A security analyst in a SOC has been tasked with onboarding a new network into the SIEM. Which of the following BEST describes the information that should feed into a SIEM solution in order to adequately support an investigation?
A. Logs from each device type and security layer to provide correlation of events
B. Only firewall logs since that is where attackers will most likely try to breach the network
C. Email and web-browsing logs because user behavior is often the cause of security breaches
D. NetFlow because it is much more reliable to analyze than syslog and will be exportable from every device
A SIEM works best only if it has "A. Logs from each device type and security layer to provide correlation of events".
Firewall logs are not enough during the IR process.
I think it's A because SIEM needs massive amounts of information to be efficient.
B is wrong because it says ONLY firewall logs, which would not give you enough information to respond to the totality of a circumstance.
Do I want to only read Moskba Pravda for accurate reporting of the news, or do I want to read multiple sources so I can eliminate blind spots created by subjective reporting?
A. Logs from each device type and security layer to provide correlation of events.
A SIEM is most effective when it can correlate data from multiple sources across different layers of the infrastructure. This includes logs from firewalls, intrusion detection and prevention systems, network devices, servers, endpoints, and any other critical components of the IT environment. The ability to cross-reference and analyze this diverse data helps identify patterns that could indicate a security incident, thus providing a comprehensive view of the security posture and aiding in investigations.
The answer is B. It is not practical to ingest logs from each device. However, it is practical and standard to ingest firewall logs as they protect the network and are points of ingress. Ingesting logs from all devices is too much overhead and will become VERY expensive very quickly.
To adequately support an investigation, the SIEM (Security Information and Event Management) solution should be fed with logs from each device type and security layer within the network. This is because different devices and security layers generate logs that contain valuable information about events and activities within the network. By collecting and analyzing logs from various sources, the SIEM can correlate events and detect patterns or anomalies that may indicate potential security incidents or breaches.
The information that should feed into a SIEM solution to adequately support an investigation is logs from each device type and security layer to provide correlation of events. A SIEM (Security Information and Event Management) solution aggregates log data from various sources within a network, including firewalls, intrusion detection systems, servers, and endpoints, to provide a holistic view of security events. By aggregating and correlating logs from various devices and security layers, a SIEM solution can identify and alert on security threats and help security analysts investigate and respond to incidents. Therefore, the best answer is A. Logs from each device type and security layer to provide correlation of events.
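The comments above all make the same point: a SIEM's value comes from correlating events from different layers, and a single source such as firewall logs cannot discriminate between ordinary traffic and an intrusion. The following added example (not from this thread or from any SIEM vendor) shows that point in code: it parses constructed firewall, IDS and endpoint log lines, normalizes them into events keyed by the internal host, and fires a rule only when all three layers report on the same host inside a time window. The log formats, field names, hostnames and addresses are invented for illustration.

```python
"""
Added example: a toy cross-source correlation rule of the kind a SIEM runs.
Nothing here is a real vendor format; the lines below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
import re

# Constructed sample logs from three layers (syslog-like, but invented).
FIREWALL_LOGS = [
    "2024-03-01T10:00:05Z fw01 ALLOW src=203.0.113.7 dst=10.0.0.12 dport=443",
    "2024-03-01T10:02:10Z fw01 ALLOW src=203.0.113.7 dst=10.0.0.30 dport=443",
]
IDS_LOGS = [
    "2024-03-01T10:00:20Z ids01 ALERT sig=suspicious-http-upload dst=10.0.0.12",
]
ENDPOINT_LOGS = [
    "2024-03-01T10:01:00Z 10.0.0.12 PROCESS_CREATE user=www-data cmd=/bin/sh",
    "2024-03-01T10:03:00Z 10.0.0.30 PROCESS_CREATE user=app cmd=/usr/bin/python3",
]


@dataclass
class Event:
    ts: datetime
    source: str   # "firewall", "ids" or "endpoint"
    host: str     # internal host the event concerns; the correlation key
    detail: str   # remaining parsed fields, joined for display


TS = r"(?P<ts>\S+)"
# One parser per source; each yields at least a timestamp and a host.
PARSERS = {
    "firewall": re.compile(TS + r" \S+ (?P<action>\w+) src=\S+ dst=(?P<host>\S+) dport=\d+"),
    "ids": re.compile(TS + r" \S+ ALERT sig=(?P<sig>\S+) dst=(?P<host>\S+)"),
    "endpoint": re.compile(TS + r" (?P<host>\S+) PROCESS_CREATE user=\S+ cmd=(?P<cmd>\S+)"),
}


def parse(source, line):
    """Normalize one raw line into an Event, or None if it does not match."""
    m = PARSERS[source].fullmatch(line)
    if not m:
        return None  # a real SIEM would route this to a parse-failure queue
    fields = m.groupdict()
    ts = datetime.strptime(fields.pop("ts"), "%Y-%m-%dT%H:%M:%SZ")
    host = fields.pop("host")
    detail = ";".join(f"{k}={v}" for k, v in fields.items())
    return Event(ts, source, host, detail)


def ingest(sources):
    """Parse every line from every source and return events in time order."""
    events = []
    for source, lines in sources.items():
        for line in lines:
            ev = parse(source, line)
            if ev:
                events.append(ev)
    return sorted(events, key=lambda e: e.ts)


def correlate(events, window=timedelta(minutes=5),
              required=("firewall", "ids", "endpoint")):
    """Return hosts for which every required layer reported within `window`.

    The window slides over each host's own timeline, so the layers may
    report in any order as long as they fall within `window` of one another.
    """
    by_host = {}
    for ev in events:
        by_host.setdefault(ev.host, []).append(ev)
    hits = []
    for host, evs in by_host.items():
        for anchor in evs:
            seen = {e.source for e in evs if anchor.ts <= e.ts <= anchor.ts + window}
            if set(required) <= seen:
                hits.append(host)
                break
    return sorted(hits)


if __name__ == "__main__":
    evs = ingest({"firewall": FIREWALL_LOGS, "ids": IDS_LOGS, "endpoint": ENDPOINT_LOGS})
    print("all layers  :", correlate(evs))
    print("firewall only:", correlate(evs, required=("firewall",)))
```

With only the firewall feed, both internal hosts look identical (an allowed inbound HTTPS connection each), so a firewall-only rule either alerts on both or on neither. Adding the IDS and endpoint layers lets the rule single out the one host where the network alert and the unexpected child process line up with the connection, which is the kind of evidence an investigation actually needs.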
"A" should be the right exam answer. In the real world, you might have to be a bit more picky about which logs to choose, as you'd have limitations like EPS-based licenses for your SIEM or limited hardware resources, so it's not always the best solution to feed everything to your SIEM.
The strength of a SIEM is derived from the correlation of data from different sources. Correlating data from endpoints and the network should "adequately" assist in investigations.
Nah. Firewalls are also not the only way an attacker can access resources either.
SY0-601 Exam Questions
Community vote distribution: A (35%), C (25%), B (20%), Other
Commenters: Kashim (Highly Voted, 2 years, 8 months ago), nobnarb (Highly Voted, 2 years, 8 months ago), LordJaraxxus (Most Recent, 1 year, 3 months ago), Grumpy_Old_Coot (1 year, 5 months ago), usoKhanya (1 year, 5 months ago), md4946 (1 year, 11 months ago), Odisman1 (1 year, 11 months ago), Chr0n (1 year, 9 months ago), ApplebeesWaiter1122 (1 year, 11 months ago), Yawannawanka (2 years, 2 months ago), Sir_Learnalot (2 years, 8 months ago), Picvet (2 years, 8 months ago), Dapsie (1 year, 1 month ago), Gino_Slim (2 years, 8 months ago)