CompTIA CySA+ (CS0-003) — Question 87
While configuring a SIEM for an organization, a security analyst is having difficulty correlating incidents across different systems. Which of the following should be checked first?
Answer options
- A. If appropriate logging levels are set
- B. NTP configuration on each system
- C. Behavioral correlation settings
- D. Data normalization rules
Correct answer: B
Explanation
The correct answer is B because accurate time synchronization across systems is crucial for correlating events correctly. Without proper NTP configuration, timestamps from different systems may be inconsistent with one another, making it difficult to relate events to the same incident. The other options, while important, do not address the fundamental issue of time discrepancies that affect incident correlation.