312-39 Question #36: Real Exam Question with Answer & Explanation
The correct answer is A. Security logs.
Question
Options
- A. Security logs
- B. Authentication logs
- C. Firewall logs
- D. Network logs
Explanation
Security logs are the primary source for auditing access and changes to protected objects, including files and folders, when file auditing is enabled. In Windows environments, this typically maps to “Object Access” auditing, which can record who accessed a file, what type of access was attempted (read, write, delete), and when it occurred. For a SOC analyst investigating unauthorized modifications, the goal is attribution (which user/account), timing (outside business hours), and action (write/modify/delete). Authentication logs show who logged in and from where, but they don’t reliably indicate which file was modified unless correlated with object access events. Firewall and general network logs can help confirm remote access paths or suspicious connections, but they won’t provide authoritative “who modified which file” evidence. In practice, the SOC would validate that file/folder auditing is enabled on the file server and that relevant events are being collected centrally. Then they correlate file access/modify events with sign-in activity, source device, and any privilege escalation indicators. Because the question specifically asks for determining “who accessed the files and when modifications occurred,” Security logs are the most direct and forensically valuable option.