Analyze and triage events to support event resolution and incident declaration.
Analyze events to determine what to do. Categorize, prioritize, or group events to determine how to handle the event. You can take different actions in response to an event: * declare an incident from the event * escalate it to someone outside the organization * close the event because it does not have a large consequence on the organization. Example You are in charge of IT operations for your company. As part of your role, you are the collection point for events. You should analyze all events to determine what actions to take. Through analysis, you should determine: * the type and extent of an event (e.g., physical versus technical) * whether the event is related to other events (to determine if they are part of a larger issue, problem, or incident) * in what order events should be addressed.
CERT RMM V1.2 The triage of event reports is an analysis activity that helps the organization to gather additional information for event resolution and to assist in incident declaration, handling, and response. Triage consists of categorizing, correlating, prioritizing, and analyzing events. Through triage, the organization determines the type and extent of an event (e.g., physical versus technical), whether the event correlates to other events (to determine if they are symptomatic of a larger issue, problem, or incident), and in what order events should be addressed or assigned for incident declaration, handling, and response. Triage also helps the organization to determine if the event needs to be escalated to other organizational or external staff (outside of the incident management staff) for additional analysis and resolution. Some events will never proceed to incident declaration the organization determines these events to be inconsequential. For events that the organization deems as low priority or of low impact or consequence, the triage process results in closure of the event and no further actions are performed. Events that exit the triage process warranting additional attention may be referred to additional analysis processes for resolution or declared as an incident and subsequently referred to incident response processes for resolution. These events may be declared as incidents during triage, through further event analysis, through the application of incident declaration criteria, or during the development of response strategies, depending on the organization’s incident criteria, the nature and timing of the event(s), and the consequences of the event that the organization is currently experiencing or that is imminent.
NIST SP 800-53 Rev 4 IR-4(3)
CERT RMM v1.2 IMC:SG2.SP4
IR.2.094.[a] the organization analyzes events;
IR.2.094.[b] the organization performs correlation analysis on events;
IR.2.094.[c] the organization assigns a disposition to events;
IR.2.094.[d] the organization provides a process for reporting events so that they can be triaged, analyzed, and addressed; and
IR.2.094.[e] the organization escalates events to the appropriate stakeholders, as needed.