Free Preparation Discussions
MENU
CompTIA Exam CAS-005 Topic 1 Question 12 Discussion
Topic #: 1
An analyst reviews a SIEM and generates the following report:
Only HOST002 is authorized for internet traffic. Which of the following statements is accurate?
Comprehensive and Detailed
Understanding the Security Event:
HOST002 is the only device authorized for internet traffic. However, the SIEM logs show that VM002 is making network connections to web.corp.local.
This indicates unauthorized access, which could be a sign of lateral movement or network infection.
This is a red flag for potential malware, unauthorized software, or a compromised host.
Why Option D is Correct:
Unusual network traffic patterns are often an indicator of a compromised system.
VM002 should not be communicating externally, but it is.
This suggests a possible breach or malware infection attempting to communicate with a command-and-control (C2) server.
Why Other Options Are Incorrect:
A (Misconfiguration): While a misconfiguration could explain the unauthorized connections, the pattern of activity suggests something more malicious.
B (Security incident on HOST002): The issue is not with HOST002. The suspicious activity is from VM002.
C (False positives): The repeated pattern of unauthorized connections makes false positives unlikely.
CompTIA SecurityX CAS-005 Official Study Guide: Chapter on SIEM & Incident Analysis
MITRE ATT&CK Tactics: Lateral Movement & Network-based Attacks
Sanjuana
10 days agoBrock
11 days agoAdolph
15 days agoKaty
16 days agoTerrilyn
20 days agoLorenza
1 months agoTerrilyn
1 months agoNieves
1 months agoGarry
2 days agoIlona
12 days ago