A security analyst is reviewing intrusion detection system logs and must correlate them with recorded network traffic to determine the scope of a suspected breach. Which of the following data will be MOST useful for matching the IDS alert timestamps to the captured traffic?
Device configuration settings from the network management system
User account changes logged in the authentication server records
Application error messages captured by the system's event logs
Traffic flow metadata collected from network devices such as switches and routers
Traffic-flow metadata, such as timestamps, source and destination IP addresses, and port numbers, directly aligns network conversations with IDS alert times, making it the most effective data set for correlation. Logs of user account changes, device configuration files, and application error messages provide context but do not map cleanly to specific network sessions, so they are less helpful for time-based traffic correlation.