Quiz: Security Information and Event Management (SIEM)
Twenty-six self-check questions: multiple choice, true/false-with-justification, and short answer. Questions tagged [Sec+] or [CISSP] map to a certification objective (CISSP Domain 7, Security Operations; Security+ logging/monitoring objectives). Answers and brief explanations are at the end — write your answer before you expand the key.
Multiple choice
1. The single best one-sentence reason a SIEM is more than an expensive search engine is that it:
   A. stores more logs than any single system could
   B. watches for defined patterns across sources and time and alerts on them automatically
   C. encrypts logs so attackers cannot read them
   D. replaces the need for firewalls and endpoint protection
2. [Sec+] Which log sources should a new SIEM program collect first, by detection value?
   A. printer and IoT-device logs
   B. application debug logs
   C. identity/authentication and endpoint (EDR) logs
   D. load-balancer HTTP 200 responses
3. Normalization in a SIEM is best defined as:
   A. compressing logs to save storage
   B. mapping fields from many source formats onto a single common schema
   C. deleting duplicate events
   D. encrypting events in transit
4. A rule that fires when "many failed logins for one account are followed within minutes by a success for that account" is an example of which correlation type?
   A. single-event (atomic)
   B. threshold
   C. sequence / temporal
   D. allowlist
5. [CISSP] Which statement about alert fatigue is correct?
   A. it is solved by buying a faster SIEM
   B. it only affects junior analysts
   C. it is a predictable systems failure in which excess (mostly false-positive) alerts cause real attacks to be missed
   D. it is eliminated by writing more detection rules
6. The best response to a correlation rule that is noisy but catches a real threat is to:
   A. disable it to stop the noise
   B. tune it — narrow its conditions to exclude the benign case without losing the malicious one
   C. lower its threshold so it fires even more
   D. route all its alerts straight to the executive dashboard
7. [Sec+] A SOAR platform's primary job, relative to a SIEM, is to:
   A. store logs more cheaply for longer
   B. normalize logs into a common schema
   C. orchestrate and automate the response to alerts via playbooks
   D. generate the raw events the SIEM ingests
8. A data lake, compared with a SIEM, is characterized by:
   A. real-time correlation and alerting out of the box
   B. cheap, long-term storage of vast raw data with schema applied at read time
   C. a fixed schema enforced at write time, optimized for alerting
   D. an inability to store security logs
9. Which is the strongest reason to forward logs off the host to a central system?
   A. it reduces disk usage on the host
   B. an attacker who compromises the host can clear or alter its local logs, but not the forwarded copy
   C. it makes queries run faster
   D. central logs do not need time synchronization
10. [CISSP] Why must all log sources synchronize to a common time source and normalize to UTC?
   A. to satisfy a cosmetic formatting standard
   B. so events from different sources line up accurately for time-based correlation
   C. because logs cannot be stored without a timezone
   D. to reduce the volume of logs collected
11. "Fidelity, not coverage, is the currency of a SOC" means that the most valuable detection is one that:
   A. alerts on the largest number of distinct threats
   B. catches real attacks while generating few false positives (high signal per alert)
   C. never fires at all, keeping the queue empty
   D. is written in the most query languages
12. [Sec+] Which of the following is a single-event (atomic) detection?
   A. 50 failed logins from one source across many accounts in 5 minutes
   B. a failed-login burst followed by a success
   C. a Windows Security audit log being cleared (Event ID 1102)
   D. a host beaconing to an external IP at regular intervals
True / False — justify your answer
13. True or false: Because a vulnerability scanner the security team runs probes every host, its traffic can look identical to an attacker's reconnaissance, so allowlisting it is a reasonable alert-tuning step. Justify.
14. [Sec+] True or false: Collecting every available log at full fidelity is always the safest choice for a SIEM. Justify.
15. True or false: A correlation rule and a use case are the same thing. Justify.
16. True or false: Disabling a noisy detection rule and tuning it have the same effect on your security posture. Justify.
17. True or false: SPL and KQL are "pipeline" query languages, reading left-to-right / top-to-bottom with each command feeding the next. Justify.
18. [CISSP] True or false: The metrics MTTD and MTTR can be computed without any centralized logging. Justify.
19. True or false: An attacker clearing the Windows Security log is the kind of action that, by itself, makes a high-fidelity alert. Justify.
Short answer
20. [Sec+] In two sentences, distinguish parsing from normalization.
21. Name the five rungs of the correlation ladder from simplest to most powerful (single-event → behavioral) and give a one-phrase example of each.
22. Give the arithmetic for why a SOC of five analysts (≈20 alerts each per shift) misses true positives when fed 800 alerts/day at a 97% false-positive rate.
23. [CISSP] Explain why "logs are the ground truth" implies that a control which does its job but logs nothing is only "half a control."
24. Write the shape (the ordered operations) that SQL, SPL, and KQL all share when answering "count events by user for one source IP in the last hour, most first."
25. State the modern pattern for splitting logs between a SIEM and a data lake, and one benefit of each destination.
26. [Sec+] List three concrete techniques for reducing alert fatigue, and for one of them, name the benign case it removes and the malicious case it preserves.
Answer Key
**1. B** — A SIEM's distinguishing value is automated correlation and alerting across sources/time, not mere storage or search.
**2. C** — Identity/authentication and endpoint logs catch the most reliably-used attacker techniques (credential abuse, escalation, code execution) across the whole kill chain; they have the highest detection value per byte. [Sec+: logging/monitoring]
**3. B** — Normalization maps disparate source fields onto one common schema (consistent names/formats); compression, dedup, and encryption are different operations.
**4. C** — The ordered "failures then success within a window" is a sequence/temporal correlation.
**5. C** — Alert fatigue is a measurable systems failure from too many (mostly false-positive) alerts, causing real attacks to be missed; more rules or faster hardware do not fix it. [CISSP D7]
**6. B** — Tune (narrow) the rule to exclude the benign case while preserving the malicious one; disabling creates a blind spot, and lowering the threshold worsens noise.
**7. C** — SOAR orchestrates/automates response (playbooks: enrich, contain, ticket); storage, schema, and event generation are other systems' jobs. [Sec+]
**8. B** — A data lake is cheap, long-retention, schema-on-read storage of raw data; it does not correlate or alert in real time by itself.
**9. B** — Centralization protects the *integrity of your evidence*: an attacker who owns the host can erase its local logs but not the copy already forwarded to a system they do not control.
**10. B** — Correlation depends on events lining up in time; clock drift makes co-occurring events appear minutes apart and breaks time-windowed rules. UTC removes timezone ambiguity. [CISSP D7]
**11. B** — High fidelity (real catches, few false positives) is what keeps a queue trustworthy and attacks findable; raw breadth of coverage without fidelity buries the signal.
**12. C** — A log clear is inherently suspicious as a single event; A is threshold, B is sequence, D is behavioral/beaconing.
**13. True** — A security-run scanner legitimately probes everything and will mimic reconnaissance; allowlisting its known source prevents predictable false positives. (Caveat: an allowlist is a hole — keep it narrow and reviewed.)
**14. False** — "Collect everything" produces an expensive, noisy SIEM that gets ignored or defunded; collect by detection value and keep cheaper bulk copies in a data lake. [Sec+]
**15. False** — A correlation rule is the logic that fires on a pattern; a use case is the named threat scenario it serves, including sources, severity, false-positive risk, and the analyst response.
**16. False** — Disabling removes the rule's false positives but guarantees a false negative (a silent blind spot) for anything it would have caught; tuning narrows the rule without creating that blind spot.
**17. True** — Both are pipeline languages: results flow through successive commands (separated by `|`), unlike SQL's lead-with-projection structure. (The operations are equivalent.)
**18. False** — MTTD/MTTR require timestamped records of when activity occurred and when detection/response happened — i.e., centralized logs and alerts. Without them the metrics cannot be computed. [CISSP D7]
**19. True** — Clearing the Security log (Event ID 1102) is an "Indicator Removal" behavior that is rarely legitimate outside controlled processes, so it makes a high-fidelity single-event detection.
**20.** Parsing extracts the meaningful fields out of a raw log message; normalization then maps those fields onto a single common schema with consistent names and formats across all sources. [Sec+]
**21.** (1) Single-event/atomic — *a log clear*; (2) threshold — *50 failed logins from one source in 5 min*; (3) sequence/temporal — *failures then a success*; (4) cross-source — *IDS alert then an outbound connection to a new IP*; (5) behavioral — *a service account logs in interactively for the first time*.
**22.** 800 alerts × 3% true = ~24 true positives, buried in ~776 false positives; five analysts at ~20 each can investigate ~100 alerts total, so the ~24 true positives are statistically un-findable in that much noise — they are missed not from laziness but from volume.
**23.** Because every detection, investigation, and timeline is reconstructed from logs; a control that prevents but records nothing gives you no evidence of how/when/how-far when it eventually fails (Theme 4), so you lose the ability to detect, investigate, and learn — half the value.
**24.** Filter (action + source IP + time window) → aggregate (count by user) → sort (descending by count). SQL leads with the projection/`GROUP BY`; SPL/KQL express the same as a top-to-bottom pipeline.
**25.** Send high-value, detection-relevant logs to the real-time SIEM and a fuller, cheaper copy of everything to a data lake. Benefit of SIEM: real-time correlation/alerting and fast investigation; benefit of data lake: cheap long retention for hunting, forensics, and compliance.
**26.** Three of: tune thresholds/conditions; allowlist known-benign sources; aggregate/deduplicate; risk-score (risk-based alerting); suppress during scheduled windows. Example — raise a brute-force threshold and require a never-before-seen source IP: removes the benign "user mistyped a new password from their normal device" case; preserves the malicious "attacker sprays from a new IP and gets in" case. [Sec+]
Topics to review by question
- Q1, Q4, Q12, Q21: correlation rules and the correlation ladder (§21.3).
- Q2, Q14, Q25: collection priority and SIEM-vs-data-lake (§21.2, §21.6).
- Q3, Q20: normalization and parsing (§21.2).
- Q5, Q6, Q11, Q16, Q22, Q26: alert fatigue and tuning (§21.5).
- Q7, Q8, Q25: SIEM vs. data lake vs. SOAR (§21.6).
- Q9, Q10, Q19, Q23: logs as ground truth, off-host forwarding, time sync (§21.1).
- Q13: allowlisting (§21.5). Q17, Q24: querying in SQL/SPL/KQL (§21.4).
- Q18: metrics born in the SIEM, bridge to Chapter 36 (§21.6).
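Worked example for Q4, Q12, Q20 and Q21 (parsing, normalization, and the first three rungs of the correlation ladder). This is an added illustration written for this page, not code from the quiz or from any SIEM product: it parses constructed `key=value` authentication lines, normalizes them onto one small schema, and then runs an atomic rule (the Event ID 1102 log clear from Q12), a threshold rule (many failures from one source across accounts in a window), and a sequence rule (failures for an account followed by a success for that account). The log line format, field names, Event IDs 4624/4625 for logon success/failure, and the thresholds are assumptions chosen for the example; the sample lines are constructed, not real data.

```python
"""Added example (not the page's code): three rungs of the correlation
ladder over constructed, normalized authentication events."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines in an assumed "ts key=value ..." format.
# 4625 = logon failure, 4624 = logon success, 1102 = Security log cleared.
SAMPLE_LOG = [
    "2024-05-01T10:00:00Z id=4625 user=alice src=203.0.113.7 outcome=failure",
    "2024-05-01T10:00:20Z id=4625 user=alice src=203.0.113.7 outcome=failure",
    "2024-05-01T10:00:40Z id=4625 user=alice src=203.0.113.7 outcome=failure",
    "2024-05-01T10:01:10Z id=4624 user=alice src=203.0.113.7 outcome=success",
    "2024-05-01T10:05:00Z id=4625 user=bob src=10.0.0.5 outcome=failure",      # benign typo
    "2024-05-01T10:05:15Z id=4624 user=bob src=10.0.0.5 outcome=success",
    "2024-05-01T11:00:00Z id=4625 user=u1 src=198.51.100.9 outcome=failure",   # spray
    "2024-05-01T11:00:10Z id=4625 user=u2 src=198.51.100.9 outcome=failure",
    "2024-05-01T11:00:20Z id=4625 user=u3 src=198.51.100.9 outcome=failure",
    "2024-05-01T11:00:30Z id=4625 user=u4 src=198.51.100.9 outcome=failure",
    "2024-05-01T11:00:40Z id=4625 user=u5 src=198.51.100.9 outcome=failure",
    "2024-05-01T11:30:00Z id=1102 user=admin src=10.0.0.12 outcome=success",  # log clear
]


def parse_line(line):
    """Parsing: pull fields out of the raw text. Normalization: map them onto
    one schema (ts as UTC datetime, event_id as int, fixed field names)."""
    ts_str, *kvs = line.split()
    raw = dict(kv.split("=", 1) for kv in kvs)
    return {
        "ts": datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ"),
        "event_id": int(raw["id"]),
        "user": raw.get("user"),
        "src_ip": raw.get("src"),
        "outcome": raw.get("outcome"),
    }


def atomic_log_clear(events):
    """Rung 1, single-event: a Security log clear is suspicious on its own."""
    return [e for e in events if e["event_id"] == 1102]


def threshold_failures(events, n=5, window=timedelta(minutes=5)):
    """Rung 2, threshold: >= n failures from one source IP (any accounts)
    inside a sliding window. Fires once per source IP."""
    hits, recent, fired = [], defaultdict(deque), set()
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["outcome"] != "failure":
            continue
        q = recent[e["src_ip"]]
        q.append(e["ts"])
        while q and e["ts"] - q[0] > window:   # drop events older than the window
            q.popleft()
        if len(q) >= n and e["src_ip"] not in fired:
            fired.add(e["src_ip"])
            hits.append((e["src_ip"], len(q), e["ts"]))
    return hits


def sequence_fail_then_success(events, min_failures=3, window=timedelta(minutes=10)):
    """Rung 3, sequence/temporal: >= min_failures for an account followed by a
    success for the same account within the window. min_failures is the tuning
    knob that drops the benign "one typo then success" case (bob above)."""
    hits, failures = [], defaultdict(deque)
    for e in sorted(events, key=lambda e: e["ts"]):
        q = failures[e["user"]]
        if e["outcome"] == "failure":
            q.append(e["ts"])
        elif e["outcome"] == "success":
            while q and e["ts"] - q[0] > window:
                q.popleft()
            if len(q) >= min_failures:
                hits.append((e["user"], len(q), e["src_ip"], e["ts"]))
            q.clear()   # a success resets the account's failure run
    return hits


def detect_all(lines):
    """Run every rule over raw lines and return alerts keyed by rule name."""
    events = [parse_line(l) for l in lines]
    return {
        "atomic_log_clear": atomic_log_clear(events),
        "threshold_failures": threshold_failures(events),
        "sequence_fail_then_success": sequence_fail_then_success(events),
    }


if __name__ == "__main__":
    for rule, alerts in detect_all(SAMPLE_LOG).items():
        print(rule, alerts)
```

Running it yields one alert per rule: the 1102 clear, the five-account spray from 198.51.100.9, and alice's three failures followed by a success; bob's single mistyped password produces nothing, which is the tuning point of Q6 and Q16 in code.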
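Worked example for Q17 and Q24 (the shared filter → aggregate → sort shape). This is an added illustration, not code from the quiz: it loads constructed events into an in-memory SQLite table, answers "count events by user for one source IP in the last hour, most first" once in SQL (projection and `GROUP BY` leading) and once as a plain Python pipeline in the top-to-bottom order SPL and KQL use, and shows the two produce the same result. The table and column names, the fixed "now" used for the one-hour window, and the sample rows are assumptions; the SPL and KQL renderings in the comments assume the same field names.

```python
"""Added example (not the page's code): one question, three query shapes."""
import sqlite3
from collections import Counter
from datetime import datetime, timedelta

# Fixed "now" so the one-hour window is deterministic (assumption for the example).
NOW = datetime(2024, 5, 1, 12, 0, 0)

# Constructed rows: (ts, action, src_ip, username). Not real data.
SAMPLE_ROWS = [
    ("2024-05-01 11:05:00", "failure", "203.0.113.7", "alice"),
    ("2024-05-01 11:06:00", "failure", "203.0.113.7", "alice"),
    ("2024-05-01 11:07:00", "failure", "203.0.113.7", "bob"),
    ("2024-05-01 11:08:00", "failure", "203.0.113.7", "alice"),
    ("2024-05-01 11:09:00", "success", "203.0.113.7", "alice"),   # wrong action
    ("2024-05-01 11:10:00", "failure", "198.51.100.9", "carol"),  # wrong source
    ("2024-05-01 09:00:00", "failure", "203.0.113.7", "dave"),    # outside window
    ("2024-05-01 11:15:00", "failure", "203.0.113.7", "carol"),
    ("2024-05-01 11:16:00", "failure", "203.0.113.7", "carol"),
]

# The same question in the pipeline languages from Q17 (field names assumed):
#   SPL: index=auth action=failure src_ip="203.0.113.7" earliest=-1h
#        | stats count by username | sort -count
#   KQL: AuthEvents | where TimeGenerated > ago(1h) and action == "failure"
#        and src_ip == "203.0.113.7" | summarize count() by username
#        | order by count_ desc

# SQL leads with the projection and GROUP BY; the filter sits in WHERE.
SQL_QUERY = """
SELECT username, COUNT(*) AS n
FROM events
WHERE action = 'failure' AND src_ip = ? AND ts > ?
GROUP BY username
ORDER BY n DESC, username ASC
"""


def sql_count(rows=SAMPLE_ROWS, src_ip="203.0.113.7", now=NOW):
    """Run the SQL form against an in-memory table; returns [(username, n), ...]."""
    since = (now - timedelta(hours=1)).strftime("%Y-%m-%d %H:%M:%S")
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE events (ts TEXT, action TEXT, src_ip TEXT, username TEXT)")
    conn.executemany("INSERT INTO events VALUES (?, ?, ?, ?)", rows)
    result = conn.execute(SQL_QUERY, (src_ip, since)).fetchall()
    conn.close()
    return result


def pipeline_count(rows=SAMPLE_ROWS, src_ip="203.0.113.7", now=NOW):
    """The SPL/KQL shape: filter, then aggregate, then sort, each step feeding
    the next exactly as the `|` in those languages does."""
    since = now - timedelta(hours=1)
    filtered = [
        r for r in rows
        if r[1] == "failure" and r[2] == src_ip
        and datetime.strptime(r[0], "%Y-%m-%d %H:%M:%S") > since
    ]                                            # filter
    counts = Counter(r[3] for r in filtered)     # aggregate: count by username
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))   # sort, most first


if __name__ == "__main__":
    print("SQL      :", sql_count())
    print("pipeline :", pipeline_count())
```

Both functions return `[('alice', 3), ('carol', 2), ('bob', 1)]`: the success, the other source, and the event from three hours earlier are all dropped by the filter step, which is why Q24's answer puts the filter first regardless of which language expresses it.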