You are an IT administrator for a large financial institution. You wish to ensure that threats are discovered as soon as possible. You install a Security Information and event management (SIEM) system to aid this process.

What aspect of this system will best help you discover theft of data by users illegally copying corporate files?

A. Sentiment analysis
B. packet capture
C. log collectors
D. User behavior analysis