CompTIA Security+ (SY0-601) — Question 101
A security analyst in a SOC has been tasked with onboarding a new network into the SIEM. Which of the following BEST describes the information that should feed into a SIEM solution in order to adequately support an investigation?
Answer options
- A. Logs from each device type and security layer to provide correlation of events
- B. Only firewall logs since that is where attackers will most likely try to breach the network
- C. Email and web-browsing logs because user behavior is often the cause of security breaches
- D. NetFlow because it is much more reliable to analyze than syslog and will be exportable from every device
Correct answer: A
Explanation
The correct answer is A. A SIEM is only as useful as the telemetry it ingests: to reconstruct an incident, an analyst has to tie together events that surface on different layers (perimeter firewall, authentication and identity systems, servers and endpoints, web proxies, IDS/IPS, applications), and correlating those sources is what turns isolated log entries into a timeline of who did what, where, and when. Options B, C, and D each limit ingestion to a single vantage point. B sees only the perimeter and misses everything that happens after it is crossed (authentication, lateral movement, endpoint activity), as well as insider activity that never touches the firewall. C captures user-driven activity but not the network and host events needed to confirm what a phishing click or drive-by actually led to. D rests on unsupported premises: NetFlow records traffic metadata (who talked to whom, when, and how much) without application or authentication context, and not every device can export it, so it complements syslog rather than replacing it.
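To make the correlation point concrete, the following added example (not part of the original question or any vendor's SIEM) normalizes three constructed log sources into one schema and runs a single correlation rule over them: an external address the firewall allowed in, followed by repeated authentication failures and then a success from that address, followed by outbound web traffic from the compromised host. The log lines, the host name, the addresses, and the `ASSETS` inventory used to map host names to IPs are all constructed for the example. Removing any one of the three sources causes the rule to produce no finding, which is exactly why answer A is correct.

```python
import re
from datetime import datetime, timedelta

# Constructed asset inventory used for enrichment (maps hostnames in auth logs to IPs seen by the firewall).
ASSETS = {"srv05": "10.0.0.5"}

# Constructed sample log lines; none come from a real device.
FIREWALL_LOGS = [
    "2024-03-01T10:00:05Z fw01 filter: pass in tcp 203.0.113.9:51234 -> 10.0.0.5:22",
    "2024-03-01T10:00:40Z fw01 filter: pass in tcp 203.0.113.9:51240 -> 10.0.0.5:22",
    "2024-03-01T10:02:10Z fw01 filter: block in tcp 198.51.100.7:4444 -> 10.0.0.9:445",
]
AUTH_LOGS = [
    "2024-03-01T10:00:06Z srv05 sshd: Failed password for root from 203.0.113.9",
    "2024-03-01T10:00:12Z srv05 sshd: Failed password for root from 203.0.113.9",
    "2024-03-01T10:00:18Z srv05 sshd: Failed password for admin from 203.0.113.9",
    "2024-03-01T10:00:41Z srv05 sshd: Accepted password for admin from 203.0.113.9",
]
PROXY_LOGS = [
    "2024-03-01T10:01:15Z proxy01 10.0.0.5 GET http://198.51.100.7/stage2.bin 200 4096",
    "2024-03-01T10:01:20Z proxy01 10.0.0.7 GET http://example.com/ 200 1200",
]

FW_RE = re.compile(r"^(\S+) \S+ filter: (pass|block) in \w+ ([\d.]+):\d+ -> ([\d.]+):(\d+)$")
AUTH_RE = re.compile(r"^(\S+) (\S+) sshd: (Failed|Accepted) password for (\S+) from ([\d.]+)$")
PROXY_RE = re.compile(r"^(\S+) \S+ ([\d.]+) (\w+) (\S+) (\d+) (\d+)$")


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def normalize(fw_lines, auth_lines, proxy_lines):
    """Parse each source into a common event schema and return events sorted by time."""
    events = []
    for line in fw_lines:
        m = FW_RE.match(line)
        if m:
            events.append({"ts": parse_ts(m[1]), "source": "firewall", "action": m[2],
                           "src_ip": m[3], "dst_ip": m[4], "dst_port": int(m[5])})
    for line in auth_lines:
        m = AUTH_RE.match(line)
        if m:
            events.append({"ts": parse_ts(m[1]), "source": "auth",
                           "action": "fail" if m[3] == "Failed" else "success",
                           "user": m[4], "src_ip": m[5], "dst_ip": ASSETS.get(m[2], m[2])})
    for line in proxy_lines:
        m = PROXY_RE.match(line)
        if m:
            events.append({"ts": parse_ts(m[1]), "source": "proxy", "action": "request",
                           "src_ip": m[2], "url": m[4]})
    return sorted(events, key=lambda e: e["ts"])


def correlate(events, window=timedelta(minutes=5), min_failures=3):
    """Cross-source rule: allowed inbound + brute-force then success + outbound egress from the victim."""
    findings = []
    for s in (e for e in events if e["source"] == "auth" and e["action"] == "success"):
        fails = [e for e in events if e["source"] == "auth" and e["action"] == "fail"
                 and e["src_ip"] == s["src_ip"] and e["dst_ip"] == s["dst_ip"]
                 and s["ts"] - window <= e["ts"] < s["ts"]]
        if len(fails) < min_failures:
            continue  # auth log alone: not enough to call it a brute-force success
        fw_hits = [e for e in events if e["source"] == "firewall" and e["action"] == "pass"
                   and e["src_ip"] == s["src_ip"] and e["dst_ip"] == s["dst_ip"]
                   and s["ts"] - window <= e["ts"] <= s["ts"]]
        if not fw_hits:
            continue  # firewall log confirms the path was external and allowed
        egress = [e for e in events if e["source"] == "proxy" and e["src_ip"] == s["dst_ip"]
                  and s["ts"] < e["ts"] <= s["ts"] + window]
        findings.append({"attacker": s["src_ip"], "victim": s["dst_ip"], "user": s["user"],
                         "failures": len(fails), "firewall_allowed": True,
                         "egress_urls": [e["url"] for e in egress]})
    return findings


if __name__ == "__main__":
    for f in correlate(normalize(FIREWALL_LOGS, AUTH_LOGS, PROXY_LOGS)):
        print(f)
```

With all three sources the rule yields one finding naming the attacker, the victim, the account, the failure count and the post-compromise download; feeding it only the firewall lines, or only the authentication lines, yields nothing, because each source on its own lacks a field the rule needs.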