Skip to main content

This section of the ISM provides guidance on detecting cyber security incidents.

Cyber security events

A cyber security event is an occurrence of a system, service or network state indicating a possible breach of security policy, failure of safeguards or a previously unknown situation that may be relevant to security.

Cyber security incidents

A cyber security incident is an unwanted or unexpected cyber security event, or a series of such events, that have a significant probability of compromising business operations.

Cyber resilience

Cyber resilience is the ability to adapt to disruptions caused by cyber security incidents while maintaining continuous business operations. This includes the ability to detect, manage and recover from cyber security incidents.

Detecting cyber security incidents

One of the core elements of detecting and investigating cyber security incidents is the availability of appropriate data sources. Fortunately, many data sources can be extracted from existing systems without requiring specialised capabilities.

The following table describes some of the data sources that organisations can use for detecting and investigating cyber security incidents.

Data Source


Domain Name System logs

Can assist in identifying attempts to resolve malicious domains or Internet Protocol (IP) addresses which can indicate an exploitation attempt or successful compromise.

Email server logs

Can assist in identifying users targeted with spear-phishing emails. Can also assist in identifying the initial vector of a compromise.

Operating system event logs

Can assist in tracking process execution, file/registry/network activity, authentication events, operating system created security alerts and other activity.

Virtual Private Network and remote access logs

Can assist in identifying unusual source addresses, times of access and logon/logoff times associated with malicious activity.

Web proxy logs

Can assist in identifying Hypertext Transfer Protocol-based vectors and malware communication traffic.

In addition, logs created by various security tools and appliances such as antivirus software, content filters and host-based or network-based intrusion detection or intrusion prevention systems can be captured and correlated alongside other data sources.

Intrusion detection and prevention policy

Establishing an intrusion detection and prevention policy can increase the likelihood of detecting, and subsequently preventing, malicious activity on networks and systems. In doing so, an intrusion detection and prevention policy will likely cover the following:

  • methods of network-based intrusion detection and prevention used
  • methods of host-based intrusion detection and prevention used
  • guidelines for reporting and responding to detected intrusions
  • resources assigned to intrusion detection and prevention activities.

Security Control: 0576; Revision: 7; Updated: Aug-19; Applicability: O, P, S, TS
An intrusion detection and prevention policy is developed and implemented.

Access to sufficient data sources and tools

Successful detection of cyber security incidents is often based around trained cyber security personnel with access to sufficient data sources complemented by tools supporting both manual and automated analysis. As such, it is important that during system design and development activities, functionality is added to systems to ensure that sufficient data sources can be provided to cyber security personnel to assist with the detection and remediation of cyber security incidents.

Security Control: 0120; Revision: 5; Updated: May-20; Applicability: O, P, S, TS
Cyber security personnel have access to sufficient data sources and tools to ensure that systems can be monitored for key indicators of compromise.

Further information

Further information on detecting cyber security incidents can be found in the event logging and auditing section of the Guidelines for System Monitoring.