
CompTIA Exam CAS-004 Topic 10 Question 47 Discussion

Actual exam question for CompTIA's CAS-004 exam
Question #: 47
Topic #: 10
[All CAS-004 Questions]

A SOC analyst received an alert about a potential compromise and is reviewing the following SIEM logs:

Which of the following is the most appropriate action for the SOC analyst to recommend?

Suggested Answer: B

The SIEM logs indicate suspicious behavior that could be a sign of a compromise, such as the launching of cmd.exe after Outlook.exe, which is atypical user behavior and could indicate that a machine has been compromised to perform lateral movement within the network. Isolating laptop314 from the network would contain the threat and prevent any potential spread to other systems while further investigation takes place.
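The page's log image is not reproduced here, so the following is an added example (not part of the exam question or the site's content) that shows the detection logic the explanation relies on: an Office application such as Outlook.exe spawning a command shell is an atypical parent/child process relationship, and the host where it occurs is the one to contain. The log lines, their key=value format, the host and user names, and the indicator lists are all constructed for the example.

```python
import re

# Constructed sample SIEM events in an assumed key=value format (not the
# exam's log image). The interesting record is the outlook.exe -> cmd.exe
# process start on laptop314, followed by a failed logon to another host.
SAMPLE_LOGS = """\
time=09:14:02 host=laptop314 user=JDoe event=process_start parent=explorer.exe image=outlook.exe
time=09:15:40 host=laptop314 user=JDoe event=process_start parent=outlook.exe image=cmd.exe
time=09:15:41 host=laptop314 user=JDoe event=process_start parent=cmd.exe image=net.exe
time=09:16:10 host=wkstn07 user=ASmith event=process_start parent=explorer.exe image=cmd.exe
time=09:17:30 host=laptop314 user=JDoe event=logon_attempt target=fileserver01 result=failure
"""

# Office applications that a user drives interactively; they should not
# normally launch shells or script hosts.
OFFICE_PARENTS = {"outlook.exe", "winword.exe", "excel.exe", "powerpnt.exe"}
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Turn one key=value log line into a dict."""
    return dict(KV.findall(line))


def find_office_spawned_shells(log_text):
    """Return (host, user, parent, child, time) for every process start
    where an Office application is the parent of a shell/script host.
    A shell started from explorer.exe (normal user activity) is not flagged."""
    hits = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev.get("event") != "process_start":
            continue
        parent = ev.get("parent", "").lower()
        image = ev.get("image", "").lower()
        if parent in OFFICE_PARENTS and image in SUSPICIOUS_CHILDREN:
            hits.append((ev["host"], ev["user"], parent, image, ev["time"]))
    return hits


def lateral_movement_followups(log_text, host, user, after_time):
    """Collect later events from the same host/user that point at other
    systems (remote logon attempts), which raise the lateral-movement concern."""
    followups = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev.get("host") != host or ev.get("user") != user:
            continue
        if ev.get("time", "") <= after_time:
            continue
        if ev.get("event") == "logon_attempt" and "target" in ev:
            followups.append((ev["time"], ev["target"], ev.get("result", "")))
    return followups


def recommend_actions(log_text):
    """Map detections to containment: the affected host is isolated first so
    the process chain cannot reach other systems while the account activity
    is reviewed. Returns a dict keyed by host."""
    actions = {}
    for host, user, parent, child, when in find_office_spawned_shells(log_text):
        actions[host] = {
            "primary": f"isolate {host} from the network",
            "reason": f"{parent} spawned {child} at {when} under account {user}",
            "follow_up": lateral_movement_followups(log_text, host, user, when),
            "account_to_review": user,
        }
    return actions


if __name__ == "__main__":
    for host, plan in recommend_actions(SAMPLE_LOGS).items():
        print(host, plan)
```

Running the block on the constructed input flags only laptop314: the cmd.exe on wkstn07 has explorer.exe as its parent and is left alone, while the failed logon from laptop314 to fileserver01 after the alert is listed as follow-up evidence that supports isolating the host before, not instead of, reviewing the JDoe account.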


Contribute your Thoughts:

Nina
11 months ago
Creating HIPS and NIPS rules to prevent logins could also be a good proactive measure to secure the system.
upvoted 0 times
Bambi
11 months ago
But what about isolating laptop314 from the network? Wouldn't that also prevent any further damage?
upvoted 0 times
Josphine
11 months ago
I agree with User1, disabling the account would stop the potential compromise from spreading.
upvoted 0 times
Carma
11 months ago
I think the most appropriate action is to disable account JDoe to prevent further lateral movement.
upvoted 0 times
Edelmira
11 months ago
Yes, that could be another effective action to take in this situation.
upvoted 0 times
Nobuko
11 months ago
But shouldn't we also disable account JDoe to prevent further lateral movement?
upvoted 0 times
Isaiah
11 months ago
I agree, that would help contain the potential compromise.
upvoted 0 times
Gianna
12 months ago
I think the analyst should isolate laptop314 from the network.
upvoted 0 times
Bok
1 year ago
Creating HIPS and NIPS rules? That's overkill. We don't even know the extent of the compromise yet. Let's not jump the gun and make things worse, shall we?
upvoted 0 times
Xochitl
1 year ago
You know, I'm kinda leaning towards the HIPS and NIPS approach too. It's like building a cybersecurity force field around the whole system, and who doesn't love a good force field?
upvoted 0 times
Armando
1 year ago
I don't know, guys. Alerting the user seems like a reasonable first step. They might be able to provide more context or even help us identify the source of the issue.
upvoted 0 times
Sanjuana
1 year ago
Hold up, what about creating those HIPS and NIPS rules? Seems like a pretty proactive move to me. I mean, if we can shut down those login attempts before they even happen, that's gotta be the way to go, right?
upvoted 0 times
Vallie
1 year ago
Haha, yeah, like that IT guy who once tried to 'fix' a virus by just unplugging the whole office. That worked out really well, I'm sure.
upvoted 0 times
Kanisha
1 year ago
Nah, I'm not feeling the 'alert JDoe' option. What if the dude's in on it? Then he'll just change his password and keep doing his thing. I say we go for the disable account and isolate laptop combo - cover all our bases, you know?
upvoted 0 times
Izetta
1 year ago
Yeah, I agree. We should probably start with the least intrusive option and see where that takes us. No need to go full-on security lockdown mode just yet.
upvoted 0 times
Melita
1 year ago
Personally, I think the best move is to alert JDoe about the potential compromise. I mean, the guy's account is involved, he should know what's going on, right? Plus, it might help us figure out what the heck is happening on that laptop.
upvoted 0 times
Grover
1 year ago
Hmm, this is a tough call. I'd be tempted to go with isolating the laptop, you know, just to be on the safe side. But then again, that might tip off the bad guys and they could try something even sneakier. Decisions, decisions...
upvoted 0 times
Raina
1 year ago
Whoa, looks like we've got a real tricky one here! I mean, disabling the account, isolating the laptop, warning the user - it's like a choose your own adventure game, but with cybersecurity stakes!
upvoted 0 times
Hobert
11 months ago
I agree, let's make sure JDoe is aware.
upvoted 0 times
Ronald
11 months ago
But maybe alerting JDoe about the potential account compromise could be a good idea too.
upvoted 0 times
Chau
12 months ago
Let's go with isolating laptop314 from the network.
upvoted 0 times
Fallon
1 year ago
D) Creating HIPS and NIPS rules to prevent logins
upvoted 0 times
Chaya
1 year ago
C) Alerting JDoe about the potential account compromise
upvoted 0 times
Bea
1 year ago
B) Isolating laptop314 from the network
upvoted 0 times
Rosendo
1 year ago
A) Disabling account JDoe to prevent further lateral movement
upvoted 0 times