The exam tests what a SIEM adds beyond simple log storage. The answer is always correlation. Any scenario where an attack is invisible in individual logs but detectable when events from multiple systems are combined is testing SIEM correlation.
Exam patterns that point to SIEM correlation:
- Failed login attempts distributed across multiple source IPs, each below the per-source threshold on individual servers
- Unusual VPN login on one system followed by anomalous file access on a different system
- Low-and-slow data transfer visible as anomalous only when aggregated over time
- Any scenario containing: "across multiple systems," "no single log showed it," or "only visible when combined"
SIEM log sources (memorize): servers, firewalls, VPN concentrators, switches, routers, SANs, cloud services. All ingested into one database; correlation finds relationships individual reviews cannot.
Also called SEM (Security Event Manager) — both terms may appear on the exam and refer to the same concept.
The exam specifically cites the IBM Security 2022 finding: organizations take an average of approximately 9 months to identify and contain a breach. This is the direct justification for the log archiving requirement.
The logic chain to memorize:
- Average breach dwell time before discovery: ~9 months
- Forensic investigation requires logs from before the discovery date
- A 90-day retention policy plus a 9-month dwell time = all initial compromise evidence is gone by discovery
- Therefore: retain logs for at least 9–12 months; regulated environments often require longer
Two archiving requirements — both exam-tested:
- Operational: forensic investigation of breaches discovered after the dwell period ends
- Legal/regulatory: HIPAA, PCI-DSS, SOX, state breach notification laws mandate specific retention periods
The exam trap: A question describes an organization with a 30- or 90-day retention policy, then asks what happens when a breach with a 9-month dwell time is investigated. The answer: the initial compromise evidence no longer exists; the full scope of the breach cannot be reconstructed.
The exam tests alert tuning from two angles: the definition, and the consequences of getting it wrong in either direction.
Too many alerts (false positives):
- Analysts receive hundreds of alerts per shift from harmless activity
- Develops into alert fatigue — analysts dismiss alerts reflexively without investigation
- Real threats are lost in the noise; the monitoring system becomes functionally useless
Too few alerts (false negatives):
- Thresholds are too permissive; actual attack patterns do not trigger alerts
- Organization believes monitoring is working while breaches occur undetected
- More dangerous because there is no awareness of the active incident
Alert tuning is an ongoing process because:
- New users and systems change what "normal" looks like
- Seasonal traffic patterns affect baseline behavior
- New attack techniques require new detection rules
- Accumulated baseline data improves threshold accuracy over time
The exam consistently presents sudden data transfer spikes as a primary monitoring indicator. When a scenario describes an anomalous outbound data volume — especially to an unknown external destination — the correct identification is potential data exfiltration.
Why data transfer is such a reliable security indicator:
- Exfiltration requires moving data from inside to an external attacker-controlled destination
- No attack can steal data without generating outbound transfer volume
- Normal operations produce predictable, baselined transfer volumes
- A significant deviation is difficult to explain legitimately at short notice
Exam scenarios to recognize:
- Database server normally transfers 5 GB/day; suddenly transfers 200 GB in 4 hours → exfiltration indicator
- File server spikes on a Friday evening to an external IP → classic exfiltration timing (low staffing)
- Application generates more transfer volume than user activity could plausibly produce → automated exfiltration
The prerequisite: Detecting this requires a baseline. Without knowing what normal transfer volume looks like, there is no anomaly to detect. SIEM data transfer measurement establishes the baseline; alert thresholds define the trigger; analysts investigate when it fires.