Welcome to Pass4Success


CompTIA Exam CAS-004 Topic 10 Question 43 Discussion

Actual exam question for CompTIA's CAS-004 exam
Question #: 43
Topic #: 10

A company recently deployed a SIEM and began importing logs from a firewall, a file server, a domain controller, a web server, and a laptop. A security analyst receives a series of SIEM alerts and prepares to respond. The following is the alert information:

Which of the following should the security analyst do FIRST?

Suggested Answer: C

Based on the SIEM alerts, the security analyst should first disable the jdoe account, because it is the account most likely to be compromised. The alerts show a successful logon by jdoe on abc-usa-fsl, the file server, followed by SMB (TCP 445) traffic from abc-usa-fsl to abc-web01, the web server. A file server initiating SMB to a web server is not expected behaviour; it is consistent with an attacker staging or exfiltrating data from the file server, or moving laterally to the web server under the jdoe credential. Disabling the jdoe account is the narrowest containment step available: it cuts off the credential the activity is tied to everywhere that credential is accepted, without taking any system offline, and it limits further damage while the investigation continues.

Disabling Administrator on abc-usa-fsl because the local account is compromised is not the first action to take, as the alerts do not establish that the local account is compromised. They show a successful logon by Administrator on abc-usa-fsl, but not whether that was the local or the domain account, nor whether the logon was authorised. Disabling it would also not stop the SMB traffic tied to jdoe.

Shutting down abc-usa-fsl because a plaintext credential is being used is not the first action to take, as the alerts do not establish that a plaintext credential is in use. They show RDP (TCP 3389) traffic from abc-admin1-logon to abc-usa-fsl, but a traffic alert says nothing about how the credential was presented, so it is not evidence of a plaintext credential. Shutting down the file server would also disrupt its normal operations and affect every user who depends on it.

Shutting down abc-usa-fw01 because the remote access VPN vulnerability is exploited is not the first action to take, as the alerts do not establish that a VPN vulnerability is being exploited. They show FTP (TCP 21) traffic from abc-usa-dcl to abc-web01, but nothing ties that traffic to the VPN or to an exploited vulnerability. Shutting down the firewall would also expose the network to other threats and affect every service that depends on it.

References: What is SIEM? | Microsoft Security; What is a SIEM Alert? | Cofense
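The correlation the suggested answer performs by hand (a successful logon on a host, followed shortly by that host opening a lateral-movement port to another host, attributed to the most recent account that logged on) can be written as detection logic. The block below is an added example, not code from the page, the exam or Pass4Success. The alert lines are constructed to mirror the narrative above; the pipe-delimited export format, the field names, the timestamps, the logon types and the 15-minute window are assumptions. The hostnames and accounts are the ones the explanation names.

```python
"""Correlate SIEM alerts into an account-attributed lateral-movement chain.

Added example: the alert export below is constructed to mirror the
narrative of the suggested answer. The format, field names, timestamps
and correlation window are assumptions, not the exam's alert table.
"""
from datetime import datetime, timedelta

# Constructed SIEM export: timestamp|reporting device|category|key=value pairs
RAW_ALERTS = """\
2024-03-01T10:01:00Z|abc-usa-fw01|traffic|src=abc-admin1-logon dst=abc-usa-fsl dport=3389 proto=tcp
2024-03-01T10:02:10Z|abc-usa-fsl|auth|user=Administrator result=success logon_type=10
2024-03-01T10:05:30Z|abc-usa-fsl|auth|user=jdoe result=success logon_type=3
2024-03-01T10:06:05Z|abc-usa-fw01|traffic|src=abc-usa-fsl dst=abc-web01 dport=445 proto=tcp
2024-03-01T10:08:00Z|abc-usa-fw01|traffic|src=abc-usa-dcl dst=abc-web01 dport=21 proto=tcp
"""

# Ports whose host-to-host use right after a logon suggests lateral movement
# (SMB, RDP, WinRM, RPC). Assumed list; tune to the environment.
LATERAL_PORTS = {445, 3389, 5985, 5986, 135}
WINDOW = timedelta(minutes=15)  # assumed correlation window


def parse_alerts(text):
    """Parse the constructed export into dicts sorted by timestamp."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, device, category, kv = line.split("|", 3)
        fields = dict(pair.split("=", 1) for pair in kv.split())
        alerts.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "device": device,
            "category": category,
            **fields,
        })
    return sorted(alerts, key=lambda a: a["ts"])


def find_lateral_chains(alerts):
    """Pair each lateral-port flow with the latest successful logon on its source host.

    Returns a list of (user, src_host, dst_host, port, seconds_after_logon).
    Flows whose source host has no recent logon in the feed are skipped,
    because this feed cannot attribute them to an account.
    """
    logons = [a for a in alerts
              if a["category"] == "auth" and a.get("result") == "success"]
    chains = []
    for flow in alerts:
        if flow["category"] != "traffic":
            continue
        if int(flow.get("dport", 0)) not in LATERAL_PORTS:
            continue
        src, dst = flow["src"], flow["dst"]
        candidates = [lg for lg in logons
                      if lg["device"] == src
                      and lg["ts"] <= flow["ts"]
                      and flow["ts"] - lg["ts"] <= WINDOW]
        if not candidates:
            continue
        latest = max(candidates, key=lambda lg: lg["ts"])
        delta = int((flow["ts"] - latest["ts"]).total_seconds())
        chains.append((latest["user"], src, dst, int(flow["dport"]), delta))
    return chains


def first_action(chains):
    """Pick the narrowest containment step: disable the attributed account.

    Account-level containment stops the credential everywhere it is accepted
    without taking a server or the firewall offline. The chain with the
    tightest logon-to-flow timing is taken as the strongest attribution.
    """
    if not chains:
        return None
    user, src, dst, port, delta = min(chains, key=lambda c: c[4])
    return {
        "action": "disable_account",
        "account": user,
        "evidence": f"{user} logged on to {src}; {src} -> {dst} tcp/{port} {delta}s later",
    }


if __name__ == "__main__":
    parsed = parse_alerts(RAW_ALERTS)
    found = find_lateral_chains(parsed)
    for chain in found:
        print("chain:", chain)
    print("first action:", first_action(found))
```

On this input the only chain found is jdoe on abc-usa-fsl followed 35 seconds later by abc-usa-fsl reaching abc-web01 on TCP 445; the RDP flow and the FTP flow are not attributed because no logon on their source hosts appears in the feed. The attribution here is inferred from timing alone, which is all firewall and logon alerts give you; before acting on it in a real incident, confirm it with endpoint telemetry that records the user on the network connection, and pull the domain controller's logon records for jdoe to see where else the credential has been used.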


Contribute your Thoughts:

Tamar
8 months ago
Yeah, but what if the remote access VPN vulnerability is the more immediate threat? Shutting down that firewall could be the quickest way to mitigate the risk.
upvoted 0 times
Kris
8 months ago
Disabling the jdoe account seems like the safest bet here. If it's compromised, we need to cut off that access as quickly as possible.
upvoted 0 times
Tijuana
7 months ago
Agreed, let's take action on that first and then address the other issues.
upvoted 0 times
Susana
7 months ago
I still think dealing with the compromised jdoe account is top priority.
upvoted 0 times
Celestina
8 months ago
True, that could potentially lead to unauthorized access as well.
upvoted 0 times
Bulah
8 months ago
Let's also keep an eye on the plaintext credential being used on abc-usa-fsl.
upvoted 0 times
Franklyn
8 months ago
I think disabling the jdoe account is still the priority here.
upvoted 0 times
Charlesetta
8 months ago
But what about shutting down abc-usa-fw01? The VPN vulnerability could cause more damage.
upvoted 0 times
Shawna
8 months ago
I agree, disabling the jdoe account should be the first step.
upvoted 0 times
Sean
8 months ago
I agree. The question doesn't provide enough details about the specific vulnerabilities or indicators of compromise. We need more information to determine the appropriate response.
upvoted 0 times
Sommer
8 months ago
Hmm, this is a tricky one. I'm not sure if disabling the Administrator account or shutting down the server is the best first step. We need to understand the full context before taking any action.
upvoted 0 times