Which phase of the incident response lifecycle includes creating and validating alerts?
The phase of the incident response lifecycle that includes creating and validating alerts is Detection & Analysis. This phase involves identifying potential security incidents through monitoring and alerting mechanisms, and verifying the validity of these alerts to filter out false positives, ensuring that only genuine incidents are escalated for further action.
Security Guidance v4.0 > p.102 > 9.1.1 Incident Response Lifecycle:
• Alerts (endpoint protection, network security monitoring creation, privilege escalation, other indicators of compromise (baseline and anomaly detection), and user behavior analytics)
• Validate alerts (reducing false positives) and escalation.