[&] Why might an incident responder decide to take a domain controller offline during an investigation?
- To prevent further lateral movement by an attacker
- To automatically quarantine all potential threats
- To reset all user account passwords simultaneously
- To test new group policy configurations in a live environment

[&] What indicates a possible compromise of a Linux account during a log analysis?
- SSH access recorded in auth.log using a known IP address
- Scheduled crontab tasks running as root
- The creation of new user accounts without documentation
- Regular backups of system logs

[&] When conducting a log analysis, why is it important to expand the timeline to include all events?
- To ensure no potentially relevant events are overlooked
- To focus only on the most recent logs
- To limit the scope of analysis to the current session
- To reduce the size of the log files

[&] In the process of endpoint analysis, which log file is crucial for tracking authentication attempts on a Linux server?
- /var/log/cron
- /var/log/syslog
- /var/log/kern.log
- /var/log/auth.log

[&] What is an important step to take after identifying accounts created by an intruder?
- Create a report and conclude the investigation
- Disable the accounts and change passwords for security
- Examine network traffic to find the root cause
- Review recent software updates on the server

[&] What is the primary function of using a SIEM like Splunk in log analysis?
- To summarize and visualize log data from multiple sources
- To ensure logs are parsed in a human-readable format
- To ensure logs are stored securely
- To automate initial analysis of logs