Understanding Cisco Cybersecurity Operations Fundamentals (CBROPS) — Question 146
A threat actor penetrated an organization's network. Using the 5-tuple approach, which data points should the analyst use to isolate the compromised host in a grouped set of logs?
Answer options
- A. event name, log source, time, source IP, and username
- B. event name, log source, time, source IP, and host name
- C. protocol, log source, source IP, destination IP, and host name
- D. protocol, source IP, source port, destination IP, and destination port
Correct answer: D
Explanation
The correct answer is D because it uses the 5-tuple: source IP address, destination IP address, source port, destination port, and transport protocol. Grouping logs by these five fields isolates the individual flows to and from the compromised host. Options A, B, and C omit the port numbers, which are needed to tell one connection apart from another and therefore to identify the network traffic associated with the compromised host accurately.