
350-201(NEW-127Q) Question #82: Real Exam Question with Answer & Explanation

The correct answer is B: immediately disable the user account associated with the failed login attempts to prevent further unauthorized access.

Incident Response and Threat Management

Question

Refer to the exhibit. In a corporate environment, a cybersecurity analyst is responsible for monitoring Windows server audit logs for security incidents. During routine log analysis, the analyst identifies a series of security events on a Windows server. Which event should the cybersecurity analyst focus on first?

Exhibit:

  • Event ID 4625 (Failed Login Attempt)
  • Event ID 7045 (Service Installation)
  • Event ID 4663 (File/Folder Access)
  • Event ID 5156 (Firewall Rule)

Options

  • A. Analyze the file/folder access as per Event ID 4663 to identify the user's intent and assess if sensitive data has been compromised.
  • B. Immediately disable the user account associated with the failed login attempts to prevent further unauthorized access.
  • C. Review and document the newly created firewall rule as per Event ID 5156 to ensure it complies with the organization's security policies.
  • D. Investigate the service installed as per Event ID 7045 to determine the origin and purpose, and, if suspicious, remove it.

Explanation

Option B is correct because a burst of Event ID 4625 failures against the same account signals an active, ongoing brute-force or credential-stuffing attempt: the attacker is still trying to get in. Disabling the targeted account is a containment action that stops the active threat before it succeeds, and in the exam's framing that takes priority over the investigative steps in the other options. In practice, confirm the pattern from the 4625 fields before acting: many failures in a short window, the Source Network Address they come from, the Logon Type (3 for network logons), and the Sub Status (0xC000006A is a wrong password for an existing account; 0xC0000064 means the user name does not exist, so there is nothing to disable and the activity is account enumeration). Locking out a legitimate user is the main cost of acting on a false positive, so the threshold and window should be tuned, not guessed.

Why the distractors fall short:

  • A (4663 – File Access): This is a forensic step. It is useful for understanding what data was touched, but it does not stop anything in progress, and 4663 only appears for objects that carry a SACL, so its absence proves little.
  • C (5156 – Firewall Rule): Reviewing firewall compliance is the lowest urgency here. The exhibit labels 5156 a firewall rule, but the event actually records that the Windows Filtering Platform permitted a connection; an allowed connection is not inherently malicious.
  • D (7045 – Service Installation): This is the trickiest distractor. A new service install can indicate persistence or malware and deserves urgent investigation, and if a successful logon (4624) from the attacking source precedes the 7045 the attacker is already in and the service becomes the immediate scope. The question, however, frames the failed logins as an active, ongoing attack, so immediate containment is the priority; service investigation follows once the attacker is locked out.

Memory tip: Use the IR mantra "Stop → Scope → Study". First stop the active threat (B), then scope what was changed or installed (D), then study what was accessed or permitted (A, C). Failed logins mean someone is still at the door; bolt the door first.
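The triage logic described above, as an added example that is not part of the original page or of Cisco's material. The records in SAMPLE_EVENTS are constructed, shaped like what `Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625} | ConvertTo-Json` exports (field names follow the event XML: TargetUserName, IpAddress, LogonType, SubStatus); the burst threshold and window are assumptions, not values from the question. The code ranks the four exhibit event IDs in Stop → Scope → Study order, finds accounts under a failed-logon burst while skipping failures for non-existent user names, and escalates instead of merely disabling if a 4624 success from the attacking source follows the burst.

```python
"""Triage of the four exhibit events (added example, not from the page).

SAMPLE_EVENTS are constructed records shaped like Security-log exports.
Threshold and window below are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# NTSTATUS values seen in the SubStatus field of Event ID 4625
SUBSTATUS = {
    "0xC000006A": "wrong password",
    "0xC0000064": "user name does not exist",  # nothing to disable
    "0xC0000234": "account locked out",
    "0xC0000072": "account disabled",
}

# Rank from "Stop -> Scope -> Study": 4625, then 7045, then 4663 / 5156
TRIAGE_RANK = {4625: 0, 7045: 1, 4663: 2, 5156: 3}


def _t(seconds):
    return datetime(2024, 1, 15, 3, 0, 0) + timedelta(seconds=seconds)


def _failure(seconds, user, ip, substatus="0xC000006A"):
    return {"Id": 4625, "Time": _t(seconds), "TargetUserName": user,
            "IpAddress": ip, "LogonType": 3, "SubStatus": substatus}


# Constructed sample: six failures for svc-backup from one source in 90 s,
# one failure for a user name that does not exist, then the other exhibit events.
SAMPLE_EVENTS = [
    *[_failure(s, "svc-backup", "203.0.113.7") for s in (0, 15, 30, 45, 60, 90)],
    _failure(120, "admin", "203.0.113.7", "0xC0000064"),
    {"Id": 7045, "Time": _t(300), "ServiceName": "WinUpdateSvc",
     "ImagePath": "C:\\Windows\\Temp\\upd.exe"},
    {"Id": 4663, "Time": _t(310), "SubjectUserName": "svc-backup",
     "ObjectName": "C:\\Finance\\payroll.xlsx"},
    {"Id": 5156, "Time": _t(320), "DestAddress": "203.0.113.7", "DestPort": 443,
     "Application": "\\device\\harddiskvolume2\\windows\\temp\\upd.exe"},
]


def triage_order(events):
    """Distinct event IDs present, ordered Stop -> Scope -> Study."""
    return sorted({e["Id"] for e in events}, key=lambda i: TRIAGE_RANK.get(i, 99))


def failed_logon_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """Accounts with >= threshold 4625 events inside any window-long span.

    Failures whose SubStatus says the user name does not exist are skipped:
    they are evidence of guessing, but there is no account to disable.
    """
    by_user = defaultdict(list)
    for e in events:
        if e["Id"] == 4625 and e.get("SubStatus") != "0xC0000064":
            by_user[e["TargetUserName"]].append(e)
    bursts = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["Time"])
        for i, first in enumerate(evs):  # sliding window over sorted times
            run = [e for e in evs[i:] if e["Time"] - first["Time"] <= window]
            if len(run) >= threshold:
                bursts[user] = {
                    "count": len(run),
                    "sources": sorted({e["IpAddress"] for e in run}),
                    "first": run[0]["Time"], "last": run[-1]["Time"],
                    "reasons": sorted({SUBSTATUS.get(e["SubStatus"], e["SubStatus"]) for e in run}),
                }
                break
    return bursts


def succeeded_after_burst(events, bursts):
    """(user, ip) pairs where a burst source later logged on successfully (4624):
    the attacker is no longer 'at the door', so containment must widen."""
    hits = []
    for e in events:
        if e["Id"] != 4624:
            continue
        b = bursts.get(e["TargetUserName"])
        if b and e["IpAddress"] in b["sources"] and e["Time"] >= b["last"]:
            hits.append((e["TargetUserName"], e["IpAddress"]))
    return hits


def containment_actions(events, threshold=5):
    """Option B as an action list: one 'disable' per bursting account, plus an
    'escalate' for each account the attacker already got into."""
    bursts = failed_logon_bursts(events, threshold)
    actions = [("disable", user) for user in sorted(bursts)]
    actions += [("escalate", f"{u} from {ip}") for u, ip in succeeded_after_burst(events, bursts)]
    return actions


if __name__ == "__main__":
    print("triage order:", triage_order(SAMPLE_EVENTS))
    for user, b in failed_logon_bursts(SAMPLE_EVENTS).items():
        print(f"{user}: {b['count']} failures from {b['sources']} ({', '.join(b['reasons'])})")
    print("actions:", containment_actions(SAMPLE_EVENTS))
```

On this sample the order comes out as 4625, 7045, 4663, 5156, only svc-backup qualifies for disablement (the "admin" failure is enumeration of a name that does not exist), and no escalation fires because the sample has no 4624. Appending a 4624 for svc-backup from 203.0.113.7 after the burst turns the output into disable plus escalate, which is the situation where option D's service would become the immediate scope.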

Topics

Windows Event Log Analysis · Incident Response Prioritization · Active Threat Detection · Security Event Triage
