GIAC Security Leadership Certification (GSLC) — Question 41
What is a reason an organization would choose output-driven over input-driven SIEM collection?
Answer options
- A. Search performance
- B. Real-time alerting
- C. Attack detection
- D. Historical analytics
Correct answer: C
Explanation
The correct answer is C: output-driven SIEM collection prioritizes the data that indicates malicious activity, so the SIEM is built around detecting attacks effectively. Search performance, real-time alerting, and historical analytics (options A, B, and D) are important, but they are not the primary reason for choosing output-driven over input-driven collection.