The Detection domain in the NIS baseline model requires entities to monitor networks, services, endpoints, and operational environments to identify potentially adverse events early. For implementation teams, detection must combine log acquisition, monitoring logic, triage workflow, and documented escalation.
Sources: ACN incident management guidance, ACN baseline obligations determination
Key takeaways
- DE controls are designed for early identification of events relevant to cybersecurity.
- Monitoring must include relevant logs and observable signals across networks and critical systems.
- Detection should integrate both proactive and reactive analysis modes.
- Detection outputs must feed incident-response and notification workflows with traceable evidence.
Sources: ACN incident management guidance, ACN baseline obligations determination
Detection operating model
1. Monitoring scope definition (DE.CM)
Define which networks, services, endpoints, and systems are monitored for potentially adverse events and anomalies.
2. Log and telemetry availability
Ensure logs needed for security-event monitoring are generated, retained, and available for analysis.
3. Detection logic and tuning
Apply detection logic (for example, signature-based and anomaly-oriented methods) and tune it based on false-positive/false-negative outcomes.
4. Triage and escalation process
Classify detected events, prioritize analysis, and escalate events that may indicate significant incidents.
5. Integration with incident management
Detection results should feed the response process, including evidence packaging for investigation and possible notification obligations.
Sources: ACN incident management guidance, ACN baseline obligations determination
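The five steps above as one runnable pipeline, added here as an illustration and not taken from the ACN guidance or from any product: constructed log lines are parsed, run through a signature rule and an anomaly rule with a tuning allowlist, triaged by severity and source correlation, and handed off with a hash-chained evidence timeline. The log format, rule names, threshold, allowlist and escalation criteria are all assumptions.

```python
import hashlib
from collections import defaultdict
# Constructed sample telemetry (syslog-like with key=value fields); not real data.
SAMPLE_LOGS = """\
2024-05-01T08:00:02Z auth01 LOGIN_FAIL user=admin src=198.51.100.7
2024-05-01T08:00:03Z auth01 LOGIN_FAIL user=admin src=198.51.100.7
2024-05-01T08:00:04Z auth01 LOGIN_FAIL user=admin src=198.51.100.7
2024-05-01T08:00:05Z auth01 LOGIN_OK user=admin src=198.51.100.7
2024-05-01T08:00:06Z web01 HTTP path=/admin/backup.sql src=198.51.100.7 status=200
2024-05-01T08:00:07Z scan01 LOGIN_FAIL user=svc-scan src=10.0.0.9
"""
FAIL_THRESHOLD = 3               # assumed anomaly threshold: failed logins per source
TUNING_ALLOWLIST = {"10.0.0.9"}  # step 3 tuning record: authorised scanner, known false-positive source

def parse(raw):
    """Step 2: raw lines become events; each keeps its raw line as evidence."""
    events = []
    for line in raw.splitlines():
        ts, host, event, *kvs = line.split()
        fields = dict(kv.split("=", 1) for kv in kvs if "=" in kv)
        events.append({"ts": ts, "host": host, "event": event, "raw": line, **fields})
    return events

def detect(events):
    """Step 3: one signature rule and one anomaly rule, with tuning suppression."""
    alerts, fails = [], defaultdict(list)
    for ev in events:
        src = ev.get("src")
        if src in TUNING_ALLOWLIST:
            continue             # suppressed by tuning; the log line itself is still retained
        if ev["event"] == "LOGIN_FAIL":
            fails[src].append(ev)
        elif ev["event"] == "LOGIN_OK" and len(fails[src]) >= FAIL_THRESHOLD:
            alerts.append({"rule": "anomaly:bruteforce_then_success", "severity": "high", "evidence": fails[src] + [ev]})
        elif ev["event"] == "HTTP" and ev.get("path", "").endswith(".sql") and ev.get("status") == "200":
            alerts.append({"rule": "signature:db_dump_download", "severity": "medium", "evidence": [ev]})
    return alerts

def triage(alerts):
    """Steps 4-5: escalate high severity, or medium correlated with a high-severity source, with a hash-chained timeline."""
    cases, hot = [], {a["evidence"][0].get("src") for a in alerts if a["severity"] == "high"}
    for a in alerts:
        if a["severity"] != "high" and a["evidence"][0].get("src") not in hot:
            continue             # queued for analysis, not escalated
        chain = ""
        for ev in a["evidence"]:  # evidence is already in time order
            chain = hashlib.sha256((chain + ev["raw"]).encode()).hexdigest()
        cases.append({"rule": a["rule"], "first_seen": a["evidence"][0]["ts"], "last_seen": a["evidence"][-1]["ts"],
                      "timeline_hash": chain, "lines": [e["raw"] for e in a["evidence"]]})
    return cases
```

Each escalated case carries the raw lines it was built from, so the responder can recompute the timeline hash and confirm the evidence was not altered between detection and handoff.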
Minimum evidence set for DE readiness
| DE area | Practical objective | Typical evidence |
|---|---|---|
| Monitoring scope | Clear coverage of relevant assets and services | Monitoring scope matrix, coverage register |
| Log readiness | Logs available for continuous monitoring | Log policy, retention settings, log source list |
| Detection quality | Effective and maintained detection logic | Detection ruleset, tuning records, alert quality reviews |
| Triage flow | Repeatable handling and prioritization | Triage SOP, escalation criteria, case logs |
| Response handoff | Evidence transfer to incident process | Investigation handoff records, event timelines |
Sources: ACN incident management guidance, ACN baseline obligations determination
90-day execution checklist
- Validate DE monitoring scope against critical systems and services.
- Reconcile log sources and retention settings for incident-relevant telemetry.
- Introduce recurring tuning for detection logic and alert quality.
- Formalize triage and escalation criteria for potentially significant incidents.
- Test handoff from detection to response with evidence and timeline integrity checks.
FAQ
Is log collection alone sufficient for DE compliance?
No. Detection requires monitored coverage, analysis logic, triage, and actionable escalation, not just raw log retention. Source: ACN incident management guidance
Should detection be only signature-based?
No. Guidance supports combining methods; rule-based and anomaly-based approaches can be integrated depending on risk and operating context. Source: ACN incident management guidance
How does DE connect to incident notification obligations?
Detection is upstream: events identified and escalated through DE can become incidents subject to response and, where applicable, notification obligations. Sources: ACN incident management guidance, ACN baseline obligations determination