### Step 2: Identification

This step involves detecting deviations from normal operations in the organization, determining whether a deviation represents a security incident, and assessing how important the incident is. The SANS incident response identification procedure includes the following elements:

- **Setting up monitoring** for all sensitive IT systems and infrastructure.
- **Analyzing events** from multiple sources, including log files, error messages, and alerts from security tools.
- **Identifying an incident** by correlating data from multiple sources, and reporting it as soon as possible.
- **Notifying CSIRT members** and establishing communication with a designated command center (for example, senior management or IT operations).
- **Assigning at least two incident responders** to a live incident: one as the primary handler who assesses the incident and makes the decisions, and the other to help investigate and gather evidence.
- **Documenting everything** that incident responders are doing as part of the attack—answering the Who, What, Where, Why, and How questions.
- **Threat prevention and detection capabilities** across all main attack vectors.
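The correlation, two-responder assignment and Who/What/Where/When/How documentation steps above, as an added Python example that is not part of the SANS procedure or the original article: it parses constructed sample events from three sources (auth log, EDR, firewall), declares an incident for a host only when at least two distinct sources corroborate activity inside a time window, and emits a record with placeholder handler names.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events from three sources (auth log, EDR, firewall); illustrative only.
SAMPLE_EVENTS = [
    "2024-05-01T10:02:11Z auth host=web01 user=alice result=FAIL src=203.0.113.7",
    "2024-05-01T10:02:19Z auth host=web01 user=alice result=SUCCESS src=203.0.113.7",
    "2024-05-01T10:03:40Z edr host=web01 alert=SuspiciousProcess severity=high",
    "2024-05-01T10:04:05Z firewall host=web01 action=ALLOW dst=198.51.100.9 port=4444",
    "2024-05-01T11:30:00Z auth host=db02 user=bob result=FAIL src=10.0.0.5",
]
EVENT_RE = re.compile(r"^(?P<ts>\S+) (?P<source>\S+) (?P<rest>.*)$")


def parse_event(line):
    """Turn one 'timestamp source key=value ...' line into a dict."""
    m = EVENT_RE.match(line)
    fields = dict(kv.split("=", 1) for kv in m["rest"].split())
    fields.update(source=m["source"], ts=datetime.fromisoformat(m["ts"].replace("Z", "+00:00")))
    return fields


def build_record(host, cluster, handlers=("primary-handler", "secondary-handler")):
    """Incident record answering Who/What/Where/When/How; handler names are placeholders."""
    return {
        "where": host,
        "when": cluster[0]["ts"].isoformat(),
        "who": sorted({e["user"] for e in cluster if "user" in e}),
        "what": sorted({e.get("alert", f"{e['source']}:{e.get('result', e.get('action'))}") for e in cluster}),
        "how": sorted({e["source"] for e in cluster}),  # sources that corroborate it
        "severity": "high" if any(e.get("severity") == "high" for e in cluster) else "medium",
        "handlers": {"primary": handlers[0], "secondary": handlers[1]},
    }


def correlate(lines, window=timedelta(minutes=10), min_sources=2):
    """Declare an incident for a host when >= min_sources distinct sources report
    events on it inside a sliding window; one noisy source alone stays an event."""
    by_host = defaultdict(list)
    for ev in map(parse_event, lines):
        by_host[ev["host"]].append(ev)
    incidents = []
    for host, events in by_host.items():
        events.sort(key=lambda e: e["ts"])
        for anchor in events:
            cluster = [e for e in events if anchor["ts"] <= e["ts"] <= anchor["ts"] + window]
            if len({e["source"] for e in cluster}) >= min_sources:
                incidents.append(build_record(host, cluster))
                break  # one incident per host; the rest of its events are evidence
    return incidents
```

The single failed login on db02 is left as an event to review rather than escalated, which is the distinction between a deviation and an incident that this step is about.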