A Security Operations Center (SOC) uses Security Information and Event Management (SIEM) with event correlation. Analysts notice that alerts for a specific malware signature have decreased sharply after a new firewall rule was deployed. However, endpoint scans still show infections on several hosts. What is the most likely explanation for the decrease in SIEM alerts?
The SIEM relies on network events for that signature; blocking C2 traffic stops the alerts but does not remediate existing infections.
Why this answer
The correct answer assumes the new firewall rule blocks the malware's command-and-control (C2) traffic, the network channel the implant uses to exfiltrate data or receive instructions. The SIEM's alerts for this signature come from network sensors (for example IDS/IPS signature matches or firewall logs), so once the firewall drops the C2 connections those sensors no longer see the traffic and the alert count falls. Nothing has changed on the hosts: the firewall only prevents the outbound communication, the implant keeps running, and endpoint scans keep flagging its files or processes. The drop in alerts is therefore a loss of visibility, not evidence of remediation. In practice the SOC should confirm that the hosts are still trying to beacon (the firewall's own deny logs for that destination will show it) and treat them as contained, not clean, until the endpoints are remediated.
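The following toy SIEM correlator is an added example, not code from the page or from any vendor product. It loads a constructed log stream (hypothetical hosts, a TEST-NET-3 address standing in for the C2 server, and an invented IDS signature name, all assumptions) and shows the effect described above: IDS hits for the signature go to zero after the firewall rule, a correlation rule built only on that network signature flags nobody, while a rule that also counts EDR detections and firewall denies toward the known C2 address still identifies the infected hosts.

```python
"""Toy SIEM correlation: why blocking C2 silences a network signature while the
endpoints stay infected. Every host name, address, signature name and log line
here is constructed for illustration (example code, not from the page)."""
from collections import defaultdict
from datetime import datetime

# Assumed time the new firewall rule went live.
RULE_DEPLOYED = datetime(2024, 3, 10, 12, 0, 0)
# Hypothetical IDS signature name and C2 address (TEST-NET-3, not a real server).
C2_SIGNATURE = "MALWARE-CNC Example.Beacon Outbound"
C2_ADDRESSES = {"203.0.113.45"}

# Constructed log lines in a simple pipe-delimited format:
#   timestamp|source|host|key=value|key=value...
# Before the rule the beacons reach the C2 server and the IDS fires on them.
# After the rule the firewall drops them, so the IDS never sees the flow, but
# the infected hosts keep trying and the EDR keeps finding the implant.
SAMPLE_LOG = """\
2024-03-10T09:05:00|ids|host-a|sig=MALWARE-CNC Example.Beacon Outbound|dst=203.0.113.45
2024-03-10T09:06:00|ids|host-b|sig=MALWARE-CNC Example.Beacon Outbound|dst=203.0.113.45
2024-03-10T10:05:00|ids|host-a|sig=MALWARE-CNC Example.Beacon Outbound|dst=203.0.113.45
2024-03-10T11:06:00|ids|host-b|sig=MALWARE-CNC Example.Beacon Outbound|dst=203.0.113.45
2024-03-10T13:05:00|fw|host-a|action=deny|dst=203.0.113.45
2024-03-10T13:06:00|fw|host-b|action=deny|dst=203.0.113.45
2024-03-10T13:30:00|fw|host-c|action=allow|dst=198.51.100.7
2024-03-10T14:00:00|edr|host-a|detection=Example.Beacon implant
2024-03-10T14:00:00|edr|host-b|detection=Example.Beacon implant
2024-03-10T15:05:00|fw|host-a|action=deny|dst=203.0.113.45
"""


def parse_line(line):
    """Turn one pipe-delimited log line into a dict of fields."""
    ts, source, host, *kvs = line.split("|")
    fields = dict(kv.split("=", 1) for kv in kvs)
    return {"ts": datetime.fromisoformat(ts), "source": source, "host": host, **fields}


def load(log_text):
    return [parse_line(line) for line in log_text.splitlines() if line.strip()]


def signature_alert_counts(events, signature, cutoff):
    """IDS hits for one signature before and after the firewall change."""
    hits = [e for e in events if e["source"] == "ids" and e.get("sig") == signature]
    before = sum(1 for e in hits if e["ts"] < cutoff)
    after = sum(1 for e in hits if e["ts"] >= cutoff)
    return before, after


def hosts_by_network_signature(events, signature, since):
    """What a correlation rule keyed only on the network signature sees
    after the cutoff: the set is empty even though hosts are infected."""
    return {e["host"] for e in events
            if e["source"] == "ids" and e.get("sig") == signature and e["ts"] >= since}


def hosts_still_infected(events, since):
    """Correlation that does not depend on the silenced signature: an EDR
    detection, or a firewall deny toward a known C2 address, each counts as
    evidence that the implant is still present (and still trying to beacon)."""
    evidence = defaultdict(set)
    for e in events:
        if e["ts"] < since:
            continue
        if e["source"] == "edr" and "detection" in e:
            evidence[e["host"]].add("edr")
        elif e["source"] == "fw" and e.get("action") == "deny" and e.get("dst") in C2_ADDRESSES:
            evidence[e["host"]].add("fw-deny-to-c2")
    return dict(evidence)


if __name__ == "__main__":
    events = load(SAMPLE_LOG)
    before, after = signature_alert_counts(events, C2_SIGNATURE, RULE_DEPLOYED)
    print(f"IDS alerts for {C2_SIGNATURE!r}: {before} before the rule, {after} after")
    flagged = hosts_by_network_signature(events, C2_SIGNATURE, RULE_DEPLOYED)
    print("hosts a network-signature-only rule still flags:", sorted(flagged) or "none")
    for host, sources in sorted(hosts_still_infected(events, RULE_DEPLOYED).items()):
        print(f"{host}: still infected, evidence from {sorted(sources)}")
```

The point of the second rule is that containment and remediation are tracked separately: a host with firewall denies to the C2 address is contained but still compromised, and it only leaves the list once the EDR stops reporting the implant and the beacon attempts stop.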
Exam trap
Cisco often tests the distinction between containment and remediation: blocking C2 traffic reduces network alerts but does not clean the endpoints. Candidates who equate fewer alerts with fewer infections conclude that the firewall rule eliminated the malware and pick the wrong answer.
How to eliminate wrong answers
Option B is wrong because if the SIEM correlation rules had been accidentally disabled, the SIEM would stop generating alerts across the board, not just for this one malware signature; the drop would be broad rather than isolated to a single signature that happens to coincide with the firewall change.
Option C is wrong because losing the EDR log feed would remove endpoint-based alerts from the SIEM, but the question states that endpoint scans still show infections, so the EDR is still functioning and reporting. The decrease is in alerts for the signature, which in this scenario come from network sensors, not from the endpoint feed.
Option D is wrong because a mutated variant that evaded the network signature would be expected to evade the matching endpoint signature as well, yet endpoint scans still detect the infections, which shows the original variant is still present on the hosts. A mutation would also not coincide so neatly with the deployment of the firewall rule.