🔥 3-day streak
CompTIA SecurityX (CAS-005)100 / 120
Question 100 of 120

A threat hunter is investigating suspected command-and-control activity in a large enterprise. Proxy logs show outbound HTTPS traffic to a newly registered domain from several workstations. The traffic uses valid TLS, occurs during business hours, and the destination is not on any threat feed. However, the hunter notices all sessions to this domain share an identical, uncommon HTTP User-Agent string that does not match any known browser or approved application in the software inventory. What is the MOST effective next step to confirm the hypothesis while minimizing false positives?

Reviewed for accuracy · Report an issueNext question