Enterprise organizations with the most efficient and effective incident detection and response tend to establish best practices and synchronization across 5 distinct areas. Host monitoring tends to concentrate on Windows PCs, but may also include oversight of Macs, Linux systems, servers, and cloud-based workloads. Strong CERT programs collect, process, analyze and correlate external threat intelligence and then compare it to what's happening inside the firewall. User behavior monitoring is probably the most elementary area right now, usually based upon customized dashboards and tools that pull data from Active Directory and system logs.
Source: https://www.csoonline.com/article/3020585/the-incident-response-fab-five.html
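The threat-intelligence correlation step the article describes, comparing external indicators against what is happening inside the firewall, as an added example (not code from the CSO article): a constructed indicator feed with IP, CIDR and domain entries is matched against constructed firewall log lines, hits are grouped by internal source host, and indicators below a confidence threshold are dropped so low-quality feed entries do not page an analyst.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed threat-intel feed (hypothetical): indicator -> (type, source, confidence)
THREAT_INTEL = {
    "203.0.113.0/24": ("cidr", "feed-a", 80),
    "198.51.100.7": ("ip", "feed-b", 95),
    "bad-example.test": ("domain", "feed-a", 70),
}

# Constructed firewall/proxy log lines in a simple key=value format
FIREWALL_LOGS = [
    "ts=2024-05-01T10:00:01Z src=10.0.0.5 dst=203.0.113.42 dport=443 action=allow",
    "ts=2024-05-01T10:00:02Z src=10.0.0.9 dst=192.0.2.10 dport=80 action=allow",
    "ts=2024-05-01T10:00:03Z src=10.0.0.5 dst=198.51.100.7 dport=22 action=deny",
    "ts=2024-05-01T10:00:04Z src=10.0.0.7 host=cdn.bad-example.test dport=443 action=allow",
]

KV_RE = re.compile(r"(\w+)=(\S+)")

def parse_line(line):
    """Turn a key=value log line into a dict."""
    return dict(KV_RE.findall(line))

def match_indicator(event):
    """Return (indicator, confidence) if the event touches a known-bad indicator, else None."""
    dst = event.get("dst")
    host = event.get("host")
    for ioc, (kind, _source, confidence) in THREAT_INTEL.items():
        if kind == "ip" and dst == ioc:
            return ioc, confidence
        if kind == "cidr" and dst and ipaddress.ip_address(dst) in ipaddress.ip_network(ioc):
            return ioc, confidence
        # Domain indicators also match subdomains of the listed domain
        if kind == "domain" and host and (host == ioc or host.endswith("." + ioc)):
            return ioc, confidence
    return None

def correlate(lines, min_confidence=75):
    """Group indicator hits by internal source host; ignore low-confidence indicators."""
    hits = defaultdict(list)
    for line in lines:
        event = parse_line(line)
        match = match_indicator(event)
        if match and match[1] >= min_confidence:
            hits[event["src"]].append((event["ts"], match[0], event.get("action")))
    return dict(hits)
```

Lowering `min_confidence` to 0 also surfaces the domain hit from 10.0.0.7, which the default threshold suppresses.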

