Which step in the incident response process researches an attacking host through logs in a SIEM?

Which step in the incident response process researches an attacking host through logs in a SIEM?
A . detection and analysis
B . preparation
C . eradication
D . containment

View Answer

Answer: A

Explanation:

Preparation –> Detection and Analysis –> Containment, Erradicaion and Recovery –> Post-Incident Activity

Detection and Analysis –> Profile networks and systems, Understand normal behaviors, Create a log retention policy, Perform event correlation. Maintain and use a knowledge base of information. Use Internet search engines for research. Run packet sniffers to collect additional data. Filter the data. Seek assistance from others. Keep all host clocks synchronized. Know the different types of attacks and attack vectors. Develop processes and procedures to recognize the signs of an incident. Understand the sources of precursors and indicators. Create appropriate incident documentation capabilities and processes. Create processes to effectively prioritize security incidents. Create processes to effectively communicate incident information (internal and external communications).

Ref: Cisco CyberOps Associate CBROPS 200-201 Official Cert Guide