An organization discovered that a stealth intrusion was not flagged by its detection platform despite confirming the incident in system logs. Which approach best identifies why the event was not recognized and addresses how to avoid missing similar activities?
Adjust rules to the highest sensitivity, triggering notifications for unusual events
Reconfigure thresholds and update software to improve detection scope
Deploy extra monitoring tools across the network to enhance detection coverage
Analyze detection tool logs for pattern correlations with the observed data to verify system logic
Verifying the detection tool’s logs alongside confirmed incident evidence is the most direct way to pinpoint gaps in alerts and correlation. Simply adding tools, adjusting sensitivity, or expanding thresholds might improve detection capacity but do not directly explain why the current system missed the specific intrusion. Understanding the mismatch between logs and detection is crucial to recognizing which rules or correlations need adjustment.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
Why is analyzing detection tool logs crucial in identifying missed intrusions?
Open an interactive chat with Bash
What is the role of correlation rules in detection platforms?
Open an interactive chat with Bash
How can system logs assist in diagnosing stealth intrusions?