Exam SY0-601 topic 1 question 199 discussion

Actual exam question from CompTIA's SY0-601
Question #: 199
Topic #: 1

A security analyst is receiving several alerts per user and is trying to determine if various logins are malicious. The security analyst would like to create a baseline of normal operations and reduce noise. Which of the following actions should the security analyst perform?

  • A. Adjust the data flow from authentication sources to the SIEM.
  • B. Disable email alerting and review the SIEM directly.
  • C. Adjust the sensitivity levels of the SIEM correlation engine.
  • D. Utilize behavioral analysis to enable the SIEM's learning mode.
Suggested Answer: D

Comments

stoneface
Highly Voted 2 years, 10 months ago
Selected Answer: D
D is the answer
upvoted 21 times
T_dawg
2 years, 3 months ago
D may be useful in creating a baseline of normal operations, but it may not necessarily reduce noise, and it may take time for the SIEM to learn the normal behavior. C is the right answer.
upvoted 2 times
Swarupam
2 years, 9 months ago
Could you please explain the reason as well? I am confused between C & D
upvoted 1 times
enginne
2 years, 9 months ago
No info about duplicates according to answer C "SIEM correlation engine". D is correct
upvoted 2 times
rodwave
Highly Voted 2 years, 7 months ago
Selected Answer: D
Answer: Utilize behavioral analysis to enable the SIEM's learning mode. UBA, or User Behavior Analytics, is a threat detection analysis technology that uses AI to understand how users normally behave and then find anomalous activities, which deviate from their normal behavior and may be indicative of a threat. For this scenario, the SIEM will first learn what is normal behavior; then, when a baseline is created, it will know if any of the logins are malicious. Likely determined by when and where the logins are occurring and if it's different from the baseline. This should hopefully reduce the amount of alerts occurring.
upvoted 18 times
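As an added illustration of the learning-mode approach rodwave describes (this is example code written for this page, not code from the page or from any SIEM product): a small Python sketch that builds a per-user baseline of login hours and source countries from constructed sample events, then scores later logins against that baseline so only deviations surface as alerts. The event data, the +/-1 hour tolerance and the `min_samples` threshold are all assumptions.

```python
from collections import defaultdict
from datetime import datetime
# Constructed sample authentication events (not real logs): (user, ISO timestamp, source country)
LEARNING_EVENTS = [
    ("alice", "2024-03-04T08:05:00", "US"),
    ("alice", "2024-03-05T08:12:00", "US"),
    ("alice", "2024-03-06T09:01:00", "US"),
    ("bob", "2024-03-04T22:10:00", "GB"),
    ("bob", "2024-03-05T23:02:00", "GB"),
    ("bob", "2024-03-06T22:45:00", "GB"),
]
NEW_EVENTS = [
    ("alice", "2024-03-11T08:30:00", "US"),  # fits baseline: no alert
    ("alice", "2024-03-11T03:15:00", "RU"),  # off-hours from a new country
    ("bob", "2024-03-11T22:20:00", "GB"),    # fits baseline: no alert
    ("carol", "2024-03-11T10:00:00", "US"),  # never seen during learning
]

def hour_of(ts):
    return datetime.fromisoformat(ts).hour

def build_baseline(events):
    """Learning mode: record each user's usual login hours and countries; nothing is alerted here."""
    baseline = defaultdict(lambda: {"hours": set(), "countries": set(), "n": 0})
    for user, ts, country in events:
        profile = baseline[user]
        profile["hours"].add(hour_of(ts))
        profile["countries"].add(country)
        profile["n"] += 1
    return dict(baseline)

def score_login(baseline, event, min_samples=3):
    """Return how a login deviates from its user's baseline (empty list = normal, no alert)."""
    user, ts, country = event
    profile = baseline.get(user)
    if profile is None or profile["n"] < min_samples:
        return ["no baseline yet"]  # too little history to judge; surface for review
    reasons = []
    hour = hour_of(ts)
    if not any(abs(hour - h) <= 1 for h in profile["hours"]):  # +/-1 h tolerance (assumed)
        reasons.append(f"unusual hour {hour:02d}")
    if country not in profile["countries"]:
        reasons.append(f"new country {country}")
    return reasons

def alerts_after_learning(learning_events, new_events):
    """Learn from the first batch, then keep only the later logins that deviate."""
    baseline = build_baseline(learning_events)
    return {ev[:2]: score_login(baseline, ev) for ev in new_events if score_login(baseline, ev)}
```

Run over the sample data, two of the four later logins match their users' baselines and produce no alert at all, which is the noise reduction the learning mode is meant to deliver once the baseline exists.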
[Removed]
1 year, 9 months ago
Selected Answer: D
The security analyst should perform action D: Utilize behavioral analysis to enable the SIEM’s learning mode. This approach allows the Security Information and Event Management (SIEM) system to learn what is considered normal behavior for each user and thus reduce the number of false positives. It can help in creating a baseline of normal operations and reduce noise. The other options might not be as effective: A: Adjusting the data flow from authentication sources to the SIEM might not reduce the number of alerts per user. B: Disabling email alerting and reviewing the SIEM directly would not necessarily reduce the number of alerts. C: Adjusting the sensitivity levels of the SIEM correlation engine could potentially miss some malicious logins. Remember, it’s always important to maintain a balance between security and usability. Too many false positives can lead to alert fatigue, while too few can miss important events.
upvoted 2 times
sujon_london
1 year, 10 months ago
Selected Answer: C
I convinced myself with the Google Bard explanation in this case: The SIEM correlation engine is responsible for analyzing the data collected from various sources and generating alerts. By adjusting the sensitivity levels of the correlation engine, the security analyst can fine-tune the alerts generated and create a baseline of normal operations. This will reduce the noise and help the analyst identify malicious logins. So C is IMO
upvoted 6 times
SeWiz
1 year, 3 months ago
The question asks to create a "baseline of normal operations". This can only be done through behavioral analysis. Adjusting the sensitivity monitor does not affect the baseline.
upvoted 2 times
RevolutionaryAct
1 year, 10 months ago
Selected Answer: B
B is correct, and let me explain as it took me a while but this is one of those rare times that the given answer is right: "The security analyst would like to create a baseline of normal operations and reduce noise" B. Disable email alerting and review the SIEM directly. Disable email alerting = reduce noise Review the SIEM directly = create a baseline of normal operations Turning off the annoying emails will allow one to focus and create a baseline manually. All of the other answers do not turn off noise and therefore are wrong. A. Adjust the data flow from authentication sources to the SIEM. C. Adjust the sensitivity levels of the SIEM correlation engine. D. Utilize behavioral analysis to enable the SIEM's learning mode.
upvoted 3 times
RevolutionaryAct
1 year, 9 months ago
To further explain: A. Adjust the data flow from authentication sources to the SIEM. - Neither reduces noise nor creates a baseline. C. Adjust the sensitivity levels of the SIEM correlation engine. - Would reduce noise, but does not create a baseline of good behavior, nor does it determine if these are caused by malware or hackers. D. Utilize behavioral analysis to enable the SIEM's learning mode. - allows poisoning of the machines / learning, and because we don't know if this is malware or hackers then we should not do this as it poisons the baseline.
upvoted 1 times
ApplebeesWaiter1122
1 year, 11 months ago
Selected Answer: D
Utilizing behavioral analysis and enabling the SIEM's learning mode allows the system to learn the normal patterns of user behavior and system activity over a period of time. During the learning mode, the SIEM observes and collects data on user logins, system events, and other activities to build a baseline of what is considered normal behavior. This baseline is used to identify deviations and anomalies that might indicate potential malicious activities or security incidents. By enabling the learning mode, the SIEM can distinguish between regular user activities and abnormal behavior, reducing the number of false positive alerts and focusing on potentially malicious events. This approach helps the security analyst to better identify and prioritize real security threats and respond more effectively to security incidents.
upvoted 3 times
Yawannawanka
2 years, 2 months ago
Selected Answer: C
C. Adjust the sensitivity levels of the SIEM correlation engine. By adjusting the sensitivity levels of the SIEM correlation engine, the security analyst can fine-tune the alerts generated by the SIEM and create a baseline of normal operations. This will reduce the noise and help the analyst identify malicious logins. The analyst can adjust the sensitivity levels based on the organization's security policies and the threat landscape. This approach allows the analyst to improve the accuracy of the SIEM and reduce false positives, which can save time and resources in the long run. Adjusting the data flow from authentication sources to the SIEM (option A) or disabling email alerting and reviewing the SIEM directly (option B) may not necessarily help the analyst create a baseline of normal operations or reduce noise. Utilizing behavioral analysis to enable the SIEM's learning mode (option D) can be a good approach, but it may require additional time and effort to configure and train the SIEM.
upvoted 3 times
Kid_lela
2 years, 3 months ago
Any suggestions for questions after 200?
upvoted 2 times
T_dawg
2 years, 3 months ago
Selected Answer: C
Option A (adjusting the data flow from authentication sources to the SIEM) may be useful in improving the accuracy of the SIEM alerts, but it will not necessarily reduce noise or help create a baseline. Option B (disabling email alerting and reviewing the SIEM directly) may reduce noise, but it may also lead to important alerts being missed or delayed, which is not ideal in a security context. Option D (utilizing behavioral analysis to enable the SIEM's learning mode) may be useful in creating a baseline of normal operations, but it may not necessarily reduce noise, and it may take time for the SIEM to learn the normal behavior. Therefore, the best option is to adjust the sensitivity levels of the SIEM correlation engine. By doing so, the security analyst can fine-tune the correlation engine to detect malicious activity while also reducing the number of false positives. This will help to create a more accurate and meaningful set of alerts, reducing noise and helping to create a baseline of normal operations.
upvoted 1 times
scarceanimal
2 years, 4 months ago
Selected Answer: D
Key: "create a baseline of normal operations"
upvoted 2 times
FMMIR
2 years, 6 months ago
Selected Answer: C
This is confusing again. But I believe the answer C. The security analyst should adjust the sensitivity levels of the SIEM correlation engine to reduce the number of alerts and create a baseline of normal operations. A SIEM, or security information and event management, system aggregates and analyzes log data from various sources in real-time. The correlation engine is the component of the SIEM that processes the log data and identifies potential security incidents. By adjusting the sensitivity levels of the correlation engine, the security analyst can control the number and types of alerts that are generated. This can help reduce the number of false positives and create a baseline of normal operations, allowing the security analyst to focus on investigating only the most relevant alerts. Disabling email alerting and reviewing the SIEM directly, adjusting the data flow from authentication sources, and utilizing behavioral analysis are not directly related to reducing the number of alerts or creating a baseline of normal operations.
upvoted 2 times
Sandon
2 years, 6 months ago
Wrong, again.
upvoted 1 times
kennyleung0514
2 years, 8 months ago
Selected Answer: D
The model answer makes no sense. It should be D; to set a baseline, using the behavior is the best way to go.
upvoted 1 times
usam2021
2 years, 9 months ago
This might help answer why is D: https://www.ibm.com/topics/siem (AI learning and behavior analysis)
upvoted 2 times
Community vote distribution: A (35%), C (25%), B (20%), Other