ISC 2 Credentials CISSP Question # 21 Topic 3 Discussion

The primary action that should be taken to improve SIEM performance in a situation where several unsuccessful login attempts are reported by a security audit but not by the SIEM system is to confirm alarm thresholds. A SIEM system is a tool that collects, correlates, analyzes, and reports on security events and incidents from various sources, such as logs, sensors, or agents. A SIEM system can also generate alerts or alarms based on predefined rules or thresholds that indicate a potential security issue or violation. However, if the SIEM system is not configured properly, it may miss some important events or incidents, or generate too many false positives or negatives. Therefore, it is important to confirm that the alarm thresholds are set appropriately, based on the risk appetite, the baseline behavior, and the security objectives of the organization. The alarm thresholds should be neither too high nor too low, to avoid missing or ignoring real threats, or overwhelming or desensitizing the security analysts. References: CISSP All-in-One Exam Guide, Chapter 7: Security Operations, Section: Security Information and Event Management, pp. 837-838.