Performing CyberOps Using Cisco Security Technologies (CBRCOR) — Question 76
A SOC team is informed that a UK-based user will be traveling between three countries over the next 60 days. Given the names of the 3 destination countries and the user's working hours, what must the analyst do next to detect abnormal behavior?
Answer options
- A. Create a rule triggered by 3 failed VPN connection attempts in an 8-hour period
- B. Create a rule triggered by 1 successful VPN connection from any nondestination country
- C. Create a rule triggered by multiple successful VPN connections from the destination countries
- D. Analyze the logs from all countries related to this user during the traveling period
Correct answer: B
Explanation
The correct answer is B because a successful VPN connection from a non-destination country does not fit the user's known travel plans and therefore indicates potential unauthorized access. The other options focus either on failed connections or on successful connections from the destination countries, neither of which helps identify abnormal behavior related to the user's travel plans.