CORRECT TEXT
A security administrator discovers that an attack has been completed against a node on the
corporate network. All available logs were collected and stored.
You must review all network logs to discover the scope of the attack, check the box of the node(s)
that have been compromised and drag and drop the appropriate actions to complete the incident
response on the network. The environment is a critical production environment; perform the
LEAST disruptive actions on the network, while still performing the appropriate incident responses.
Instructions: The web server, database server, IDS, and User PC are clickable. Check the box of
the node(s) that have been compromised and drag and drop the appropriate actions to complete
the incident response on the network. Not all actions may be used, and order is not important. If at
anytime you would like to bring back the initial state of the simulation, please select the Reset
button. When you have completed the simulation, please select the Done button to submit. Once
the simulation is submitted, please select the Next button to continue.

Answer: See the explanation

Explanation:
Database server was attacked; actions should be to capture network traffic and Chain of
Custody.
(The database server logs shows the Audit Failure and Audit Success attempts)It is only logical
that all the logs will be stored on the database server and the least disruption action on the
network to take as a response to the incident would be to check the logs (since these are already
collected and stored) and maintain a chain of custody of those logs.

IDS Server Log:

Web Server Log:

Database Server Log:

Users PC Log:

Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, 6th Edition, Sybex,
Indianapolis, 2014, pp. 100, 117