Adverse event analysis (DE.AE)
Now that we are pulling in signals from third-party vendors and collecting log files, we need to analyze them. This requires a person or a team not only to monitor the incoming log files but also to tune the tools so that they understand the log formats being ingested.
If you have large, distributed data centers, this may also require that the deployment of log collectors is architected such that you never lose log files. This is necessary to protect your environment in the event of a network failure. If your network loses connectivity to the location where the log collector resides, you may also lose those logs. Let us take a look at this control family.
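As an added illustration of the store-and-forward requirement just described (this is example code, not the book's own), here is a hypothetical Python forwarder: when the link to the SIEM drops, events are written to a local spool file and replayed in order once connectivity returns. The `fake_siem_send` callback and the `evt` lines are constructed stand-ins for a real SIEM endpoint and real log records.

```python
import json, tempfile
from pathlib import Path

class SpoolingForwarder:
    """Hypothetical store-and-forward shipper: spool to disk while the SIEM is down, replay in order later."""
    def __init__(self, send, spool_path):
        self.send, self.spool = send, Path(spool_path)  # send() raises ConnectionError when down
    def _drain(self):
        """Replay the on-disk backlog; stop at the first failure and keep the unsent tail."""
        pending = self.spool.read_text().splitlines() if self.spool.exists() else []
        sent = 0
        for raw in pending:
            try:
                self.send(json.loads(raw))
            except ConnectionError:
                break
            sent += 1
        if pending[sent:]:
            self.spool.write_text("".join(p + "\n" for p in pending[sent:]))
        elif pending:
            self.spool.unlink()
        return sent
    def forward(self, lines):
        stats = {"replayed": self._drain(), "shipped": 0, "spooled": 0}
        for line in lines:
            try:
                if self.spool.exists():           # backlog still queued: never overtake it
                    raise ConnectionError("backlog pending")
                self.send(line)
                stats["shipped"] += 1
            except ConnectionError:               # SIEM unreachable: spool to disk, never drop
                with self.spool.open("a") as f:
                    f.write(json.dumps(line) + "\n")
                stats["spooled"] += 1
        return stats

def demo():
    """Constructed scenario: the link to the SIEM drops mid-stream, then comes back."""
    state = {"up": True, "received": []}
    def fake_siem_send(line):                     # stand-in for the real SIEM endpoint
        if not state["up"]:
            raise ConnectionError("SIEM unreachable")
        state["received"].append(line)
    fwd = SpoolingForwarder(fake_siem_send, Path(tempfile.mkdtemp()) / "spool.jsonl")
    fwd.forward(["evt1", "evt2"])
    state["up"] = False
    down = fwd.forward(["evt3", "evt4"])          # outage: both events land in the spool
    state["up"] = True
    up = fwd.forward(["evt5"])                    # link back: backlog replays before evt5
    return state["received"], down, up
```

A production collector would also bound the spool size and rotate it, but the ordering guarantee (drain the backlog before shipping anything new) is the part that keeps an outage from silently dropping or reordering events.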
DE.AE-02
You must ensure that your devices are sending logs to a centralized log collector or a SIEM. A SIEM is used to collect logs and perform analysis on them. However, you may need to have a dedicated...