During a post-incident review, the security team identifies that early warning signs of the breach were visible in logs for 3 days before detection. What should be improved?
- A. Ignore the finding and focus on prevention
- B. Buy more expensive monitoring tools
- C. Alert threshold configuration and SIEM tuning ✓
- D. Increase the number of security analysts
Correct answer: Alert threshold configuration and SIEM tuning
Alert threshold configuration and SIEM tuning (C) is correct: the relevant log data was already being collected, and the failure was that nothing alerted on it for three days. That points at detection content rather than data collection: thresholds set too high, correlation rules that do not fire on the indicators actually seen in the incident, or log sources that are ingested but not mapped to any rule. Tuning those rules, and then replaying the incident's own logs against the tuned rules to confirm they now fire, directly closes the gap. Ignoring the finding (A) is incorrect because leaving a documented detection failure in place exposes the organization to the same gap in the next incident, which defeats the purpose of a post-incident review. Buying more expensive tools (B) is incorrect because the existing infrastructure already captured the evidence; a new product with the same untuned rules would miss it just as well. Adding analysts (D) is incorrect because people cannot manually read every log line, and an alert that never fires cannot be triaged no matter how large the team; the fix has to be in the automated detection logic so that the right signals are surfaced reliably.
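To make the tuning point concrete, the following is an added example (not part of the original question or its answer key): the same constructed authentication log is run through an untuned brute-force rule with a typical out-of-the-box threshold and through a tuned correlation rule, and the detection gap for the attacking source is measured. The log format, IP addresses, user names, thresholds and rule names are all assumptions chosen for illustration.

```python
"""Added example: one auth log, two detection rules, showing that a long
detection gap can be a tuning problem even though the evidence was logged.
Log lines, field names, thresholds and rule names are constructed."""
from datetime import datetime, timedelta


def build_sample_log():
    """Constructed sample log. Assumed line format:
    <ISO timestamp> src=<ip> user=<name> result=FAIL|SUCCESS
    203.0.113.5 is the attacker: 12 failures in 12 minutes, then a success.
    198.51.100.7 (alice) is benign noise: two typos, then a success."""
    lines = []
    t0 = datetime(2024, 3, 1, 2, 0, 0)
    for i in range(12):
        ts = (t0 + timedelta(minutes=i)).isoformat()
        lines.append(f"{ts} src=203.0.113.5 user=svc-backup result=FAIL")
    ts = (t0 + timedelta(minutes=15)).isoformat()
    lines.append(f"{ts} src=203.0.113.5 user=svc-backup result=SUCCESS")
    t1 = datetime(2024, 3, 1, 9, 0, 0)
    for offset, result in ((0, "FAIL"), (20, "FAIL"), (40, "SUCCESS")):
        ts = (t1 + timedelta(seconds=offset)).isoformat()
        lines.append(f"{ts} src=198.51.100.7 user=alice result={result}")
    return lines


def parse(lines):
    """Turn log lines into dicts with a datetime 'ts' plus the key=value fields."""
    events = []
    for line in lines:
        ts, *pairs = line.split()
        fields = dict(p.split("=", 1) for p in pairs)
        events.append({"ts": datetime.fromisoformat(ts), **fields})
    return sorted(events, key=lambda e: e["ts"])


def failures_in_window(events, src, end, window):
    """Count FAIL events from src with timestamp in (end - window, end]."""
    return sum(
        1 for e in events
        if e["src"] == src and e["result"] == "FAIL" and end - window < e["ts"] <= end
    )


def untuned_rule(events, threshold=100, window=timedelta(hours=1)):
    """Untuned rule: fire only at >= 100 failures per hour from one source.
    A low-and-slow spray of 12 attempts never reaches this threshold."""
    alerts = []
    for e in events:
        if e["result"] == "FAIL" and failures_in_window(events, e["src"], e["ts"], window) >= threshold:
            alerts.append((e["ts"], e["src"], "brute-force"))
    return alerts


def tuned_rule(events, threshold=10, window=timedelta(hours=1)):
    """Tuned correlation rule: >= 10 failures from one source followed by a
    SUCCESS from the same source within the window. The lower threshold
    catches the spray; the success condition keeps alice's typos quiet."""
    alerts = []
    for e in events:
        if e["result"] == "SUCCESS" and failures_in_window(events, e["src"], e["ts"], window) >= threshold:
            alerts.append((e["ts"], e["src"], "spray-then-success"))
    return alerts


def detection_gap(events, alerts, attacker_src):
    """Time from the attacker's first logged event to the first alert on it,
    or None if the rule never fired on that source."""
    first_seen = min(e["ts"] for e in events if e["src"] == attacker_src)
    hits = [a[0] for a in alerts if a[1] == attacker_src]
    return (min(hits) - first_seen) if hits else None


if __name__ == "__main__":
    evts = parse(build_sample_log())
    for name, rule in (("untuned", untuned_rule), ("tuned", tuned_rule)):
        alerts = rule(evts)
        print(name, "alerts:", alerts)
        print(name, "gap for 203.0.113.5:", detection_gap(evts, alerts, "203.0.113.5"))
```

Replaying the incident's own events through each rule, as the `__main__` block does, is the check that belongs in the post-incident review: the untuned rule produces no alert at all on this data, while the tuned rule fires fifteen minutes after the attacker's first failure and stays silent on the benign source.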
Topics: SIEM tuning, incident response, alert thresholds, threat detection