Log analysis is a core detection activity (C) within the incident management lifecycle. Logs supply the evidence of abnormal activity, policy violations and indicators of compromise that lets a security team recognize a potential incident. Logs are also reviewed during post-incident analysis, but their primary role in the lifecycle is to detect events and trigger incident response. Containment (B) limits damage once an incident has been confirmed, and planning (D) covers preparatory work such as procedures and roles. CISM treats strong detection capability (log monitoring, SIEM correlation and alerting) as essential to reducing mean time to detect (MTTD) and therefore to limiting business impact.
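As an added illustration of the detection role described above (example code, not material from the CISM Review Manual or the quiz explanation), the following script runs two simple detection rules over constructed SSH authentication log lines and measures MTTD as the gap between the first event of an attack and the event at which a rule fired. The log format, the indicator list, the five-failures threshold and the rule names are all assumptions made for this example.

```python
"""Toy log-analysis detection pass (added example; not from the original page).

Shows how raw log events become alerts and how mean time to detect (MTTD)
can be measured per alert. Log format, IoC list and thresholds are assumed.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample log lines in a syslog/sshd-like format (not from any real host).
SAMPLE_LOGS = """\
2024-03-01T08:00:01Z sshd[101]: Failed password for root from 203.0.113.10 port 51000 ssh2
2024-03-01T08:00:03Z sshd[101]: Failed password for root from 203.0.113.10 port 51001 ssh2
2024-03-01T08:00:05Z sshd[101]: Failed password for admin from 203.0.113.10 port 51002 ssh2
2024-03-01T08:00:07Z sshd[101]: Failed password for admin from 203.0.113.10 port 51003 ssh2
2024-03-01T08:00:09Z sshd[101]: Failed password for root from 203.0.113.10 port 51004 ssh2
2024-03-01T08:00:30Z sshd[101]: Accepted password for root from 203.0.113.10 port 51005 ssh2
2024-03-01T08:01:00Z sshd[102]: Accepted publickey for alice from 198.51.100.7 port 40000 ssh2
2024-03-01T08:02:00Z sshd[103]: Accepted password for bob from 192.0.2.44 port 40010 ssh2
"""

# Assumed threat-intel indicators (constructed, documentation-range addresses).
IOC_SOURCES = {"192.0.2.44"}
# Assumed rule threshold: this many failed logins from one source = brute force.
FAILED_LOGIN_THRESHOLD = 5

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) (?:password|publickey) "
    r"for (?P<user>\S+) from (?P<src>\S+) port \d+"
)


@dataclass
class Alert:
    rule: str
    source: str
    first_seen: datetime   # earliest event that belonged to the detected activity
    detected_at: datetime  # event at which the rule fired


def parse_line(line):
    """Parse one sshd log line into a dict, or return None for non-matching lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "result": m["result"], "user": m["user"], "src": m["src"]}


def analyze(log_text, ioc_sources=IOC_SOURCES, threshold=FAILED_LOGIN_THRESHOLD):
    """Run the detection rules over the log text and return the alerts in firing order."""
    alerts = []
    failures = defaultdict(list)  # source -> timestamps of failed logins
    flagged = set()               # sources already alerted as brute force
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue  # unparseable lines are skipped, not treated as evidence
        src = ev["src"]
        # Rule 1: any activity from a known-bad source fires on first sight.
        if src in ioc_sources:
            alerts.append(Alert("ioc_source_match", src, ev["ts"], ev["ts"]))
        if ev["result"] == "Failed":
            failures[src].append(ev["ts"])
            # Rule 2: the Nth failure from one source crosses the brute-force threshold.
            if len(failures[src]) == threshold and src not in flagged:
                flagged.add(src)
                alerts.append(Alert("brute_force", src, failures[src][0], ev["ts"]))
        elif src in flagged:
            # Rule 3: a success from a source already flagged as brute-forcing.
            alerts.append(Alert("success_after_brute_force", src, failures[src][0], ev["ts"]))
    return alerts


def mean_time_to_detect(alerts):
    """Average seconds between the first attack event and the alert, over all alerts."""
    if not alerts:
        return 0.0
    total = sum((a.detected_at - a.first_seen).total_seconds() for a in alerts)
    return total / len(alerts)


if __name__ == "__main__":
    found = analyze(SAMPLE_LOGS)
    for a in found:
        print(f"{a.detected_at.isoformat()} {a.rule} from {a.source}")
    print(f"MTTD over {len(found)} alerts: {mean_time_to_detect(found):.1f}s")
```

On the constructed input the brute-force rule fires 8 seconds after the first failure, the follow-on success fires 29 seconds after it, and the indicator match fires immediately, so the measured MTTD is about 12.3 seconds; in a real SIEM the same arithmetic is applied between the attacker's first logged action and the analyst-facing alert, which is why the quality of log collection bounds how low MTTD can go.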
[References: ISACA CISM Review Manual (Incident management: lifecycle phases, detection and monitoring); CISM Exam Content Outline (Domain 4).]