Adverse Event Analysis (DE.AE)

Anomalies, indicators of compromise, and other potentially adverse events are analyzed to characterize the events and detect cybersecurity incidents

Subcategories

A baseline of network operations and expected data flows for users and systems is established and managed

[Withdrawn: Incorporated into ID.AM-03]

Potentially adverse events are analyzed to better understand associated activities

Information is correlated from multiple sources

Malicious code is detected

[Withdrawn: Incorporated into DE.CM-01, DE.CM-09]

Incident alert thresholds are established

[Withdrawn: Moved to DE.AE-08]

Information on adverse events is provided to authorized staff and tools

Cyber threat intelligence and other contextual information are integrated into the analysis

Incidents are declared when adverse events meet the defined incident criteria

Frameworks and Controls

NIST Cybersecurity Framework V2.0