Detection identifies that something is wrong. Analysis determines what is happening and which systems are affected.
Detection sources:
- SIEM alerts
- User reports
- Malware detection
- External notifications
Initial triage:
- Real incident or false positive?
- Severity level?
- Who needs notification?
Analysis activities:
- Collect volatile evidence quickly
- Examine logs from affected systems
- Identify indicators of compromise
- Determine attack timeline
- Find all affected systems
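One way to carry out the log-examination, indicator, timeline and affected-system steps above, as an added example that is not part of the original page: it parses constructed log lines, matches them against a constructed indicator list, follows logged logins one hop so that a host the indicators alone would miss is still found, and orders the result into a timeline. The log format, hostnames, addresses and indicators are all assumptions made for the example.

```python
"""Added example (not from the original page): triage constructed log lines
against a known-indicator list, find affected hosts, and build a timeline.
Every hostname, address and indicator below is constructed."""
from datetime import datetime

# Constructed sample log lines: "<ISO timestamp> <host> <event> <detail>".
# Note the process_start on ws-17 happens BEFORE the first indicator hit.
SAMPLE_LOGS = """\
2024-05-01T09:12:03 ws-17 dns_query evil-updates.example
2024-05-01T09:12:05 ws-17 outbound_conn 203.0.113.45:443
2024-05-01T09:10:41 ws-17 process_start powershell.exe
2024-05-01T09:30:12 fs-02 smb_login ws-17
2024-05-01T09:45:55 ws-03 dns_query update.microsoft.com
"""

# Constructed indicators of compromise (as if taken from the triggering alert).
IOCS = {"evil-updates.example", "203.0.113.45"}


def parse_logs(text):
    """Parse lines into (timestamp, host, event, detail) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, event, detail = line.split(maxsplit=3)
        events.append((datetime.fromisoformat(ts), host, event, detail))
    return events


def find_ioc_hits(events, iocs):
    """Return the events whose detail field references a known indicator."""
    return [e for e in events if any(ioc in e[3] for ioc in iocs)]


def affected_hosts(events, iocs):
    """Hosts that touched an indicator, plus hosts that logged a login
    coming from such a host (one hop of lateral movement)."""
    hosts = {e[1] for e in find_ioc_hits(events, iocs)}
    for _ts, host, event, detail in sorted(events):
        if event == "smb_login" and detail in hosts:
            hosts.add(host)  # target recorded a login from a compromised source
    return hosts


def timeline(events, hosts):
    """Chronological activity on the affected hosts, earliest first."""
    return sorted(e for e in events if e[1] in hosts)


if __name__ == "__main__":
    ev = parse_logs(SAMPLE_LOGS)
    for ts, host, event, detail in timeline(ev, affected_hosts(ev, IOCS)):
        print(ts.isoformat(), host, event, detail)
```

The earliest timeline entry predates the first indicator match, which is why the timeline step should start from the affected hosts' full activity rather than from the alert alone.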
Document everything for evidence and lessons learned.