SY0-701 Question #522: Real Exam Question with Answer & Explanation
The correct answer is A: Determining the root cause of the incident.
Question
Which of the following activities is included in the post-incident review phase?
Options
- A. Determining the root cause of the incident
- B. Developing steps to mitigate the risks of the incident
- C. Validating the accuracy of the evidence collected during the investigation
- D. Reestablishing the compromised system's configuration and settings
Explanation
Root cause analysis is the defining activity of the post-incident review phase - after the incident has been contained and resolved, the team conducts a structured "lessons learned" or after-action review to understand why and how the incident occurred, which is precisely what determining root cause accomplishes.
- B is wrong because developing mitigation steps occurs during the containment and eradication phase, while the incident is still active.
- C is wrong because validating evidence accuracy happens during the investigation/analysis phase, while the incident is being worked.
- D is wrong because reestablishing compromised system configurations is recovery, which precedes the post-incident review.
Memory tip: Think of post-incident review as a retrospective - the dust has settled, systems are back online, and now the team asks "why did this happen and how do we prevent it?" Root cause = retrospective = post-incident.