A user does not follow their sign-in pattern and signs in from an unusual location. As an admin, what should you do in response to this alert for this user during this investigation?
A. Add Two Factor Authentication to the Domain
B. First, suspend the account and then investigate
C. Enhance your security alerts for tracking sign-in patterns
D. Investigate the account for unauthorized activity in the Login and Security Audit Log
I agree with B here. In this specific instance, where you've already confirmed suspicious activity and an unusual login location, the logs wouldn't provide any additional information that would change your immediate course of action. I think you are still missing some steps in between, but B makes the most sense to me.
I was going with the sensible choice to investigate on the logs, but as there is no "Login and Security Audit Log" in the admin console, I believe that "Suspend first" is the answer Google wants in this scenario: https://support.google.com/a/answer/2984349?hl=en
Personally I wouldn't suspend the CEO account on a business trip before checking for additional clues.
Option B. Please follow me:
This link includes precisely the scenario described here ("user does not follow their sign-in pattern and signs in from an unusual location") as an example of a suspicious login:
https://support.google.com/a/answer/7102416?hl=en
As a first step, it instructs the admin to "Ask the user with the suspicious login if they remember signing in", which is not included as a possible answer in the alternatives.
Then, as a second step, it instructs admin to "follow the Administrator security checklist", which may be found here:
https://support.google.com/a/answer/2984349?hl=en
The very first step is "SUSPEND a user to prevent unauthorized access." followed by "Investigate the potentially unauthorized activity...".
At last, there's no such thing named "Login and Security Audit Log" in Google Workspace (not with this name).
I vote for Option B. Suspend first, investigate after.
Answer is B. Identifying and securing compromised accounts should start by temporarily suspending the suspected compromised user account to prevent unauthorized access, then investigating the potentially unauthorized activity and finally restoring the account.
https://support.google.com/a/answer/7102416?hl=en
Answer D: We already know that the user signed in from an unusual location. Login Audit Log will provide the unusual IP address only. There is no "Security Audit Log" in the admin console.
Answer is C. Identifying and securing compromised accounts should start by temporarily suspending the suspected compromised user account to prevent unauthorized access, then investigating the potentially unauthorized activity and finally restoring the account.
https://support.google.com/a/answer/7102416?hl=en
Answer D: We already know that the user signed in from an unusual location. Login Audit Log will provide the unusual IP address only. There is no "Security Audit Log" in the admin console.
Vote D. Remember we need to have the root cause analysis, then decide which action to take.
A: No. Adding 2FA is one of the follow-up actions.
B: No. Suppose a CxO is logging into the domain at the customer site just for the meeting (he obviously won't tell the Workspace admin his schedule); of course the Workspace admin won't suspend the CxO's access immediately.
C: No. Again, this is a follow-up action.
D: Yes. Knowing the root cause is the first step to take.
Option D (Investigate the account for unauthorized activity in the Login and Security Audit Log): This is the most appropriate response in the given scenario. As an admin, you should investigate the user account in question thoroughly. Check the Login and Security Audit Log to review all recent sign-in activity, IP addresses, geolocations, and any other relevant information. Look for any signs of unauthorized access or suspicious activities. If you find any suspicious activity, take appropriate actions, such as resetting passwords, revoking access, or communicating with the user to verify their identity.
Remember that security incidents require careful investigation and response. Once you've gathered sufficient information, you can take further actions, such as implementing additional security measures or adjusting security alerts based on the findings to prevent similar incidents in the future.
Suspending is a drastic measure. What if you suspend the user during a business meeting? Correct answer is A. Reference: https://support.google.com/a/answer/7102416?hl=en