// Level 3 · Controls

DETECT

NIST CSF 2.0 DETECT function — categories and subcategories.

DE.AE · Medium

Adverse Event Analysis

Anomalies, indicators of compromise, and other potentially adverse events are analyzed to characterize the events and detect cybersecurity incidents

DE.AE-01 · Medium

A baseline of network operations and expected data flows for users and systems is established and managed

DE.AE-02 · Medium

Potentially adverse events are analyzed to better understand associated activities

DE.AE-03 · Medium

Information is correlated from multiple sources

DE.AE-04 · Medium

The estimated impact and scope of adverse events are understood

DE.AE-05 · Medium

Incident alert thresholds are established

DE.AE-06 · Medium

Information on adverse events is provided to authorized staff and tools

DE.AE-07 · Medium

Cyber threat intelligence and other contextual information are integrated into the analysis

DE.AE-08 · Medium

Incidents are declared when adverse events meet the defined incident criteria

DE.CM · Medium

Continuous Monitoring

Assets are monitored to find anomalies, indicators of compromise, and other potentially adverse events

DE.CM-01 · Medium

Networks and network services are monitored to find potentially adverse events

DE.CM-02 · Medium

The physical environment is monitored to find potentially adverse events

DE.CM-03 · Medium

Personnel activity and technology usage are monitored to find potentially adverse events

DE.CM-04 · Medium

Malicious code is detected

DE.CM-05 · Medium

Unauthorized mobile code is detected

DE.CM-06 · Medium

External service provider activities and services are monitored to find potentially adverse events

DE.CM-07 · Medium

Monitoring for unauthorized personnel, connections, devices, and software is performed

DE.CM-08 · Medium

Vulnerability scans are performed

DE.CM-09 · Medium

Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events

DE.DP · Medium

Detection Processes

DE.DP-01 · Medium

Roles and responsibilities for detection are well defined to ensure accountability

DE.DP-02 · Medium

Detection activities comply with all applicable requirements

DE.DP-03 · Medium

Detection processes are tested

DE.DP-04 · Medium

Event detection information is communicated

DE.DP-05 · Medium

Detection processes are continuously improved