
Exam CS0-002 topic 1 question 291 discussion

Actual exam question from CompTIA's CS0-002
Question #: 291
Topic #: 1

An analyst is investigating an anomalous event reported by the SOC. After reviewing the system logs, the analyst identifies an unexpected addition of a user with root-level privileges on the endpoint. Which of the following data sources will BEST help the analyst to determine whether this event constitutes an incident?

  • A. Patching logs
  • B. Threat feed
  • C. Backup logs
  • D. Change requests
  • E. Data classification matrix
Suggested Answer: D

Comments

Cock
Highly Voted 2 years, 2 months ago
Selected Answer: D
D. Change requests. Change requests will help the analyst determine if the addition of the user with root-level privileges was authorized or not. If there was no record of an authorized change request, it is highly likely that the event constitutes a security incident. Patching logs, threat feeds, backup logs, and data classification matrix are unlikely to provide relevant information for this specific scenario.
upvoted 5 times
db97
Highly Voted 2 years, 2 months ago
If there isn't a change request for the new user added with those privileges, then it's enough to be suspicious. D is the answer.
upvoted 5 times
2Fish
2 years, 1 month ago
Agreed. Out of the answers provided, D is the correct answer.
upvoted 1 times
gnnggnnggnng
Most Recent 2 years, 2 months ago
Selected Answer: D
D. Change requests is the best data source to help the analyst determine whether the unexpected addition of a user with root-level privileges on the endpoint constitutes an incident. The change requests would contain information about who made the change, when it was made, and why it was made, which would help the analyst to determine if the event was authorized or not.
upvoted 3 times
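As an added example (not from the page or any of the commenters): a small Python triage helper that parses constructed useradd/usermod syslog lines, keeps only root-level changes (a new UID 0 account, or membership added to sudo/wheel), and reconciles each against a constructed change-request export by host, account and approved time window; anything without a covering change request is flagged as an incident candidate. The log format, ticket fields and the year 2024 are assumptions.

```python
import re
from datetime import datetime

# Constructed auth.log-style lines (not from the page): a second UID-0 account,
# a user added to the sudo group, and an ordinary unprivileged account.
AUTH_LOG = """\
Mar  4 02:13:07 web01 useradd[2231]: new user: name=svc_backup, UID=0, GID=0, home=/root, shell=/bin/bash
Mar  4 09:41:52 web01 usermod[3102]: add 'jdoe' to group 'sudo'
Mar  4 10:02:11 web01 useradd[3190]: new user: name=intern, UID=1003, GID=1003, home=/home/intern, shell=/bin/bash
"""

# Constructed change-request records (hypothetical ticketing export).
CHANGE_REQUESTS = [
    {"id": "CHG-1042", "host": "web01", "account": "jdoe", "action": "grant sudo",
     "window_start": "2024-03-04T09:00:00", "window_end": "2024-03-04T11:00:00"},
]

PRIV_GROUPS = {"sudo", "wheel", "root"}
YEAR = 2024  # syslog timestamps carry no year; assumed for the constructed sample

USERADD_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) useradd\[\d+\]: new user: name=(\w+), UID=(\d+), GID=(\d+)")
USERMOD_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) usermod\[\d+\]: add '(\w+)' to group '(\w+)'")

def parse_ts(stamp):
    return datetime.strptime(f"{YEAR} {stamp}", "%Y %b %d %H:%M:%S")

def privileged_events(log):
    """Yield (timestamp, host, account, reason) for root-level account changes only."""
    for line in log.splitlines():
        m = USERADD_RE.match(line)
        if m and m.group(4) == "0":
            yield parse_ts(m.group(1)), m.group(2), m.group(3), "new account with UID 0"
            continue
        m = USERMOD_RE.match(line)
        if m and m.group(4) in PRIV_GROUPS:
            yield parse_ts(m.group(1)), m.group(2), m.group(3), f"added to group {m.group(4)}"

def matching_change(ts, host, account, requests):
    """Return the id of a change request covering this host/account/time, or None."""
    for cr in requests:
        start, end = datetime.fromisoformat(cr["window_start"]), datetime.fromisoformat(cr["window_end"])
        if cr["host"] == host and cr["account"] == account and start <= ts <= end:
            return cr["id"]
    return None

def triage(log, requests):
    """List findings; a privileged change with no covering change request is an incident candidate."""
    findings = []
    for ts, host, account, reason in privileged_events(log):
        cr = matching_change(ts, host, account, requests)
        findings.append({"host": host, "account": account, "reason": reason, "change_request": cr,
                         "verdict": "authorized" if cr else "incident candidate"})
    return findings
```

Running `triage(AUTH_LOG, CHANGE_REQUESTS)` flags `svc_backup` (UID 0, no ticket) and clears `jdoe` against CHG-1042; the `intern` account never reaches the reconciliation step because it is not root-level.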
Community vote distribution
A (35%)
C (25%)
B (20%)
Other