Exam CAS-004 topic 1 question 636 discussion

The most appropriate action for the SOC analyst to recommend is: A. Disabling account JDoe to prevent further lateral movement. The logs show a suspicious sequence of events that suggest lateral movement and possible compromise. Specifically, JDoe logs into multiple machines (laptop314, server112, and server113), launches potentially malicious processes (e.g., cmd.exe and rdp.exe), and accesses critical systems. The combination of actions, such as launching command-line interfaces and remote desktop tools, is indicative of potential malicious activity, like post-compromise behavior or an attacker moving through the network, and this will immediately stop the attacker (if JDoe's account has been compromised) from further moving laterally or interacting with other systems. While option B isolating the laptop could be part of the containment strategy, it addresses only one of the systems involved. The logs show that JDoe is also interacting with multiple servers. Disabling the account provides a broader solution that halts further activity on all systems, not just isolating one device.