nerdexam
(ISC)2

CISSP · Question #772

Which of the following is the BEST reason to review audit logs periodically?

The correct answer is C. Identify anomalies in use patterns. Audit Log Review: Identifying Anomalies Periodically reviewing audit logs is best performed to identify anomalies in use patterns, because this is the primary security-driven purpose - detecting unusual behavior such as unauthorized access attempts, privilege escalation, or suspi

Submitted by parkjh· Mar 5, 2026Security Operations

Question

Which of the following is the BEST reason to review audit logs periodically?

Options

  • AVerify they are operating properly
  • BMonitor employee productivity
  • CIdentify anomalies in use patterns
  • DMeet compliance regulations

How the community answered

(20 responses)
  • A
    5% (1)
  • C
    85% (17)
  • D
    10% (2)

Explanation

Audit Log Review: Identifying Anomalies

Periodically reviewing audit logs is best performed to identify anomalies in use patterns, because this is the primary security-driven purpose - detecting unusual behavior such as unauthorized access attempts, privilege escalation, or suspicious activity that could indicate a breach or insider threat. While verifying logs are operating properly (A) is a valid technical task, it relates to log management health rather than the core security benefit of reviewing log content. Monitoring employee productivity (B) is an HR function, not a security objective, and using audit logs for this purpose raises ethical and legal concerns. Meeting compliance regulations (D) may be a byproduct of log reviews, but compliance is the business requirement that mandates logging - not the underlying reason why reviewing them provides security value.

Memory Tip: Think of audit logs as a security camera recording - you don't primarily watch the footage to ensure the camera works or satisfy an inspector; you watch it to spot something that looks wrong. "Anomalies = the 'aha' moment" is why you review.

Topics

#Audit logs#Security monitoring#Anomaly detection#Incident detection

Community Discussion

No community discussion yet for this question.

Full CISSP Practice