A security analyst is investigating a suspected advanced persistent threat (APT) that has been operating within the corporate network for several months. The analyst needs to correlate disparate event logs from firewalls, domain controllers, and endpoint security solutions to identify the full scope and timeline of the attack. Which of the following tools is BEST suited for this type of analysis?
A Security Information and Event Management (SIEM) system is the best tool for this scenario. SIEMs are specifically designed to collect, aggregate, and correlate log data from a wide variety of sources across an organization. This allows analysts to identify trends, patterns, and anomalies over extended periods, which is essential for detecting low-and-slow attacks like APTs. While EDRs provide deep endpoint visibility and packet capture tools analyze network traffic, only a SIEM provides the centralized, cross-source log correlation needed for this type of investigation. A vulnerability scanner is used for proactive scanning of security weaknesses, not for analyzing event logs of an active incident.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What does SIEM stand for and what are its main components?
Open an interactive chat with Bash
How does a SIEM system correlate event logs to detect threats?
Open an interactive chat with Bash
What are some benefits of using a SIEM system over manual log analysis?