Cisco
350-201 Question #42: Real Exam Question with Answer & Explanation
The correct answer is B: accessing the server with financial data.
Security Monitoring
Question
A threat actor attacked an organization's Active Directory server from a remote location, and in a thirty-minute timeframe, stole the password for the administrator account and attempted to access 3 company servers. The threat actor successfully accessed the first server that contained sales data, but no files were downloaded. A second server was also accessed that contained marketing information and 11 files were downloaded. When the threat actor accessed the third server that contained corporate financial data, the session was disconnected, and the administrator's account was disabled. Which activity triggered the behavior analytics tool?
Options
- A. accessing the Active Directory server
- B. accessing the server with financial data
- C. accessing multiple servers
- D. downloading more than 10 files
Explanation
If you have admin rights, it is normal to jump through many RDP sessions for many tasks; an admin on a financial server would be more suspicious. Alerting on access to multiple servers would probably raise many false-positive alerts and disabled accounts.
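To make the explanation concrete, here is an added example (not from the exam or from Cisco's material) that replays the question's sequence as constructed access events against three candidate behavior-analytics rules and records the minute each rule first fires; the server names, the policy that admin accounts are not expected on financial-data servers, and the routine baseline session are all assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessEvent:
    minute: int          # minutes since the start of the observation window
    account: str
    server: str
    classification: str  # data class of the server: sales, marketing, financial, ...
    files_downloaded: int


# Constructed events reproducing the question's incident (not real logs).
INCIDENT = [
    AccessEvent(5, "administrator", "srv-sales-01", "sales", 0),
    AccessEvent(12, "administrator", "srv-mktg-01", "marketing", 11),
    AccessEvent(25, "administrator", "srv-finance-01", "financial", 0),
]
# Constructed baseline of a routine admin maintenance session (assumed normal).
BASELINE = [
    AccessEvent(2, "administrator", "srv-web-01", "general", 0),
    AccessEvent(9, "administrator", "srv-app-02", "general", 3),
    AccessEvent(14, "administrator", "srv-db-03", "sales", 0),
    AccessEvent(20, "administrator", "srv-file-04", "marketing", 12),
]
RESTRICTED_FOR_ADMINS = {"financial"}  # assumed policy: admins don't need this data


def rule_restricted_server(history):
    """Fires when the latest access touches a restricted data class."""
    return history[-1].classification in RESTRICTED_FOR_ADMINS


def rule_multiple_servers(history, window=30, threshold=3):
    """Fires once `threshold` distinct servers are seen within `window` minutes."""
    latest = history[-1].minute
    recent = [e for e in history if latest - e.minute <= window]
    return len({e.server for e in recent}) >= threshold


def rule_bulk_download(history, threshold=10):
    """Fires when a single access downloads more than `threshold` files."""
    return history[-1].files_downloaded > threshold


RULES = {"restricted_server": rule_restricted_server,
         "multiple_servers": rule_multiple_servers,
         "bulk_download": rule_bulk_download}


def first_trigger_minutes(events, rules=RULES):
    """Replay events in order; return the minute each rule first fires (None if never)."""
    fired = {name: None for name in rules}
    history = []
    for e in events:
        history.append(e)
        for name, rule in rules.items():
            if fired[name] is None and rule(history):
                fired[name] = e.minute
    return fired


if __name__ == "__main__":
    print("incident:", first_trigger_minutes(INCIDENT))
    print("baseline:", first_trigger_minutes(BASELINE))
```

On the incident the bulk-download rule fires at minute 12, before the session was cut, and the multiple-servers rule also fires on the routine baseline, which is the false-positive problem the explanation describes; only the restricted-server rule is silent on the baseline and fires exactly at the financial server.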
Topics
Active Directory, DLP triggers, security monitoring, incident detection