Exam 350-201 topic 1 question 91 discussion

Actual exam question from Cisco's 350-201
Question #: 91
Topic #: 1

A SOC analyst is investigating a recent email delivered to a high-value user for a customer whose network their organization monitors. The email includes a suspicious attachment titled `Invoice RE: 0004489`. The hash of the file is gathered from the Cisco Email Security Appliance. After searching Open Source Intelligence, no available history of this hash is found anywhere on the web. What is the next step in analyzing this attachment to allow the analyst to gather indicators of compromise?

  • A. Run and analyze the DLP Incident Summary Report from the Email Security Appliance
  • B. Ask the company to execute the payload for real time analysis
  • C. Investigate further in open source repositories using YARA to find matches
  • D. Obtain a copy of the file for detonation in a sandbox
Suggested Answer: D
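The workflow behind the suggested answer, written out as an added example that is not part of the exam, of Cisco's tooling, or of any comment below: hash the attachment, reuse existing history if the hash is known, otherwise mark it for detonation in a sandbox, and then pull indicators of compromise out of the detonation report. The known-hash table, the sample bytes, and the JSON shape of the sandbox report are all constructed for this example; a real sandbox such as Cisco Secure Malware Analytics exports its own schema, so only the extraction logic carries over. The filter on non-routable addresses is there so the sandbox's own resolver or gateway does not end up on the customer's blocklist.

```python
"""Attachment triage: hash lookup, sandbox decision, IoC extraction.

Example code for this discussion, not Cisco or sandbox-vendor code. The
hash feed, sample bytes and report format below are constructed.
"""
import hashlib
import ipaddress
import json
from urllib.parse import urlsplit

# Constructed: hashes the analyst already has history for.
KNOWN_HASHES = {
    "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855": "empty file, benign",
}

# Constructed stand-in for the attachment; no real sample is embedded here.
SAMPLE_ATTACHMENT = b"MZ\x90\x00constructed-invoice-attachment"

# Address ranges a sandbox's own infrastructure lives in; never report these as IoCs.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "224.0.0.0/4", "::1/128", "fc00::/7", "fe80::/10",
)]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def triage_decision(data: bytes, known: dict = KNOWN_HASHES) -> dict:
    """Known hash: reuse its history. Unknown hash: detonate a copy in a sandbox.
    The file is never executed on the customer's own hosts."""
    digest = sha256_hex(data)
    if digest in known:
        return {"sha256": digest, "next_step": "use_existing_history", "note": known[digest]}
    return {"sha256": digest, "next_step": "detonate_in_sandbox", "note": "no OSINT history"}


# Constructed sandbox report in a hypothetical JSON shape (assumption).
SAMPLE_REPORT = json.dumps({
    "sample": {"name": "Invoice RE: 0004489", "sha256": sha256_hex(SAMPLE_ATTACHMENT)},
    "network": [
        {"type": "dns", "query": "update-check.example.net", "server": "10.0.0.5"},
        {"type": "tcp", "dst": "10.0.0.5", "port": 53},          # sandbox resolver, noise
        {"type": "tcp", "dst": "198.51.100.23", "port": 443},
        {"type": "http", "url": "http://203.0.113.8/gate.php"},
    ],
    "dropped_files": [
        {"path": "C:\\Users\\Public\\svchost.exe", "sha256": "a" * 64},
    ],
    "registry": [
        {"key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater"},
    ],
})


def is_routable_ip(value: str) -> bool:
    """True for a syntactically valid IP outside the sandbox-internal ranges."""
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        return False
    return not any(ip in net for net in NON_ROUTABLE)


def extract_iocs(report_json: str) -> dict:
    """Collect file, network and persistence indicators from a detonation report."""
    report = json.loads(report_json)
    kinds = ("file_hashes", "file_paths", "domains", "ips", "urls", "registry_keys")
    iocs = {k: set() for k in kinds}
    iocs["file_hashes"].add(report["sample"]["sha256"])
    for ev in report.get("network", []):
        if ev["type"] == "dns":
            iocs["domains"].add(ev["query"])
        elif ev["type"] == "tcp" and is_routable_ip(ev["dst"]):
            iocs["ips"].add(ev["dst"])
        elif ev["type"] == "http":
            iocs["urls"].add(ev["url"])
            host = urlsplit(ev["url"]).hostname or ""
            if is_routable_ip(host):
                iocs["ips"].add(host)
            elif host:
                iocs["domains"].add(host)
    for f in report.get("dropped_files", []):
        iocs["file_hashes"].add(f["sha256"])
        iocs["file_paths"].add(f["path"])
    for r in report.get("registry", []):
        iocs["registry_keys"].add(r["key"])
    return {k: sorted(v) for k, v in iocs.items()}


def defang(value: str) -> str:
    """Defang a URL, domain or IP so it cannot be clicked in a ticket or report.
    For URLs only the scheme and host are altered; the path is left intact."""
    parts = urlsplit(value)
    if parts.scheme in ("http", "https"):
        scheme = "hxxp" + parts.scheme[4:]          # http -> hxxp, https -> hxxps
        rest = value[len(parts.scheme) + 3:]        # drop "scheme://"
        return f"{scheme}://{parts.netloc.replace('.', '[.]')}{rest[len(parts.netloc):]}"
    return value.replace(".", "[.]")


if __name__ == "__main__":
    print(triage_decision(SAMPLE_ATTACHMENT))
    iocs = extract_iocs(SAMPLE_REPORT)
    for kind in ("domains", "ips", "urls"):
        for v in iocs[kind]:
            print(kind, defang(v))
```

The decision function deliberately has no branch for running the file on the customer's machine: the only two outcomes are reuse of existing history or detonation of a copy in an isolated environment, which is the distinction the question is testing.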

Comments

TrainingTeam
6 months, 2 weeks ago
Selected Answer: D
When an email attachment's hash has no history in open source intelligence databases, the next step is to obtain a copy of the file for analysis in a controlled environment, known as a sandbox. This allows the analyst to observe the behavior of the file without risking the security of the network or systems.
upvoted 1 times
DrVoIP
2 years, 2 months ago
D. Obtain a copy of the file for detonation in a sandbox. Since no available history of the file hash was found anywhere on the web, the best next step would be to obtain a copy of the file and detonate it in a sandbox environment to gather indicators of compromise. This will help to determine whether the attachment is malicious or not and provide additional information for further investigation. Running and analyzing the DLP Incident Summary Report or investigating in open-source repositories using YARA may provide additional information but are not the best next step in this scenario. Asking the company to execute the payload for real-time analysis is not recommended as it could result in potential damage or loss of data. - ChatGPT
upvoted 2 times
Community vote distribution: A (35%), C (25%), B (20%), other (20%)