CompTIA Security+ (SY0-601) — Question 257
Multiple beaconing activities to a malicious domain have been observed. The malicious domain is hosting malware from various endpoints on the network. Which of the following technologies would be BEST to correlate the activities between the different endpoints?
Answer options
- A. Firewall
- B. SIEM
- C. IPS
- D. Protocol analyzer
Correct answer: B
Explanation
A SIEM (Security Information and Event Management) system aggregates and analyzes security data from many sources, which makes it the best choice for correlating activity across different endpoints. A firewall can block unwanted traffic and an IPS can prevent intrusions, but neither is built to correlate events across endpoints the way a SIEM is. A protocol analyzer captures traffic on one segment but does not provide that level of event correlation.
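To show what the explanation means by correlation, the following is an added example (not part of the original question page) of the core logic a SIEM rule applies to this scenario: events from many endpoints are joined on a shared indicator (the destination domain), each host's contact pattern is checked for the regular timing that characterizes beaconing, and domains beaconed to by more than one host are reported. The log format, host names and domains are constructed for the example and do not represent any real SIEM's schema.

```python
"""Minimal SIEM-style correlation of beaconing across endpoints.

Added example, not from the original page. Assumes a constructed,
simplified proxy/DNS log format:
    <ISO timestamp> <source host> <destination domain>
A real SIEM normalizes fields from many sources first; this keeps only
the correlation step.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample events: three hosts contact the same domain at a
# fixed 60 s interval; one host browses a benign domain irregularly.
SAMPLE_LOG = """\
2024-05-01T10:00:00 ws-101 updates.example-bad.test
2024-05-01T10:01:00 ws-101 updates.example-bad.test
2024-05-01T10:02:00 ws-101 updates.example-bad.test
2024-05-01T10:03:00 ws-101 updates.example-bad.test
2024-05-01T10:00:20 ws-205 updates.example-bad.test
2024-05-01T10:01:20 ws-205 updates.example-bad.test
2024-05-01T10:02:20 ws-205 updates.example-bad.test
2024-05-01T10:03:20 ws-205 updates.example-bad.test
2024-05-01T10:00:40 srv-07 updates.example-bad.test
2024-05-01T10:01:40 srv-07 updates.example-bad.test
2024-05-01T10:02:40 srv-07 updates.example-bad.test
2024-05-01T10:03:40 srv-07 updates.example-bad.test
2024-05-01T10:00:05 ws-301 news.example.test
2024-05-01T10:07:13 ws-301 news.example.test
2024-05-01T10:21:48 ws-301 news.example.test
2024-05-01T10:22:02 ws-301 news.example.test
"""


def parse_log(text):
    """Parse the constructed format into (timestamp, host, domain) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, domain = line.split()
        events.append((datetime.fromisoformat(ts), host, domain))
    return events


def is_beaconing(timestamps, min_events=4, max_cv=0.2):
    """True if the gaps between contacts are regular enough to look automated.

    Uses the coefficient of variation (stdev / mean) of the inter-arrival
    times: near 0 means a near-constant period. Human browsing produces
    large, irregular gaps and therefore a high CV.
    """
    if len(timestamps) < min_events:
        return False
    ordered = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ordered, ordered[1:])]
    avg = mean(gaps)
    if avg <= 0:
        return False
    return pstdev(gaps) / avg <= max_cv


def correlate_beacons(events, min_hosts=2):
    """Return {domain: sorted hosts} for domains beaconed to by >= min_hosts.

    This is the cross-endpoint join a SIEM rule performs: events from
    different hosts are grouped on the shared indicator (destination domain)
    and each host's timing is evaluated separately.
    """
    by_dest_host = defaultdict(lambda: defaultdict(list))
    for ts, host, domain in events:
        by_dest_host[domain][host].append(ts)
    result = {}
    for domain, hosts in by_dest_host.items():
        beaconing_hosts = sorted(h for h, ts in hosts.items() if is_beaconing(ts))
        if len(beaconing_hosts) >= min_hosts:
            result[domain] = beaconing_hosts
    return result


if __name__ == "__main__":
    for domain, hosts in correlate_beacons(parse_log(SAMPLE_LOG)).items():
        print(f"{domain}: beaconing from {', '.join(hosts)}")
```

Run as a script, it reports `updates.example-bad.test` with the three beaconing hosts and ignores the benign, irregular browsing from `ws-301`. The point the question makes is visible in the structure: no single firewall, IPS or packet capture sees all three hosts' events side by side; the correlation only exists once the logs are aggregated in one place.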