CompTIA CySA+ (CS0-001) — Question 263
A security analyst is reviewing logs and discovers that a company-owned computer issued to an employee is generating many alerts and warnings. The analyst continues to review the log events and discovers that a non-company-owned device from a different, unknown IP address is generating the same events. The analyst informs the manager of these findings, and the manager explains that these activities are already known and are part of an ongoing event. Given this scenario, which of the following roles are the analyst, the employee, and the manager filling?
Answer options
- A. The analyst is red team. The employee is blue team. The manager is white team.
- B. The analyst is white team. The employee is red team. The manager is blue team.
- C. The analyst is red team. The employee is white team. The manager is blue team.
- D. The analyst is blue team. The employee is red team. The manager is white team.
Correct answer: D
Explanation
In this scenario, the analyst is the blue team: the defender who monitors the logs, investigates the alerts, and escalates the findings. The employee is the red team, because the employee's computer is the source of the activity that triggers the alerts, which is the attacker's role in the exercise. The manager, who already knows about the activity and its context, is the white team: the group that oversees and coordinates the exercise, knows what both sides are doing, and decides how the response proceeds.