CISSP Question #1123: Real Exam Question with Answer & Explanation
The correct answer is D: Confirm alarm thresholds.
Question
A recent security audit is reporting several unsuccessful login attempts being repeated at specific times during the day on an Internet-facing authentication server. No alerts have been generated by the security information and event management (SIEM) system. What PRIMARY action should be taken to improve SIEM performance?
Options
- A. Implement role-based system monitoring
- B. Audit firewall logs to identify the source of login attempts
- C. Enhance logging detail
- D. Confirm alarm thresholds
Explanation
The SIEM failed to generate alerts for repeated failed login attempts, indicating its alarm thresholds are not properly configured to detect this pattern of activity.
Common mistakes.
- A. Role-based system monitoring addresses access control and monitoring responsibilities, but does not directly address why the SIEM failed to generate alerts for detected login attempts.
- B. Auditing firewall logs is a reactive investigative step to find the attack source, not a corrective action to improve SIEM alerting performance going forward.
- C. Enhancing logging detail would increase the granularity of log data ingested by the SIEM, but the problem is not a lack of log data: it is that the SIEM's alert thresholds are not triggering on the existing data.
Concept tested. SIEM alarm threshold configuration and tuning
Reference. https://learn.microsoft.com/en-us/azure/sentinel/configure-analytics-rules
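To make the distinction between "not enough log data" (option C) and "thresholds that never fire on the data already there" (option D) concrete, here is an added example that is not part of the exam question or its reference. It is a small sliding-window correlation rule of the kind a SIEM analytics rule implements, run over constructed sshd log lines; the source addresses, timestamps, and the two threshold settings (a loose 50-failures-per-hour rule beside a tuned 5-failures-per-10-minutes rule) are assumptions made for the demonstration, not vendor defaults.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (not from any real system): syslog-style sshd
# events from an Internet-facing authentication server. 203.0.113.7 fails
# repeatedly in two short bursts at fixed times of day; 198.51.100.5 is one
# mistyped password followed by a successful login.
SAMPLE_LOG = """\
2024-03-01T02:00:01Z authsrv sshd[1011]: Failed password for invalid user admin from 203.0.113.7 port 50212 ssh2
2024-03-01T02:00:33Z authsrv sshd[1012]: Failed password for invalid user admin from 203.0.113.7 port 50213 ssh2
2024-03-01T02:01:05Z authsrv sshd[1013]: Failed password for root from 203.0.113.7 port 50214 ssh2
2024-03-01T02:01:40Z authsrv sshd[1014]: Failed password for root from 203.0.113.7 port 50215 ssh2
2024-03-01T02:02:12Z authsrv sshd[1015]: Failed password for invalid user test from 203.0.113.7 port 50216 ssh2
2024-03-01T02:02:50Z authsrv sshd[1016]: Failed password for invalid user test from 203.0.113.7 port 50217 ssh2
2024-03-01T09:15:10Z authsrv sshd[2201]: Failed password for alice from 198.51.100.5 port 41022 ssh2
2024-03-01T09:15:25Z authsrv sshd[2201]: Accepted password for alice from 198.51.100.5 port 41022 ssh2
2024-03-01T14:00:02Z authsrv sshd[3301]: Failed password for invalid user admin from 203.0.113.7 port 50301 ssh2
2024-03-01T14:00:35Z authsrv sshd[3302]: Failed password for invalid user admin from 203.0.113.7 port 50302 ssh2
2024-03-01T14:01:07Z authsrv sshd[3303]: Failed password for root from 203.0.113.7 port 50303 ssh2
2024-03-01T14:01:44Z authsrv sshd[3304]: Failed password for root from 203.0.113.7 port 50304 ssh2
2024-03-01T14:02:15Z authsrv sshd[3305]: Failed password for invalid user test from 203.0.113.7 port 50305 ssh2
"""

# Matches only failed-password lines; "Accepted password" lines are ignored.
FAILED_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<src>\S+) port \d+"
)


def parse_failed_logins(text):
    """Return [(timestamp, source_ip)] for every failed-password line."""
    events = []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%S")
            events.append((ts, m.group("src")))
    return events


def failed_login_alerts(events, threshold, window_seconds):
    """Sliding-window correlation rule: raise one alert per source the first
    time it accumulates `threshold` failures within `window_seconds`.
    Returns [(source_ip, window_start_iso, count)]."""
    by_src = defaultdict(list)
    for ts, src in sorted(events):
        by_src[src].append(ts)
    alerts = []
    for src, times in by_src.items():
        start = 0
        for end, ts in enumerate(times):
            # Slide the window start forward until every counted event
            # lies within window_seconds of the current event.
            while (ts - times[start]).total_seconds() > window_seconds:
                start += 1
            count = end - start + 1
            if count >= threshold:
                alerts.append((src, times[start].strftime("%Y-%m-%dT%H:%M:%SZ"), count))
                break  # one alert per source is enough to show the rule fired
    return alerts


# Constructed threshold settings for this demonstration, not vendor defaults.
UNTUNED = {"threshold": 50, "window_seconds": 3600}  # 50 failures per hour
TUNED = {"threshold": 5, "window_seconds": 600}      # 5 failures per 10 minutes

if __name__ == "__main__":
    events = parse_failed_logins(SAMPLE_LOG)
    print("untuned rule alerts:", failed_login_alerts(events, **UNTUNED))  # []
    print("tuned rule alerts:  ", failed_login_alerts(events, **TUNED))
```

The same twelve failure events are fed to both rules. The untuned rule sees at most six failures from one source in any hour and stays silent, which is exactly the audit finding in the question: the evidence is already in the logs, so adding detail (option C) changes nothing. Lowering the threshold and shortening the window makes the rule fire on the first burst, while the single mistyped password from 198.51.100.5 still produces no alert.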