An organization wants to ensure that their SIEM system is optimized for quick detection and analysis of security incidents. What is the BEST approach to achieve this goal?
Enable event correlation rules to identify related activities across multiple log sources.
Generate scheduled reports for manual review every 24 hours.
Increase the storage capacity to accommodate more log data.
Invest in a faster processing server to handle an increased volume of security data.
The correct answer is C. Correlating events across multiple sources involves the SIEM's capability to collect data from various systems and find patterns or anomalies that could indicate a security incident. It is most effective for quick detection and analysis because it filters out noise and false positives, highlighting the most critical issues that require attention. While increasing storage capacity or buying a faster processing server may seem beneficial, they do not directly contribute to the detection or analysis of security incidents and might only provide additional resource overheads. Scheduled reports are useful for routine checks but are not the best approach for immediate detection.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What are event correlation rules in a SIEM system?
Open an interactive chat with Bash
Why is correlating events more effective for detection than just increasing storage capacity?
Open an interactive chat with Bash
What is the role of a SIEM system in security incident detection?