A server administrator is investigating a breach and determines that an attacker modified the application log to obfuscate the attack vector. During the lessons learned activity, the facilitator asks for a mitigation response to protect the integrity of the logs should a similar attack occur. Which of the following mitigations would be MOST appropriate to fulfill the requirement?

A. Host-based IDS
B. Automated log analysis
C. Enterprise SIEM
D. Real-time event correlation
Enterprise SIEM: Security information and event management. SIEM supports threat detection and security incident response through the real-time …