Extended monitoring window
Definition
A defined period of heightened detection sensitivity following recovery, during which security operations maintain increased logging, alert thresholds, and analyst attention. Ends when all recurrence criteria are satisfied.
Related terms
- Baseline comparison: Comparison of a recovered system's current state, including running processes, network connections, scheduled tasks, and file hashes, against a known-good reference state...
- Honeytoken: A synthetic credential, document, or data record placed in a monitored location. Any attempt to use or access the honeytoken is an...
- Recovery validation: The verification process that confirms a restored system is clean, correctly configured, and free from residual attacker access. Distinct from eradication, which...
- Recurrence: Re-establishment of attacker access or re-execution of the same attack vector after the prior incident has been eradicated. Recurrence triggers the incident...
- Tripwire: A deliberately placed artefact or detection rule designed to fire only if an attacker returns or residual malware reactivates. Examples include canary...
Explained in
- Validating Recovery and Monitoring for Recurrence