350-201 Question #16: Real Exam Question with Answer & Explanation
The correct answer is B: Include a step "Take a Snapshot" to capture the endpoint state to contain the threat for analysis.
Question
Refer to the exhibit. An engineer configured this SOAR solution workflow to identify account theft threats and privilege escalation, evaluate risk, and respond by resolving the threat. This solution is handling more threats than security analysts have time to analyze. Without this analysis, the team cannot be proactive and anticipate attacks. Which action will accomplish this goal?
Exhibit (workflow image not reproduced on this page)
Options
- A. Exclude the step "BAN malicious IP" to allow analysts to conduct and track the remediation
- B. Include a step "Take a Snapshot" to capture the endpoint state to contain the threat for analysis
- C. Exclude the step "Check for GeoIP location" to allow analysts to analyze the location and the
- D. Include a step "Reporting" to alert the security department of threats identified by the SOAR
Explanation
Taking a snapshot of an endpoint captures its state at the time of the threat, enabling analysts to perform forensic analysis asynchronously without blocking automated remediation.
Common mistakes:
- A. Excluding 'BAN malicious IP' removes a key automated remediation step and shifts burden to analysts, increasing their workload rather than freeing time for proactive analysis.
- C. Excluding 'Check for GeoIP location' removes an automated enrichment step and forces analysts to perform this lookup manually, which increases rather than reduces their workload.
- D. Adding a 'Reporting' step only notifies the security department of threats already handled; it provides no forensic data for analysts to use in anticipating future attacks.
Concept tested: SOAR playbook design for forensic evidence preservation
Reference: https://www.cisco.com/c/en/us/products/security/what-is-soar.html