
350-201(NEW-127Q) Question #5: Real Exam Question with Answer & Explanation


Incident Response and Management

Question

A security analyst detected that a group of internal hosts is initiating periodic port-scanning activity against different network segments, after which connections are initiated to the host 10.1.4.5. Several days earlier, the company SIEM alerted that a suspicious email with an attached .doc file had been sent to company mailboxes. The antivirus software installed on the detected endpoints shows no alerts. The security team has access to the logs of Cisco NGFW, IDS, ESA, StealthWatch, and ThreatGrid. Which two methods should be used to identify and quarantine the rest of the infected endpoints? (Choose two.)

Options

  • A. Identify the endpoints that received the suspicious email via ESA and perform traffic analysis via StealthWatch, followed by network block requests.
  • B. Request the support of an external forensic investigator and investigate the endpoints' suspicious activity in detail for further quarantine actions.
  • C. Upload the attached .doc file to the ThreatGrid environment for a deep understanding of the suspicious activity.
  • D. Check NGFW and IDS logs for related detections of possible C&C activity.
  • E. Check the antivirus software logs according to the timeframe of the alerts received from the SIEM.
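Whichever options the exam marks correct, the analyst's practical problem is the same: turn the indicators in the stem (cross-segment port scanning, follow-on connections to 10.1.4.5, mailboxes that received the .doc) into a list of hosts to quarantine. The script below is an added example of that correlation over flow records, written for this page; it is not the page's answer key and not Cisco or StealthWatch code. The flow log, the thresholds, and the set of workstations mapped to the ESA recipients are all constructed for illustration; in practice the recipient-to-host mapping would come from ESA message tracking joined with DHCP or directory data.

```python
# Flow-log triage for the scenario above (added example, not the page's answer key).
from collections import defaultdict
from statistics import mean, pstdev

C2_HOST = "10.1.4.5"  # the host named in the question stem

# Constructed NetFlow-style records "epoch,src,dst,dport"; not real logs.
FLOW_LOG = """\
1000,10.1.2.10,10.1.3.7,22
1001,10.1.2.10,10.1.3.7,80
1002,10.1.2.10,10.1.3.7,445
1003,10.1.2.10,10.1.3.7,3389
1010,10.1.2.10,10.1.5.9,22
1011,10.1.2.10,10.1.5.9,445
1100,10.1.2.10,10.1.4.5,443
1400,10.1.2.10,10.1.4.5,443
1700,10.1.2.10,10.1.4.5,443
2000,10.1.2.10,10.1.4.5,443
1050,10.1.2.11,10.1.3.8,22
1051,10.1.2.11,10.1.3.8,80
1052,10.1.2.11,10.1.3.8,445
1053,10.1.2.11,10.1.3.8,3389
1060,10.1.2.11,10.1.6.4,22
1061,10.1.2.11,10.1.6.4,445
1150,10.1.2.11,10.1.4.5,443
1450,10.1.2.11,10.1.4.5,443
1750,10.1.2.11,10.1.4.5,443
2050,10.1.2.11,10.1.4.5,443
1000,10.1.2.20,10.1.2.53,53
1200,10.1.2.20,10.1.3.7,445
1500,10.1.2.20,10.1.4.5,443
1000,10.1.2.30,10.1.3.7,22
1001,10.1.2.30,10.1.3.7,80
1002,10.1.2.30,10.1.3.7,445
1003,10.1.2.30,10.1.3.7,3389
1010,10.1.2.30,10.1.5.9,22
1011,10.1.2.30,10.1.5.9,445
"""

# Constructed: workstations of the mailboxes ESA shows received the .doc (assumed
# to come from ESA message tracking joined with DHCP/AD); not from the page.
ESA_DOC_RECIPIENTS = {"10.1.2.10", "10.1.2.11", "10.1.2.20"}


def parse_flows(text):
    """Yield (ts, src, dst, dport) tuples from the CSV text above."""
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, dport = line.split(",")
            yield int(ts), src, dst, int(dport)


def segment(ip):
    """The /24 an address lives in, used to count 'different segments'."""
    return ip.rsplit(".", 1)[0]


def detect_scanners(flows, min_pairs=5, min_segments=2):
    """Hosts touching many distinct dst:port pairs across >= 2 foreign /24s."""
    pairs, segs = defaultdict(set), defaultdict(set)
    for _, src, dst, dport in flows:
        if dst == C2_HOST or segment(dst) == segment(src):
            continue  # C2 traffic and same-subnet traffic are not scan evidence
        pairs[src].add((dst, dport))
        segs[src].add(segment(dst))
    return {s for s in pairs if len(pairs[s]) >= min_pairs and len(segs[s]) >= min_segments}


def c2_contacts(flows, max_cv=0.2, min_hits=3):
    """Per host: (number of connections to C2_HOST, whether they are periodic).

    Periodic = coefficient of variation of the inter-arrival gaps below max_cv,
    i.e. the beacon-like pattern the stem describes after the scans.
    """
    times = defaultdict(list)
    for ts, src, dst, _ in flows:
        if dst == C2_HOST:
            times[src].append(ts)
    result = {}
    for src, ts in times.items():
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        periodic = len(ts) >= min_hits and mean(gaps) > 0 and pstdev(gaps) / mean(gaps) < max_cv
        result[src] = (len(ts), periodic)
    return result


def triage(flow_text, doc_recipients):
    """Combine scan, C2 and mail-recipient signals into a per-host verdict."""
    flows = list(parse_flows(flow_text))
    scanners = detect_scanners(flows)
    c2 = c2_contacts(flows)
    report = {}
    for host in {f[1] for f in flows}:
        hits, periodic = c2.get(host, (0, False))
        got_doc = host in doc_recipients
        if host in scanners and hits:
            verdict = "quarantine"   # scan + C2 traffic: same pattern as the known-infected hosts
        elif host in scanners or hits or got_doc:
            verdict = "investigate"  # one signal alone: admin scan, one-off hit, or unopened mail
        else:
            verdict = "clear"
        report[host] = {"scanner": host in scanners, "c2_hits": hits,
                        "periodic": periodic, "received_doc": got_doc, "verdict": verdict}
    return report


if __name__ == "__main__":
    for host, r in sorted(triage(FLOW_LOG, ESA_DOC_RECIPIENTS).items()):
        print(host, r)
```

In the constructed data, 10.1.2.10 and 10.1.2.11 scan two foreign segments and then beacon to 10.1.4.5 every 300 seconds, so they land in "quarantine". 10.1.2.30 scans but never contacts 10.1.4.5 (an administrator's scanner looks exactly like this), and 10.1.2.20 received the mail and touched 10.1.4.5 once without scanning; both stay at "investigate" rather than being blocked on a single signal. The verdict list is the input to the block requests, not the block itself.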

