Indicators of anomalous activity are evaluated and updated periodically and according to defined triggers, such as system changes and external events
Context and Guidance: Indicators of anomalous activity are reviewed for effectiveness and updated as needed by monitoring staff, so that they continue to meet the defined monitoring requirements and stakeholder information needs. Review takes place both at a frequency set by the organisation and when a defined trigger occurs (for example, a system change or an external event), so that indicators stay current with the organisation’s risk information. Publicly available sources such as the National Vulnerability Database (NVD), CISA Central, and CERT/CC are one input to this review: monitoring staff can use them to learn of new vulnerabilities and exploits and derive new candidate indicators of anomalous activity from them.
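The following is an added example, not part of the practice text, showing one way to implement the review logic the guidance describes: each indicator is checked against a periodic clock and against the two trigger types (a system change affecting a product the indicator covers, and an external event in the form of an advisory affecting deployed inventory), and advisories that hit inventory but are covered by no indicator are surfaced as candidates for new indicators. The asset inventory, indicator list, change list and advisory records are constructed; the advisory records only imitate the shape of an NVD entry (id, product, affected versions) and are not real vulnerabilities. The 90-day interval is an assumed organisation-defined frequency.

```python
"""Indicator review cycle: periodic review plus trigger-driven review.

Added example with constructed data. Advisory records imitate the shape of an
NVD entry (id, product, affected versions) but describe no real vulnerability.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta

REVIEW_INTERVAL_DAYS = 90  # organisation-defined review frequency (assumption)


@dataclass
class Indicator:
    name: str
    products: frozenset                 # products this indicator applies to
    last_reviewed: date
    sources: set = field(default_factory=set)  # advisory ids already folded in


def affects_inventory(advisory, assets):
    """True if the advisory's product is deployed at an affected version."""
    deployed = assets.get(advisory["product"])
    return deployed is not None and deployed in advisory["versions"]


def review_reason(indicator, today, system_changes, external_events):
    """Return why a review is due now, or None if the indicator is current.

    Trigger-driven reasons are checked before the periodic clock so that an
    advisory or change affecting a monitored product is never deferred to
    the next scheduled cycle.
    """
    for product in system_changes:
        if product in indicator.products:
            return f"system change: {product}"
    for adv in external_events:
        if adv["product"] in indicator.products and adv["id"] not in indicator.sources:
            return f"external event: {adv['id']}"
    if today - indicator.last_reviewed >= timedelta(days=REVIEW_INTERVAL_DAYS):
        return "periodic review interval elapsed"
    return None


def run_review_cycle(indicators, assets, feed, system_changes, today):
    """Evaluate every indicator and propose new ones from the advisory feed.

    Returns (due, candidates): due maps indicator name -> reason the review is
    due; candidates lists advisory ids that affect deployed inventory but are
    covered by no existing indicator.
    """
    external_events = [adv for adv in feed if affects_inventory(adv, assets)]
    due = {}
    for ind in indicators:
        reason = review_reason(ind, today, system_changes, external_events)
        if reason:
            due[ind.name] = reason
    covered = {p for ind in indicators for p in ind.products}
    candidates = [adv["id"] for adv in external_events if adv["product"] not in covered]
    return due, candidates


# Constructed sample data (hypothetical products, ids and dates)
TODAY = date(2024, 6, 1)
ASSETS = {"web-proxy": "4.2", "vpn-gateway": "7.0", "mail-relay": "1.9"}
FEED = [
    {"id": "ADV-001", "product": "web-proxy", "versions": ["4.2", "4.3"]},
    {"id": "ADV-002", "product": "vpn-gateway", "versions": ["6.0"]},  # deployed 7.0: not affected
    {"id": "ADV-003", "product": "mail-relay", "versions": ["1.9"]},
]
SYSTEM_CHANGES = ["vpn-gateway"]  # e.g. a change ticket: gateway reconfigured
INDICATORS = [
    Indicator("proxy-unusual-admin-logins", frozenset({"web-proxy"}), date(2024, 5, 1)),
    Indicator("vpn-off-hours-tunnels", frozenset({"vpn-gateway"}), date(2024, 5, 20)),
    Indicator("dns-beaconing", frozenset({"resolver"}), date(2024, 1, 15)),
]


def demo():
    """Run one cycle over the constructed data."""
    return run_review_cycle(INDICATORS, ASSETS, FEED, SYSTEM_CHANGES, TODAY)


if __name__ == "__main__":
    due, candidates = demo()
    for name, reason in due.items():
        print(f"review {name}: {reason}")
    print("new indicator candidates:", candidates)
```

In the constructed run, the proxy indicator is flagged by an external event (an advisory affecting the deployed proxy version), the VPN indicator by a system change, and the DNS indicator only because its periodic interval has elapsed; the mail-relay advisory matches inventory but no indicator, so it appears as a candidate for a new one. In practice the feed would be fetched from NVD or a similar source and the change list from the organisation's change-management records.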
Related Practices • Progression: This practice is part of a practice progression. Practice progressions are groups of related practices that represent increasingly complete or more advanced implementations of an activity. The practices in this progression include: SITUATION-2d, SITUATION-2h, SITUATION-2i.