
350-201(NEW-127Q) Question #16: Real Exam Question with Answer & Explanation

The correct answer is B: Cross-correlate with other events and identify services offered during affected times.

Threat Detection and Response

Question

A security engineer discovered an unusual network activity that repeats weekly, only on weekends. Further analysis shows that the activity spreads to countries where the organization does not provide services. An engineer could not determine if unusual activity is legitimate. Which set of actions should the security engineer take?

Options

  • A. Mark as false-positive and exclude similar events from security tools to avoid false alerts.
  • B. Cross-correlate with other events and identify services offered during affected times.
  • C. Communicate with employees to determine the cause of unusual traffic.
  • D. Block all traffic and document the results.

Explanation

Option B is correct because when an engineer cannot determine whether unusual activity is legitimate, the proper investigative step is to gather more context: cross-correlating with other events (scheduled jobs, backup windows, change records, authentication logs) reveals whether the weekly pattern lines up with something known, and checking which services the organization was actually offering during the affected times, and to which countries, either explains the traffic or confirms that it has no business justification. This is the principle of investigating before acting.

Why the others are wrong:

  • A is dangerous: marking unknown activity as a false-positive without investigation could allow a real threat (like data exfiltration or C2 beaconing) to go undetected and permanently excluded from monitoring.
  • C is insufficient alone: employee communication might help, but weekend traffic spreading internationally is unlikely to be explained by asking employees - and it bypasses technical investigation.
  • D is an overreaction: blocking all traffic without understanding the cause could cause widespread business disruption and violates the principle of proportional response before root cause analysis.

Memory tip: Think of B as the "CSI approach" - detectives correlate evidence before drawing conclusions. The weekly, international pattern screams "scheduled job or exfiltration" - both of which require correlation with logs, services, and timelines to confirm, not assumptions.
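The correlation described in the explanation, as an added example that is not part of the original question or its answer key. All connection records and the scheduled-job inventory below are constructed for illustration (RFC 5737 documentation addresses, a hypothetical service footprint of US/DE/GB, and a hypothetical "offsite-backup" job); in practice the flows would come from firewall or NetFlow logs and the job list from a CMDB or scheduler export.

```python
"""Cross-correlate weekly weekend-only outbound flows with the scheduled-job
inventory and the countries where services are actually offered.

Added example; the data below is constructed, not taken from any real log.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: the organization only serves customers in these countries.
SERVICE_COUNTRIES = {"US", "DE", "GB"}


def _weekly(start, weeks, hour):
    """Timestamps at the same hour on the same weekday for N consecutive weeks."""
    return [start + timedelta(days=7 * k, hours=hour) for k in range(weeks)]


SAT = datetime(2024, 3, 2)  # a Saturday (weekday() == 5)
SUN = datetime(2024, 3, 3)  # a Sunday   (weekday() == 6)
MON = datetime(2024, 3, 4)  # a Monday   (weekday() == 0)

# Constructed outbound connection records: who talked to where, when, how much.
CONNECTIONS = (
    [dict(ts=t, src="db01", dst="203.0.113.10", country="BR", bytes=4_200_000_000)
     for t in _weekly(SAT, 4, 2)]          # every Saturday 02:00, four weeks
    + [dict(ts=t, src="ws17", dst="198.51.100.7", country="RU", bytes=12_000_000)
       for t in _weekly(SUN, 4, 23)]       # every Sunday 23:00, four weeks
    + [dict(ts=t, src="web01", dst="192.0.2.20", country="US", bytes=900_000)
       for t in _weekly(MON, 4, 9)]        # weekday business traffic, not of interest
)

# Constructed scheduled-job inventory (hypothetical "offsite-backup" job).
SCHEDULED_JOBS = [
    dict(name="offsite-backup", host="db01", days={5},
         start_hour=2, end_hour=4, expected_countries={"BR"}),
]


def periodic_weekend_flows(conns, min_weeks=3):
    """Group flows by (source, destination, country) and keep the groups whose
    connections fall only on weekends and recur across >= min_weeks distinct weeks."""
    by_pair = defaultdict(list)
    for c in conns:
        by_pair[(c["src"], c["dst"], c["country"])].append(c["ts"])
    found = []
    for (src, dst, country), stamps in by_pair.items():
        weekdays = {t.weekday() for t in stamps}
        weeks = {t.isocalendar()[1] for t in stamps}
        if weekdays <= {5, 6} and len(weeks) >= min_weeks:
            found.append(dict(src=src, dst=dst, country=country,
                              weekdays=weekdays,
                              hours=sorted({t.hour for t in stamps}),
                              weeks=len(weeks)))
    return found


def explaining_jobs(flow, jobs):
    """Jobs on the same host whose schedule covers every observed weekday and hour
    and whose expected destination country matches the flow."""
    return [j["name"] for j in jobs
            if j["host"] == flow["src"]
            and flow["weekdays"] <= j["days"]
            and all(j["start_hour"] <= h < j["end_hour"] for h in flow["hours"])
            and flow["country"] in j["expected_countries"]]


def triage(conns, jobs, service_countries=SERVICE_COUNTRIES):
    """Return a verdict per periodic weekend flow: 'explained' when a scheduled job
    accounts for it, 'escalate' when it is unexplained and leaves the service
    footprint, 'review' when it is unexplained but stays inside the footprint."""
    verdicts = {}
    for flow in periodic_weekend_flows(conns):
        jobs_found = explaining_jobs(flow, jobs)
        if jobs_found:
            verdict = "explained"   # legitimate; still worth documenting as a known job
        elif flow["country"] not in service_countries:
            verdict = "escalate"    # recurring, unexplained, outside where we do business
        else:
            verdict = "review"
        verdicts[(flow["src"], flow["dst"])] = dict(
            verdict=verdict, jobs=jobs_found, country=flow["country"], weeks=flow["weeks"])
    return verdicts


if __name__ == "__main__":
    for (src, dst), v in triage(CONNECTIONS, SCHEDULED_JOBS).items():
        print(f"{src} -> {dst} ({v['country']}, {v['weeks']} weeks): {v['verdict']} {v['jobs']}")
```

Running this flags two weekend-only recurring flows and leaves the Monday traffic alone: the db01 flow to Brazil lines up with the backup job and is marked explained, while the ws17 flow to Russia matches no job and no service country and is escalated for further investigation rather than silenced (option A) or blocked outright (option D).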

Topics

#Incident Investigation #Threat Analysis #Event Correlation #Security Response
