CompTIA CySA+ CS0-003 (V3) Practice Question

A Security Information and Event Management (SIEM) system is the best tool for this investigation. The scenario specifies that logs from all systems are aggregated for centralized analysis, which is the core function of a SIEM. An analyst would use the SIEM to query and correlate data from various sources-such as the server's OS logs, FIM alerts, and user authentication logs-to build a complete picture of the event, including the responsible user and the exact timestamp. While an Endpoint Detection and Response (EDR) solution on the server would likely generate the initial data about the file change, the SIEM is the primary platform for centralized investigation and cross-source correlation. Packet capture tools analyze network traffic and are not suited for monitoring on-host file changes. DNS and IP reputation tools are used for assessing external domains and IPs, not for internal investigations of this nature.