IR
Incident Response
2
N/A
Detect and report events.
Detect events on your network. An event is any observable occurrence on the network. You can detect events in several ways, including through:
* observations of breakdowns in processes or loss in productivity
* observations such as alarms and alerts, or notifications from other organizations
* the results of audits or assessments.
After you detect an event, determine whether it will affect organizational assets and/or has the potential to disrupt operations. This may require starting the incident process.

Example
You are in charge of IT operations for your company. As part of your role, you should track events on your network. You should also be the collection point for your coworkers to send you suspected events. When you discover or receive a report of an event, you should notify the person who will need to act on the detected event.
N/A
CERT RMM V1.2
The monitoring, identification, and reporting of events are the foundation for incident identification and commence the incident life cycle. Events potentially affect the productivity of organizational assets and, in turn, associated services. These events must be captured and analyzed so that the organization can determine whether an event will become (or has become) an incident that requires organizational action. The extent to which an organization can identify events improves its ability to manage and control incidents and their potential effects.
CIS Controls v7.1 19.4
NIST SP 800-53 Rev 4 IR-6
NIST CSF v1.1 DE.CM-1, DE.CM-2, DE.CM-3, RS.CO-2
CERT RMM v1.2 IMC:SG2.SP1
IR.2.093.[a] the organization has a process for identifying methods for event detection; and
IR.2.093.[b] the organization can provide a process for reporting events so that they can be triaged, analyzed, and addressed.