Scenario
An analyst must review email logs and SIEM process-creation events after a phishing campaign. The known phishing domain is secure-credential-update.company-portal.com. Windows Security Event ID 4688, collected in the SIEM, records process creation, and the suspicious process name is svchost.exe.
Your task: Review the evidence and select the best analyst response for each field.
| Evidence | Details |
|---|---|
| Known phishing domain | secure-credential-update.company-portal.com |
| Clicked link count | 25 matching email log entries |
| Infected workstation count | 15 unique hosts with matching process events |
| Suspicious process | svchost.exe in Event ID 4688 records |
Analyst Decisions
Instructor Answer
- Email logs show link destinations and user interaction paths.
- There are 25 phishing-domain hits in the email logs.
- Event ID 4688 records process creation and helps identify malware execution.
- The infected count is 15 unique workstations, and the executable is svchost.exe.
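The review described in this scenario, as an added example that is not part of the original exercise: it runs over constructed email-gateway records and constructed 4688 events (the field names `Computer` and `NewProcessName` are assumed SIEM normalisations), counts clicks on the phishing domain, and treats a 4688 record for svchost.exe as suspicious only when the binary runs from somewhere other than its legitimate System32 location.

```python
from urllib.parse import urlsplit

PHISHING_DOMAIN = "secure-credential-update.company-portal.com"
SUSPECT_PROCESS = "svchost.exe"
# Path of the legitimate Windows svchost.exe; any other file by that name is suspect.
EXPECTED_PATH = r"c:\windows\system32\svchost.exe"

# Constructed email-gateway records (user, clicked URL); not real log data.
EMAIL_LOG = [
    {"user": "alice", "url": "https://secure-credential-update.company-portal.com/login"},
    {"user": "bob", "url": "https://secure-credential-update.company-portal.com/login?id=7"},
    {"user": "carol", "url": "https://intranet.company.example/news"},
    {"user": "alice", "url": "http://secure-credential-update.company-portal.com/reset"},
]
# Constructed Security events as a SIEM might normalise them; field names are assumed.
PROCESS_EVENTS = [
    {"EventID": 4688, "Computer": "WS-ALICE", "NewProcessName": r"C:\Users\alice\AppData\Local\Temp\svchost.exe"},
    {"EventID": 4688, "Computer": "WS-ALICE", "NewProcessName": r"C:\Windows\System32\svchost.exe"},
    {"EventID": 4688, "Computer": "WS-BOB", "NewProcessName": r"C:\Users\bob\Downloads\svchost.exe"},
    {"EventID": 4688, "Computer": "WS-CAROL", "NewProcessName": r"C:\Windows\System32\svchost.exe"},
    {"EventID": 4624, "Computer": "WS-BOB", "NewProcessName": ""},  # logon event, not process creation
]

def phishing_clicks(email_log, domain=PHISHING_DOMAIN):
    """Entries whose clicked URL host is the phishing domain or a subdomain of it."""
    hits = []
    for entry in email_log:
        host = (urlsplit(entry["url"]).hostname or "").lower()
        if host == domain or host.endswith("." + domain):
            hits.append(entry)
    return hits

def suspicious_process_hosts(events, name=SUSPECT_PROCESS):
    """Unique hosts with a 4688 event for `name` launched from outside System32."""
    hosts = set()
    for ev in events:
        if ev.get("EventID") != 4688:
            continue  # only process-creation records count
        path = ev.get("NewProcessName", "").lower()
        if path.rsplit("\\", 1)[-1] == name and path != EXPECTED_PATH:
            hosts.add(ev["Computer"])
    return hosts

def triage(email_log, events):
    """Summarise both evidence sources the way the scenario's evidence table does."""
    clicks = phishing_clicks(email_log)
    hosts = suspicious_process_hosts(events)
    return {"click_count": len(clicks), "clicking_users": sorted({c["user"] for c in clicks}),
            "infected_host_count": len(hosts), "infected_hosts": sorted(hosts)}
```

On the constructed data this reports 3 phishing clicks by two users and 2 hosts running a non-System32 svchost.exe; the System32 copies on WS-ALICE and WS-CAROL are correctly left out.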