CompTIA Security+ Exam Practice Questions Sample SY0-501 Q470

An incident response manager has started to gather all the facts related to a SIEM alert showing that multiple systems may have been compromised.
The manager has gathered these facts:
– The breach is currently indicated on six user PCs
– One service account is potentially compromised
– Executive management has been notified
In which of the following phases of the IRP is the manager currently working?

A. Recovery
B. Eradication
C. Containment
D. Identification

Correct Answer: D