ISC2 Systems Security Certified Practitioner (SSCP) Practice Question
A security analyst for an e-commerce company hosted entirely on AWS reviews an Amazon GuardDuty finding that shows dozens of failed console logins followed by a successful login from an unfamiliar IP address. The incident response playbook states that any event classified as High severity must be escalated to the on-call incident commander within 15 minutes. Which action should the analyst take FIRST to comply with the organization's escalation procedure?
Notify local law enforcement about the suspected compromise because customer data might be at risk.
Begin a forensic acquisition of CloudTrail and system logs to gather more evidence before deciding on escalation.
Immediately disable the compromised IAM user and open an AWS Support case before contacting anyone internally.
Match the GuardDuty finding against the playbook's severity criteria to verify that it qualifies as a High-severity incident.
Escalation procedures depend on predefined criteria that map technical events to severity levels. Before any notification occurs, the responder must confirm that the event actually meets the playbook's High-severity threshold; otherwise, false alarms or delays can occur. Disabling the IAM user or starting a forensic acquisition may be appropriate later, but neither satisfies the immediate requirement to validate severity so that escalation happens on time. Notifying law enforcement skips multiple internal steps and is done only after the incident commander authorizes it. Therefore, the first step is to compare the GuardDuty finding with the organization's escalation matrix and confirm that it qualifies as a High-severity incident, which starts the 15-minute escalation timer.
ISC2 Systems Security Certified Practitioner (SSCP)
Incident Response and Recovery