A security analyst notices repeated attempts by a remote host to scan domain controllers on different ports and to issue unexpected process-execution commands. The team needs to confirm whether this suspicious activity indicates an active breach. Which choice best reveals the presence of malicious behavior?
Block all external ports to the domain controllers
Check for unpatched software on the servers
Correlate security and event data from diverse platforms to discover consistent unauthorized behavior
Review activities on a single domain controller to limit detection efforts
Correlating logs from multiple sources provides the strongest evidence of unauthorized activity. By reviewing endpoint, network-device, and user-activity logs together, the team can reconstruct a chain of suspicious events (port scans, followed by logons from the scanning host, followed by unexpected process creation) that no single source shows on its own. Blocking external ports before the activity is understood may disrupt legitimate services and destroys evidence of what the attacker is doing, while limiting the review to one domain controller or to a patch audit overlooks traces that only appear in the logs of other hosts and devices.
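As an added illustration of the correlation described above (example code, not part of the original question or its explanation), the script below joins three constructed log sources on a shared key, the source IP: firewall connection records, Windows Security event 4624 (logon) and event 4688 (process creation) from the domain controllers. All sample events, field names and thresholds are assumptions made for the example. It flags a source only when a multi-port, multi-host scan is followed within a time window by a logon from that source and then process creation under the same account on the same DC, and it shows that restricting the data to a single DC finds nothing.

```python
"""Toy cross-source log correlation: port scan -> logon -> process creation."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events normalised to one schema: (timestamp, source, fields).
# The sources stand in for a firewall/NetFlow feed and the Windows Security log
# (4624 network logon, 4688 process creation) collected from each DC.
RAW_EVENTS = [
    # firewall: one external host touches two DCs on several ports
    ("2024-05-01T09:00:01", "firewall", {"src_ip": "203.0.113.7", "dst_host": "DC01", "dst_port": 135}),
    ("2024-05-01T09:00:02", "firewall", {"src_ip": "203.0.113.7", "dst_host": "DC01", "dst_port": 445}),
    ("2024-05-01T09:00:03", "firewall", {"src_ip": "203.0.113.7", "dst_host": "DC01", "dst_port": 389}),
    ("2024-05-01T09:00:04", "firewall", {"src_ip": "203.0.113.7", "dst_host": "DC02", "dst_port": 445}),
    ("2024-05-01T09:00:05", "firewall", {"src_ip": "203.0.113.7", "dst_host": "DC02", "dst_port": 3389}),
    ("2024-05-01T09:00:06", "firewall", {"src_ip": "203.0.113.7", "dst_host": "DC02", "dst_port": 5985}),
    # an internal admin workstation: one port, one DC
    ("2024-05-01T09:01:00", "firewall", {"src_ip": "10.0.0.5", "dst_host": "DC01", "dst_port": 389}),
    # DC02 Security log: network logon from the scanning host, then process creation
    ("2024-05-01T09:02:10", "win_4624", {"host": "DC02", "src_ip": "203.0.113.7", "user": "svc_backup", "logon_type": 3}),
    ("2024-05-01T09:02:15", "win_4688", {"host": "DC02", "user": "svc_backup",
                                          "cmdline": 'cmd.exe /c whoami && net group "Domain Admins" /domain'}),
    # DC01 Security log: routine admin activity with no scan behind it
    ("2024-05-01T09:05:00", "win_4624", {"host": "DC01", "src_ip": "10.0.0.5", "user": "jsmith", "logon_type": 3}),
    ("2024-05-01T09:05:20", "win_4688", {"host": "DC01", "user": "jsmith", "cmdline": "dcdiag.exe /test:dns"}),
]

# Thresholds are assumptions chosen for this example.
MIN_PORTS = 3                   # distinct destination ports before a source counts as scanning
MIN_HOSTS = 2                   # distinct DCs the source must have touched
WINDOW = timedelta(minutes=10)  # scan, logon and process creation must all fall inside this


def parse(raw_events):
    return [(datetime.fromisoformat(ts), src, fields) for ts, src, fields in raw_events]


def correlate(raw_events, min_ports=MIN_PORTS, min_hosts=MIN_HOSTS, window=WINDOW):
    """Return one finding per source IP whose scan, logon and process events chain together."""
    events = sorted(parse(raw_events), key=lambda e: e[0])

    # Step 1: scan detection from the network source, keyed by source IP.
    ports, hosts, first_seen = defaultdict(set), defaultdict(set), {}
    for t, src, f in events:
        if src == "firewall":
            ip = f["src_ip"]
            ports[ip].add(f["dst_port"])
            hosts[ip].add(f["dst_host"])
            first_seen.setdefault(ip, t)
    scanners = {ip for ip in ports if len(ports[ip]) >= min_ports and len(hosts[ip]) >= min_hosts}

    findings = []
    for ip in sorted(scanners):
        deadline = first_seen[ip] + window
        # Step 2: logons from the scanning host onto any DC inside the window.
        logons = [(t, f) for t, src, f in events
                  if src == "win_4624" and f["src_ip"] == ip and first_seen[ip] <= t <= deadline]
        for logon_time, logon in logons:
            # Step 3: process creation under that account on the same DC, after the logon.
            procs = [f for t, src, f in events
                     if src == "win_4688" and f["host"] == logon["host"]
                     and f["user"] == logon["user"] and logon_time <= t <= deadline]
            if procs:
                findings.append({
                    "src_ip": ip,
                    "scanned_hosts": sorted(hosts[ip]),
                    "scanned_ports": sorted(ports[ip]),
                    "logon_host": logon["host"],
                    "user": logon["user"],
                    "commands": [p["cmdline"] for p in procs],
                })
    return findings


def restrict_to_host(raw_events, host):
    """Keep only what one DC (and the firewall traffic aimed at it) would show."""
    return [e for e in raw_events if e[2].get("dst_host", e[2].get("host")) == host]


if __name__ == "__main__":
    for fnd in correlate(RAW_EVENTS):
        print(f"{fnd['src_ip']} scanned {fnd['scanned_hosts']} on ports {fnd['scanned_ports']}, "
              f"then logged on to {fnd['logon_host']} as {fnd['user']} and ran {fnd['commands']}")
    print("DC01-only view:", correlate(restrict_to_host(RAW_EVENTS, "DC01")))
```

Run as written, the full data set yields one finding for 203.0.113.7, while the DC01-only view yields none: the scan no longer meets the multi-host threshold and the logon and process events live on DC02. That is the practical reason the explanation rejects reviewing a single domain controller.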