Q: 3
Which step in the incident response process researches an attacking host through logs in a SIEM?
Options
Discussion
Checking SIEM logs to investigate a host happens during detection and analysis. Option A matches what you'd do first after spotting suspicious activity. Saw similar on a practice test, pretty sure it's A.
Makes sense to pick A here, since checking the SIEM logs is all about detecting and analyzing the threat. You can't really contain until you've figured out what's happening. Pretty sure that's what Cisco wants, but feel free to jump in if you disagree.
A tbh, researching the logs in SIEM is part of figuring out what happened which falls under detection and analysis. Containment would come after you know enough to act. Pretty sure that's how Cisco breaks it down, but open if someone thinks different.
I don't think it's D. Investigating hosts in SIEM logs is classic detection and analysis (A), not containment, which comes after. Trap is thinking you'd go right to action just by reviewing logs. Logs are for figuring out what's happening.
Why not D here if the logs directly trigger containment actions? Is it always just analysis?
A. D is tempting, but log research is classic detection and analysis, not containment.
C or D but leaning toward D. I remember from some official practice that containment sometimes needs reviewing SIEM logs to limit the threat. Not 100% though, maybe check the guide if you have it.
A or D... Cisco always flips the IR steps, but researching SIEM logs is classic detection and analysis (A) in their playbook. Never seen log research in containment. Anyone got official doc that says otherwise?
That's A for sure.
A not D. Looking at SIEM logs matches detection and analysis, not containment. It's easy to mix those up but containment's when you actually act on the findings.
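As an added defender-side illustration (not part of the thread or of any Cisco material), the snippet below does the kind of SIEM log research the question describes: it parses constructed key=value log lines, pivots on one source address to build an activity summary (the detection and analysis step), and only then turns that analysis into an input for the containment decision. The log format, hosts and IP addresses are constructed.

```python
import re

# Constructed SIEM-style events (not from the original thread).
SIEM_LOGS = """\
2024-05-01T10:00:01Z fw src=203.0.113.7 dst=10.0.0.5 dport=22 action=allow
2024-05-01T10:00:03Z auth host=10.0.0.5 user=admin src=203.0.113.7 result=fail
2024-05-01T10:00:04Z auth host=10.0.0.5 user=admin src=203.0.113.7 result=fail
2024-05-01T10:00:09Z auth host=10.0.0.5 user=admin src=203.0.113.7 result=success
2024-05-01T10:01:15Z fw src=203.0.113.7 dst=10.0.0.8 dport=445 action=allow
2024-05-01T10:02:00Z fw src=198.51.100.9 dst=10.0.0.5 dport=443 action=allow
"""

KV = re.compile(r"(\w+)=(\S+)")

def parse(text):
    """Turn '<ts> <source> k=v k=v ...' lines into dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, source, rest = line.split(" ", 2)
        fields = dict(KV.findall(rest))
        fields.update(ts=ts, source=source)
        events.append(fields)
    return events

def research_host(events, attacker_ip):
    """Detection & analysis: pivot on one source IP and summarise what it did."""
    s = {"events": 0, "failed_logins": 0, "successful_logins": 0,
         "targets": set(), "first_seen": None, "last_seen": None}
    for e in events:
        if e.get("src") != attacker_ip:
            continue
        s["events"] += 1
        s["first_seen"] = s["first_seen"] or e["ts"]
        s["last_seen"] = e["ts"]
        if e["source"] == "auth":
            key = "successful_logins" if e["result"] == "success" else "failed_logins"
            s[key] += 1
            s["targets"].add(e["host"])
        elif e["source"] == "fw":
            s["targets"].add(e["dst"])
    return s

def containment_warranted(summary):
    """Containment is a separate, later decision that consumes the analysis:
    here, a successful login after repeated failures from the same source."""
    return summary["successful_logins"] > 0 and summary["failed_logins"] >= 2

if __name__ == "__main__":
    summary = research_host(parse(SIEM_LOGS), "203.0.113.7")
    print(summary, "-> contain:", containment_warranted(summary))
```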