Free Palo Alto Networks Cybersecurity-Apprentice Actual Exam Questions - Question 15 Discussion

Question No. 15
A security operations center (SOC) analyst receives an alert indicating unusual outbound traffic from a
corporate device to an unfamiliar IP address. Which of the following should the analyst do first in
response to the alert?
Paul Z.
2026-02-18

Probably D, but from a containment angle. If the traffic looks suspicious enough, cutting off the device quickly prevents any possible data leak or malware spread. You can do deeper analysis after isolating the device. Waiting too long risks damage. Blocking the IP might be too narrow if the attacker switches targets, so disabling the device is a safer first step until you know more.

0
Paul Z.
2026-02-17

Makes sense to gather more context before taking action. I’d go with B since analyzing logs helps confirm if the traffic is really harmful or just a false positive.

0
Amit O.
2026-01-29

Maybe B, since jumping to block or disable without context can cause more harm.

0
Amit O.
2026-01-27

It’s definitely not A or D since jumping straight to notifying the incident team or disabling the device can cause unnecessary disruptions. Between B and C, I’d go with B because you want to gather more info before blocking anything. Blocking might be too aggressive if it’s a false alarm, and you could end up cutting off legit traffic. Investigating first helps confirm if it's really suspicious or just some quirky app behavior. So yeah, analyzing logs and context first makes the most sense before taking any harsh actions.

0
Amit O.
2026-01-26

Option B feels right to me because you want to make sure it’s not a false positive before taking any drastic steps. If you block or disable the device immediately, you might interrupt legitimate business processes. Plus, correlating with other logs can reveal if this is part of a bigger attack or just some harmless glitch. Waiting to notify the incident response team (A) without investigating seems premature since you need more context first. So, investigating first helps avoid knee-jerk reactions and gives you a clearer picture of what’s actually going on.

0
Bilal Q.
2026-01-21

Makes sense to dig a bit deeper before making big moves. I’d go with B too, since jumping straight to blocking or disabling could cause unnecessary disruption if it’s just a false alarm. Gathering more info helps confirm if it’s really malicious or just a weird but harmless event.

0
Bilal Q.
2026-01-15

B/C? I’d say start with B because jumping straight to blocking or disabling (like options C and D) might be too drastic before you know what’s actually going on. Also, A seems like skipping the important first step of investigating yourself before escalating. You want to gather more context first to avoid false positives or disrupting normal business traffic.

0