CompTIA Security+ (SY0-601) — Question 462

During an incident, an EDR system detects an increase in the number of encrypted outbound connections from multiple hosts. A firewall is also reporting an increase in outbound connections that use random high ports. An analyst plans to review the correlated logs to find the source of the incident. Which of the following tools will best assist the analyst?

Answer options

A. Vulnerability scanner
B. NGFW
C. Windows Event Viewer
D. SIEM

Correct answer: D

Explanation

The correct answer is D, a SIEM. The indicators come from two different sources: the EDR sees the encrypted outbound connections and the processes that open them on each host, and the firewall sees the same connections leaving the network on random high ports. A SIEM ingests both log streams, normalizes them and correlates them on shared fields such as source IP, destination and time, so the analyst can tie the firewall's connections back to a specific process on specific hosts and identify the source of the incident. A vulnerability scanner (A) finds unpatched or misconfigured systems; it does not analyze logs. An NGFW (B) filters traffic and produces the firewall logs in question, but it has no view of the host-side EDR telemetry and does not correlate across sources. The Windows Event Viewer (C) shows the local event logs of a single Windows host and cannot combine EDR and firewall data from many hosts.
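The following is an added example, not part of the original question set, showing the kind of correlation a SIEM performs in this scenario: firewall connections on random high ports are joined to EDR process events on source IP, destination and a short time window, and the matches are then grouped by process and destination to surface the common source across hosts. All log records are constructed, and the field layout, port threshold and path normalization are assumptions, not any vendor's schema.

```python
"""SIEM-style correlation of EDR connection events with firewall logs.

Constructed sample data. Field order, the "random high port" rule and the
per-user path normalization are assumptions for illustration only.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed EDR telemetry: (timestamp, host, host_ip, process_path, dest_ip, dest_port)
EDR_EVENTS = [
    ("2024-05-01T10:00:02", "WS01", "10.0.0.11", r"C:\Users\alice\AppData\Roaming\upd\svchost.exe", "203.0.113.7", 44123),
    ("2024-05-01T10:00:09", "WS02", "10.0.0.12", r"C:\Users\bob\AppData\Roaming\upd\svchost.exe", "203.0.113.7", 51877),
    ("2024-05-01T10:00:15", "WS03", "10.0.0.13", r"C:\Users\carol\AppData\Roaming\upd\svchost.exe", "203.0.113.7", 39210),
    ("2024-05-01T10:00:20", "WS01", "10.0.0.11", r"C:\Program Files\Mozilla Firefox\firefox.exe", "198.51.100.20", 443),
    ("2024-05-01T09:30:00", "WS04", "10.0.0.14", r"C:\Windows\System32\svchost.exe", "198.51.100.5", 443),
]

# Constructed firewall logs: (timestamp, src_ip, dst_ip, dst_port, action)
FW_LOGS = [
    ("2024-05-01T10:00:03", "10.0.0.11", "203.0.113.7", 44123, "allow"),
    ("2024-05-01T10:00:10", "10.0.0.12", "203.0.113.7", 51877, "allow"),
    ("2024-05-01T10:00:16", "10.0.0.13", "203.0.113.7", 39210, "allow"),
    ("2024-05-01T10:00:21", "10.0.0.11", "198.51.100.20", 443, "allow"),
    ("2024-05-01T10:00:30", "10.0.0.14", "198.51.100.5", 443, "allow"),
]

# Ports where encrypted outbound traffic is expected (assumed); other ports above 1023 count as "random high".
EXPECTED_TLS_PORTS = {443, 8443}


def parse_ts(s):
    return datetime.fromisoformat(s)


def is_random_high_port(port):
    return port > 1023 and port not in EXPECTED_TLS_PORTS


def normalize_process(path):
    # Collapse per-user profile directories so the same binary on different hosts groups together.
    return re.sub(r"(?i)^c:\\users\\[^\\]+\\", r"C:\\Users\\*\\", path)


def correlate(edr_events, fw_logs, window=timedelta(seconds=5)):
    """Join firewall connections on random high ports to the EDR event that names the process.

    Join key: firewall src_ip == EDR host_ip, same destination IP and port,
    timestamps within `window` of each other.
    """
    by_ip = defaultdict(list)
    for ts, host, host_ip, proc, dip, dport in edr_events:
        by_ip[host_ip].append((parse_ts(ts), host, proc, dip, dport))

    matches = []
    for ts, src, dst, dport, action in fw_logs:
        if not is_random_high_port(dport):
            continue
        fw_time = parse_ts(ts)
        for edr_time, host, proc, dip, eport in by_ip.get(src, []):
            if dip == dst and eport == dport and abs(edr_time - fw_time) <= window:
                matches.append({"host": host, "process": normalize_process(proc),
                                "dest_ip": dst, "dest_port": dport,
                                "action": action, "time": fw_time})
    return matches


def summarize(matches):
    """Group matches by process and destination to find what the affected hosts have in common."""
    if not matches:
        return {"likely_source": None, "hosts": set(), "top_destination": None}
    hosts_by_process = defaultdict(set)
    destinations = Counter()
    for m in matches:
        hosts_by_process[m["process"]].add(m["host"])
        destinations[m["dest_ip"]] += 1
    likely = max(hosts_by_process, key=lambda p: len(hosts_by_process[p]))
    return {"likely_source": likely,
            "hosts": hosts_by_process[likely],
            "top_destination": destinations.most_common(1)[0]}


if __name__ == "__main__":
    result = summarize(correlate(EDR_EVENTS, FW_LOGS))
    print(f"likely source: {result['likely_source']} on {sorted(result['hosts'])}")
    print(f"top destination: {result['top_destination']}")
```

The two port-443 connections drop out because they go to expected ports, and the remaining three firewall records resolve to the same binary under three different user profiles, all talking to one external address. Neither log source alone shows that; the firewall never sees the process name and each EDR agent only sees its own host.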