ISC2 Certified Secure Software Lifecycle Professional (CSSLP) Practice Question
A security team ingests authentication, application, and network intrusion logs into its SIEM but still misses multi-stage attacks in which an external host performs a rapid series of failed logins and, minutes later, successfully runs a high-privilege command on an application server. Which SIEM capability should they implement first to automatically generate a single alert when both conditions occur within a 10-minute window from the same source IP?
Enable log normalization so that messages from different devices use a common schema.
Create a field-based correlation rule that chains failed login events and high-privilege commands from the same source IP within a defined time window.
Extend the SIEM's log retention to one year to ensure historical data is always available.
Design a real-time dashboard that displays authentication and intrusion events side by side.
Detecting complex, multi-step attacks requires the SIEM to recognise relationships among events that are dispersed across different log sources and over time. Creating a correlation rule (often called a correlation search or rule-based correlation) lets analysts define logic that matches a pattern (such as several failed logins followed by a privileged action from the same IP within ten minutes) and produces one consolidated alert. Simple log normalization only harmonizes field names and formats; it does not by itself link separate events. Long-term retention and dashboard visualizations improve storage and situational awareness but likewise do not perform the analytic linkage needed to surface the attack chain. Therefore, configuring a field-based correlation rule in the SIEM is the correct action.
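As an added illustration (not part of the practice question or its explanation), the following Python sketch implements the correlation logic the explanation describes over constructed, already-normalized events; the field names, the threshold of five failed logins and the ten-minute window are assumptions chosen for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def ev(ts, ip, kind, detail=""):
    """Build one normalized event (assumed schema: ts, src_ip, event_type, detail)."""
    return {"ts": ts, "src_ip": ip, "event_type": kind, "detail": detail}


# Constructed sample events; deliberately out of time order to show the rule sorts them.
EVENTS = (
    # Five failed logins, then a privileged command 6.5 minutes later: should alert.
    [ev(f"2024-05-01T10:00:0{i}", "203.0.113.7", "auth_failure", "user=svc_app") for i in range(1, 6)]
    + [ev("2024-05-01T10:06:30", "203.0.113.7", "priv_command", "sudo -i")]
    # Same burst, but the privileged command arrives 20 minutes later: outside the window.
    + [ev(f"2024-05-01T09:00:0{i}", "198.51.100.9", "auth_failure", "user=admin") for i in range(1, 6)]
    + [ev("2024-05-01T09:20:00", "198.51.100.9", "priv_command", "sudo id")]
    # Only two failures before the privileged command: below the threshold.
    + [ev("2024-05-01T11:00:01", "192.0.2.3", "auth_failure", "user=ops"),
       ev("2024-05-01T11:00:02", "192.0.2.3", "auth_failure", "user=ops"),
       ev("2024-05-01T11:01:00", "192.0.2.3", "priv_command", "sudo id")]
)


def correlate(events, threshold=5, window=timedelta(minutes=10)):
    """Emit one consolidated alert each time at least `threshold` failed logins from a
    source IP are followed by a privileged command from that same IP inside `window`."""
    failures = defaultdict(deque)  # src_ip -> timestamps of failures still inside the window
    alerts = []
    for e in sorted(events, key=lambda e: e["ts"]):  # ISO-8601 strings sort chronologically
        ts, ip = datetime.fromisoformat(e["ts"]), e["src_ip"]
        bucket = failures[ip]
        while bucket and ts - bucket[0] > window:  # age out failures older than the window
            bucket.popleft()
        if e["event_type"] == "auth_failure":
            bucket.append(ts)
        elif e["event_type"] == "priv_command" and len(bucket) >= threshold:
            alerts.append({
                "src_ip": ip,
                "failed_logins": len(bucket),
                "first_failure": bucket[0].isoformat(),
                "priv_command_at": ts.isoformat(),
                "command": e["detail"],
            })
            bucket.clear()  # one alert per chain, not one per subsequent privileged command
    return alerts


if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

Lowering the threshold or widening the window changes which chains fire, which is why such rules are tuned against a baseline of normal failed-login volume before being relied on for alerting.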