
CompTIA CAS-005 Exam - Topic 1 Question 12 Discussion

Actual exam question for CompTIA's CAS-005 exam
Question #: 12
Topic #: 1

An analyst reviews a SIEM and generates the following report:

Only HOST002 is authorized for internet traffic. Which of the following statements is accurate?

Suggested Answer: D

Comprehensive and Detailed

Understanding the Security Event:

HOST002 is the only device authorized for internet traffic. However, the SIEM logs show that VM002 is making network connections to web.corp.local.

This indicates unauthorized access, which could be a sign of lateral movement or network infection.

This is a red flag for potential malware, unauthorized software, or a compromised host.

Why Option D is Correct:

Unusual network traffic patterns are often an indicator of a compromised system.

VM002 should not be communicating externally, but it is.

This suggests a possible breach or malware infection attempting to communicate with a command-and-control (C2) server.

Why Other Options Are Incorrect:

A (Misconfiguration): While a misconfiguration could explain the unauthorized connections, the pattern of activity suggests something more malicious.

B (Security incident on HOST002): The issue is not with HOST002. The suspicious activity is from VM002.

C (False positives): The repeated pattern of unauthorized connections makes false positives unlikely.


CompTIA SecurityX CAS-005 Official Study Guide: Chapter on SIEM & Incident Analysis

MITRE ATT&CK Tactics: Lateral Movement & Network-based Attacks
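The reasoning above (only HOST002 may reach the internet, so any web traffic from another host is unexpected, and a repeated pattern points to compromise rather than noise) can be turned into a simple SIEM-style check. The following is an added example, not code from the exam question or from CompTIA; the log format, timestamps, hostnames other than HOST002 and VM002, destination addresses, and the repeat threshold are all constructed assumptions.

```python
"""Flag outbound web connections from hosts that are not on the
internet-authorized allow list, the way an analyst reviewing a SIEM
report would. Added example with a constructed log format."""
import re
from collections import Counter

# Constructed sample SIEM export: timestamp, source host, destination, port, action.
SAMPLE_LOG = """\
2024-05-01T09:00:01Z HOST002 web.corp.local 443 ALLOW
2024-05-01T09:00:05Z VM002 web.corp.local 443 ALLOW
2024-05-01T09:01:10Z VM002 web.corp.local 443 ALLOW
2024-05-01T09:02:15Z VM002 203.0.113.10 443 ALLOW
2024-05-01T09:03:00Z HOST002 203.0.113.10 80 ALLOW
2024-05-01T09:04:20Z VM002 203.0.113.10 443 ALLOW
"""

# Allow list from the question: only HOST002 is authorized for internet traffic.
AUTHORIZED_FOR_INTERNET = {"HOST002"}
# Ports treated as web traffic (assumption for this example).
WEB_PORTS = {80, 443}
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\S+)$")


def parse_events(text):
    """Parse the constructed log format into a list of event dicts.
    Malformed lines are skipped rather than raising, since a SIEM export
    often carries headers or truncated rows."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, src, dst, port, action = m.groups()
        events.append({"ts": ts, "src": src, "dst": dst,
                       "port": int(port), "action": action})
    return events


def find_unauthorized_web_traffic(events, authorized=AUTHORIZED_FOR_INTERNET):
    """Count web-port connections per source host that is not on the allow list."""
    counts = Counter()
    for e in events:
        if e["port"] in WEB_PORTS and e["src"] not in authorized:
            counts[e["src"]] += 1
    return dict(counts)


def assess(events, authorized=AUTHORIZED_FOR_INTERNET, repeat_threshold=3):
    """Map each offending host to a triage label.

    A single stray connection is consistent with a misconfiguration or an
    isolated false positive; a repeated pattern from a host that should never
    talk to the web is treated as a suspected compromise (the option D
    reasoning). The threshold is an assumed tuning value."""
    findings = {}
    for host, n in find_unauthorized_web_traffic(events, authorized).items():
        if n >= repeat_threshold:
            findings[host] = "suspected compromise"
        else:
            findings[host] = "review: possible misconfiguration"
    return findings


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print(find_unauthorized_web_traffic(evs))  # {'VM002': 4}
    print(assess(evs))                         # {'VM002': 'suspected compromise'}
```

On the constructed sample, HOST002 never appears in the findings because it is on the allow list, while VM002 is flagged four times and crosses the repeat threshold, matching the explanation's point that a repeated pattern makes a one-off false positive unlikely.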

Contribute your Thoughts:

Lasandra
4 months ago
Unusual activity could mean a network infection, but let's not jump to conclusions.
upvoted 0 times
Johnetta
4 months ago
Totally agree, VM002 must be misconfigured!
upvoted 0 times
Marylin
4 months ago
HOST002 is the only one allowed for internet traffic.
upvoted 0 times
Paul
4 months ago
I think the SIEM might just be throwing false positives.
upvoted 0 times
Aileen
4 months ago
Wait, are we sure HOST002 is actually under attack?
upvoted 0 times
Dante
5 months ago
Option D sounds concerning; unusual activity could indicate a network infection. I just hope I remember the signs of such infections correctly from my studies.
upvoted 0 times
Jesusa
5 months ago
I feel like I've seen practice questions where false positives were a common issue with SIEMs. Option C might be relevant, but I wonder how often that happens in real scenarios.
upvoted 0 times
Dannie
5 months ago
I think option B could be a possibility too, especially if HOST002 is the only one allowed internet access. It might be under attack, but I need to double-check the definitions of security incidents.
upvoted 0 times
Rosenda
5 months ago
I remember studying about misconfigurations in network setups, so option A seems plausible, but I'm not entirely sure if that's the only issue.
upvoted 0 times
Andra
6 months ago
I'm not sure about option C - the SIEM platform is reporting the activity, so it doesn't seem like a false positive. Option D also seems less likely since the question states that only HOST002 is authorized.
upvoted 0 times
Hildegarde
6 months ago
Good point, Josephine. But option B also seems plausible - if HOST002 is under attack, that would be a serious security incident that needs to be declared.
upvoted 0 times
Josephine
6 months ago
I'm leaning towards option A, since the report indicates that VM002 is making unauthorized internet connections, which suggests a misconfiguration that needs to be addressed.
upvoted 0 times
Theodora
6 months ago
Okay, let's think this through step-by-step. The key information is that only HOST002 is authorized for internet traffic, so we need to determine which statement best reflects that.
upvoted 0 times
Phuong
6 months ago
This question seems straightforward, but I want to make sure I understand the details before selecting an answer.
upvoted 0 times
Sanjuana
12 months ago
Whoa, a network infection? That sounds serious! We better call in the cybersecurity experts to handle this one. I'll start stocking up on caffeine.
upvoted 0 times
Vivienne
11 months ago
I agree, let's notify the cybersecurity team immediately.
upvoted 0 times
Janae
11 months ago
We need to act fast and contain the infection before it spreads.
upvoted 0 times
Brock
12 months ago
Haha, the SIEM platform is probably just having a bad day. False positives happen all the time, right? Let's not jump to any conclusions just yet.
upvoted 0 times
Adolph
1 year ago
I'm not so sure about that. The report clearly states that only HOST002 is authorized for internet traffic, so the activity on VM002 is likely a security incident that needs to be investigated further.
upvoted 0 times
Sheridan
11 months ago
D) The network connection activity is unusual, and a network infection is highly possible.
upvoted 0 times
Kiley
11 months ago
C) The SIEM platform is reporting multiple false positives on the alerts.
upvoted 0 times
Sue
11 months ago
B) The HOST002 host is under attack, and a security incident should be declared.
upvoted 0 times
Gail
11 months ago
A) The VM002 host is misconfigured and needs to be revised by the network team.
upvoted 0 times
Katy
1 year ago
I agree with Terrilyn. Option A seems to be the most logical choice based on the information provided.
upvoted 0 times
Terrilyn
1 year ago
But the report clearly states only HOST002 is authorized for internet traffic.
upvoted 0 times
Lorenza
1 year ago
I disagree, I believe option D is more likely. There might be a network infection.
upvoted 0 times
Terrilyn
1 year ago
I think option A is correct. VM002 needs to be revised.
upvoted 0 times
Nieves
1 year ago
The VM002 host is definitely misconfigured. The network team needs to take a closer look and get that fixed ASAP.
upvoted 0 times
Jess
11 months ago
C) The SIEM platform is reporting multiple false positives on the alerts.
upvoted 0 times
Garry
12 months ago
B) The HOST002 host is under attack, and a security incident should be declared.
upvoted 0 times
Ilona
12 months ago
A) The VM002 host is misconfigured and needs to be revised by the network team.
upvoted 0 times