nerdexam
GIAC

GCIH · Question #666

What is the definition of an event as it applies to incident handling?

The correct answer is A. Any observable occurrence in a system and/or network. NIST SP 800-61 defines an event as any observable occurrence in a system and/or network, intentionally broad to distinguish it from the narrower term 'incident'.

Incident Response & Cyber Kill Chain

Question

What is the definition of an event as it applies to incident handling?

Options

  • AAny observable occurrence in a system and/or network
  • BThe introduction of malicious code into your network
  • CSomething that triggers an alert from your Intrusion Detection System
  • DAn adverse occurrence in an information system and/or network or the threat of such an

How the community answered

(29 responses)
  • A
    90% (26)
  • B
    7% (2)
  • D
    3% (1)

Why each option

NIST SP 800-61 defines an event as any observable occurrence in a system and/or network, intentionally broad to distinguish it from the narrower term 'incident'.

AAny observable occurrence in a system and/or networkCorrect

NIST SP 800-61 establishes 'event' as the broadest category, covering any observable occurrence regardless of whether it is benign or malicious, which is the foundational definition used in formal incident handling programs. This broad scope ensures that all activity is captured for triage before determining whether an incident has taken place. Understanding this distinction is critical because not every event becomes an incident, and incident response resources are scoped only to adverse events that meet a defined threshold.

BThe introduction of malicious code into your network

The introduction of malicious code describes a specific type of security incident, which is a subset of events, not the definition of an event itself.

CSomething that triggers an alert from your Intrusion Detection System

An IDS alert is a mechanism for detecting a potential event but is not the definition of an event, since many events occur without triggering any alert.

DAn adverse occurrence in an information system and/or network or the threat of such an

An adverse occurrence in an information system more closely aligns with the NIST SP 800-61 definition of an 'incident', not the broader definition of an 'event'.

Concept tested: NIST SP 800-61 event vs incident terminology

Source: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf

Topics

#incident handling terminology#event definition#IR fundamentals#NIST framework

Community Discussion

No community discussion yet for this question.

Full GCIH Practice