Lucy is the SOC operator for her organization and is responsible for monitoring her organization's SIEM and other security devices. Her organization has both domestic and international sites, and many of their employees travel frequently.

While Lucy is monitoring the SIEM, she notices that all of the log sources from her organization's New York branch have stopped reporting for the past 24 hours. What type of detection rules or alerts should she configure to make sure she is aware of this sooner next time?
A. Heuristic
B. Behavior
C. Availability
D. Anomaly

by User Hexium (6.7k points)

1 Answer


Final answer:

Lucy should configure Anomaly detection rules or alerts to be aware of a similar situation sooner next time.

The correct option is: C. Availability.

Step-by-step explanation:

In this scenario, Lucy should configure Anomaly detection rules or alerts to be aware of a similar situation sooner next time. Anomaly detection involves monitoring and comparing system behavior or data against an established baseline or expected patterns, and generating alerts when deviations are detected.

By configuring anomaly detection rules or alerts for the log sources from the New York branch, Lucy can receive notifications or alarms when there is a significant deviation from the expected behavior or when the log sources stop reporting.

This will enable her to take prompt action and investigate the issue to ensure the security of their organization's systems.

An example of an anomaly detection rule could be defining a threshold for the number of log entries received from the New York branch within a specified time period. If the number of log entries falls below this threshold or stops completely, an alert would be triggered, indicating a potential issue.

by User Emily Mabrey (7.4k points)
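The two checks the answer describes, a per-source "stopped reporting" condition and a per-site event-count threshold over a time window, written out as an added example in Python. This is not code from the question, the answer, or any SIEM product; the event tuples, the site and source names, and the rule parameters (one hour of silence per source, a four-hour volume window, a per-site minimum count) are constructed assumptions chosen so the New York sources go quiet while London keeps reporting.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log events for this example (not real SIEM data):
# (timestamp, site, log_source). The New York sources stop after 02:00,
# the London firewall keeps sending one event per hour.
SAMPLE_EVENTS = [
    (datetime(2024, 1, 1, 0, 0), "new_york", "ny-fw-01"),
    (datetime(2024, 1, 1, 0, 30), "new_york", "ny-dc-01"),
    (datetime(2024, 1, 1, 1, 0), "new_york", "ny-fw-01"),
    (datetime(2024, 1, 1, 1, 30), "new_york", "ny-dc-01"),
    (datetime(2024, 1, 1, 2, 0), "new_york", "ny-fw-01"),
    (datetime(2024, 1, 1, 0, 15), "london", "ldn-fw-01"),
    (datetime(2024, 1, 1, 1, 15), "london", "ldn-fw-01"),
    (datetime(2024, 1, 1, 2, 15), "london", "ldn-fw-01"),
    (datetime(2024, 1, 1, 3, 15), "london", "ldn-fw-01"),
    (datetime(2024, 1, 1, 4, 15), "london", "ldn-fw-01"),
    (datetime(2024, 1, 1, 5, 15), "london", "ldn-fw-01"),
]

# Hypothetical rule parameters (assumptions for this example, tune per environment).
MAX_SILENCE = timedelta(hours=1)          # per source: alert if no event for this long
VOLUME_WINDOW = timedelta(hours=4)        # per site: count events in this trailing window
MIN_EVENTS_PER_SITE = {"new_york": 4, "london": 2}  # expected minimum per window


def last_seen_by_source(events):
    """Return {(site, source): latest timestamp} across all events."""
    seen = {}
    for ts, site, source in events:
        key = (site, source)
        if key not in seen or ts > seen[key]:
            seen[key] = ts
    return seen


def silent_sources(events, now, max_silence=MAX_SILENCE):
    """Availability-style check: each source whose last event is older than max_silence."""
    alerts = []
    for (site, source), ts in sorted(last_seen_by_source(events).items()):
        silence = now - ts
        if silence > max_silence:
            alerts.append({"type": "source_silent", "site": site,
                           "source": source, "silent_for": silence})
    return alerts


def low_volume_sites(events, now, window=VOLUME_WINDOW, baseline=MIN_EVENTS_PER_SITE):
    """Threshold check: each site whose event count in the trailing window is below baseline."""
    start = now - window
    counts = defaultdict(int)
    for ts, site, _source in events:
        if start < ts <= now:
            counts[site] += 1
    alerts = []
    for site, minimum in sorted(baseline.items()):
        observed = counts.get(site, 0)
        if observed < minimum:
            alerts.append({"type": "site_low_volume", "site": site,
                           "observed": observed, "expected_min": minimum})
    return alerts


def evaluate(events, now):
    """Run both rules at evaluation time `now` and return the combined alert list."""
    return silent_sources(events, now) + low_volume_sites(events, now)


if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS, datetime(2024, 1, 1, 6, 0)):
        print(alert)
```

The per-source silence check fires for each New York device individually, which is what tells the operator that the sources themselves went quiet rather than that one noisy host slowed down; the per-site count catches a partial drop that no single source's silence would reveal. Evaluating at 02:30, before the gap, produces no alerts, so the same rules do not page on normal traffic.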