Requirement text: IR.2.094: Analyze and triage events to support event resolution and incident
declaration.
DISCUSSION FROM SOURCE: CERT RMM V1.2
The triage of event reports is an analysis activity that helps the organization to gather
additional information for event resolution and to assist in incident declaration, handling,
and response. Triage consists of categorizing, correlating, prioritizing, and analyzing events.
Through triage, the organization determines the type and extent of an event (e.g., physical
versus technical), whether the event correlates to other events (to determine if they are
symptomatic of a larger issue, problem, or incident), and in what order events should be
addressed or assigned for incident declaration, handling, and response. Triage also helps the
organization to determine if the event needs to be escalated to other organizational or
external staff (outside of the incident management staff) for additional analysis and
resolution.
Some events will never proceed to incident declaration; the organization determines these
events to be inconsequential. For events that the organization deems as low priority or of
low impact or consequence, the triage process results in closure of the event and no further
actions are performed.
Events that exit the triage process warranting additional attention may be referred to
additional analysis processes for resolution or declared as an incident and subsequently
referred to incident response processes for resolution. These events may be declared as
incidents during triage, through further event analysis, through the application of incident
declaration criteria, or during the development of response strategies, depending on the
organization’s incident criteria, the nature and timing of the event(s), and the consequences
of the event that the organization is currently experiencing or that is imminent.
CMMC CLARIFICATION
Analyze events to determine what to do. Categorize, correlate, and prioritize events to
determine how each should be handled. You can take different actions in response to an event:
• declare an incident from the event;
• escalate it to staff outside the incident management team (other organizational or
external staff) for further analysis and resolution; and
• close the event because its consequence to the organization is low.
Example
You are in charge of IT operations for your company. As part of your role, you are the
collection point for events. You should analyze all events to determine what actions to take.
Through analysis, you should determine:
• the type and extent of an event (e.g., physical versus technical);
• whether the event is related to other events (to determine if they are part of a larger
issue, problem, or incident); and
• in what order events should be addressed.
Analysis also helps the organization determine whether to escalate the event to staff outside
the incident management team, including external staff. If so, those staff can perform the
additional analysis and resolution.
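The triage steps listed above (categorize, correlate, prioritize, then declare, escalate, refer for analysis, or close) as a small worked example. This is added illustrative code, not part of the CMMC or CERT RMM text; the event records, the correlation window, the priority scoring and the declaration threshold are all constructed assumptions standing in for an organization's own incident declaration criteria.

```python
"""Event triage: categorize, correlate, prioritize, then decide what to do with each event."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

@dataclass
class Event:
    id: str
    ts: datetime
    source: str      # reporting sensor or channel, e.g. "ids", "edr", "badge_reader"
    asset: str       # host, room or system the event concerns
    summary: str
    severity: int    # 1 (low) .. 5 (high), as reported by the source

# Hypothetical triage parameters; an organization takes these from its own incident criteria.
CORRELATION_WINDOW = timedelta(minutes=30)          # events on one asset this close are related
DECLARE_THRESHOLD = 7                               # priority at which a group becomes an incident
CLOSE_THRESHOLD = 2                                 # priority at or below which an event is closed
PHYSICAL_SOURCES = {"badge_reader", "cctv", "guard_report"}

def categorize(e: Event) -> str:
    """Type of event: physical versus technical, decided from the reporting source."""
    return "physical" if e.source in PHYSICAL_SOURCES else "technical"

def correlate(events: List[Event]) -> List[List[Event]]:
    """Group events on the same asset that arrive within CORRELATION_WINDOW of the previous one."""
    chains_by_asset: Dict[str, List[List[Event]]] = {}
    for e in sorted(events, key=lambda ev: ev.ts):
        chains = chains_by_asset.setdefault(e.asset, [])
        if chains and e.ts - chains[-1][-1].ts <= CORRELATION_WINDOW:
            chains[-1].append(e)          # continues an existing chain of related events
        else:
            chains.append([e])            # starts a new, unrelated group
    return [chain for chains in chains_by_asset.values() for chain in chains]

def priority(group: List[Event]) -> int:
    """Highest reported severity, plus one for each additional correlated event, capped at 10."""
    return min(10, max(e.severity for e in group) + len(group) - 1)

def triage(events: List[Event]) -> List[dict]:
    """Return one decision per correlated group, highest priority first."""
    decisions = []
    for group in sorted(correlate(events), key=priority, reverse=True):
        categories = {categorize(e) for e in group}
        score = priority(group)
        if score >= DECLARE_THRESHOLD:
            action = "declare_incident"   # hand to incident response processes
        elif "physical" in categories:
            action = "escalate"           # physical security is outside the IM team's remit
        elif score <= CLOSE_THRESHOLD:
            action = "close"              # inconsequential; no further action
        else:
            action = "analyze"            # refer to additional analysis before deciding
        decisions.append({
            "events": [e.id for e in group],
            "categories": sorted(categories),
            "priority": score,
            "action": action,
        })
    return decisions

# Constructed sample events (not real data) covering each triage outcome.
T0 = datetime(2021, 3, 1, 9, 0)
SAMPLE_EVENTS = [
    Event("ev-1", T0,                          "ids", "host-12", "port scan from 10.0.0.5", 2),
    Event("ev-2", T0 + timedelta(minutes=10),  "edr", "host-12", "encoded PowerShell launched", 4),
    Event("ev-3", T0 + timedelta(minutes=20),  "edr", "host-12", "credential dumping tool detected", 5),
    Event("ev-4", T0 + timedelta(hours=2),     "badge_reader", "server-room", "after-hours badge access", 3),
    Event("ev-5", T0 + timedelta(hours=5),     "ids", "host-40", "single failed SSH login", 1),
    Event("ev-6", T0 + timedelta(hours=6),     "ids", "host-77", "outbound DNS to newly registered domain", 3),
]

def run_sample() -> List[dict]:
    return triage(SAMPLE_EVENTS)

if __name__ == "__main__":
    for d in run_sample():
        print(f"{d['action']:<16} priority={d['priority']:<2} {d['categories']} {d['events']}")
```

The three host-12 events fall inside one correlation window and together cross the declaration threshold even though no single one of them would; the badge event is escalated to physical security rather than handled by the incident management team; the lone failed login is closed; the DNS event is referred for further analysis.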
References
• CERT RMM v1.2 IMC:SG2.SP4
• NIST SP 800-53 Rev 4 IR-4(3)