Scenario
A workstation triggers an EDR alert after a user opened a malicious attachment. The SOC must follow the incident response process, preserve evidence, and brief management on risk treatment options.
Your task: Choose the best incident response activity or risk term.
| Data Source | Use |
|---|---|
| Endpoint logs | Process and file activity |
| Firewall logs | Outbound connections |
| SIEM dashboard | Correlated alerts |
Evidence and Risk
Instructor Answer
- Preparation happens before incidents through playbooks, contacts, and training.
- Detection and analysis uses logs and alerts to determine what happened.
- Containment limits spread, such as isolating a host.
- Eradication removes the cause and closes the weakness.
- Recovery restores normal operations.
- Chain of custody documents evidence handling.
- ALE (annualized loss expectancy) equals SLE (single loss expectancy) multiplied by ARO (annualized rate of occurrence).
- Insurance is a risk transfer strategy.