comptia · CAS-004 · Q426 · multiple_choice · topic_1

A security analyst observes the following while looking through network traffic in a company's cloud log: //IMG// Whic…

A security analyst observes the following while looking through network traffic in a company's cloud log: //IMG// Which of the following steps should the security analyst take FIRST?

A.Quarantine 10.0.5.52 and run a malware scan against the host.
B.Access 10.0.5.52 via EDR and identify processes that have network connections.
C.Isolate 10.0.50.6 via security groups.
D.Investigate web logs on 10.0.50.6 to determine if this is normal traffic.

Explanation

Selected Answer: B Answers C & D: These don't seem correct to me. Why would anyone want to isolate or investigate the destination IP 10.0.50.6 when the logs clearly show that the port scan is being sourced from 10.0.5.52? Option A: Isolating before checking what's going on seems too drastic . FIRST, I'd check what specific process(es) are triggering these connections via EDR portal. Thanks to embedded tools like Deep visibility, this should take less than 2 minutes. Sorry to differ with everybody on this one, but clearly option B for me.

Reference: examtopics_top_comment

Practice with progress tracking

Start tracked practice Pricing