Answer yes if your organisation has processes in place to frequently review and act upon events and alerts from security logs and monitoring tools. Please describe your processes for different types of security logs and events in the notes section.
Your organisation may have a variety of logging and monitoring mechanisms which generate alerts when a set of rules indicating a potential security concern is triggered.
These alerts only provide an effective way to identify and respond to potential security incidents if they are triaged and acted upon in an appropriate way. This may be a combination of automated filtering and human review. Alerts which are deemed to be a potential indication of a security incident should be investigated.
Playbooks should be developed to define in detail the steps taken to triage, investigate, escalate and remediate security alerts as necessary. Different playbooks may be required for different types of alerts, depending on your specific technology.
Larger organisations choose to ingest all security alerts into a Security Information and Event Management (SIEM) platform to help collate and correlate alerts from different systems and support investigation.
The UK National Cyber Security Centre (NCSC) has produced some useful guidance on implementing effective logging and monitoring.
Please do not submit your answer on the knowledge base.