Incident Response Phases and SIEM Alerts | CompTIA Security+

Phase: Incident Identification and Assessment


Question

An incident response manager has started to gather all the facts related to a SIEM alert showing multiple systems may have been compromised.

The manager has gathered these facts:

- The breach is currently indicated on six user PCs
- One service account is potentially compromised
- Executive management has been notified

In which of the following phases of the IRP is the manager currently working?

Answers

D.

Explanations

The incident response manager is currently working in the Identification phase of the Incident Response Plan (IRP).

In the Identification phase, the incident response team detects, verifies, and categorizes an incident. The goal of this phase is to identify the nature and scope of the incident, as well as any affected systems or data. The facts gathered by the incident response manager indicate that there has been a breach on six user PCs and one service account may be compromised. Executive management has also been notified of the incident, which is a key step in the Identification phase.

Once the incident has been identified, the next phase is Containment, where the incident response team limits the damage by isolating affected systems and preventing the incident from spreading further. After that, the Eradication phase begins, where the team removes the cause of the incident from the affected systems and restores them to normal operation. Finally, the Recovery phase involves restoring affected systems and data to their previous state and ensuring that the organization is prepared to prevent similar incidents in the future.

In summary, the incident response manager is currently working in the Identification phase of the IRP, where the goal is to detect, verify, and categorize the incident based on the facts gathered.