Question 182
In a post-incident review, it’s discovered that alert thresholds were too low. What is the follow-up action?
A. Disable the SIEM
B. Delete old incidents
C. Adjust correlation rules and test new thresholds
D. Extend log retention to one year
Answer: Adjust correlation rules and test new thresholds
Alert logic must be tuned to balance sensitivity and noise; follow-up testing ensures appropriate response levels.