Exam CS0-003 topic 1 question 181 discussion

From my understanding, it is the same SIEM on different systems. The clocks must be out of sync

NTP (Network Time Protocol) needs to be checked

NTP configuration is critical because even if data is normalized, if the timestamps between systems are out of sync, correlation won't work properly. Most SIEM tools rely heavily on accurate timestamps to tie events together, so time synchronization is often checked first.

Time synchronization ensures that computer systems have accurate system time and time-related information by synchronizing the system time with a reference time source, using Network Time Protocol (NTP), an atomic clock, or a global positioning system (GPS). Time synchronization is essential to establish a clear event order.

D: Data Normalization rules. Data normalization rules are crucial for SIEM functionality because they translate logs from various systems into a consistent format. This allows the SIEM to recognize and correlate events from different sources that might have different timestamps, log structures, or terminology

NTP stands for Network Time Protocol. It is used to synchronize the clocks of computer systems on a network, ensuring that they all have the correct time. While NTP is important for accurate timestamping of events, it is not typically the first thing to check when having difficulty correlating incidents across different systems in a SIEM. The primary concern in this scenario would be data normalization rules (Option D). Data normalization ensures that logs from different systems are formatted consistently, allowing the SIEM to correlate and analyze them effectively. Checking NTP configuration (Option B) is still important for accurate timestamping, but it usually comes after addressing data normalization issues.

Might be rather D : different systems = a lot of data variety not well normalized.