🔥 3-day streak
Professional Security Operations Engineer4 / 241
Question 4 of 241

As a Security Operations Engineer, you maintain a coverage dashboard that shows all 4,200 corporate endpoints reporting EDR telemetry into your SIEM. Alert volumes look healthy and log freshness is under 5 minutes fleet-wide. However, during a recent incident, a detection for credential dumping (LSASS access) never fired on the compromised host, even though the same rule fired reliably on other hosts. The host was actively sending process and network events at the time. What is the MOST likely observability gap to investigate first?

Reviewed for accuracy · Report an issueNext question