An analyst has noticed unusual activities in the SIEM to a .cn domain name. Which of the following should the analyst use to identify the content of the traffic?
C
Packet capture would be the only choice that could identify the CONTENT of the traffic, if it were plaintext. A, B, and D would not be able to capture the content.
I think this is a packet capture; currently, this is the real practice in our organization. If there is suspicious traffic, we capture it and analyze it. It might be a legal issue if you are getting 3rd-party services.
Actually this should be A. You can't just go ahead and run packet captures on your network as there might be legal issues with that. This is just "unusual" network activity, so the first thing one would do is go through the logs.
NIST 800-61 does state that it's best to run a packet capture as soon as an incident is suspected: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf#page=39.
If the unusual activity is already detected by the SIEM, then the logs should contain the payload which can identify/give details regarding the content of the traffic. Otherwise, the answer is C.
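As an added illustration, not taken from the ExamTopics thread, of the distinction the commenters draw between log review and packet capture: a flow-style record of a datagram carries only the 5-tuple, while the captured bytes also expose the DNS question name, which is what lets an analyst see that a .cn name was queried. The addresses, hostname and packet bytes are constructed for the example.

```python
import struct
from ipaddress import IPv4Address

def build_dns_query(qname, txid=0x1234):
    """Encode a standard DNS A query for qname (constructed sample traffic)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, QDCOUNT=1
    labels = b"".join(bytes([len(l)]) + l.encode("ascii")
                      for l in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN

def build_ipv4_udp(src, dst, sport, dport, payload):
    """Wrap payload in minimal IPv4+UDP headers (checksums left at 0)."""
    udp_len = 8 + len(payload)
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, 64, 17, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    return ip + udp

def parse_dns_qname(dns):
    """Read the first question name from a DNS message (no compression pointers)."""
    name, pos = [], 12  # question section starts after the 12-byte header
    while dns[pos] != 0:
        n = dns[pos]
        name.append(dns[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return ".".join(name)

def flow_record(pkt):
    """What a flow log or firewall log typically retains: the 5-tuple only."""
    ihl = (pkt[0] & 0x0F) * 4
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return {"src": str(IPv4Address(pkt[12:16])), "dst": str(IPv4Address(pkt[16:20])),
            "proto": pkt[9], "sport": sport, "dport": dport}

def inspect_capture(pkt):
    """What a packet capture adds: the payload, here the DNS question name."""
    rec = flow_record(pkt)
    ihl = (pkt[0] & 0x0F) * 4
    if rec["proto"] == 17 and rec["dport"] == 53:
        rec["qname"] = parse_dns_qname(pkt[ihl + 8:])
        rec["cn_tld"] = rec["qname"].lower().endswith(".cn")
    return rec

# Constructed datagram: documentation addresses and a placeholder hostname.
SAMPLE = build_ipv4_udp("10.0.0.5", "192.0.2.53", 51000, 53,
                        build_dns_query("update.example.cn"))

if __name__ == "__main__":
    print("flow log view:", flow_record(SAMPLE))
    print("packet capture view:", inspect_capture(SAMPLE))
```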
CS0-001 Exam Questions