Criteria are established for cybersecurity event detection (for example, what constitutes a cybersecurity event, where to look for cybersecurity events)
Context and Guidance: The organisation should define cybersecurity event detection criteria that specify what distinguishes cybersecurity events from the multitude of other events. These criteria should relate to the cybersecurity requirements of the IT, OT, and information assets important for the delivery of the function. They allow the organisation to focus valuable resources (people, tools, etc.) on events that may affect the productivity of those assets. Regarding "where to look for cybersecurity events," be sure to consider potential events originating from third parties such as cloud resource providers.
Related Practices • Progression: This practice is part of a practice progression. Practice progressions are groups of related practices that represent increasingly complete or more advanced implementations of an activity. The practices in this progression include: RESPONSE-1a, RESPONSE-1b, RESPONSE-1c, RESPONSE-1f.