During a post-incident investigation at an energy company, analysts are tasked with identifying coordinated malicious...

The correct answer is D because IBM QRadar is built around real-time ingestion, normalization, and correlation of events and flows from many different sources, then presenting those results through a unified investigative interface. The CHFI v11 blueprint includes centralized logging, SIEM solutions, and event correlation approaches, so the exam expects candidates to identify tools that can combine diverse evidence streams into actionable security findings. IBM documentation states that QRadar consolidates log source and network flow data, performs immediate normalization and correlation, and provides dashboards, offenses, log activity, and network activity views for analysts. That lines up closely with the scenario’s need for real-time, cross-source analysis. ELK can aggregate and visualize data effectively, but the question stresses built-in correlation of activity across sources as it occurs. OSSEC is host-focused, and EventLog Analyzer is more centered on log monitoring and analysis rather than the broader SIEM-style cross-source correlation platform described here. For CHFI-style tool selection, a requirement for unified, real-time event correlation across network and system telemetry points most directly to IBM QRadar.