A capability is established and maintained to aggregate, correlate, and analyze the outputs of cybersecurity monitoring activities and provide a near-real-time understanding of the cybersecurity state of the function

Aggregation of monitoring data typically involves the use of advanced monitoring tools, such as security information and event management (SIEM) systems, to aggregate system logs and network data to enable a more holistic analysis of the environment. While not a requirement for implementation of this practice, organizations may consider aggregation of monitoring data from across functions. Similar to aggregation within a function, sharing and analysis of monitoring data across functions within an organization provides more comprehensive awareness of the organization’s operational state and cybersecurity state. This may require implementation of methods to summarize or otherwise simplify the information presented to those reviewing aggregated audit logs (e.g., report reduction).

Related Practices · Progression: This practice is part of multiple practice progressions. Practice progressions are groups of related practices that represent increasingly complete or more advanced implementations of an activity. The practices in the first progression include: SITUATION-3b, SITUATION-3f. · The practices in the second progression include: SITUATION-3c, SITUATION-3e, SITUATION-3f.