CISSP · Question #1123
A recent security audit is reporting several unsuccessful login attempts being repeated at specific times during the day on an Internet facing authentication server. No alerts have been generated by t
The correct answer is D. Confirm alarm thresholds. The SIEM failed to generate alerts for repeated failed login attempts, indicating its alarm thresholds are not properly configured to detect this pattern of activity.
Question
Options
- AImplement role-based system monitoring
- BAudit firewall logs to identify the source of login attempts
- CEnhance logging detail
- DConfirm alarm thresholds
How the community answered
(26 responses)- A15% (4)
- B8% (2)
- C4% (1)
- D73% (19)
Why each option
The SIEM failed to generate alerts for repeated failed login attempts, indicating its alarm thresholds are not properly configured to detect this pattern of activity.
Role-based system monitoring addresses access control and monitoring responsibilities, but does not directly address why the SIEM failed to generate alerts for detected login attempts.
Auditing firewall logs is a reactive investigative step to find the attack source, not a corrective action to improve SIEM alerting performance going forward.
Enhancing logging detail would increase the granularity of log data ingested by the SIEM, but the problem is not a lack of log data - it is that the SIEM's alert thresholds are not triggering on the existing data.
If the SIEM is not generating alerts for repeated unsuccessful login attempts, the most likely cause is that the alarm thresholds are set too high or are misconfigured, meaning the defined trigger conditions are not being met by the observed activity. Confirming and adjusting alarm thresholds ensures the SIEM correctly identifies and alerts on brute-force or credential-stuffing patterns, which occur at specific intervals in this scenario. This is the primary corrective action to restore proper SIEM alerting functionality without changing the underlying data sources.
Concept tested: SIEM alarm threshold configuration and tuning
Source: https://learn.microsoft.com/en-us/azure/sentinel/configure-analytics-rules
Topics
Community Discussion
No community discussion yet for this question.