Which function best describes the role of SIEM in real-time cyber defense?

• A. Aggregates logs, correlates events, and supports real-time detection and incident response.
• B. Primarily stores backup data offline for regulatory compliance.
• C. Routes traffic between networks to optimize performance.
• D. Replaces the need for endpoint security.

Answer: (A)

SIEM in real-time cyber defense centers on aggregating logs from diverse sources, correlating events across them, and enabling real-time detection and incident response. By collecting data from firewalls, IDS/IPS, endpoints, servers, and cloud services, SIEM normalizes information and runs correlation rules that reveal multi-step attacks or unusual patterns that individual sources might miss. When a correlation triggers, it generates alerts with rich context, helping analysts investigate and respond quickly. It also preserves historical data for investigations and compliance, but its primary value in real-time defense is turning disparate events into actionable alerts and coordinated responses. The other options describe offline backups, traffic routing, or replacing endpoint security—functions outside the SIEM’s role.