A security analyst is configuring a SIEM to help the operations team spot early indicators of compromise. The analyst wants the SIEM to raise alerts whenever server CPU utilization, user login times, or outbound network volume stray significantly from their normal patterns. Which of the following actions will BEST enable the SIEM to identify such anomalies quickly?
Implement geofencing rules to block traffic from high-risk countries.
Schedule quarterly vulnerability scans of all critical assets.
Document an incident-response runbook for common attack scenarios.
Build behavior baselines for systems, users, and network activity.
Creating behavior baselines (usage thresholds) for systems, users, and network traffic lets the SIEM compare real-time data against what is considered normal. Deviations that exceed the threshold appear as anomalies, prompting rapid investigation. Runbooks, periodic vulnerability scans, and geofencing rules improve overall security but do not, by themselves, teach the SIEM what normal looks like or facilitate anomaly detection.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What are usage benchmarks in cybersecurity?
Open an interactive chat with Bash
How are deviations from benchmarks detected?
Open an interactive chat with Bash
Why are benchmarks important for security incident management?