Question: 1/50
A security analyst is reviewing alerts and sees repeated outbound connections from a user workstation to a newly registered domain over TCP/443 at consistent 60-second intervals. No business application is known to use this domain. Which action is the BEST next step to validate whether this is command-and-control (C2) activity?
A. Query DNS logs and proxy/EDR telemetry to correlate the process initiating the connections and the resolved IPs
B. Immediately block all outbound TCP/443 traffic from the entire subnet at the perimeter firewall
C. Reimage the workstation to remove any potential malware without further investigation
D. Send a company-wide alert instructing users to avoid clicking unknown links