Certified Ethical Hacker (CEH v11) — Question 134

You are a security officer of a company. You had an alert from IDS that indicates that one PC on your Intranet is connected to a blacklisted IP address (C2 Server) on the Internet. The IP address was blacklisted just before the alert. You are starting an investigation to roughly analyze the severity of the situation. Which of the following is appropriate to analyze?

Answer options

• A. IDS log
• B. Event logs on domain controller
• C. Internet Firewall/Proxy log.
• D. Event logs on the PC

Correct answer: C

Explanation

The correct answer is C because analyzing the Internet Firewall/Proxy log will provide insights into the traffic going to and from the blacklisted IP address, helping to understand the nature and extent of the connection. While the IDS log (A) can show alerts, it may not give complete context about the network traffic. Event logs on the domain controller (B) and the PC (D) may not directly relate to the external connection to the blacklisted IP.