Question 15
Domain 4: Security Operations, Monitoring, and Incident Response

An organization is configuring a SIEM for their cloud environment. Which data source provides the MOST comprehensive visibility into cloud resource access and configuration changes?
Correct answer: B
Explanation
Cloud audit logs and CloudTrail-equivalent services record API activity, resource access, and configuration changes across cloud services. They provide the broadest visibility because they capture who did what, when, and from where, which is the core evidence needed for SIEM monitoring in cloud environments.
Why each option is right or wrong
A. Application server logs only
B. Cloud audit logs and CloudTrail-equivalent services
Cloud audit logging is the native control-plane record of API activity in a cloud platform, so it captures both access events and configuration changes across services rather than only network or host telemetry. For example, AWS CloudTrail keeps management events for 90 days in its Event history and can deliver them to S3 or CloudWatch Logs for longer retention; Azure Activity Log and Google Cloud Audit Logs record administrative actions in the same way. This makes them the most complete source for SIEM correlation of who changed what, when, and from where.
C. Employee email logs
D. Physical access logs to data centers