350-201(NEW-127Q) Question #102: Real Exam Question with Answer & Explanation
Incident Response and Management
Question
A security analyst receives an escalation regarding an unidentified connection to the Accounting A1 server within a monitored zone. The analyst pulls the logs and discovers that a PowerShell process and a WMI root process were started on the server after the connection was established, and that a PE format file was created in the system directory. What is the next step the analyst should take?
Options
- A. Review the server backup and identify server content and data critically to assess the intrusion risk.
- B. Isolate the server and perform forensic analysis of the file to determine the type and vector of a possible attack.
- C. Identify the server owner through the CMDB and contact the owner to determine if these were planned and identifiable activities.
- D. Perform behavioral analysis of the processes on an isolated workstation and perform cleaning procedures if the file is malicious.
Topics
Incident Response, Forensic Analysis, Malware Detection, Attack Indicators