an administrator uses data from a security information and event management (siem) system to identify potential malicious activity. which feature does the administrator utilize when implementing rules to interpret relationships between datapoints to diagnose incidents?
