The organization shall review and analyse detected events to understand attack targets and methods.
The organization shall implement automated mechanisms where feasible to review and analyse detected events.
Guidance
Consider reviewing your logs regularly to identify anomalies or abnormal events.
All security incidents are handled in a consistent manner so that security can be improved based on what has actually happened.
In the incident treatment process:
System logs often contain a wealth of information, much of which is irrelevant to security monitoring. To identify the events that matter to security monitoring, consider automatically copying the relevant message types to a second log, or using suitable system utilities or audit tools to interrogate and rationalise the log files.
If the source of a security incident cannot be identified during initial handling, a separate follow-up analysis is performed for the incident with the aim of identifying the root cause.
The organization shall define procedures for clearly sorting (triaging) detected security events. Sorting must make it possible to prioritize events according to their severity and potential impact.
Sorting is intended to improve the investigation and evaluation of security events so that, for example, the response to a disruption can be initiated quickly.
Procedures can consist of common processes, technical tools, or algorithms that utilize machine learning. Procedures need to be reviewed regularly to ensure that they still work and remain appropriate for the organization's needs.
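The following is an added example, not code from the page or from any standard it draws on. It shows the two mechanisms described above in one small script: filtering a syslog batch so that only security-relevant message types are copied to a separate security log, and sorting the resulting events by a priority derived from severity and potential impact. The syslog lines, the rule table, the asset impact weights and the escalation threshold are all constructed for illustration; a real deployment would take the rules from its own detection catalogue and the impact weights from its asset inventory.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample syslog lines (RFC 3164 style); not taken from any real system.
SAMPLE_LOG = """\
Mar 12 10:15:01 web01 cron[812]: (root) CMD (run-parts /etc/cron.hourly)
Mar 12 10:15:03 web01 sshd[1234]: Failed password for invalid user admin from 192.0.2.10 port 4242 ssh2
Mar 12 10:15:04 web01 sshd[1234]: Failed password for invalid user admin from 192.0.2.10 port 4243 ssh2
Mar 12 10:15:09 db01 sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/bash
Mar 12 10:15:10 web01 kernel: [12345.678] eth0: link up
Mar 12 10:15:12 db01 sshd[2001]: Accepted publickey for deploy from 203.0.113.5 port 51000 ssh2
"""

SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\[:\s]+)(?:\[\d+\])?: (?P<msg>.*)$"
)

# Illustrative rule table: (program, message pattern) -> (category, base severity 1-5).
RULES = [
    ("sshd", re.compile(r"Failed password"), "auth_failure", 3),
    ("sshd", re.compile(r"Accepted (?:password|publickey)"), "auth_success", 1),
    ("sudo", re.compile(r"USER=root"), "privilege_use", 4),
]

# Hypothetical asset criticality (impact weight 1-3), as an asset inventory would supply.
ASSET_IMPACT = {"db01": 3, "web01": 2}
DEFAULT_IMPACT = 1

# Repeats of the same category on the same host within one batch raise the severity.
ESCALATE_AT = 2


@dataclass
class SecurityEvent:
    ts: str
    host: str
    prog: str
    msg: str
    category: str
    severity: int
    impact: int

    @property
    def priority(self) -> int:
        # Severity times impact is the sort key used for triage.
        return self.severity * self.impact


def parse_line(line: str):
    """Split one syslog line into fields; return None for lines that do not parse."""
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None


def classify(line: str):
    """Return a SecurityEvent for a security-relevant line, else None (noise)."""
    fields = parse_line(line)
    if fields is None:
        return None
    for prog, pattern, category, severity in RULES:
        if fields["prog"] == prog and pattern.search(fields["msg"]):
            impact = ASSET_IMPACT.get(fields["host"], DEFAULT_IMPACT)
            return SecurityEvent(fields["ts"], fields["host"], fields["prog"],
                                 fields["msg"], category, severity, impact)
    return None


def triage(log_text: str):
    """Filter a log batch to security events, escalate repeats, sort by priority.

    Returns (events sorted highest priority first, number of lines dropped as noise).
    """
    events, dropped = [], 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = classify(line)
        if ev is None:
            dropped += 1
        else:
            events.append(ev)
    counts = Counter((ev.host, ev.category) for ev in events)
    for ev in events:
        if counts[(ev.host, ev.category)] >= ESCALATE_AT:
            ev.severity = min(5, ev.severity + 1)
    # sort() is stable, so events with equal priority keep their log order.
    events.sort(key=lambda ev: ev.priority, reverse=True)
    return events, dropped


def format_security_log(events):
    """Render triaged events as lines destined for the separate security log."""
    return [f"P{ev.priority:02d} sev={ev.severity} impact={ev.impact} "
            f"{ev.ts} {ev.host} {ev.category}: {ev.msg}" for ev in events]


if __name__ == "__main__":
    triaged, noise = triage(SAMPLE_LOG)
    print(f"{noise} lines dropped as noise, {len(triaged)} security events:")
    for out in format_security_log(triaged):
        print(out)
```

Run against the sample batch, the cron and kernel lines are dropped as noise, the two repeated SSH failures on web01 are escalated one severity step, and the root-level sudo on the more critical db01 host sorts to the top; the rule table and the escalation step are exactly the pieces the guidance says must be reviewed regularly, since stale rules silently turn relevant events back into noise.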