A security analyst notices repeated efforts from a remote host scanning domain controllers across different ports and sending unexpected process commands. The team needs to confirm whether these suspicious activities point to an active breach. Which choice best reveals the presence of malicious behavior?
Check for unpatched software on the servers
Correlate security and event data from diverse platforms to discover consistent unauthorized behavior
Block all external ports to the domain controllers
Review activities on a single domain controller to limit detection efforts
Correlating logs from multiple sources provides strong evidence of unauthorized patterns. By reviewing activities from endpoints, network devices, and user logs together, the team can detect chains of suspicious interactions pointing to malicious behavior. Blocking ports without proper analysis might disrupt normal functions, while focusing on one domain controller or outdated software versions overlooks additional suspicious traces that may appear in other logs or devices.