Detection and Analysis: Identifying Real Incidents
Learn how to triage alerts from SIEM, EDR, and network tools to distinguish true positives from false positives and establish incident scope.
Detection Phase Overview
The detection and analysis phase begins when a potential security incident is first identified and ends when the scope and impact are understood well enough to begin containment. The primary challenge in this phase is distinguishing true positives from false positives — an alert generated by malicious activity from an alert triggered by normal but unusual behavior. Effective detection requires properly configured tools, trained analysts, and documented baselines of normal activity.
Detection Sources: Where Incidents Surface
Incidents are detected through multiple channels: SIEM alerts generated by correlation rules, EDR detections from behavioral analysis on endpoints, user reports (the most common initial detection for phishing), third-party notification (law enforcement, threat intelligence vendors, breach notification services), automated scanning (vulnerability scanners or CSPM finding anomalies), and threat hunting (proactive investigation). Each source has different reliability levels and provides different types of evidence.
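The triage described in the two sections above, as an added example that is not part of the original lesson: constructed alerts from several detection sources are checked against a documented baseline of normal-but-unusual activity, and surviving alerts are corroborated across independent sources per host to separate confirmed incidents from items needing analyst review. The alert records, the baseline, and the source names are assumptions made for this example.

```python
from collections import defaultdict

# Constructed sample alerts (not from the lesson). Each records the detection
# source, the host and user involved, and the observation that fired it.
ALERTS = [
    {"source": "siem", "host": "ws-101", "user": "jdoe", "event": "logon_outside_hours"},
    {"source": "edr", "host": "ws-101", "user": "jdoe", "event": "office_spawns_powershell"},
    {"source": "siem", "host": "srv-db1", "user": "backup_svc", "event": "logon_outside_hours"},
    {"source": "user_report", "host": "ws-222", "user": "asmith", "event": "suspicious_email"},
    {"source": "scanner", "host": "ws-222", "user": None, "event": "missing_patch"},
]

# Documented baseline (assumed): service accounts that legitimately log on overnight.
BASELINE = {"overnight_accounts": {"backup_svc"}}


def classify(alert, baseline):
    """Classify one alert: 'false_positive' if the baseline explains it,
    'informational' if it reports exposure rather than activity, else 'candidate'."""
    if alert["event"] == "logon_outside_hours" and alert["user"] in baseline["overnight_accounts"]:
        return "false_positive"  # unusual but documented as normal for this account
    if alert["source"] == "scanner":
        return "informational"  # a missing patch is exposure, not evidence of compromise
    return "candidate"


def triage(alerts, baseline):
    """Return a per-host verdict. Candidates seen by two or more independent
    detection sources on the same host are treated as true positives; a single
    source is not enough on its own and is routed to an analyst."""
    sources_by_host = defaultdict(set)
    for alert in alerts:
        if classify(alert, baseline) == "candidate":
            sources_by_host[alert["host"]].add(alert["source"])
    return {
        host: ("true_positive" if len(sources) >= 2 else "needs_analyst_review")
        for host, sources in sources_by_host.items()
    }


def incident_scope(alerts, baseline):
    """Hosts that remain in scope after false positives and informational items drop out."""
    return sorted(triage(alerts, baseline))


if __name__ == "__main__":
    for host, verdict in triage(ALERTS, BASELINE).items():
        print(host, verdict)
    print("scope:", incident_scope(ALERTS, BASELINE))
```

The corroboration threshold and the baseline lookup are deliberately simple so the decision path is visible; in practice both come from the organization's documented baselines and playbooks.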
All lessons in this course
- Preparation: IR Plans, Playbooks, and Teams
- Detection and Analysis: Identifying Real Incidents
- Containment, Eradication, and Recovery
- Post-Incident Review and Lessons Learned