Understanding the Security Event:
HOST002 is the only device authorized for internet traffic. However, the SIEM logs show that VM002 is making network connections to web.corp.local.
This indicates unauthorized access and could be a sign of lateral movement or a network infection.
It is a red flag for potential malware, unauthorized software, or a compromised host.
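The detection behind this scenario is an allowlist check over SIEM events: any host other than HOST002 that originates such traffic is flagged, and counting repeated hits from the same source is what separates a real incident from a one-off or a false positive. The script below is an added example, not code from the CAS-005 study guide; the key=value log format, the field names, the allowlist, and the sample log lines are all constructed assumptions. The periodicity check goes slightly beyond the text: evenly spaced connections are one common sign of malware beaconing.

```python
"""Flag hosts that originate network connections outside the authorised set.

Added example, not from the CAS-005 study guide. The log format, field names,
allowlist and sample lines are assumptions constructed for illustration.
"""
from collections import Counter, defaultdict
from datetime import datetime
import re

# Assumption taken from the scenario: only HOST002 may originate this traffic.
AUTHORISED_SOURCES = {"HOST002"}

# Constructed SIEM export in a simple key=value format (not a real product's schema).
SAMPLE_LOGS = """\
ts=2024-05-01T10:00:01Z src=HOST002 dst=web.corp.local dport=443 action=allow
ts=2024-05-01T10:00:07Z src=VM002 dst=web.corp.local dport=443 action=allow
ts=2024-05-01T10:05:07Z src=VM002 dst=web.corp.local dport=443 action=allow
ts=2024-05-01T10:10:08Z src=VM002 dst=web.corp.local dport=443 action=allow
ts=2024-05-01T10:11:00Z src=HOST002 dst=web.corp.local dport=80 action=allow
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")
TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def parse_line(line):
    """Turn one key=value log line into a dict; None for blank or unparseable lines."""
    fields = dict(FIELD_RE.findall(line))
    if not {"ts", "src", "dst"} <= fields.keys():
        return None
    return fields


def find_unauthorised(log_text, authorised=AUTHORISED_SOURCES):
    """Return {src: [events]} for every source host that is not on the allowlist."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        event = parse_line(line)
        if event and event["src"] not in authorised:
            hits[event["src"]].append(event)
    return dict(hits)


def summarise(hits):
    """Count events per (src, dst) so a repeated pattern stands out from a one-off."""
    return Counter((src, ev["dst"]) for src, events in hits.items() for ev in events)


def interarrival_seconds(events):
    """Seconds between consecutive events for one source, in timestamp order."""
    stamps = sorted(datetime.strptime(ev["ts"], TS_FORMAT) for ev in events)
    return [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]


def looks_periodic(intervals, tolerance=0.1):
    """True when the gaps are near-constant (spread within tolerance of the mean gap).

    Regular spacing is a classic beaconing signature; two or more gaps are needed.
    """
    if len(intervals) < 2:
        return False
    mean = sum(intervals) / len(intervals)
    return (max(intervals) - min(intervals)) <= tolerance * mean


if __name__ == "__main__":
    unauthorised = find_unauthorised(SAMPLE_LOGS)
    for (src, dst), count in summarise(unauthorised).items():
        gaps = interarrival_seconds(unauthorised[src])
        beacon = " (regular interval, possible beaconing)" if looks_periodic(gaps) else ""
        print(f"ALERT: {src} -> {dst}: {count} connection(s) from an unauthorised host{beacon}")
```

Run stand-alone it reports VM002 three times against web.corp.local at a near-constant five-minute interval, while HOST002's traffic is silent because it is on the allowlist. In a real SIEM the allowlist would be a lookup table and the count and interval checks would run over a sliding window, but the logic is the same.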
Why Option D is Correct:
Unusual network traffic patterns are often an indicator of a compromised system.
VM002 is not authorized to originate this traffic, yet the logs show it doing so.
This suggests a possible breach or malware infection, for example a compromised host attempting to communicate with a command-and-control (C2) server.
Why Other Options Are Incorrect:
A (Misconfiguration): A misconfiguration could explain a stray connection, but the repeated, sustained pattern of activity points to something more malicious and must be treated as such until investigated.
B (Security incident on HOST002): The issue is not with HOST002, whose traffic is authorized. The suspicious activity originates from VM002.
C (False positives): The repeated pattern of unauthorized connections from the same host makes a false positive unlikely.
Reference: CompTIA SecurityX CAS-005 Official Study Guide, chapter on SIEM & Incident Analysis; MITRE ATT&CK Tactics: Lateral Movement & Network-based Attacks; NIST SP 800-94: Guide to Intrusion Detection and Prevention Systems (IDPS).