ExamTopics Logo
Mail Us[email protected]
Menu
Comptia Discussions
exam questions

Exam SY0-701 All Questions

View all questions & answers for the SY0-701 exam
Go to Exam

Exam SY0-701 topic 1 question 191 discussion

Actual exam question from CompTIA's SY0-701
Question #: 191
Topic #: 1
[All SY0-701 Questions]

A security analyst is investigating a workstation that is suspected of outbound communication to a command-and-control server. During the investigation, the analyst discovered that logs on the endpoint were deleted. Which of the following logs would the analyst most likely look at next?

  • A. IPS
  • B. Firewall
  • C. AСL
  • D. Windows security
Show Suggested Answer Hide Answer
Suggested Answer: B 🗳️
by a4e15bd at Aug. 8, 2024, 2:12 a.m.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
Kingamj
Highly Voted 10 months, 2 weeks ago
Selected Answer: B
Since the logs on the endpoint were deleted, the security analyst would likely turn to firewall logs. Firewall logs can provide information about network traffic, including outbound connections that may indicate communication with a command-and-control server. These logs can help the analyst identify suspicious traffic patterns or unauthorized communication that bypassed endpoint defenses.
upvoted 5 times
...
Glacier88
Most Recent 10 months ago
Selected Answer: B
While the endpoint logs themselves are deleted, the firewall logs might still provide valuable information. Firewalls typically record network traffic, including outbound connections, which could help the analyst identify the destination of the suspicious communication. By examining the firewall logs, the analyst might be able to determine the IP address of the command-and-control server and gather other relevant information about the incident.
upvoted 1 times
...
1edea48
10 months, 3 weeks ago
This isn't correct. The answer has to be C. In the question, it specifically states that the logs on the endpoint were deleted. That tells me that someone had access to those logs, which means there might have very well been tampering on the endpoint. The ACL has the ability to show us who was able to access those logs and when they were deleted.
upvoted 2 times
850bc48
9 months, 1 week ago
I agree with this, if there's an issue at the endpoint, why wouldn't I check the access logs associated.
upvoted 1 times
3dk1
7 months, 3 weeks ago
To add onto this, what am I going to see in the ACL? A compromised user? At least the firewall will give us information about the command-and-control servers traffic and attack vector.
upvoted 2 times
...
...
...
a4e15bd
10 months, 3 weeks ago
B. Firewall
upvoted 1 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel