Determining Incident | CompTIA CySA+ Exam CS0-002

Determining Incident

Question

An analyst is investigating an anomalous event reported by the SOC.

After reviewing the system logs, the analyst identifies an unexpected addition of a user with root-level privileges on the endpoint.

Which of the following data sources will BEST help the analyst to determine whether this event constitutes an incident?

Answers

A. Patching logs
B. Threat feed
C. Backup logs
D. Change request logs
E. Data classification matrix

Explanations

The best data source to determine whether the unexpected addition of a user with root-level privileges on the endpoint constitutes an incident is the change request logs (Option D).

Change request logs record every approved change made to the system or network, including changes to user accounts and privileges. Checking them shows whether the new root-level account was requested and authorized through the change process; an addition with no matching approved change request is unexplained and should be treated as an incident, while a matching approved request indicates sanctioned administrative work rather than an attack.

Patching logs (Option A) can help identify whether missing patches left a vulnerability that an attacker could have exploited to gain access to the system, but they say nothing about whether the addition of a root-level user was authorized.

A threat feed (Option B) provides information about known threats and vulnerabilities, but it is not specific to the system being investigated and may not provide relevant information.

Backup logs (Option C) can help identify whether any changes were made to the system that were later reversed or restored, but they are not the best source of information for determining whether the addition of a user with root-level privileges constitutes an incident.

Finally, a data classification matrix (Option E) is used to classify data based on its sensitivity and criticality, and it is not directly relevant to this particular incident.

Therefore, the best data source to determine whether the unexpected addition of a user with root-level privileges on the endpoint constitutes an incident is the change request logs.