CAS-005 Question #275: Real Exam Question with Answer & Explanation
The correct answer is B: Extend log retention for all security and network devices to 180 days for all traffic.
Question

During a recent security event, access from the non-production environment to the production environment enabled unauthorized users to:

- Install unapproved software
- Make unplanned configuration changes

During the investigation, the following findings were identified:

- Several new users were added in bulk by the IAM team
- Additional firewalls and routers were recently added
- Vulnerability assessments have been disabled for more than 30 days
- The application allow list has not been modified in two weeks
- Logs were unavailable for various types of traffic
- Endpoints have not been patched in over ten days

Which of the following actions would most likely need to be taken to ensure proper monitoring? (Choose two.)
Options

- A. Disable bulk user creations by the IAM team
- B. Extend log retention for all security and network devices to 180 days for all traffic
- C. Review the application allow list daily
- D. Routinely update all endpoints and network devices as soon as new patches/hot fixes are
- E. Ensure all network and security devices are sending relevant data to the SIEM
- F. Configure firewall rules to only allow production-to-non-production traffic
Explanation

B. Extend log retention for all security and network devices to 180 days for all traffic. The incident investigation was hampered because "logs were unavailable for various types of traffic," which is a direct monitoring/forensics gap. Longer and more comprehensive retention is needed so security teams can reconstruct events and spot suspicious cross-environment access.

E. Ensure all network and security devices are sending relevant data to the SIEM. Proper monitoring requires centralized, correlated visibility; without all firewalls, routers, and other security tools feeding events to the SIEM, lateral movement from non-prod to prod can go undetected. Centralized logging from "all services and infrastructure components" is a core monitoring best practice.