Free CCFA-200 Actual Exam Questions - Question 5 Discussion

Question No. 5
A new employee joins the Security Operations Center (SOC) team and requires access to monitor security
events, view detection activity, and analyze incidents. However, the employee should not have the ability
to make changes to policies or manage user roles. Which role is most appropriate for this user?
Irfan C.
2026-02-18

Maybe B fits better here since analysts usually do incident analysis and event monitoring but don’t handle policy or role changes. Read-only might be too restrictive for actual incident work.

0
Irfan C.
2026-02-14

I get why C is popular, but I think B could work too since analysts typically handle incident investigations without changing policies. The question says the employee needs to analyze incidents and monitor events, which sounds like a typical analyst job. If the SOC setup is standard, analysts usually don’t manage user roles or policies, so B fits the bill without restricting too much access. C might be too limiting if the employee needs to do more than just view data. So I’d go with B here based on typical role definitions.

0
Usman O.
2026-02-10

C/D? Admins (D) clearly have too much power, so out. Between Analyst (B) and Read-Only Analyst (C), the key is no changes allowed, so C seems safer to avoid policy edits while still monitoring.

0
Michael M.
2026-02-02

C imo. The key is no changes allowed, so Read-Only Analyst fits perfectly since it lets them analyze without risking policy or user edits. B might be too broad.

0
Michael M.
2026-02-02

B/C? I get that the Read-Only Analyst (C) locks down changes, but the question says the new employee needs to analyze incidents, which might require some interaction beyond just viewing. Analysts (B) usually can investigate and respond but not manage policies or user roles—that's usually reserved for Admin or Policy Manager. So if the SOC setup is standard, B fits best to let them work on incidents without the risk of messing with policies or roles.

0
Ravi S.
2026-01-30

D imo, Administrator is definitely out since they can manage users and policies. Between B and C, the Read-Only Analyst (C) fits better because it explicitly blocks changes, matching the "no policy or user role edits" part.

0
Ravi S.
2026-01-27

C imo. The question says the user should monitor and analyze but not change anything. That sounds like a classic read-only role. B (Analyst) might let them do more than monitoring, maybe even tweak some alerts or settings, which we don’t want here. So C fits better by restricting any changes but still letting them view and investigate incidents properly.

0
Ravi S.
2026-01-26

B/C? Analyst usually lets you dig into incidents without changing policies, but Read-Only Analyst might be too limited if they need to interact with detection tools, not just view data.

0
Ravi P.
2026-01-22

Maybe C makes more sense here since it clearly restricts changes but still allows monitoring and analysis. B might let them tweak stuff, which we don’t want.

0
Ravi P.
2026-01-21

It’s B because Analysts are generally allowed to monitor and analyze incidents but don’t have permissions to change policies or manage user roles. The Read-Only Analyst (C) sounds too restrictive if the employee needs to actively analyze and respond to events, not just view them. So B strikes the right balance between access and control.

0
Haris U.
2026-01-20

B tbh could also work since analysts typically handle monitoring and incident analysis without policy control. C is definitely more restrictive, but B fits the responsibilities too.

0
Michael X.
2026-01-15

C

0