Question 20

Question

SIMULATION An organization's website was maliciously altered. INSTRUCTIONS Review information in each tab to select the source IP the analyst should be concerned about, the indicator of compromise, and the two appropriate corrective actions. https://kxbjsyuhceggsyvxdkof.supabase.co/storage/v1/object/public/file-images/Analyst+_CS0-003/page_254_img_1.jpg https://kxbjsyuhceggsyvxdkof.supabase.co/storage/v1/object/public/file-images/Analyst+_CS0-003/page_255_img_1.jpg https://kxbjsyuhceggsyvxdkof.supabase.co/storage/v1/object/public/file-images/Analyst+_CS0-003/page_256_img_1.jpg https://kxbjsyuhceggsyvxdkof.supabase.co/storage/v1/object/public/file-images/Analyst+_CS0-003/page_256_img_2.jpg

Nina T. · Answer

Nah, it's not the internal IP. The external 41.21.18.102 logged in as sjames and changed the index.html, so that's your source and IoC. Deleting the account and changing its password are the right actions, internal IP's just normal server traffic imo.

MorganL · Answer

Not 10.7.34.82, it's 41.21.18.102 for the source IP here.

CalmArchitect4698 · Answer

Not quite the internal address. The suspicious activity comes from 41.21.18.102, which logs in as sjames and alters index.html. The two key steps are changing that account's password and deleting it, since internal IPs just reflect normal ops. Seen this logic in other CySA+ practice sets, pretty sure that's right.

Vikram R. · Answer

41.21.18.102 as the source IP, modified index.html is the indicator, and you need to change then delete the sjames account. Internal IP is just local traffic so doesn’t look relevant here.

PracticalMentor6598 · Answer

Looks like this only flips if the sjames account was disabled not deleted, but in this scenario deleting it plus changing the password is safest. Source IP's gotta be 41.21.18.102 since it's the only external login right before index.html was touched, at least in similar exam cases I've seen.

Premium Access Includes

FLASH OFFER

avail 10% DISCOUNT on YOUR PURCHASE