During an investigation of possible data exfiltration, a security analyst observes only perimeter NetFlow records in the SIEM. The suspect workstation runs Windows 11 and may have used a living-off-the-land tool (for example, certutil.exe) to upload several gigabytes of source code to an external HTTP server. To gain the most granular visibility into the outbound connections initiated by that specific host, which of the following additional log sources should the analyst configure and ingest into the SIEM?
Windows Filtering Platform (WFP) connection audit logs from the endpoint
Simple Network Management Protocol (SNMP) interface counters from the upstream router
DHCP lease assignment logs from the core network
Results from the organization's external vulnerability scans
Windows Filtering Platform (WFP) connection audit logs are generated on the endpoint itself (Event ID 5156 for a permitted connection, 5157 for a blocked one) once the "Audit Filtering Platform Connection" subcategory is enabled in the advanced audit policy. Each event records the process name, the source and destination IP addresses and ports, and whether the connection was allowed or blocked. This per-process network visibility lets an analyst spot unusual uploads from unexpected binaries (such as certutil.exe) and tie them to the destination host. Vulnerability-scan results, DHCP leases, and SNMP interface counters provide useful context but do not show which local process opened each outbound session, so they would not directly confirm the suspected data exfiltration.