Important documents were deleted from a network share. The security team was unable to trace this activity based on existing logs. Which of the following tools would have been the most helpful in tracking this activity?

A. Group Policy

B. Endpoint detection and response

C. File integrity monitoring

D. User behavior analytics

1 Answer


Final answer:

Endpoint detection and response (EDR), file integrity monitoring (FIM), and user behavior analytics (UBA) are the most helpful tools for tracking deleted documents from a network share. Therefore, the correct answer option is B).

Step-by-step explanation:

The most helpful tool in tracking the activity of deleted documents from a network share would be Endpoint detection and response (EDR). EDR is a security solution that monitors and detects suspicious behavior on endpoints, such as computers and servers. It can help track activities like deleted files and provide insights into the potential attacker's behavior.

File integrity monitoring (FIM) could also be useful in this situation. FIM tools monitor changes to files and folders, detecting any unauthorized modifications. If the deleted documents were modified before deletion, FIM could provide evidence of the tampering.

User behavior analytics (UBA) may help to identify any abnormal user activities leading to the deletion. UBA tools analyze user behavior patterns and detect anomalies that could indicate potential threats or malicious activities.

Answered by User AlterX (8.1k points)
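The answer above describes what file integrity monitoring does in prose: record a known-good state of the files on a share, then compare later and report what was deleted, added or changed. The script below is an added, self-contained example (not part of the original question or answer, and not any vendor's FIM product) of that baseline-and-compare loop. It builds a constructed sample share in a temporary directory, takes a SHA-256 baseline, simulates a deletion and an edit, and returns the differences, which is exactly the record the security team in the question was missing. All file names and contents are made up for the demonstration.

```python
import hashlib
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large share files do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every file under root (relative, POSIX-style path) to its content hash.

    A real FIM deployment stores this baseline somewhere the share's users cannot
    modify, otherwise an actor who deletes files can also erase the evidence.
    """
    return {
        p.relative_to(root).as_posix(): hash_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare(baseline: dict, current: dict) -> dict:
    """Diff two baselines into the three events an FIM tool would alert on."""
    old, new = set(baseline), set(current)
    return {
        "checked_at": datetime.now(timezone.utc).isoformat(),
        "deleted": sorted(old - new),
        "added": sorted(new - old),
        "modified": sorted(k for k in old & new if baseline[k] != current[k]),
    }


def demo() -> dict:
    """Constructed scenario: baseline a sample share, then delete and modify files."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "finance").mkdir()
        # constructed sample documents, not real data
        (root / "finance" / "q3-report.docx").write_bytes(b"constructed sample report")
        (root / "finance" / "budget.xlsx").write_bytes(b"constructed sample budget")
        (root / "readme.txt").write_bytes(b"share usage notes")

        baseline = build_baseline(root)

        # Simulated incident: one document removed, one edited, one new file dropped.
        (root / "finance" / "q3-report.docx").unlink()
        (root / "readme.txt").write_bytes(b"share usage notes (edited)")
        (root / "notes.txt").write_bytes(b"new file")

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    report = demo()
    for event in ("deleted", "modified", "added"):
        for path in report[event]:
            print(f"{report['checked_at']} {event.upper():8} {path}")
```

The report answers the "what was deleted, and when did we notice" part of the investigation; pairing it with share access auditing supplies the "who", since hashes alone do not identify the account that performed the deletion. Scheduling `build_baseline` at short intervals narrows the window between the deletion and its detection.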