Performing CyberOps Using Cisco Security Technologies (CBRCOR) — Question 79

An engineer notices that every Sunday night, there is a two-hour period with a large load of network activity. Upon further investigation, the engineer finds that the activity is from locations around the globe outside the organization's service area. What are the next steps the engineer must take?

Answer options

• A. Assign the issue to the incident handling provider because no suspicious activity has been observed during business hours.
• B. Review the SIEM and FirePower logs, block all traffic, and document the results of calling the call center.
• C. Define the access points using StealthWatch or SIEM logs, understand services being offered during the hours in question, and cross-correlate other source events.
• D. Treat it as a false positive, and accept the SIEM issue as valid to avoid alerts from triggering on weekends.

Correct answer: A

Explanation

The correct answer is A because it is a pragmatic approach to involve the incident handling provider when no issues are detected during business hours, implying a potential non-business related activity. Option B suggests blocking all traffic, which could disrupt legitimate services, while C focuses on technical analysis rather than immediate response. Option D dismisses the activity without investigation, which is not advisable.