Events versus alerts versus incidents

The concepts of events, alerts, and incidents are integrated into the identification processes of a well-functioning security operations center:

  • An event is a change to the expected behavior of any of the following:
    • Information system
    • Process
    • Environment
    • Workflow
    • Person
  • An alert is provided by an information security monitoring system such as a SIEM to identify an event or combination of events
  • An incident is a malicious event that has some level of business impact and must be remediated