Function: Event detection (through alerting and/or hunting) (724ef355-21f4-5a11-92f5-c5ac725f6820)

The systematic and often directed searching for anomalous activity inside and outside of network boundaries, based upon external and internal information and trends. This function assists the constituency with analyzing its data from sensors and other sources to draw conclusions about its environment and situation. For example, if an anti-virus sensor sends an alert about a suspicious file, the team may analyze the system configuration, the sensor configuration, the file that was alerted on, the user activity at the time, and more, to draw a conclusion about the severity of the observation. This function may receive significant input from the Security Event Management service area. The observations from sensors that are used to detect events may be shared among multiple services. CSIRT teams also need to determine the current situational picture based upon specific pieces of information about threats. This activity may sometimes be called “threat hunting.” Typically, threat hunting involves either preparing the environment to detect specific threat activity, or searching for specific threat activity that may already be present.

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| Service: Analysis and synthesis (9d622922-93a1-5528-82f2-e75b181bc8e4) | FIRST CSIRT Services Framework | Function: Event detection (through alerting and/or hunting) (724ef355-21f4-5a11-92f5-c5ac725f6820) | FIRST CSIRT Services Framework | 1 |