RS.AN-1: Detection Notification Investigation
Detection notifications are only valuable if your team investigates them promptly and thoroughly. RS.AN-1 requires that you establish a process to review, triage, and investigate alerts from your security detection systems. This control ensures you don't miss critical threats buried in alert fatigue.
What this means
RS.AN-1 requires your organization to actively investigate notifications generated by detection systems (SIEM, IDS, EDR, and similar tools). Rather than collecting logs passively, you must have a documented process that ensures each alert receives appropriate attention based on severity and context. Investigations should be logged, tracked, and tied to documented outcomes so you can demonstrate due diligence to auditors and stakeholders.
How to comply
- 1.Document a formal notification investigation procedure that defines roles, timelines, and escalation paths for different alert severity levels
- 2.Establish alert classification criteria to prioritize high-confidence threats and reduce noise from low-value detections
- 3.Create a centralized log or ticketing system to track all notifications, investigations, and their outcomes
- 4.Define investigation templates that capture essential details: alert timestamp, source system, investigated action, findings, and resolution
- 5.Set maximum response times for each severity tier (e.g., critical within 1 hour, high within 4 hours)
- 6.Train security staff on the investigation procedure and ensure they understand when to escalate to incident response
- 7.Review investigation metrics monthly to identify patterns, tune detection rules, and improve alert quality
Evidence auditors look for
- Screenshot of alert investigation log or SIEM investigation tickets with documented findings
- Sample investigation report showing alert details, timeline, and closure justification
- Detection and response procedure document with investigation workflows and timelines
- Training records confirming staff completion of detection investigation training
- Metrics dashboard showing average investigation time, alert volume, and false-positive rates
- Escalation policy document defining severity levels and response times
- Email threads or chat logs showing investigation discussions and sign-offs
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch centralizes detection notifications from all your security tools into a single investigation queue, auto-categorizes alerts by severity, and tracks investigation status in real-time—eliminating missed alerts and reducing mean time to investigate by 60%.
See how GRCWatch handles this control automatically
Start free trial