A security analyst is configuring a SIEM to help the operations team spot early indicators of compromise. The analyst wants the SIEM to raise alerts whenever server CPU utilization, user login times, or outbound network volume stray significantly from their normal patterns. Which of the following actions will BEST enable the SIEM to identify such anomalies quickly?
Schedule quarterly vulnerability scans of all critical assets.
Build behavior baselines for systems, users, and network activity.
Implement geofencing rules to block traffic from high-risk countries.
Document an incident-response runbook for common attack scenarios.
Creating behavior baselines for systems, users, and network traffic, with thresholds for acceptable deviation, lets the SIEM compare real-time data against what it has learned as normal. Observations that deviate beyond the threshold surface as anomalies, prompting rapid investigation. Runbooks, periodic vulnerability scans, and geofencing rules improve overall security but do not, by themselves, teach the SIEM what normal looks like or enable anomaly detection.
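The following is an added illustration, not code from the original page or from any SIEM product, of the baseline-and-threshold mechanism the explanation describes. It assumes constructed historical samples for a host's outbound bytes, a server's CPU percentage, and a user's typical login hour; the baseline for each metric/entity pair is the mean and standard deviation of past observations, and a new observation raises an alert when its z-score exceeds a hypothetical threshold of 3.

```python
"""Behavior-baseline anomaly check (added example with constructed data)."""
from statistics import mean, pstdev

# Hypothetical tuning value: how many standard deviations from the baseline
# an observation may stray before it is treated as an anomaly.
Z_THRESHOLD = 3.0

# Constructed sample history: (metric, entity) -> past observations
HISTORY = {
    ("outbound_bytes", "web01"): [1.1e6, 1.3e6, 0.9e6, 1.2e6, 1.0e6, 1.4e6, 1.2e6, 1.1e6],
    ("cpu_pct", "db01"): [35, 40, 38, 42, 37, 39, 41, 36],
    ("login_hour", "alice"): [8, 9, 8, 9, 10, 8, 9, 9],
}


def build_baselines(history):
    """Learn 'normal' per metric and entity as (mean, population stddev)."""
    return {key: (mean(values), pstdev(values)) for key, values in history.items()}


def zscore(baselines, metric, entity, value):
    """Distance of a new observation from its baseline, in standard deviations.

    Returns None when no baseline exists for this metric/entity pair: the SIEM
    cannot judge something it has never profiled, which is itself worth noting.
    """
    key = (metric, entity)
    if key not in baselines:
        return None
    mu, sigma = baselines[key]
    if sigma == 0:  # perfectly constant history: any change is notable
        return 0.0 if value == mu else float("inf")
    return abs(value - mu) / sigma


def check(baselines, observations, threshold=Z_THRESHOLD):
    """Return alerts as (metric, entity, value, z) for anomalous or unprofiled observations."""
    alerts = []
    for metric, entity, value in observations:
        z = zscore(baselines, metric, entity, value)
        if z is None or z > threshold:
            alerts.append((metric, entity, value, z))
    return alerts


def example_run():
    """Apply the baselines to a constructed batch of fresh observations."""
    baselines = build_baselines(HISTORY)
    observations = [
        ("outbound_bytes", "web01", 9.0e6),   # roughly 8x normal egress
        ("outbound_bytes", "web01", 1.3e6),   # within normal range
        ("cpu_pct", "db01", 97),              # far above normal load
        ("login_hour", "alice", 3),           # 03:00 login for a 9-to-5 user
        ("login_hour", "alice", 10),          # a late but ordinary start
        ("cpu_pct", "new-host", 50),          # never profiled: no baseline
    ]
    return check(baselines, observations)


if __name__ == "__main__":
    for metric, entity, value, z in example_run():
        label = "no baseline" if z is None else f"z={z:.1f}"
        print(f"ALERT {metric} {entity} value={value} ({label})")
```

The per-entity baseline is the point: a 03:00 login is only anomalous relative to that user's own history, and a host with no history cannot be judged at all, so a real deployment needs a learning period before thresholds are enforced. A fixed z-score also ignores daily and weekly seasonality, which is why production SIEMs typically baseline by time-of-day and tune the threshold against observed false-positive rates.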