CompTIA CySA+ (CS0-002) — Question 137

An analyst is investigating an anomalous event reported by the SOC. After reviewing the system logs, the analyst identifies an unexpected addition of a user with root-level privileges on the endpoint. Which of the following data sources will BEST help the analyst determine whether this event constitutes an incident?

Answer options

Correct answer: D

Explanation

The correct answer is D. Change requests provide a formal record of approved modifications to system settings and permissions, so they can confirm whether the addition of the root-level user was authorized; an account creation with no matching change request is the signal that the event should be escalated as an incident. The other options do not answer that question: patching logs and threat feeds do not relate directly to user permission changes, and backup logs and data classification matrices do not record user account modifications.