
300-215 Question #141: Real Exam Question with Answer & Explanation

The correct answer is C: Create a Cisco Secure Network Analytics notification rule to further investigate port scanning.

Submitted by andres_qro · Mar 6, 2026 · Incident Response Techniques

Question

A security analyst receives a notification from SIEM that an internal host has active connections to Tor exit nodes. The analyst investigates SIEM events related to the workstation and identifies that the host scans networks for servers with an opened TCP port 1433. An antivirus scan of the workstation does not determine any suspicious activity. Which two actions must the analyst take to mitigate this behavior? (Choose two.)

Options

  • A. Configure SIEM alert rules to perform quick response and mitigation.
  • B. Deploy EDR and SOAR for automatic quarantine of actions from suspicious hosts.
  • C. Create a Cisco Secure Network Analytics notification rule to further investigate port scanning.
  • D. Block Tor nodes via an NGFW and restrict access to SQL only from trusted sources.
  • E. Block any connection to TCP port 1433 from external sources.

Explanation

Creating a Cisco Secure Network Analytics notification rule helps validate and scope the internal port-scanning behavior (who is scanning, targets, rate, and duration) so the activity can be tracked and contained. Blocking Tor nodes on an NGFW and restricting SQL access to only trusted sources immediately reduces the host’s ability to use anonymized outbound channels and prevents opportunistic lateral movement toward SQL services on TCP 1433.

Topics

#SIEM alerts · #Tor detection · #Port scanning · #Network mitigation · #NGFW
