Cisco 350-201 Exam - Topic 9 Question 29 Discussion

Actual exam question for Cisco's 350-201 exam

Question #: 29
Topic #: 9

A security analyst receives an escalation regarding an unidentified connection on the Accounting A1 server within a monitored zone. The analyst pulls the logs and discovers that a Powershell process and a WMI tool process were started on the server after the connection was established and that a PE format file was created in the system directory. What is the next step the analyst should take?

AIsolate the server and perform forensic analysis of the file to determine the type and vector of a possible attack

BIdentify the server owner through the CMDB and contact the owner to determine if these were planned and identifiable activities

CReview the server backup and identify server content and data criticality to assess the intrusion risk

DPerform behavioral analysis of the processes on an isolated workstation and perform cleaning procedures if the file is malicious

Show Suggested Answer

Suggested Answer: C

by Amber at May 04, 2022, 03:28 AM

Limited Time Offer

25%

6 months ago

Ah, I think I've got it. The scripts are likely in the <ORACLE_HOME>/user_projects/domains/mydomain/bin/jta-scripts directory. That makes the most sense to me.

upvoted 0 times

...