DE.AE-2: Event Analysis — Understand Your Security Threats
Event analysis is your frontline defense against undetected breaches. NIST DE.AE-2 requires you to systematically analyze detected events to identify attack targets and methods before they cause damage. This guide shows SMBs how to build effective event analysis capabilities without enterprise budgets.
What this means
DE.AE-2 requires organizations to examine security events in detail to understand what attackers targeted, how they attacked, and what methods they used. This goes beyond simple alerting—it means investigating the context, scope, and intent behind detected anomalies. Effective event analysis reveals attack patterns, identifies compromised assets, and informs threat response prioritization.
How to comply
- 1.Establish event detection mechanisms (logs, alerts, SIEM, EDR) across networks, endpoints, and applications
- 2.Define a structured process for analyzing detected events: severity assessment, timeline reconstruction, affected systems identification
- 3.Document analysis findings including attack target, attack method, lateral movement, and data access attempts
- 4.Correlate individual events to identify multi-stage attacks and adversary tactics
- 5.Maintain event analysis records for forensics, threat intelligence, and compliance audits
- 6.Train incident responders on analysis techniques and threat actor behavior patterns
- 7.Regularly review and update detection rules based on analysis outcomes
Evidence auditors look for
- Incident response playbooks documenting event analysis procedures and decision trees
- SIEM or log aggregation system configured with analysis dashboards and investigation workflows
- Security event analysis records showing detected events, analysis steps, findings, and conclusions
- Threat intelligence reports summarizing attack methods and targets observed in your environment
- Detection tuning documentation showing rules refined based on event analysis insights
- Training materials and attendance records for incident analysis and threat assessment
- Forensic reports from investigated security events with detailed attack chain analysis
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch centralizes event logs, alert ingestion, and investigation workflows so your team can analyze security events faster and automatically document findings for compliance audits.
See how GRCWatch handles this control automatically
Start free trial