
CFR-310 Exam - Question 48


A security engineer is setting up security information and event management (SIEM). Which of the following log sources should the engineer include that will contain indicators of a possible web server compromise? (Choose two.)


Discussion

1 comment
044f354 (Options: BD)
Sep 29, 2024

B. Web server logs
Explanation: Web server logs contain critical information such as client requests, HTTP status codes, and errors, which can indicate potential web server compromises, such as suspicious requests, unusual traffic, or malicious activity targeting the server.

D. Proxy logs
Explanation: Proxy logs capture details about web traffic flowing through the proxy server, including requests made to external websites. These logs can reveal abnormal traffic patterns or requests to suspicious domains, indicating a possible web server compromise.

Why the other options are less suitable:

A. NetFlow logs: NetFlow logs provide summary information about network traffic flows but not web server interactions or compromises.

C. Domain controller logs: These logs track authentication and user account activity in a domain environment, not web server activity.

E. FTP logs: FTP logs track file transfers, not web server compromises.