ExamTopics Logo
Mail Us[email protected]
Menu
Cisco Discussions
exam questions

Exam 350-201 All Questions

View all questions & answers for the 350-201 exam
Go to Exam

Exam 350-201 topic 1 question 46 discussion

Actual exam question from Cisco's 350-201
Question #: 46
Topic #: 1
[All 350-201 Questions]

A security analyst receives an escalation regarding an unidentified connection on the Accounting A1 server within a monitored zone. The analyst pulls the logs and discovers that a Powershell process and a WMI tool process were started on the server after the connection was established and that a PE format file was created in the system directory. What is the next step the analyst should take?

  • A. Isolate the server and perform forensic analysis of the file to determine the type and vector of a possible attack
  • B. Identify the server owner through the CMDB and contact the owner to determine if these were planned and identifiable activities
  • C. Review the server backup and identify server content and data criticality to assess the intrusion risk
  • D. Perform behavioral analysis of the processes on an isolated workstation and perform cleaning procedures if the file is malicious
Show Suggested Answer Hide Answer
Suggested Answer: A 🗳️
by Bobster02 at Nov. 30, 2021, 6:13 p.m.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
Bobster02
Highly Voted 2 years ago
Selected Answer: A
A. Isolate the server and perform forensic analysis of the file to determine the type and vector of a possible attack
upvoted 7 times
...
marceus
Most Recent 4 months, 2 weeks ago
Selected Answer: A
ChatGPT: In summary, isolating the server and performing forensic analysis is the first step in determining the nature of the threat and containing the potential attack.
upvoted 1 times
...
DrVoIP
10 months, 2 weeks ago
A. Isolate the server and perform forensic analysis of the file to determine the type and vector of a possible attack. The presence of unidentified connections, Powershell processes, and WMI tool processes, as well as a file in the system directory, suggest that the server may have been compromised. Isolating the server and performing forensic analysis of the file can help determine the type and vector of the possible attack and enable the organization to take appropriate actions to contain and remediate the incident. - ChatGPT
upvoted 1 times
...
Noxman
11 months, 2 weeks ago
Selected Answer: D
the statement says "the Accounting A1 server within a monitored zone" it is already isolated
upvoted 1 times
...
TOLU1985
1 year, 3 months ago
Selected Answer: A
well, if it was already escalated better answer is A
upvoted 1 times
...
jaciro11
1 year, 3 months ago
Selected Answer: A
The first thing ISOLATE !!
upvoted 1 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel