Final answer:
The SIEM log shows a connection from a compromised laptop to a known malicious IP address, indicating potential communication with a command and control server or unauthorized data transfer. The incident requires further investigation by the security analyst to understand the full scope of the breach.
Step-by-step explanation:
The SIEM log indicates that there was suspicious network activity on the compromised laptop. Specifically, the log details a network connection at a certain timestamp, initiated from an internal IP address (192.168.1.15), and targeted towards an external IP address (104.16.249.5) that is flagged as malicious. This means that the laptop established a TCP connection with a known malicious IP address, which could imply that the attacker has successfully connected to an external command and control server, or that data exfiltration may have occurred.
The security analyst will need to take this information and correlate it with other logs and evidence to complete the incident investigation, tracking the lateral movement and identifying any data that may have been compromised or extracted from the network. Understanding the entirety of the attacker's actions is crucial to mitigate the breach and prevent future incidents.
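The correlation step described above, as an added example that is not part of the original answer: it finds every internal host that contacted the flagged IP, totals the bytes sent there, and lists the internal systems that host connected to after its first contact (candidates for lateral movement). The log layout, timestamps, byte counts and every address other than 192.168.1.15 and 104.16.249.5 are constructed for illustration.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed sample events; the field layout is an assumption, not the SIEM's real format.
SAMPLE_LOG = """\
2024-05-01T09:58:12 src=192.168.1.22 dst=192.168.1.15 proto=TCP dport=445 bytes_out=800
2024-05-01T10:02:41 src=192.168.1.15 dst=104.16.249.5 proto=TCP dport=443 bytes_out=5120
2024-05-01T10:03:05 src=192.168.1.15 dst=192.168.1.30 proto=TCP dport=445 bytes_out=2048
2024-05-01T10:04:10 src=192.168.1.40 dst=203.0.113.10 proto=TCP dport=443 bytes_out=900
2024-05-01T10:07:19 src=192.168.1.15 dst=104.16.249.5 proto=TCP dport=443 bytes_out=734003
2024-05-01T10:09:55 src=192.168.1.15 dst=192.168.1.31 proto=TCP dport=3389 bytes_out=4096
"""

FLAGGED = {"104.16.249.5"}  # external IP the SIEM marked as malicious


def parse(line):
    """Turn one 'timestamp key=value ...' line into a dict."""
    ts, *pairs = line.split()
    ev = dict(p.split("=", 1) for p in pairs)
    ev["ts"] = datetime.fromisoformat(ts)
    ev["bytes_out"] = int(ev["bytes_out"])
    return ev


def correlate(log_text, flagged=FLAGGED):
    """Per host that reached a flagged IP: first contact time, bytes sent
    to flagged IPs, and internal peers contacted after that first contact."""
    events = sorted((parse(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e["ts"])
    report = defaultdict(lambda: {"first_contact": None,
                                  "bytes_to_flagged": 0,
                                  "internal_peers": set()})
    for ev in events:
        src, dst = ev["src"], ev["dst"]
        if dst in flagged:
            host = report[src]  # host enters the report at its first flagged contact
            host["first_contact"] = host["first_contact"] or ev["ts"]
            host["bytes_to_flagged"] += ev["bytes_out"]
        elif src in report and ipaddress.ip_address(dst).is_private:
            # Internal connection made after the host first reached a flagged IP
            report[src]["internal_peers"].add(dst)
    return dict(report)


if __name__ == "__main__":
    for host, info in correlate(SAMPLE_LOG).items():
        print(host, info)
```

The hosts in `internal_peers` are the next places to pull endpoint and authentication logs from, and a large `bytes_to_flagged` total is a prompt to check what data left the laptop.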