
CompTIA Exam CAS-004 Topic 5 Question 49 Discussion

Actual exam question for CompTIA's CAS-004 exam
Question #: 49
Topic #: 5

A SOC analyst received an alert about a potential compromise and is reviewing the following SIEM logs:

Which of the following is the most appropriate action for the SOC analyst to recommend?

Suggested Answer: B

The SIEM logs indicate suspicious behavior that could be a sign of a compromise, such as the launching of cmd.exe after Outlook.exe, which is atypical user behavior and could indicate that a machine has been compromised to perform lateral movement within the network. Isolating laptop314 from the network would contain the threat and prevent any potential spread to other systems while further investigation takes place.
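As an added example (not part of the original question or the site's answer), the detection the explanation describes can be run over SIEM-style process-creation events: flag a shell such as cmd.exe whose parent is an Office application, and collect the hosts that warrant isolation. The log lines, the key=value field names and the assumption that the logs record the parent process are all constructed for this example; laptop314 and JDoe are the names used in the question.

```python
"""Flag Office-application-to-shell process spawns in SIEM-style logs.

Added example with constructed data; the key=value field layout is an
assumption, not the format of any particular SIEM product.
"""
import re

# Constructed sample events (not from the original page). Only the first and
# last lines show an Office parent spawning a shell; the others are benign.
SAMPLE_LOGS = """\
2024-11-25T09:14:02Z host=laptop314 user=JDoe event=ProcessCreate parent=OUTLOOK.EXE image=cmd.exe cmdline="cmd.exe /c whoami"
2024-11-25T09:14:05Z host=laptop314 user=JDoe event=ProcessCreate parent=cmd.exe image=net.exe cmdline="net view"
2024-11-25T09:15:10Z host=desktop07 user=ASmith event=ProcessCreate parent=explorer.exe image=OUTLOOK.EXE cmdline="OUTLOOK.EXE"
2024-11-25T09:16:00Z host=desktop07 user=ASmith event=ProcessCreate parent=explorer.exe image=cmd.exe cmdline="cmd.exe"
2024-11-25T09:17:30Z host=laptop314 user=JDoe event=ProcessCreate parent=WINWORD.EXE image=powershell.exe cmdline="powershell.exe"
"""

# Parents that should almost never launch an interactive shell or script host.
OFFICE_PARENTS = {"outlook.exe", "winword.exe", "excel.exe", "powerpnt.exe"}
# Children that, under an Office parent, are a classic post-phishing indicator.
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line: str) -> dict:
    """Turn one 'timestamp key=value ...' line into a dict of string fields."""
    fields = {"timestamp": line.split(maxsplit=1)[0]}
    for key, value in _KV.findall(line):
        fields[key] = value.strip('"')
    return fields


def is_office_shell_spawn(event: dict) -> bool:
    """True when an Office process directly spawned a shell or script host."""
    parent = event.get("parent", "").lower()
    child = event.get("image", "").lower()
    return event.get("event") == "ProcessCreate" and parent in OFFICE_PARENTS and child in SHELL_CHILDREN


def find_office_shell_spawns(log_text: str) -> list:
    """Return the parsed events that match the Office-to-shell rule, in log order."""
    events = (parse_line(line) for line in log_text.splitlines() if line.strip())
    return [event for event in events if is_office_shell_spawn(event)]


def hosts_to_isolate(alerts: list) -> list:
    """Distinct hosts named in the alerts; these are the containment candidates."""
    return sorted({alert["host"] for alert in alerts})


if __name__ == "__main__":
    hits = find_office_shell_spawns(SAMPLE_LOGS)
    for hit in hits:
        print(f"{hit['timestamp']} {hit['host']} {hit['user']}: "
              f"{hit['parent']} -> {hit['image']} ({hit['cmdline']})")
    print("recommend isolating:", ", ".join(hosts_to_isolate(hits)))
```

On the constructed sample this flags the two events on laptop314 and nothing on desktop07, where cmd.exe was started from explorer.exe as a user normally would; the second laptop314 line (cmd.exe launching net.exe) is follow-on activity that an investigator would pivot to from the first alert rather than a separate trigger for this rule.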


Contribute your Thoughts:

Cammy
6 months ago
Isolating laptop314 from the network seems to prevent any further compromise immediately.
upvoted 0 times
Tien
6 months ago
Creating HIPS and NIPS rules seems more like a longer-term solution.
upvoted 0 times
Derick
6 months ago
Alerting JDoe feels risky. They might not act fast enough.
upvoted 0 times
Lai
6 months ago
I thought about that too, but disabling the account might be quicker.
upvoted 0 times
Aracelis
7 months ago
Yeah, I'm leaning towards isolating the laptop. What do you think?
upvoted 0 times
Buddy
7 months ago
Have you seen that SIEM logs question? Looks tricky.
upvoted 0 times
