SNCF — Securing Networks with Firepower — Question 151
An analyst is investigating a potentially compromised endpoint within the network and pulls a host report for the endpoint in question to collect metrics and documentation. What information should be taken from this report for the investigation?
Answer options
- A. client applications by user, web applications, and user connections
- B. number of attacked machines, sources of the attack, and traffic patterns
- C. threat detections over time and application protocols transferring malware
- D. intrusion events, host connections, and user sessions
Correct answer: D
Explanation
The correct answer is D because intrusion events, host connections, and user sessions show what the endpoint has been doing, what it has connected to, and which users were logged on, which is the information an analyst needs to assess a suspected compromise. Options A, B, and C describe other aspects of network and application activity that do not directly support the immediate investigation of a single endpoint suspected to be compromised.