Exam SY0-601 topic 1 question 281 discussion

Actual exam question from CompTIA's SY0-601
Question #: 281
Topic #: 1

During a security incident investigation, an analyst consults the company’s SIEM and sees an event concerning high traffic to a known, malicious command-and-control server. The analyst would like to determine the number of company workstations that may be impacted by this issue. Which of the following can provide this information?

  • A. WAF logs
  • B. DNS logs
  • C. System logs
  • D. Application logs
Suggested Answer: B
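The suggested answer rests on one idea: every workstation that resolved the C2 domain left a query in the resolver's log, so counting distinct client addresses for that name gives the scope. The following is an added example, not part of the question or any comment; it assumes constructed BIND-style query-log lines and a hypothetical indicator domain `example-c2.test`.

```python
import re
from collections import defaultdict
from typing import Dict

# Constructed sample lines in BIND-style query-log format (not real data).
DNS_LOG = """\
12-Mar-2024 09:14:02.113 client 10.0.5.21#51234: query: update.example-c2.test IN A + (10.0.0.53)
12-Mar-2024 09:14:05.870 client 10.0.5.40#49811: query: www.example.com IN A + (10.0.0.53)
12-Mar-2024 09:14:07.002 client 10.0.5.21#51240: query: update.example-c2.test IN A + (10.0.0.53)
12-Mar-2024 09:15:11.440 client 10.0.5.77#60022: query: beacon.update.example-c2.test IN A + (10.0.0.53)
12-Mar-2024 09:16:30.951 client 10.0.5.40#49900: query: mail.example.com IN MX + (10.0.0.53)
12-Mar-2024 09:17:02.300 client 10.0.6.12#53011: query: EXAMPLE-C2.test IN AAAA + (10.0.0.53)
"""

# Pull the querying client and the queried name out of each log line.
QUERY_RE = re.compile(r"client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)")


def matches_indicator(qname: str, indicator: str) -> bool:
    """True if qname is the indicator domain or one of its subdomains.

    Comparison is case-insensitive and trailing dots are ignored, so
    'EXAMPLE-C2.test.' and 'beacon.example-c2.test' both match, while
    'notexample-c2.test' does not (a bare substring test would match it).
    """
    q = qname.lower().rstrip(".")
    i = indicator.lower().rstrip(".")
    return q == i or q.endswith("." + i)


def impacted_hosts(log_text: str, c2_domain: str) -> Dict[str, int]:
    """Map each client IP that resolved the C2 domain to its query count.

    Caveat from the discussion: malware that beacons to a raw IP address
    never touches the resolver, so those hosts will not appear here and
    must be found from endpoint or firewall connection logs instead.
    """
    hits: Dict[str, int] = defaultdict(int)
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m and matches_indicator(m.group("qname"), c2_domain):
            hits[m.group("client")] += 1
    return dict(hits)


if __name__ == "__main__":
    hosts = impacted_hosts(DNS_LOG, "example-c2.test")
    print(f"{len(hosts)} workstation(s) queried the C2 domain:")
    for ip, count in sorted(hosts.items()):
        print(f"  {ip}  ({count} queries)")
```

Repeated queries from the same client are collapsed into one host, which is why the count is by distinct address rather than by log line.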

Comments

rodwave
Highly Voted 2 years, 7 months ago
Selected Answer: B
Answer: DNS. DNS logs can contain a record for every query and response. It can show the IP addresses and domain names that your system should/shouldn't be communicating with, it can reveal malware calling out to its command-and-control server, or data transfers to non-company locations. This is one of the reasons why DNS logs are some of the most valuable logs to import into a SIEM system.
upvoted 36 times
lizb7223
2 years, 5 months ago
DNS logs https://www.geeksforgeeks.org/top-9-common-security-log-sources/?ref=gcse number 9 states that DNS logs do address command and control as well.
upvoted 3 times
ksave
Highly Voted 2 years, 7 months ago
Selected Answer: C
System logs contain logs from multiple sources and therefore should provide all the impacted workstations.
upvoted 7 times
Grumpy_Old_Coot
Most Recent 1 year, 5 months ago
Selected Answer: B
The correct answer is 'B' and pray that your SysAdmins actually have DNS logging and NTP Clients enabled at the workstation level.
upvoted 2 times
sujon_london
1 year, 10 months ago
Selected Answer: B
This explanation may help. DNS logs (Domain Name System logs): DNS logs record the domain name resolutions made by devices on the network. Since the analyst is trying to determine the number of company workstations impacted by traffic to a malicious server, DNS logs could be useful. If workstations are making DNS requests to the malicious command-and-control server, these logs can help identify the affected workstations.
upvoted 3 times
Selected Answer: B
DNS logs can provide valuable information in determining the number of company workstations that may be impacted by the issue. By analyzing the DNS logs, the analyst can identify the workstations that have made DNS requests or connections to the known malicious command-and-control server. This can help in estimating the scope of the impact and identifying potentially compromised workstations.
upvoted 5 times
Navigator
2 years, 1 month ago
Selected Answer: B
Perfect answer is B. System logs do not provide info about network activities, I suppose.
upvoted 1 times
Bl1024
2 years, 1 month ago
Selected Answer: C
The q says "known" C2 server, but some of them use only IP without domain. Also, DNS is not always configured to collect host logs. The BEST way would be the end point system logs. https://securityintelligence.com/how-to-leverage-log-services-to-analyze-cc-traffic/ Most malware will use a Domain Name System (DNS) to resolve a C&C server address. The log files of your internal DNS server are a crucial source of information. Make sure they contain the client queries and, ideally, the answer that was returned. Not all malware will make use of DNS to reach the C&C servers; sometimes it will reach out directly via an IP address. Note that DNS traffic itself can also be used as a communication channel.
upvoted 1 times
Bl1024
2 years, 1 month ago
The correct link: https://securityintelligence.com/how-to-leverage-log-services-to-analyze-cc-traffic/
upvoted 1 times
Yawannawanka
2 years, 2 months ago
Selected Answer: B
B. DNS logs can provide information about the number of company workstations that may be impacted by high traffic to a known, malicious command-and-control server. DNS logs can provide information on the domain names that are being resolved by the workstations in the network. If a workstation is communicating with a known, malicious command-and-control server, its DNS logs may show DNS queries and responses to the domain name associated with the server. By analyzing the DNS logs, an analyst can determine the number of workstations that are communicating with the malicious server and take appropriate actions to mitigate the issue. WAF logs (option A) may provide information on web traffic patterns and attacks, but they may not be directly related to identifying the workstations that are communicating with a malicious command-and-control server. System logs (option C) and application logs (option D) may provide information on events and activities occurring on individual workstations, but they may not provide a holistic view of the network and may not be directly related to identifying the workstations that are communicating with a malicious command-and-control server.
upvoted 2 times
clean_it_up_janny
2 years, 2 months ago
Are we assuming the C2 server has a domain name? It could just be a static IP address that doesn't communicate with a DNS server, which would likely make it C.
upvoted 2 times
ramesh2022
2 years, 4 months ago
Selected Answer: C
C. System logs can provide the analyst with the number of company workstations that may be impacted by this issue. System logs contain information about the activities and events taking place on a computer system, including traffic to and from malicious command-and-control servers. By reviewing the system logs, the analyst can determine the number of workstations that may have been impacted by the security incident.
upvoted 1 times
Lv2023
2 years, 6 months ago
Selected Answer: B
DNS event logs can hold a variety of information that may supply useful security intelligence, such as: The types of queries a host has made to DNS. Hosts that are in communication with suspicious IP address ranges or domains.
upvoted 2 times
johnajwer
2 years, 7 months ago
Selected Answer: C
Answer is C. B is incorrect as we are dealing with a command-and-control server. System logs are vital for this.
upvoted 3 times
Sandon
2 years, 7 months ago
Why does that change the answer? Seems like DNS logs would still tell you which workstations connected to it.
upvoted 2 times
Sandon
2 years, 5 months ago
I take it back, you're correct
upvoted 2 times
carpathia
2 years, 7 months ago
Selected Answer: B
DNS logs would contain that info. System logs don't necessarily.
upvoted 4 times
atrax
2 years, 7 months ago
Selected Answer: C
System logs or Syslogs is correct.
upvoted 2 times
Community vote distribution
A (35%)
C (25%)
B (20%)