ExamTopics Logo
Mail Us[email protected]
Menu
Comptia Discussions
exam questions

Exam CAS-004 All Questions

View all questions & answers for the CAS-004 exam
Go to Exam

Exam CAS-004 topic 1 question 383 discussion

Actual exam question from CompTIA's CAS-004
Question #: 383
Topic #: 1
[All CAS-004 Questions]

A company recently deployed a SIEM and began importing logs from a firewall, a file server, a domain controller, a web server, and a laptop. A security analyst receives a series of SIEM alerts and prepares to respond. The following is the alert information:



Which of the following should the security analyst do FIRST?

  • A. Disable Administrator on abc-usa-fs1; the local account is compromised.
  • B. Shut down the abc-usa-fs1 server; a plaintext credential is being used.
  • C. Disable the jdoe account; it is likely compromised.
  • D. Shut down abc-usa-fw01; the remote access VPN vulnerability is exploited.
Show Suggested Answer Hide Answer
Suggested Answer: C 🗳️
by biggytech at Nov. 19, 2023, 11:56 p.m.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
041ba31
7 months ago
Selected Answer: C
The best course of action is to C. Disable the jdoe account; it is likely compromised. The alerts show successful logon events for the user jdoe on multiple systems in different geographical locations within a short timeframe, which is suspicious and indicative of a compromised account. Disabling the jdoe account will prevent further unauthorized access while the situation is investigated.
upvoted 3 times
...
Anarckii
1 year ago
Selected Answer: C
C. Disable the jdoe account; it is likely compromised.
upvoted 2 times
...
OdinAtlasSteel
1 year, 1 month ago
Selected Answer: C
C. Disable the jdoe account; it is likely compromised. Rationale: Multiple successful logon events involving the "jdoe" account across different systems within a short time frame indicate potential suspicious behavior. This repeated successful logon activity, especially across different servers (abc-usa-fs1, abc-ger-fs1, abc-web01), raises suspicions of a compromised account or potentially unauthorized access.
upvoted 3 times
...
[Removed]
1 year, 1 month ago
The answer is A. Here's Why: It looks like a file transfer (FTP) was logged by the abc-usa-fw01 firewall located in the USA to document a file transfer from file server ger-fs1 located in Germany to a Web (server?) abc-web01, then sometime later Web (server?) abc-web01 logged a Successful login by the Administrator account. Which would potentially give the Admin access to the data that was transferred. Furthermore, both of these events were marked as High Severity alerts by the SIEM, therefore, they should be investigated first.
upvoted 1 times
Anarckii
1 year ago
how does disabling the local account associate with the log that CLEARLY shows "jdoe"??
upvoted 1 times
...
...
biggytech
1 year, 1 month ago
Selected Answer: C
C is the right answer since we see the jdoe account exporting traffic via ftp
upvoted 1 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel