CompTIA Security+ (SY0-601) — Question 726
A security analyst is receiving several alerts per user and is trying to determine if various logins are malicious. The security analyst would like to create a baseline of normal operations and reduce noise. Which of the following actions should the security analyst perform?
Answer options
- A. Adjust the data flow from authentication sources to the SIEM.
- B. Disable email alerting and review the SIEM directly.
- C. Adjust the sensitivity levels of the SIEM correlation engine.
- D. Utilize behavioral analysis to enable the SIEM's learning mode.
Correct answer: D
Explanation
The correct answer is D. A SIEM with behavioral analysis (often marketed as user and entity behavior analytics, UEBA) running in learning mode observes each user's normal login patterns over time, such as usual hours, source addresses and daily volume, and builds a per-user baseline. Once that baseline exists, the correlation engine can alert only on deviations from it instead of raising an alert for every login, which is exactly the noise reduction the analyst wants. Option A changes which authentication data reaches the SIEM but does not distinguish normal from abnormal logins and risks losing visibility. Option B suppresses notifications without reducing the underlying alert volume, so critical alerts are likely to be missed. Option C lowers sensitivity without any knowledge of what normal looks like, so it reduces noise mainly by increasing the chance that true positives are dropped.
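To make the difference between "alert per login" and "alert on deviation from a learned baseline" concrete, here is an added example (not part of the original question or of any SIEM product) that models learning mode in a few dozen lines of Python. The event log, the users, the IP addresses and the cutoff date are all constructed for illustration; the profile fields (known source IPs, usual hour range, mean and standard deviation of daily login count) are one reasonable choice of features, not a vendor's algorithm.

```python
from collections import defaultdict
from datetime import datetime
import statistics

# Constructed sample authentication events: "ISO-timestamp user src_ip outcome".
# Days 1-3 are the learning window; days 4-5 are "live" events to score.
SAMPLE_EVENTS = """
2024-03-01T08:05:00 alice 10.0.0.5 success
2024-03-01T08:40:00 alice 10.0.0.5 success
2024-03-01T09:10:00 bob 10.0.1.7 success
2024-03-02T08:12:00 alice 10.0.0.5 success
2024-03-02T08:55:00 alice 10.0.0.5 failure
2024-03-02T09:01:00 alice 10.0.0.5 success
2024-03-02T09:20:00 bob 10.0.1.7 success
2024-03-03T08:00:00 alice 10.0.0.5 success
2024-03-03T08:30:00 alice 10.0.0.5 success
2024-03-03T09:15:00 bob 10.0.1.8 success
2024-03-04T08:20:00 alice 10.0.0.5 success
2024-03-04T09:05:00 bob 10.0.1.7 success
2024-03-05T03:14:00 alice 203.0.113.9 failure
2024-03-05T03:15:00 alice 203.0.113.9 failure
2024-03-05T03:16:00 alice 203.0.113.9 success
2024-03-05T08:10:00 alice 10.0.0.5 success
2024-03-05T09:00:00 bob 10.0.1.7 success
"""


def parse_events(text):
    events = []
    for line in text.strip().splitlines():
        ts, user, ip, outcome = line.split()
        events.append((datetime.fromisoformat(ts), user, ip, outcome))
    return sorted(events)


def learn_baselines(events):
    """Learning phase: per user, record the source IPs seen, the range of
    login hours, and the mean / std-dev of logins per day."""
    ips, hours = defaultdict(set), defaultdict(set)
    per_day = defaultdict(lambda: defaultdict(int))
    for ts, user, ip, _ in events:
        ips[user].add(ip)
        hours[user].add(ts.hour)
        per_day[user][ts.date()] += 1
    profiles = {}
    for user in ips:
        counts = list(per_day[user].values())
        profiles[user] = {"ips": ips[user], "hour_min": min(hours[user]),
                          "hour_max": max(hours[user]),
                          "mean": statistics.mean(counts),
                          "sd": statistics.pstdev(counts)}
    return profiles


def detect_anomalies(events, profiles, k=2.0):
    """Detection phase: only events that deviate from the user's baseline
    become findings, grouped per (user, source IP, day) so a burst of
    suspicious logins produces one finding instead of one alert each."""
    grouped = defaultdict(list)
    per_day = defaultdict(lambda: defaultdict(int))
    for ts, user, ip, _ in events:
        per_day[user][ts.date()] += 1
        prof = profiles.get(user)
        if prof is None:
            grouped[(user, ip, ts.date())].append("no baseline for user")
            continue
        reasons = []
        if ip not in prof["ips"]:
            reasons.append("new source ip")
        if not prof["hour_min"] - 1 <= ts.hour <= prof["hour_max"] + 1:
            reasons.append("unusual hour %02d" % ts.hour)
        if reasons:
            grouped[(user, ip, ts.date())].append(", ".join(reasons))
    findings = [{"user": u, "src_ip": ip, "day": d, "events": len(r),
                 "reasons": sorted(set(r))} for (u, ip, d), r in grouped.items()]
    # Volume check: a day with far more logins than the learned mean is a finding
    # even if every individual login looked normal.
    for user, days in per_day.items():
        prof = profiles.get(user)
        if prof is None:
            continue
        threshold = prof["mean"] + k * prof["sd"]
        for day, n in days.items():
            if n > threshold:
                findings.append({"user": user, "src_ip": None, "day": day, "events": n,
                                 "reasons": ["daily volume %d above baseline %.1f" % (n, threshold)]})
    return findings


def run(text=SAMPLE_EVENTS, learn_until="2024-03-04T00:00:00"):
    """Learn on events before learn_until, score the rest. Returns the number
    of raw per-login alerts the SIEM would have raised and the findings list."""
    cutoff = datetime.fromisoformat(learn_until)
    events = parse_events(text)
    profiles = learn_baselines([e for e in events if e[0] < cutoff])
    live = [e for e in events if e[0] >= cutoff]
    return len(live), detect_anomalies(live, profiles)


if __name__ == "__main__":
    raw, findings = run()
    print("per-login alerts:", raw, "| baseline findings:", len(findings))
    for f in findings:
        print(f)
```

On the constructed data, seven live logins (the "several alerts per user" of the question) collapse to two findings, both for alice: one for three logins from a never-seen address at 03:00, and one because her daily volume exceeds the learned mean plus two standard deviations. Bob's logins, including one from a second internal address that was seen during learning, produce nothing. Note what option C would do instead: raising the volume threshold (larger `k`) alone would eventually silence the second finding, but it would also hide a genuine burst, and no sensitivity setting can produce the "new source ip" signal without a baseline to compare against.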