A security analyst in a SOC has been tasked with onboarding - CompTIA Security+ SY0-701

Question

A security analyst in a SOC has been tasked with onboarding a new network into the SIEM. Which of the following BEST describes the information that should feed into a SIEM solution in order to adequately support an investigation?

Answers

  • A. Logs from each device type and security layer to provide correlation of events (correct)
  • Only firewall logs
  • Email and web-browsing logs
  • NetFlow
Explanation

Correct answer: A. Logs from each device type and security layer to provide correlation of events

The best approach for feeding data into a SIEM (Security Information and Event Management) solution is to collect logs from every device type and every security layer in the network: firewalls, routers and switches, servers, endpoints (including EDR telemetry), identity and authentication systems, and dedicated security appliances. The key word in the answer is correlation. A single event is rarely conclusive on its own; an allowed outbound HTTPS connection in a firewall log looks benign until it is joined with an endpoint event showing that the connection was made by a process spawned from an Office document, and with authentication logs showing failed then successful logons to a file server from the same host moments later. The SIEM builds that timeline by joining events from different layers on shared fields such as source IP, hostname, user name and timestamp, which is only possible when each layer actually feeds the SIEM. In practice this also means the onboarding work includes synchronising clocks (NTP) on every source and normalising field names across formats, since correlation across layers breaks down when timestamps disagree or the same host is identified differently in each log.

Reasons the other options are incorrect:

  • Only firewall logs: A firewall only records traffic that crosses it, so it misses host-local activity (process execution, file changes, privilege use) and east-west traffic that never reaches a perimeter or segmentation boundary. Attacks that arrive by another vector, such as a phishing attachment or a compromised credential, produce little or nothing in the firewall log, and the connections that do appear look like ordinary allowed traffic without endpoint or identity context.
  • Email and web-browsing logs: These are valuable for spotting phishing and malicious downloads, but they cover only the user-facing channels. They say nothing about what happened on the endpoint after the click, how the attacker moved between systems, or which accounts were used, so an investigation limited to them sees only the initial delivery stage.
  • NetFlow: NetFlow records flow metadata (source and destination addresses and ports, protocol, byte and packet counts, timing), not payloads, processes or user identities. It is a useful complement for spotting unusual traffic volumes, beaconing and unexpected internal connections, but on its own it cannot attribute a flow to a process or user, and it omits the event logs from security appliances, application servers and endpoint protection that an investigation depends on.
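To make the correlation argument concrete, the following added example (not part of the original page or of any SIEM product) runs a toy correlation rule over a handful of constructed log lines from four layers: EDR, firewall, NetFlow and server authentication. The line format, host names, addresses and rule names are all assumptions made for the illustration. Onboarding only the firewall (or only NetFlow) yields no indicators for the compromised host, while onboarding every layer reveals the full chain.

```python
"""Toy SIEM correlation: why a single log source is not enough.

Added example for illustration; the log format, hosts, addresses and rule
names are constructed and do not come from any real environment or product.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta

ALL_SOURCES = {"firewall", "netflow", "edr", "auth"}

# Constructed sample records in a simplified normalized form:
# "<source>|<UTC timestamp>|key=value key=value ..."
SAMPLE_LOGS = """\
edr|2024-03-01T09:00:02Z|host=WS-023 ip=10.0.5.23 event=process_start image=powershell.exe parent=winword.exe
firewall|2024-03-01T09:00:05Z|action=allow src=10.0.5.23 dst=203.0.113.10 dport=443
netflow|2024-03-01T09:00:06Z|src=10.0.5.23 dst=203.0.113.10 dport=443 bytes=18234
auth|2024-03-01T09:00:40Z|host=FS-01 event=logon_failure user=jsmith src=10.0.5.23
auth|2024-03-01T09:00:41Z|host=FS-01 event=logon_failure user=jsmith src=10.0.5.23
auth|2024-03-01T09:00:43Z|host=FS-01 event=logon_success user=jsmith src=10.0.5.23
firewall|2024-03-01T08:30:00Z|action=allow src=10.0.7.9 dst=198.51.100.7 dport=443
"""


@dataclass(frozen=True)
class Event:
    source: str
    ts: datetime
    fields: dict


def parse_logs(text: str) -> list[Event]:
    """Parse the constructed line format into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        source, ts, rest = line.split("|", 2)
        fields = dict(kv.split("=", 1) for kv in rest.split())
        events.append(Event(source, datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), fields))
    return events


def internal_host(ev: Event) -> str | None:
    """Normalize the pivot key: sources name the internal host field differently."""
    return ev.fields.get("ip") or ev.fields.get("src")


def cluster_by_host(events: list[Event], enabled_sources: set[str],
                    window: timedelta = timedelta(minutes=5)) -> dict[str, list[Event]]:
    """Group events from onboarded sources by internal host and keep those within
    `window` of the host's earliest event (one cluster per host suffices here)."""
    by_host: dict[str, list[Event]] = {}
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.source in enabled_sources and (host := internal_host(ev)):
            by_host.setdefault(host, []).append(ev)
    return {h: [e for e in evs if e.ts - evs[0].ts <= window] for h, evs in by_host.items()}


def assess(cluster: list[Event]) -> list[str]:
    """Return the indicators that fire for one host's cluster, sorted.
    Each indicator depends on a different layer; one needs two layers at once."""
    indicators = set()
    spawn_ts = None
    for e in cluster:  # endpoint layer: Office spawning PowerShell
        if (e.source == "edr" and e.fields.get("image") == "powershell.exe"
                and e.fields.get("parent") == "winword.exe"):
            indicators.add("office_spawned_powershell")
            spawn_ts = e.ts
    # network layer joined with the endpoint layer: outbound traffic after the spawn
    if spawn_ts is not None and any(
            e.source in ("firewall", "netflow") and e.ts > spawn_ts
            and e.fields.get("action", "allow") == "allow" for e in cluster):
        indicators.add("outbound_after_spawn")
    failures = 0  # identity layer: repeated failures followed by a success
    for e in cluster:
        if e.source != "auth":
            continue
        if e.fields["event"] == "logon_failure":
            failures += 1
        elif e.fields["event"] == "logon_success" and failures >= 2:
            indicators.add("lateral_auth_pattern")
        else:
            failures = 0
    return sorted(indicators)


def investigate(text: str, enabled_sources: set[str]) -> dict[str, list[str]]:
    """Run the pipeline as if only `enabled_sources` had been onboarded."""
    clusters = cluster_by_host(parse_logs(text), enabled_sources)
    return {host: assess(c) for host, c in clusters.items()}


if __name__ == "__main__":
    for sources in ({"firewall"}, {"netflow"}, {"edr"}, ALL_SOURCES):
        print(sorted(sources), "->", investigate(SAMPLE_LOGS, sources))
```

With only the firewall or only NetFlow onboarded, 10.0.5.23 produces no indicators: its traffic is an allowed HTTPS connection like the one from 10.0.7.9. EDR alone catches the suspicious process tree but cannot tie it to the outbound connection or the logons on FS-01. Only with all four layers present do the three indicators fire together on the same host, which is the correlation the question is asking about.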
