CompTIA Security+ (SY0-601) — Question 141
An organization is tuning SIEM rules based on threat intelligence reports. Which of the following phases of the incident response process does this scenario represent?
Answer options
- A. Lessons learned
- B. Eradication
- C. Recovery
- D. Preparation
Correct answer: D
Explanation
The correct answer is D, Preparation: tuning SIEM rules based on threat intelligence is a proactive measure taken before an incident occurs. Lessons learned (A) relates to analyzing past incidents, Eradication (B) involves removing threats post-incident, and Recovery (C) focuses on restoring systems after an incident, so none of these phases fits this scenario.