
Exam CS0-002 topic 1 question 180 discussion

Actual exam question from CompTIA's CS0-002
Question #: 180
Topic #: 1

During a review of SIEM alerts, a security analyst discovers the SIEM is receiving many alerts per day from the file-integrity monitoring tool about files from a newly deployed application that should not change. Which of the following steps should the analyst complete FIRST to respond to the issue?

  • A. Warn the incident response team that the server can be compromised.
  • B. Open a ticket informing the development team about the alerts.
  • C. Check if temporary files are being monitored.
  • D. Dismiss the alert, as the new application is still being adapted to the environment.
Suggested Answer: C

Comments

rcharger00
Highly Voted 3 years, 5 months ago
I believe this is A.
A - file-integrity for the application shows files are being changed "that should not change"...so potentially a breach could be occurring. At a minimum it's worth investigating/escalating.
B - "a newly deployed application" meaning it's already in production, shouldn't need to go back to the Dev team.
C - the SIEM sounds as though it's already configured to monitor the appropriate files "that should not change".
D - while it's possible some sort of "adapting" needs to take place, it doesn't seem logical here to disregard the alert in case it was an actual issue.
upvoted 20 times
Davar39
Highly Voted 3 years ago
Selected Answer: C
I am going with C on this one, since it is an onboarding asset some alerting configurations might need fine tuning. Verifying the root cause of the problem should be the first thing to do. I don't think alerting the incident team or developers without providing any useful information would help.
upvoted 9 times
MacherGaming
3 years ago
Agreed. Detect, then analyze.
upvoted 1 times
RobV
Most Recent 1 year, 6 months ago
Selected Answer: C
NEWLY DEPLOYED is the key here. The FIRST step the security analyst should complete to respond to the issue of numerous file-integrity monitoring alerts from a newly deployed application is: C. Check if temporary files are being monitored. This step involves investigating whether the file-integrity monitoring tool is configured to monitor temporary files generated by the newly deployed application. Sometimes, legitimate changes, such as those related to temporary files, can trigger false positives in file-integrity monitoring. By checking the configuration and monitoring settings, the analyst can determine if the alerts are indeed related to expected and harmless changes. If temporary files are being monitored, the configuration can be adjusted to exclude them from triggering alerts.
upvoted 1 times
skibby16
1 year, 7 months ago
Selected Answer: C
The analyst should check if temporary files are being monitored first to respond to the issue. Temporary files are files that are created and used by applications for various purposes, such as storing data temporarily or caching data for faster access. However, temporary files are not meant to be permanent and are usually deleted when they are no longer needed or when the application is closed. Therefore, monitoring temporary files can generate many alerts from the file-integrity monitoring tool that are not relevant or useful for security purposes. The analyst should check if temporary files are being monitored and exclude them from the monitoring scope to reduce the number of alerts and focus on the files that should not change.
upvoted 1 times
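RobV and skibby16 both describe the same tuning step: confirm whether the file-integrity monitor's scope includes temporary files, and if so exclude them so that only the files that must not change still raise alerts. The following is an added illustration, not part of the original thread and not any real FIM product's code: a minimal hash-based integrity check over two constructed snapshots of a hypothetical `/opt/app` tree (paths and contents are made up), run first without and then with temp-path exclusions. It also includes the check an analyst should do alongside the tuning: confirm that the exclusion patterns do not also silence the protected files, because an over-broad pattern such as `/opt/app/*` would hide the very changes the monitor exists to catch.

```python
import fnmatch
import hashlib

# Constructed sample snapshots of a hypothetical application tree (path -> bytes).
# The baseline is taken at deployment; the current snapshot is one scan later.
BASELINE_SNAPSHOT = {
    "/opt/app/bin/server": b"ELF-binary-v1",
    "/opt/app/lib/core.so": b"shared-lib-v1",
    "/opt/app/etc/app.conf": b"listen=8080\n",
    "/opt/app/tmp/session_a.tmp": b"sess-a",
    "/opt/app/cache/index.cache": b"idx-0",
}
CURRENT_SNAPSHOT = {
    "/opt/app/bin/server": b"ELF-binary-v1",
    "/opt/app/lib/core.so": b"shared-lib-v1",
    "/opt/app/etc/app.conf": b"listen=8080\nworkers=4\n",  # a change that should be alerted on
    "/opt/app/tmp/session_b.tmp": b"sess-b",                 # temp-file churn
    "/opt/app/tmp/session_c.tmp": b"sess-c",                 # temp-file churn
    "/opt/app/cache/index.cache": b"idx-1",                  # cache churn
}

# Files the application owner says must not change after deployment (hypothetical list).
PROTECTED_PATHS = [
    "/opt/app/bin/server",
    "/opt/app/lib/core.so",
    "/opt/app/etc/app.conf",
]

# Exclusion patterns an analyst might add after confirming temp files are in scope.
TEMP_EXCLUSIONS = ["/opt/app/tmp/*", "/opt/app/cache/*"]


def build_baseline(snapshot):
    """Return {path: sha256 hex digest} for every file in the snapshot."""
    return {path: hashlib.sha256(content).hexdigest() for path, content in snapshot.items()}


def is_excluded(path, patterns):
    """True if the path matches any glob-style exclusion pattern."""
    return any(fnmatch.fnmatch(path, pattern) for pattern in patterns)


def detect_changes(baseline, current_snapshot, exclude_patterns=()):
    """Compare a stored baseline against a fresh snapshot and return (kind, path) alerts.

    kind is one of "added", "deleted" or "modified"; excluded paths never alert.
    """
    current = build_baseline(current_snapshot)
    alerts = []
    for path in sorted(set(baseline) | set(current)):
        if is_excluded(path, exclude_patterns):
            continue
        if path not in current:
            alerts.append(("deleted", path))
        elif path not in baseline:
            alerts.append(("added", path))
        elif baseline[path] != current[path]:
            alerts.append(("modified", path))
    return alerts


def exclusions_hiding_protected(exclude_patterns, protected_paths):
    """Return the protected paths that an exclusion list would silently stop monitoring.

    A non-empty result means the tuning is too broad and must be narrowed before use.
    """
    return [path for path in protected_paths if is_excluded(path, exclude_patterns)]


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_SNAPSHOT)

    noisy = detect_changes(baseline, CURRENT_SNAPSHOT)
    print(f"untuned scope: {len(noisy)} alerts")
    for kind, path in noisy:
        print(f"  {kind:9} {path}")

    tuned = detect_changes(baseline, CURRENT_SNAPSHOT, TEMP_EXCLUSIONS)
    print(f"temp paths excluded: {len(tuned)} alert(s)")
    for kind, path in tuned:
        print(f"  {kind:9} {path}")

    # Sanity-check the exclusion list against the protected set before deploying it.
    print("protected files hidden by TEMP_EXCLUSIONS:",
          exclusions_hiding_protected(TEMP_EXCLUSIONS, PROTECTED_PATHS))
    print("protected files hidden by an over-broad '/opt/app/*':",
          exclusions_hiding_protected(["/opt/app/*"], PROTECTED_PATHS))
```

On the constructed snapshots the untuned scan raises five alerts, four of them from the tmp and cache churn; with the two temp exclusions only the `app.conf` modification remains, which is the alert the analyst actually wants to see. Note that `fnmatch` lets `*` match across `/`, so `/opt/app/*` matches every file under the tree and the protected-path check flags all three protected files; that is exactly the mistake the check is there to catch.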
32d799a
1 year, 7 months ago
Selected Answer: C
C. Check if temporary files are being monitored. The first step the security analyst should take is to investigate the cause of the alerts. Checking if temporary files are being monitored is a crucial step in understanding whether the alerts are legitimate or if there is a misconfiguration in the file-integrity monitoring tool. Temporary files can often change and trigger alerts, so it's important to determine whether these files are expected to change as part of normal application behavior.
upvoted 1 times
kumax
1 year, 8 months ago
Selected Answer: B
ChatGPT: When a security analyst discovers that the SIEM (Security Information and Event Management) system is generating an excessive number of alerts from a file-integrity monitoring tool regarding files from a newly deployed application that should not change, the first step to respond to this issue is typically to "investigate the cause of these alerts". Here's what the analyst should do as the FIRST step: Identify the Alerts: Determine which specific files or directories are generating the alerts. This may involve reviewing the alert logs, SIEM dashboards, or the output from the file-integrity monitoring tool.
upvoted 1 times
581777a
1 year, 8 months ago
just said C for me... can't be trusted.
upvoted 1 times
[Removed]
1 year, 10 months ago
Selected Answer: C
Temporary files should not be included in monitoring.
upvoted 1 times
salmonIsDecent
1 year, 11 months ago
Selected Answer: C
C. Check if temporary files are being monitored. By checking if temporary files are being monitored, the analyst can verify whether the file integrity monitoring tool is generating legitimate alerts or if the alerts are triggered by temporary files that can change as part of the application's normal behavior. Temporary files are often created and modified during the operation of applications, and monitoring them might not be necessary for detecting security incidents. After confirming whether temporary files are indeed being monitored and assessing the significance of the alerts, the analyst can take appropriate action, such as notifying the incident response team or informing the development team if there is a genuine security concern or if the alerts are false positives. Dismissing the alert without proper investigation should not be the first course of action.
upvoted 1 times
heinzelrumpel
1 year, 11 months ago
Selected Answer: A
This question is a weird one. If the application has gone through testing and staging, then if FIM had been misconfigured they all should have noticed. If we can rely on the fact that the monitoring process is correct, then the only conclusion left is that the server has been compromised, leaving A as the only viable answer.
upvoted 3 times
absabs
2 years, 4 months ago
I think that this event must be researched; I am going with C, because we must verify that event.
upvoted 2 times
CatoFong
2 years, 4 months ago
Selected Answer: C
C is correct.
upvoted 1 times
Abyad
2 years, 7 months ago
Selected Answer: C
I am using a SIEM every day; I am 100% sure this is C.
upvoted 2 times
TheStudiousPeepz
2 years, 8 months ago
Selected Answer: C
Verify = Check = C
upvoted 2 times
choboanon
2 years, 8 months ago
Selected Answer: C
A. Warn the incident response team that the server can be compromised. - I'm guessing this is a typo and likely says 'has' been compromised. We don't know this for certain so I think A is wrong. The SIEM detected, now we have to check and confirm what is happening.
B. Open a ticket informing the development team about the alerts. - it's already deployed. No point for dev team here except to have them review after further investigation.
C. Check if temporary files are being monitored. - many file changes every day sounds like temp files to me.
D. Dismiss the alert, as the new application is still being adapted to the environment. - obviously no.
upvoted 3 times
brollo
2 years, 3 months ago
Why do you say that A could be a typo? I agree with you that if it was 'has' been compromised instead of 'can' be compromised, A would have been wrong because we are not sure that the server was compromised. But since it says 'can', it could be A in my opinion: SIEM alerts tell you that something weird is going on, so the server can actually be compromised.
upvoted 1 times
marc4354345
2 years, 9 months ago
Selected Answer: C
The description suggests that many files change many times per day, which is imo typical for temporary files. Additionally "newly deployed application" hints at a possible initial operational misconfiguration.
upvoted 5 times
piotr3439
2 years, 9 months ago
Selected Answer: A
In my opinion A.
upvoted 3 times
miabe
2 years, 11 months ago
Selected Answer: C
looks good to me
upvoted 1 times
Community vote distribution: A (35%), C (25%), B (20%), Other