
SY0-501 · Question #334

SY0-501 Question #334: Real Exam Question with Answer & Explanation

The correct answer is D: Document findings and processes in the after-action and lessons learned report. After identifying and containing a security incident, the next crucial step in the incident response lifecycle is to document all findings and processes to create an after-action report and capture lessons learned.

Submitted by javi_es· Mar 4, 2026

Question

A security analyst notices anomalous activity coming from several workstations in the organization. Upon identifying and containing the issue, which of the following should the security analyst do NEXT?

Options

  • A. Document and lock the workstations in a secure area to establish chain of custody
  • B. Notify the IT department that the workstations are to be reimaged and the data restored for
  • C. Notify the IT department that the workstations may be reconnected to the network for the
  • D. Document findings and processes in the after-action and lessons learned report

Explanation

After identifying and containing a security incident, the next crucial step in the incident response lifecycle is to document all findings and processes to create an after-action report and capture lessons learned.

Common mistakes.

  • A. Documenting and securing workstations for chain of custody is typically performed during the identification and containment phases to preserve evidence, not as the next step after containment is complete.
  • B. Reimaging workstations and restoring data are part of the eradication and recovery phases, which occur after containment but prior to the finalization of the after-action report, which covers the entire incident.
  • C. Reconnecting workstations to the network is a recovery activity that should only happen after eradication, validation, and ensuring systems are completely clean and secure, making it a later step in the incident response process.

Concept tested. Incident Response Lifecycle: Post-Incident Activities

Reference. https://learn.microsoft.com/en-us/azure/security/fundamentals/incident-response-overview#incident-response-phases

