A security analyst at a financial services company is investigating an alert from a File Integrity Monitoring (FIM) system. The alert indicates that /etc/sudoers, a critical configuration file on a production Linux server, was modified outside of a scheduled maintenance window. The company's security policy requires that logs from all servers, network devices, and security tools are aggregated for centralized analysis. To determine which user account was responsible for this unauthorized change and the exact time it occurred, which of the following tools should the analyst use as their primary investigative platform?
Security Information and Event Management (SIEM)
Endpoint Detection and Response (EDR)
Domain Name Service (DNS) and Internet Protocol (IP) reputation tools
A Security Information and Event Management (SIEM) system is the best tool for this investigation. The scenario specifies that logs from all systems are aggregated for centralized analysis, which is the core function of a SIEM. An analyst would use the SIEM to query and correlate data from various sources-such as the server's OS logs, FIM alerts, and user authentication logs-to build a complete picture of the event, including the responsible user and the exact timestamp. While an Endpoint Detection and Response (EDR) solution on the server would likely generate the initial data about the file change, the SIEM is the primary platform for centralized investigation and cross-source correlation. Packet capture tools analyze network traffic and are not suited for monitoring on-host file changes. DNS and IP reputation tools are used for assessing external domains and IPs, not for internal investigations of this nature.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is a SIEM and how does it work?
Open an interactive chat with Bash
What is a File Integrity Monitoring (FIM) system and why is it important?
Open an interactive chat with Bash
Why is the `/etc/sudoers` file critical, and what risks does unauthorized modification pose?