Which of the following should the analyst do first to evaluate the potential impact of this security incident?

During an investigation, an analyst discovers the following rule in an executive’s email client:

The executive is not aware of this rule.

Which of the following should the analyst do first to evaluate the potential impact of this security incident?
A. Check the server logs to evaluate which emails were sent to <someaddress@domain.com>.
B. Use the SIEM to correlate logging events from the email server and the domain server.
C. Remove the rule from the email client and change the password.
D. Recommend that the management team implement SPF and DKIM.

Answer: A

Explanation:

Checking the server logs to evaluate which emails were sent to <someaddress@domain.com> is the first action the analyst should take to evaluate the potential impact of this security incident. Server logs record events or activities that occur on a server, such as email transactions, web requests, or authentication attempts. Checking them can help determine how many emails were sent to <someaddress@domain.com>, when they were sent, who sent them, and what they contained. This helps the analyst assess the scope and severity of the incident and plan further actions.

Reference: https://www.techopedia.com/definition/1308/server-log
