Certified Incident Handler (CIH) Practice Exam


Prepare for the Certified Incident Handler (CIH) Exam. Enhance your knowledge with interactive quizzes and detailed insights into cyber incident handling. Boost your exam readiness with our expert-designed questions!

Each practice test/flash card set has 50 randomly selected questions from a bank of over 500. You'll get a new set of questions each time!



What tool did George use to search and analyze ICS log data?

  1. Flowmon

  2. Wireshark

  3. NetworkMiner

  4. Splunk Enterprise

The correct answer is: Splunk Enterprise

Splunk Enterprise is the correct choice for searching and analyzing Industrial Control System (ICS) log data because Splunk is a platform built for searching, monitoring, and analyzing machine-generated data through a web-style interface. It handles large volumes of log data well, which makes it suited to parsing and examining ICS logs that originate from many different devices, sensors, and applications. Splunk lets analysts run detailed queries, derive insights, and visualize the results, all of which matter when monitoring ICS environments for potential security incidents. It also provides real-time analytics and the ability to correlate events from diverse sources, which improves operational visibility across ICS networks.

The other tools each serve a specific purpose but do not match Splunk's capabilities for analyzing ICS log data. Flowmon focuses primarily on network performance monitoring and security analytics and lacks the broader log management and search functionality. Wireshark is a network protocol analyzer, suited to capturing and inspecting traffic rather than managing logs. NetworkMiner is a network forensic analysis tool, used mainly for passive network sniffing and analysis, and does not provide the extensive log analysis capabilities that Splunk offers.