilities or audit tools to review and resolve files.

If it is difficult to identify the source of a security incident based on the primary treatment, a separate follow-up analysis is performed for the incident, in which the root cause is sought to be identified.

The organization shall define procedures for clearly sorting detected security events. Sorting must enable the prioritizing of events according to severity and potential impact.

Sorting is intended to enhance the investigation and evaluation of security events so that, for example, a response to a disruption can be initiated quickly.

Procedures can consist of common processes, technical tools, or algorithms that utilize machine learning. Procedures need to be reviewed regularly to ensure that they work and are appropriate for their needs.