CompTIA CAS-005 Exam - Topic 1 Question 12 Discussion

Actual exam question for CompTIA's CAS-005 exam
Question #: 12
Topic #: 1

An analyst reviews a SIEM and generates the following report:

Only HOST002 is authorized for internet traffic. Which of the following statements is accurate?

Suggested Answer: D

Comprehensive and Detailed

Understanding the Security Event:

HOST002 is the only device authorized for internet traffic. However, the SIEM logs show that VM002 is making network connections to web.corp.local.

This indicates unauthorized access, which could be a sign of lateral movement or network infection.

This is a red flag for potential malware, unauthorized software, or a compromised host.

Why Option D is Correct:

Unusual network traffic patterns are often an indicator of a compromised system.

VM002 should not be communicating externally, but it is.

This suggests a possible breach or malware infection attempting to communicate with a command-and-control (C2) server.

Why Other Options Are Incorrect:

A (Misconfiguration): While a misconfiguration could explain the unauthorized connections, the pattern of activity suggests something more malicious.

B (Security incident on HOST002): The issue is not with HOST002. The suspicious activity is from VM002.

C (False positives): The repeated pattern of unauthorized connections makes false positives unlikely.


CompTIA SecurityX CAS-005 Official Study Guide: Chapter on SIEM & Incident Analysis

MITRE ATT&CK Tactics: Lateral Movement & Network-based Attacks
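As an added illustration (not part of the page or the exam material), this is the allowlist check an analyst would run over such a SIEM export to surface the VM002 pattern the explanation describes: any host outside the authorized set that makes repeated external connections is reported, while a single stray connection stays below the threshold so that one-off noise is not confused with a persistent pattern. The log format, host names and destinations are constructed assumptions.

```python
"""Allowlist check over a SIEM connection export (added example, not from the page)."""
from collections import Counter, defaultdict

# Constructed sample export: timestamp, source host, destination, action.
SAMPLE_LOG = """\
2025-01-10T09:00:01Z HOST002 web.corp.local:443 allowed
2025-01-10T09:00:05Z VM002 web.corp.local:443 allowed
2025-01-10T09:00:09Z VM002 web.corp.local:443 allowed
2025-01-10T09:00:13Z VM002 web.corp.local:443 allowed
2025-01-10T09:01:00Z HOST002 updates.example.com:443 allowed
2025-01-10T09:02:30Z HOST001 web.corp.local:443 allowed
malformed line that should be skipped
"""

# From the question: only HOST002 is authorized for internet traffic.
AUTHORIZED_INTERNET_HOSTS = {"HOST002"}


def parse_records(text):
    """Parse whitespace-separated records; malformed lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, src, dst, action = parts
        records.append({"ts": ts, "src": src, "dst": dst, "action": action})
    return records


def find_unauthorized(records, allowlist=AUTHORIZED_INTERNET_HOSTS, min_count=2):
    """Return {host: {destination: count}} for hosts outside the allowlist.

    A host is reported only when it produced at least min_count connections,
    so a single connection (a candidate false positive) is held back for review
    while a repeated pattern, as with VM002 here, is escalated.
    """
    counts = defaultdict(Counter)
    for r in records:
        if r["src"] not in allowlist:
            counts[r["src"]][r["dst"]] += 1
    return {h: dict(c) for h, c in counts.items() if sum(c.values()) >= min_count}


if __name__ == "__main__":
    for host, dests in find_unauthorized(parse_records(SAMPLE_LOG)).items():
        print(f"unauthorized external traffic from {host}: {dests}")
```

Lowering min_count to 1 also lists HOST001's single connection, which is the set an analyst would triage for misconfiguration rather than escalate immediately.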

Lasandra
2 months ago
Unusual activity could mean a network infection, but let's not jump to conclusions.
upvoted 0 times
Johnetta
2 months ago
Totally agree, VM002 must be misconfigured!
upvoted 0 times
Marylin
2 months ago
HOST002 is the only one allowed for internet traffic.
upvoted 0 times
Paul
3 months ago
I think the SIEM might just be throwing false positives.
upvoted 0 times
Aileen
3 months ago
Wait, are we sure HOST002 is actually under attack?
upvoted 0 times
Dante
3 months ago
Option D sounds concerning; unusual activity could indicate a network infection. I just hope I remember the signs of such infections correctly from my studies.
upvoted 0 times
Jesusa
3 months ago
I feel like I've seen practice questions where false positives were a common issue with SIEMs. Option C might be relevant, but I wonder how often that happens in real scenarios.
upvoted 0 times
Dannie
4 months ago
I think option B could be a possibility too, especially if HOST002 is the only one allowed internet access. It might be under attack, but I need to double-check the definitions of security incidents.
upvoted 0 times
Rosenda
4 months ago
I remember studying about misconfigurations in network setups, so option A seems plausible, but I'm not entirely sure if that's the only issue.
upvoted 0 times
Andra
4 months ago
I'm not sure about option C - the SIEM platform is reporting the activity, so it doesn't seem like a false positive. Option D also seems less likely since the question states that only HOST002 is authorized.
upvoted 0 times
Hildegarde
4 months ago
Good point, Josephine. But option B also seems plausible - if HOST002 is under attack, that would be a serious security incident that needs to be declared.
upvoted 0 times
Josephine
4 months ago
I'm leaning towards option A, since the report indicates that VM002 is making unauthorized internet connections, which suggests a misconfiguration that needs to be addressed.
upvoted 0 times
Theodora
5 months ago
Okay, let's think this through step-by-step. The key information is that only HOST002 is authorized for internet traffic, so we need to determine which statement best reflects that.
upvoted 0 times
Phuong
5 months ago
This question seems straightforward, but I want to make sure I understand the details before selecting an answer.
upvoted 0 times
Sanjuana
10 months ago
Whoa, a network infection? That sounds serious! We better call in the cybersecurity experts to handle this one. I'll start stocking up on caffeine.
upvoted 0 times
Vivienne
9 months ago
I agree, let's notify the cybersecurity team immediately.
upvoted 0 times
Janae
9 months ago
We need to act fast and contain the infection before it spreads.
upvoted 0 times
Brock
10 months ago
Haha, the SIEM platform is probably just having a bad day. False positives happen all the time, right? Let's not jump to any conclusions just yet.
upvoted 0 times
Adolph
11 months ago
I'm not so sure about that. The report clearly states that only HOST002 is authorized for internet traffic, so the activity on VM002 is likely a security incident that needs to be investigated further.
upvoted 0 times
Sheridan
9 months ago
D) The network connection activity is unusual, and a network infection is highly possible.
upvoted 0 times
Kiley
9 months ago
C) The SIEM platform is reporting multiple false positives on the alerts.
upvoted 0 times
Sue
9 months ago
B) The HOST002 host is under attack, and a security incident should be declared.
upvoted 0 times
Gail
10 months ago
A) The VM002 host is misconfigured and needs to be revised by the network team.
upvoted 0 times
Katy
11 months ago
I agree with Terrilyn. Option A seems to be the most logical choice based on the information provided.
upvoted 0 times
Terrilyn
11 months ago
But the report clearly states only HOST002 is authorized for internet traffic.
upvoted 0 times
Lorenza
11 months ago
I disagree, I believe option D is more likely. There might be a network infection.
upvoted 0 times
Terrilyn
11 months ago
I think option A is correct. VM002 needs to be revised.
upvoted 0 times
Nieves
11 months ago
The VM002 host is definitely misconfigured. The network team needs to take a closer look and get that fixed ASAP.
upvoted 0 times
Jess
10 months ago
C) The SIEM platform is reporting multiple false positives on the alerts.
upvoted 0 times
Garry
10 months ago
B) The HOST002 host is under attack, and a security incident should be declared.
upvoted 0 times
Ilona
10 months ago
A) The VM002 host is misconfigured and needs to be revised by the network team.
upvoted 0 times