CompTIA CySA+ (CS0-003) — Question 193
A SOC receives several alerts indicating user accounts are connecting to the company’s identity provider through non-secure communications. User credentials for accessing sensitive, business-critical systems could be exposed. Which of the following logs should the SOC use when determining malicious intent?
Answer options
- A. DNS
- B. tcpdump
- C. Directory
- D. IDS
Correct answer: D
Explanation
The correct answer is D. Intrusion Detection System (IDS) logs are specifically designed to record suspicious activity and potential intrusions, which makes them the most useful source for establishing malicious intent. The other options each capture something narrower: DNS logs (A) show domain queries, tcpdump (B) captures raw packet data, and Directory logs (C) track user access. None of these is as effective as IDS logs at highlighting potential threats to user credentials.