Weekly CISSP Practice Exam Questions
Week 16 - Question 2
Which is the primary goal of reviewing audit logs regularly?
A. Detect unauthorized activities
B. Improve system performance
C. Verify data integrity
D. Facilitate disaster recovery
Answer: A
Explanation:
A. Detect unauthorized activities
The primary security value of an audit log is its ability to provide an Audit Trail.
The Mechanism: Audit logs record "who, what, where, and when." By reviewing these logs—often through an automated SIEM (Security Information and Event Management) system—administrators can identify patterns that indicate a breach, such as multiple failed login attempts followed by a success, or unauthorized access to sensitive files.
Accountability: Logs ensure Non-repudiation. When a specific user's credentials are used to modify a file, the audit log acts as evidence linking that action to that user. Without a regular review process, an attacker could remain hidden within a network for months (increased "dwell time").
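As an added example, not part of the original question set: the "multiple failed login attempts followed by a success" pattern from the explanation, detected over a few constructed SSH-style log lines. The log format, the failure threshold and the time window are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of authentication events (syslog-like; not real logs).
SAMPLE_LOG = """\
2024-03-01T10:00:01 sshd[101]: Failed password for alice from 203.0.113.5 port 5001
2024-03-01T10:00:03 sshd[101]: Failed password for alice from 203.0.113.5 port 5002
2024-03-01T10:00:05 sshd[101]: Failed password for alice from 203.0.113.5 port 5003
2024-03-01T10:00:09 sshd[101]: Accepted password for alice from 203.0.113.5 port 5004
2024-03-01T10:05:00 sshd[102]: Failed password for bob from 198.51.100.7 port 6001
2024-03-01T10:05:30 sshd[102]: Accepted password for bob from 198.51.100.7 port 6002
2024-03-01T11:00:00 sshd[103]: Accepted password for carol from 192.0.2.9 port 7001
"""

# Assumed line layout: "<ISO timestamp> sshd[pid]: Failed|Accepted password for <user> from <ip> port <n>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<src>\S+) port \d+$"
)


def parse(log_text):
    """Yield (timestamp, user, source_ip, success) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield (datetime.fromisoformat(m["ts"]), m["user"], m["src"],
                   m["result"] == "Accepted")


def find_brute_force_successes(log_text, min_failures=3, window=timedelta(minutes=5)):
    """Return (user, source_ip) pairs where at least `min_failures` failed logins
    within `window` are followed by a successful login from the same user/source.
    Threshold and window are assumed tuning values, not a standard."""
    recent_failures = defaultdict(list)  # (user, src) -> timestamps of recent failures
    hits = []
    for ts, user, src, success in parse(log_text):
        key = (user, src)
        # Forget failures that fall outside the sliding window.
        recent_failures[key] = [t for t in recent_failures[key] if ts - t <= window]
        if success:
            if len(recent_failures[key]) >= min_failures:
                hits.append(key)
            recent_failures[key].clear()  # a success resets the streak
        else:
            recent_failures[key].append(ts)
    return hits
```

Run against `SAMPLE_LOG`, only alice's three failures followed by a success trip the rule; bob's single failure and carol's clean login do not.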
B. Improve system performance
While it is true that logs (specifically System Logs or Application Logs) can track CPU usage, memory leaks, or slow database queries, this is an operational benefit, not a security goal.
The Distinction: Performance tuning is a task for System Administrators to ensure efficiency. The Audit log's primary mission is to ensure security and compliance. In the context of the CISSP exam, always prioritize the answer that addresses Risk and Security over operational convenience.
C. Verify data integrity
Data integrity is usually verified through Hashing (like MD5 or SHA-256) or Digital Signatures.
The Limitation: An audit log might tell you who changed a file, but it doesn't necessarily tell you if the data inside that file is currently accurate or hasn't been corrupted. While logs can provide a history of changes, they are not the primary technical control for ensuring that data remains unaltered.
D. Facilitate disaster recovery
Logs play a supporting role in disaster recovery, but they are not the primary tool.
The Use Case: During a disaster, you would use a Disaster Recovery Plan (DRP) and Backups to restore the system. You might use audit logs after the recovery to conduct a forensic investigation to find out why the disaster happened (if it was a security-related event), but the logs themselves do not help you "rebuild" the system.
Key Takeaway for the CISSP Exam
Log Management Principles:
- Audit Trails: Essential for accountability and detection.
- Log Protection: Audit logs must be protected from deletion or modification (often sent to a centralized, write-once server) to prevent an attacker from "covering their tracks."
- Due Care: Regularly reviewing logs is a sign of "Due Care" and is often a legal or regulatory requirement (e.g., PCI DSS, HIPAA).
Podcasts
Check out my weekly podcasts that delve deep into the relevant topics related to each of the CISSP domains. In addition, I will go over specific questions and how they can be interpreted and answered.
CISSP Cyber Training Academy
Tired of not knowing how to study for the CISSP Exam?
Check out the CISSP Cyber Training Academy to help you on your journey!
CISSP Cyber Training - YouTube
Check out my video collection on YouTube discussing all the details needed to help you pass the CISSP exam.