A user account with limited rights is shown in logs performing tasks requiring advanced permissions on a critical database. The account owner claims they did not recall doing this. Which measure would reveal how these advanced rights were granted?
Block incoming traffic from untrusted addresses and review relevant logs
Analyze event logs to spot mismatched tokens and identify unnoticed policy changes
Prompt users to reset their passwords
Deactivate login protections to simplify account testing
Analyzing logs for permission changes, token mappings, or security group assignments is critical when a user appears to act beyond their intended rights. This approach can uncover unauthorized elevation events, policy misconfigurations, or token misuse. Remedial steps like password resets or access restrictions are useful but do not answer the root question of how elevation occurred.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What are mismatched tokens in event logs?
Open an interactive chat with Bash
How can policy changes lead to unauthorized actions?
Open an interactive chat with Bash
How do security tokens grant advanced permissions?