A security analyst notices that an IAM user from a cloud account has logged in from two different countries within a span of 10 minutes. Which type of detection mechanism is most likely to flag this activity as suspicious?
A SIEM correlation rule. It detects impossible travel by correlating the user's login events, comparing the time between consecutive logins with the distance between the geolocated source IP addresses.
Why this answer
A correlation rule in a SIEM aggregates and analyzes log data from multiple sources, including cloud IAM audit logs, to detect anomalous patterns across events rather than in a single event. A user logging in from two geographically distant countries within 10 minutes is the classic impossible travel anomaly: the rule geolocates the source IP of each successful login, computes the distance between consecutive logins for the same identity, divides by the elapsed time, and fires when the implied speed exceeds anything a human could achieve (for example, faster than a commercial flight). In practice the rule is tuned to ignore logins from the same location and to allow for VPN, cloud proxy and shared corporate egress addresses, which are the usual sources of false positives.
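The following is an added example, not code from the original page or from any SIEM vendor: a minimal impossible-travel correlation in Python run over a handful of constructed cloud IAM login lines. The log format, the IP-to-location table (standing in for a GeoIP lookup), the 1000 km/h speed threshold and the 100 km minimum distance are all assumptions chosen for illustration.

```python
"""Impossible-travel correlation over cloud IAM login events (added example).

The log lines, the GeoIP table and the thresholds below are constructed for
illustration; a real SIEM would pull these from normalised audit logs and a
GeoIP database.
"""
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

# Constructed IP -> (country, latitude, longitude) table standing in for GeoIP.
GEOIP = {
    "203.0.113.10": ("US", 40.71, -74.01),   # New York
    "203.0.113.11": ("US", 40.73, -73.99),   # also New York (nearby address)
    "198.51.100.7": ("DE", 52.52, 13.41),    # Berlin
    "192.0.2.99":   ("JP", 35.68, 139.69),   # Tokyo
}

# Constructed login events: "<timestamp> <user> <source_ip> <event> <outcome>".
SAMPLE_LOGINS = [
    "2024-05-01T10:00:00Z alice 203.0.113.10 ConsoleLogin success",
    "2024-05-01T10:10:00Z alice 198.51.100.7 ConsoleLogin success",  # NY -> Berlin in 10 min
    "2024-05-01T10:05:00Z bob 203.0.113.10 ConsoleLogin success",
    "2024-05-01T10:12:00Z bob 203.0.113.11 ConsoleLogin success",    # same city, benign
    "2024-05-01T10:20:00Z alice 192.0.2.99 ConsoleLogin failure",    # failed login, not counted
    "2024-05-01T10:30:00Z carol 203.0.113.10 ConsoleLogin success",
    "2024-05-02T10:30:00Z carol 192.0.2.99 ConsoleLogin success",    # NY -> Tokyo in 24 h, plausible
]

MAX_SPEED_KMH = 1000.0   # assumed ceiling: faster than a commercial flight
MIN_DISTANCE_KM = 100.0  # assumed floor: ignore GeoIP jitter within one metro area


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    r = 6371.0
    p1, p2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * r * asin(sqrt(a))


def parse(line):
    """Split one constructed log line into a dict with an aware UTC timestamp."""
    ts, user, ip, event, outcome = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        "user": user,
        "ip": ip,
        "event": event,
        "outcome": outcome,
    }


def impossible_travel(lines, max_speed_kmh=MAX_SPEED_KMH, min_distance_km=MIN_DISTANCE_KM):
    """Return one alert per pair of consecutive successful logins by the same
    user whose implied travel speed exceeds max_speed_kmh.

    Events are sorted per user by time so out-of-order log delivery does not
    produce negative intervals; failed logins are skipped because an attacker
    guessing passwords from abroad is a different detection (brute force)."""
    events = sorted(
        (e for e in map(parse, lines) if e["outcome"] == "success"),
        key=lambda e: (e["user"], e["ts"]),
    )
    alerts = []
    last_seen = {}  # user -> previous successful login event
    for e in events:
        prev = last_seen.get(e["user"])
        last_seen[e["user"]] = e
        if prev is None or e["ip"] not in GEOIP or prev["ip"] not in GEOIP:
            continue  # first login for this user, or no geolocation available
        c1, lat1, lon1 = GEOIP[prev["ip"]]
        c2, lat2, lon2 = GEOIP[e["ip"]]
        distance = haversine_km(lat1, lon1, lat2, lon2)
        if distance < min_distance_km:
            continue  # same metro area; not travel at all
        hours = (e["ts"] - prev["ts"]).total_seconds() / 3600.0
        # Zero elapsed time with real distance is treated as infinite speed.
        speed = distance / hours if hours > 0 else float("inf")
        if speed > max_speed_kmh:
            alerts.append({
                "user": e["user"],
                "from_country": c1,
                "to_country": c2,
                "distance_km": round(distance, 1),
                "minutes": round(hours * 60, 1),
                "speed_kmh": round(speed, 1),
            })
    return alerts


if __name__ == "__main__":
    for alert in impossible_travel(SAMPLE_LOGINS):
        print(alert)
```

On the constructed input only alice is flagged (roughly 6,400 km between New York and Berlin in 10 minutes, an implied speed of tens of thousands of km/h); bob's two New York addresses fall under the distance floor and carol's New York-to-Tokyo trip over 24 hours stays below the speed ceiling. The same rule in a SIEM would additionally suppress known VPN and corporate egress ranges before alerting.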
Exam trap
Cisco often tests the distinction between tools that describe static state (a CMDB's asset inventory, a vulnerability scanner's findings) and mechanisms that analyze dynamic behavior over time (SIEM correlation rules). The trap is to confuse a CMDB's inventory and relationship-tracking function with real-time anomaly detection, which a CMDB does not perform.
How to eliminate wrong answers
Option A is wrong because a cloud configuration management database (CMDB) is a repository of metadata about IT assets and their relationships; it records what exists, not who logged in from where, and it performs no real-time detection of user login anomalies. Option B is wrong because a vulnerability scanner identifies security weaknesses in systems (missing patches, insecure configurations, exposed services); it does not ingest authentication logs or analyze user behavior. Option C is wrong because an agent-based (host-based) intrusion detection system monitors events on the host it runs on, such as process activity, file changes and local log entries, and matches them against known attack signatures; it does not ingest cloud IAM audit logs or correlate the geolocation of source IP addresses across multiple logins, so it cannot see that the same identity appeared in two countries 10 minutes apart.