An IS auditor finds the log management system is overwhelmed with false positive alerts. The auditor's BEST recommendation would be to:
To address the issue of the log management system being overwhelmed with false positive alerts, the best recommendation is to establish criteria for reviewing alerts. This approach helps ensure that only relevant alerts are generated and reduces the number of false positives by filtering out non-critical alerts through well-defined rules and thresholds. This way, the log management system becomes more effective in identifying and alerting on actual security incidents.
B is the more sound answer here. The original question makes no mention of an IDS.
Why not B, establish criteria for reviewing alerts?
D. fine-tune the intrusion detection system (IDS).
B. Establish criteria for reviewing alerts. Establishing criteria for reviewing alerts helps to ensure that only relevant alerts are generated and that false positive alerts are reduced. This can be accomplished by creating rules and thresholds that filter out non-critical alerts or by configuring the system to trigger alerts only when certain conditions are met. By doing so, the log management system will be able to more effectively identify and alert on actual security incidents, reducing the number of false positives.
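One way to implement the "criteria for reviewing alerts" that option B describes, as an added example that is not part of this thread or the CISA manual: a minimum severity, suppression of known-benign sources per rule, and a count-within-window threshold, applied to constructed sample alerts. The criteria values and alert fields are assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts from a log management system (not real data).
ALERTS = [
    {"ts": "2024-01-01T10:00:00", "rule": "failed_login", "src": "10.0.0.5", "severity": 2},
    {"ts": "2024-01-01T10:00:05", "rule": "failed_login", "src": "10.0.0.5", "severity": 2},
    {"ts": "2024-01-01T10:00:09", "rule": "failed_login", "src": "10.0.0.5", "severity": 2},
    {"ts": "2024-01-01T10:00:12", "rule": "failed_login", "src": "10.0.0.5", "severity": 2},
    {"ts": "2024-01-01T10:00:20", "rule": "failed_login", "src": "10.0.0.5", "severity": 2},
    {"ts": "2024-01-01T10:01:00", "rule": "failed_login", "src": "10.0.0.9", "severity": 2},
    {"ts": "2024-01-01T10:02:00", "rule": "port_scan", "src": "10.0.0.250", "severity": 3},
    {"ts": "2024-01-01T10:03:00", "rule": "disk_usage", "src": "10.0.0.7", "severity": 1},
    {"ts": "2024-01-01T10:04:00", "rule": "new_admin_account", "src": "10.0.0.7", "severity": 4},
]

# Review criteria (assumed values chosen for this example).
CRITERIA = {
    "min_severity": 2,                                  # drop informational noise
    "suppress_sources": {"port_scan": {"10.0.0.250"}},  # e.g. an authorised vulnerability scanner
    "thresholds": {"failed_login": (5, timedelta(minutes=1))},  # alert only on 5 hits per minute
}

def review(alerts, criteria):
    """Return only the alerts that satisfy the review criteria."""
    recent = defaultdict(list)  # (rule, src) -> timestamps inside the window
    passed = []
    for a in sorted(alerts, key=lambda a: a["ts"]):
        if a["severity"] < criteria["min_severity"]:
            continue
        if a["src"] in criteria["suppress_sources"].get(a["rule"], set()):
            continue
        threshold = criteria["thresholds"].get(a["rule"])
        if threshold:
            n, window = threshold
            ts = datetime.fromisoformat(a["ts"])
            key = (a["rule"], a["src"])
            recent[key] = [t for t in recent[key] if ts - t <= window] + [ts]
            if len(recent[key]) < n:
                continue
            # Threshold reached: emit a single escalated alert and reset the window.
            recent[key] = []
            a = {**a, "note": f"{n} events within {window}"}
        passed.append(a)
    return passed

if __name__ == "__main__":
    for alert in review(ALERTS, CRITERIA):
        print(alert)
```

With these criteria the nine raw alerts reduce to two for review: one escalated failed_login for 10.0.0.5 and the new_admin_account alert.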
D. fine-tune the intrusion detection system (IDS).
D is correct. CISA Review Manual (Digital Version), Chapter 5, Section 5.4.3
D. fine-tune the intrusion detection system (IDS).
B. establish criteria for reviewing alerts.