Indicators of anomalous activity are established and maintained based on system logs, data flows, network baselines, cybersecurity events, and architecture and are monitored across the IT and OT environments
Context and Guidance: The organisation should define and monitor for indicators of anomalous activity that are relevant to its operations. Indicators are signs that an incident may have occurred or may be occurring now. These might include failed login attempts, new device connections, port scanning, large volume file transfers, and availability variances for a system. Indicators may not necessarily be malicious, but they deviate from the norm and warrant additional monitoring. Indicators of anomalous activity may also be identified through analysis of "near miss" cybersecurity events. These may include events internal to your organisation or those occurring externally at another organisation. Indicators may not necessarily be malicious, but they deviate from the norm and warrant additional monitoring.
Related Practices • Progression: This practice is part of a practice progression. Practice progressions are groups of related practices that represent increasingly complete or more advanced implementations of an activity. The practices in this progression include: SITUATION-2d, SITUATION-2h, SITUATION-2i.