nerdexam
EC-Council

312-50V13 · Question #369

312-50V13 Question #369: Real Exam Question with Answer & Explanation

The correct answer is C: Internet Firewall/Proxy log.

Submitted by viktor_hu · Mar 6, 2026 · Malware Threats

Question

You are a security officer of a company. You had an alert from IDS that indicates that one PC on your Intranet is connected to a blacklisted IP address (C2 Server) on the Internet. The IP address was blacklisted just before the alert. You are starting an investigation to roughly analyze the severity of the situation. Which of the following is appropriate to analyze?

Options

  • A. IDS log
  • B. Event logs on domain controller
  • C. Internet Firewall/Proxy log
  • D. Event logs on the PC

Explanation

To analyze the severity of a PC connecting to a blacklisted C2 server, Internet Firewall/Proxy logs are most appropriate as they provide comprehensive details about external network communication.

Common mistakes.

  • A. The IDS log already provided the alert, but it needs to be supplemented with more detailed network flow data to fully analyze the severity and scope of the connection.
  • B. Event logs on the domain controller primarily track domain-related activities like user logins and policy changes, offering less direct insight into specific network connections to external malicious IPs.
  • D. Event logs on the PC are important for endpoint forensics (e.g., malware execution, process activity), but firewall/proxy logs offer a more complete picture of the network communication itself, especially regarding external traffic to a C2 server.
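As an added example (not part of the question page), this is the first-pass triage the explanation describes: parse proxy/firewall records, keep only those to the blacklisted C2 address, and summarize per internal host how long the contact has gone on, whether it predates the blacklisting, how many connections were allowed versus denied, and how much data left. The log format, IP addresses and timestamps are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample proxy/firewall lines (not real traffic); assumed format:
# "<ISO timestamp> src=<ip> dst=<ip> dport=<n> action=<allow|deny> bytes_out=<n>"
SAMPLE_LOG = """\
2026-03-06T08:55:12Z src=10.0.5.23 dst=198.51.100.77 dport=443 action=allow bytes_out=1240
2026-03-06T09:02:40Z src=10.0.5.23 dst=198.51.100.77 dport=443 action=allow bytes_out=880
2026-03-06T09:03:01Z src=10.0.7.14 dst=93.184.216.34 dport=80 action=allow bytes_out=300
2026-03-06T09:15:09Z src=10.0.9.8 dst=198.51.100.77 dport=8443 action=deny bytes_out=0
2026-03-06T09:40:33Z src=10.0.5.23 dst=198.51.100.77 dport=443 action=allow bytes_out=52000
"""

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
    r"action=(?P<action>\w+) bytes_out=(?P<bytes>\d+)$"
)

def parse(log_text):
    """Yield one dict per well-formed line; malformed lines are skipped, not guessed at."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
            rec["dport"] = int(rec["dport"])
            rec["bytes"] = int(rec["bytes"])
            yield rec

def c2_scope(log_text, c2_ip, blacklisted_at):
    """Per-internal-host summary of traffic to c2_ip. 'before_blacklist' flags hosts whose
    first contact predates the blacklisting (blacklisted_at is an ISO string like the log)."""
    cutoff = datetime.strptime(blacklisted_at, TS_FMT)
    hosts = defaultdict(lambda: {"first": None, "last": None, "allowed": 0, "denied": 0, "bytes_out": 0})
    for rec in parse(log_text):
        if rec["dst"] != c2_ip:
            continue  # only the C2 destination matters for this triage pass
        h = hosts[rec["src"]]
        h["first"] = rec["ts"] if h["first"] is None else min(h["first"], rec["ts"])
        h["last"] = rec["ts"] if h["last"] is None else max(h["last"], rec["ts"])
        h["allowed" if rec["action"] == "allow" else "denied"] += 1
        h["bytes_out"] += rec["bytes"]  # large outbound volume hints at exfiltration
    for h in hosts.values():
        h["before_blacklist"] = h["first"] < cutoff
    return dict(hosts)

if __name__ == "__main__":
    for src, h in sorted(c2_scope(SAMPLE_LOG, "198.51.100.77", "2026-03-06T09:00:00Z").items()):
        print(src, h)
```

A second host appearing in the summary, or a first-seen time well before the blacklisting, turns a single-PC alert into a wider incident and changes the severity accordingly.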

Concept tested. Security incident response logging

Reference. https://learn.microsoft.com/en-us/azure/azure-monitor/agents/log-analytics-windows#security-events

Topics

#Incident response · #C2 server · #Firewall logs · #malware communication
