Q: 13
An employee who often travels abroad logs in from a first-seen country during non-working hours.
The SIEM tool generates an alert that the user is forwarding an increased amount of emails to an
external mail domain and then logs out. The investigation concludes that the external domain
belongs to a competitor. Which two behaviors triggered UEBA? (Choose two.)
Options
Discussion
Would option E actually count as a UEBA trigger or is it just part of the suspicious activity? Not totally sure.
Why does Cisco still make these questions so vague? B/D.
B and D. Saw a similar scenario mentioned in some exam report, both are classic UEBA triggers.
Probably B and D. The logins outside normal hours and from a first-seen country are clear UEBA triggers, since they flag deviations from usual behavior. Nice straightforward scenario for analyzing user risk patterns here.
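To make the "deviation from usual behaviour" idea concrete, here is a small UEBA-style detector added as an illustration (it is not from the exam, the discussion, or any Cisco product). It builds a per-user baseline of seen login countries and daily external mail-forward volume from constructed history, then scores a new batch of events for the three behaviours the scenario describes: a first-seen country, a login outside working hours, and a spike in forwards to an external domain. The user name, domains, working-hour window and log format are all constructed assumptions; whether the destination belongs to a competitor is an investigation finding, not something the detector itself can know.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample history (not from the page): office-hour logins from two
# countries plus roughly one outbound forward per day to a known partner domain.
HISTORY = [
    {"user": "jdoe", "type": "login", "country": "US", "ts": "2024-03-04T09:12:00"},
    {"user": "jdoe", "type": "login", "country": "US", "ts": "2024-03-05T08:47:00"},
    {"user": "jdoe", "type": "login", "country": "DE", "ts": "2024-03-06T10:05:00"},
    {"user": "jdoe", "type": "login", "country": "US", "ts": "2024-03-07T09:30:00"},
    {"user": "jdoe", "type": "mail_forward", "to_domain": "partner.example", "ts": "2024-03-04T11:00:00"},
    {"user": "jdoe", "type": "mail_forward", "to_domain": "partner.example", "ts": "2024-03-05T14:20:00"},
    {"user": "jdoe", "type": "mail_forward", "to_domain": "partner.example", "ts": "2024-03-06T15:00:00"},
    {"user": "jdoe", "type": "mail_forward", "to_domain": "partner.example", "ts": "2024-03-07T16:10:00"},
]

# Constructed new activity mirroring the scenario: a night-time login from a
# never-seen country followed by a burst of forwards to an external domain.
NEW_EVENTS = [
    {"user": "jdoe", "type": "login", "country": "BR", "ts": "2024-03-09T02:15:00"},
] + [
    {"user": "jdoe", "type": "mail_forward", "to_domain": "rival.example",
     "ts": f"2024-03-09T02:{m:02d}:00"}
    for m in range(20, 32)
]

INTERNAL_DOMAIN = "corp.example"   # assumed internal mail domain
WORK_HOURS = range(7, 20)          # assumed working-hour window, 07:00 to 19:59


def _day(ts):
    return ts[:10]


def build_baseline(history):
    """Per-user profile: countries seen at login and external forwards per active day."""
    baseline = defaultdict(lambda: {"countries": set(), "forwards_per_day": defaultdict(int)})
    for ev in history:
        prof = baseline[ev["user"]]
        if ev["type"] == "login":
            prof["countries"].add(ev["country"])
        elif ev["type"] == "mail_forward" and ev["to_domain"] != INTERNAL_DOMAIN:
            prof["forwards_per_day"][_day(ev["ts"])] += 1
    return baseline


def detect(baseline, events):
    """Return {user: sorted trigger names} for every behaviour that deviates from the baseline."""
    triggers = defaultdict(set)
    new_forwards = defaultdict(lambda: defaultdict(int))
    for ev in events:
        prof = baseline[ev["user"]]
        if ev["type"] == "login":
            hour = datetime.fromisoformat(ev["ts"]).hour
            if ev["country"] not in prof["countries"]:
                triggers[ev["user"]].add("first_seen_country")
            if hour not in WORK_HOURS:
                triggers[ev["user"]].add("off_hours_login")
        elif ev["type"] == "mail_forward" and ev["to_domain"] != INTERNAL_DOMAIN:
            new_forwards[ev["user"]][_day(ev["ts"])] += 1
    for user, days in new_forwards.items():
        hist = list(baseline[user]["forwards_per_day"].values()) or [0]
        mean, sd = statistics.fmean(hist), statistics.pstdev(hist)
        # Floor the threshold so a perfectly flat history still needs a real jump to fire.
        threshold = mean + max(3 * sd, 3.0)
        if any(count > threshold for count in days.values()):
            triggers[user].add("forward_volume_spike")
    return {user: sorted(names) for user, names in triggers.items()}


if __name__ == "__main__":
    print(detect(build_baseline(HISTORY), NEW_EVENTS))
```

Running it on the constructed data flags all three behaviours for `jdoe`; a daytime login from Germany, which is already in the baseline, produces no trigger. In a real deployment the baseline would be built from weeks of SIEM data per user and peer group rather than a handful of events, and the thresholds would be tuned to the tenant's false-positive budget.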