Exam SY0-701 topic 1 question 58 discussion

Actual exam question from CompTIA's SY0-701
Question #: 58
Topic #: 1

During an investigation, an incident response team attempts to understand the source of an incident. Which of the following incident response activities describes this process?

  • A. Analysis
  • B. Lessons learned
  • C. Detection
  • D. Containment
Suggested Answer: A

Comments

hasquaati
Highly Voted 7 months, 1 week ago
Selected Answer: A
Answer is A because you need to conduct an analysis to find out what the source of the incident was.
upvoted 7 times
...
darpanne
Most Recent 4 days, 12 hours ago
Selected Answer: A
In the Analysis phase, the team examines logs, network traffic, artifacts, and other relevant data to determine:
  • The root cause of the incident
  • How the incident occurred
  • The systems and data affected
  • Indicators of Compromise (IOCs)
  • Possible paths for remediation and prevention
upvoted 1 times
...
89fdeb4
6 days, 6 hours ago
Selected Answer: A
It can't be "Lessons learned" because we're still investigating. "During an Investigation"
upvoted 2 times
...
racer99_
1 month ago
Selected Answer: B
This q tripped me up for a long time until I looked up the IRP stages. If you look it up you'll see that "Lessons learned" includes finding out what the source of the incident was. There is no such "analysis" stage in IRP. Correct answer here is B
upvoted 1 times
...
sireyml
1 month ago
Selected Answer: A
Emphasis on "During an investigation". During an incident response, analysis refers to the process of investigating and understanding the source of the incident, including determining how the incident occurred, identifying the root cause, and gathering the necessary evidence to support further actions. This is a key part of incident response where the team works to fully comprehend the nature of the incident and its origins. "Lessons learned" is an activity that takes place after the incident has been resolved.
upvoted 2 times
...
chalaka
1 month, 2 weeks ago
Selected Answer: A
A. Analysis
In the incident response process, analysis involves examining evidence and data to determine the cause and source of an incident. This phase helps the incident response team understand how the incident occurred, who or what caused it, and the extent of its impact.
upvoted 1 times
...
3dk1
2 months ago
Going with A. The problem with B is that it is post incident, this question is "During an investigation". I agree that you will investigate the root cause in the Lessons Learned portion as well, but this is at the END, not during.
upvoted 2 times
nyyankee718
1 month, 4 weeks ago
It said "During an investigation" NOT during the incident so B
upvoted 1 times
...
...
c7b3ff0
2 months, 1 week ago
Selected Answer: B
Lessons Learned - Review severe incidents to determine the root cause, whether they were avoidable, and how to avoid them in the future.
Analysis - determine if an incident has actually occurred and assign it a priority level.
upvoted 2 times
...
deejay2
2 months, 1 week ago
I think lessons learned is the right answer. Lessons learned deals with post recovery (not during the investigation) and meets with everyone that was affected by the incident to get feedback and learn ways to improve to prevent this from happening next time. Analysis deals with the incident while the incident is happening, not after.
upvoted 1 times
...
nap61
2 months, 2 weeks ago
Selected Answer: B
From CompTIA Security Guide
Analysis - After the detection process reports one or more indicators, in the analysis process, the first responder investigates the data to determine whether a genuine incident has been identified and what level of priority it should be assigned. Conversely, the report might be categorized as a false positive and dismissed.
Lessons Learned - The lessons learned process reviews severe security incidents to determine their root cause, whether they were avoidable, and how to avoid them in the future. The lessons learned process should invoke root cause analysis or the effort to determine how the incident was able to occur. A lot of models have been developed to structure root cause analysis. One is the “Five Whys” model. This starts with a statement of the problem and then poses successive “Why” questions to drill down to root causes.
So, to understand the source of incident, or root cause, is in LESSONS LEARNED.
upvoted 3 times
...
cyoncon
2 months, 2 weeks ago
B, post incident
upvoted 1 times
...
Sol_tyty
4 months ago
Selected Answer: A
GPT!!!
upvoted 1 times
...
Etc_Shadow28000
6 months, 1 week ago
Selected Answer: A
A. Analysis
During an investigation, the incident response team engages in the process of understanding the source of an incident through analysis. This involves examining the data and evidence collected to determine how the incident occurred, its origin, and its impact.
Therefore, the correct answer is: A. Analysis
upvoted 4 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other