CompTIA SecurityX (CAS-005) — Question 135
A security architect performs a baseline review on the SIEM. The findings indicate that multiple use cases are missing and coverage is limited for defense evasion techniques. Which of the following processes best describes what the architect should do?
Answer options
- A. Implement a TIP on the internal network to facilitate the creation of a use case.
- B. Perform a penetration test on critical devices and document IOCs for use cases.
- C. Create a list of use cases based on Snort detection rules.
- D. Use Sigma to build the logic of the use cases and testing on the SIEM.
Correct answer: D
Explanation
The correct answer is D. Sigma is an open, vendor-neutral YAML format for describing log-based detection logic, and its rules are tagged to MITRE ATT&CK tactics and techniques (for example, attack.defense_evasion and attack.t1070.001). Because Sigma rules convert to native queries for whatever SIEM is in use, the architect can write the missing use cases once, map them to the defense evasion techniques the baseline review found uncovered, and test the logic on the SIEM before it goes into production. Option A is wrong because a TIP (threat intelligence platform) manages indicators and intelligence feeds; it does not define or test detection use cases. Option B is wrong because a penetration test validates controls and yields point-in-time IOCs, which can feed a use case but do not replace the process of building and testing detection logic. Option C is wrong because Snort rules are network IDS signatures; many defense evasion techniques (clearing event logs, disabling security tools, process injection) leave host and authentication log evidence that network signatures cannot see, so basing use cases on Snort alone would leave coverage limited.
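To make the Sigma-based process concrete, here is an added example (not part of the exam question or its explanation) of one defense evasion use case written in Sigma's structure and tested against constructed log events before it is shipped to the SIEM. The rule mirrors the public Sigma pattern for a cleared Windows Security log (Event ID 1102 from the Microsoft-Windows-Eventlog provider, ATT&CK T1070.001) but is expressed as a Python dict rather than YAML so the example runs without PyYAML. The allow-listed service account name, the sample events, and the minimal matcher are all assumptions made for the example; in practice the YAML rule is converted with sigma-cli (the command takes the shape `sigma convert -t <backend> -p <pipeline> rule.yml`) and the SIEM runs the resulting query.

```python
"""Build one Sigma-style use case for a defense evasion technique and test it
against constructed events before deploying it to the SIEM."""
import re

# Sigma rule "Security Event Log Cleared" (ATT&CK T1070.001), laid out like the
# YAML rule: title, logsource, detection (named selections + condition), tags.
# The filter's service-account name is an assumption for this example.
RULE = {
    "title": "Security Event Log Cleared",
    "logsource": {"product": "windows", "service": "security"},
    "detection": {
        "selection": {
            "EventID": 1102,
            "Provider_Name": "Microsoft-Windows-Eventlog",
        },
        "filter_rotation": {"SubjectUserName|endswith": "svc_logrotate"},
        "condition": "selection and not filter_rotation",
    },
    "tags": ["attack.defense_evasion", "attack.t1070.001"],
}

# Constructed Windows Security events (assumed data, not a real capture).
SAMPLE_EVENTS = [
    # log cleared by an interactive user: should fire
    {"EventID": 1102, "Provider_Name": "Microsoft-Windows-Eventlog",
     "SubjectUserName": "jdoe", "Computer": "WS-042"},
    # same action by the assumed rotation account: excluded by the filter
    {"EventID": 1102, "Provider_Name": "Microsoft-Windows-Eventlog",
     "SubjectUserName": "svc_logrotate", "Computer": "WS-042"},
    # unrelated successful logon: must not fire
    {"EventID": 4624, "Provider_Name": "Microsoft-Windows-Security-Auditing",
     "SubjectUserName": "jdoe", "Computer": "WS-042"},
    # wrong provider for a 1102: must not fire
    {"EventID": 1102, "Provider_Name": "Contoso-App", "SubjectUserName": "jdoe"},
]


def field_matches(event, spec_key, expected):
    """Evaluate one Sigma field spec such as 'SubjectUserName|endswith'.
    A list of expected values is an OR; strings compare case-insensitively."""
    field, _, modifier = spec_key.partition("|")
    if field not in event:
        return False
    actual = event[field]
    for want in expected if isinstance(expected, list) else [expected]:
        if isinstance(want, str) and isinstance(actual, str):
            a, w = actual.lower(), want.lower()
            ok = {"": a == w, "contains": w in a, "startswith": a.startswith(w),
                  "endswith": a.endswith(w)}.get(modifier, False)
        else:
            ok = modifier == "" and actual == want
        if ok:
            return True
    return False


def selection_matches(event, selection):
    """A selection map is an AND of all its field specs."""
    return all(field_matches(event, k, v) for k, v in selection.items())


def eval_condition(condition, results):
    """Tiny recursive-descent evaluator for Sigma conditions built from
    selection names, 'and', 'or', 'not' and parentheses (no eval())."""
    tokens = re.findall(r"\(|\)|\w+", condition)
    pos = 0

    def take():
        nonlocal pos
        pos += 1
        return tokens[pos - 1]

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def factor():
        tok = take()
        if tok == "not":
            return not factor()
        if tok == "(":
            value = expr()
            take()  # closing parenthesis
            return value
        return results[tok]

    def term():
        value = factor()
        while peek() == "and":
            take()
            right = factor()  # always consume, no short-circuit
            value = value and right
        return value

    def expr():
        value = term()
        while peek() == "or":
            take()
            right = term()
            value = value or right
        return value

    return expr()


def run_rule(rule, events):
    """Return the events the rule fires on; this is the 'test on the SIEM' step
    done locally against known-good and known-bad samples."""
    det = rule["detection"]
    names = [k for k in det if k != "condition"]
    return [ev for ev in events
            if eval_condition(det["condition"],
                              {n: selection_matches(ev, det[n]) for n in names})]


def tactic_coverage(rules):
    """Which ATT&CK tactics the rule set covers, from Sigma tags; used to
    check a baseline finding like 'defense evasion coverage is limited'."""
    return sorted({t for r in rules for t in r["tags"]
                   if t.startswith("attack.") and not re.match(r"attack\.t\d", t)})


if __name__ == "__main__":
    for hit in run_rule(RULE, SAMPLE_EVENTS):
        print(RULE["title"], "fired on", hit)
    print("tactics covered:", tactic_coverage([RULE]))
```

The point of testing locally first is that the allow-list filter and the provider check are exactly the parts that go wrong when a rule is translated for a particular SIEM; asserting the expected hits before and after conversion catches a use case that silently fires on everything or on nothing.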