D (4: HTTPS traffic to an external IP - 5.29.1.5)
The log entry shows an internal system (172.16.1.30) communicating with an external IP (5.29.1.5) over TCP 443 (HTTPS) using Browser.exe.
HTTPS traffic to an unknown external IP could indicate data exfiltration, as attackers often use encrypted channels to disguise stolen data transfers.
G (7: FTP traffic to an external backup server - bank.backup.com)
The log entry indicates that an internal machine (172.16.1.25) is transferring data to bank.backup.com using FTP (port 21) and FileZilla.
FTP is a major concern because it is an outdated, unencrypted protocol that can be exploited for data exfiltration. If unauthorized, this could be a serious data breach.
Other Options:
A (ARP traffic) → Not a concern (just address resolution)
B (RPC Kerberos traffic) → Normal for authentication
C (SMB traffic) → Internal file sharing
E (DNS traffic) → Common, though could be exfiltration in some cases, but not in this log
F (WUS traffic) → Appears to be Windows Update Service traffic, likely legitimate
[Reference: CompTIA CySA+ CS0-003, Chapter 5: "Network Security Monitoring and Analysis," Section: "Detecting Data Exfiltration"]