CCI-004146
CCI-004146 Definition
| Status | |
| Type | CheckType.policy |
Master Assessment Datasheet
Implementation Guidance
Determine if anomalous or suspected adversarial behavior in or related to [IR-04(13)_ODP; environments or resources which may contain or may be related to anomalous or suspected adversarial behavior are defined] is analyzed.
Validation Procedures
Examine: [SELECT FROM: Incident response policy; procedures addressing system monitoring tools and techniques; incident response plan; system monitoring logs or records; system monitoring tools and techniques documentation; system configuration settings and associated documentation; security plan; system component inventory; network diagram; system protocols documentation; list of acceptable thresholds for false positives and false negatives; system security plan; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with information security responsibilities; system/network administrators].
Test: [SELECT FROM: Organizational processes for detecting anomalous behavior].