Which TWO pieces of information are essential for an analyst to correlate when investigating an intrusion alert from a network-based sensor?
IP addresses identify the communicating hosts.
Why this answer
Source and destination IP addresses are essential because they allow the analyst to identify the communicating endpoints involved in the intrusion attempt. By correlating these addresses with other alert data, the analyst can determine the origin of the attack and the targeted asset, which is critical for scoping the incident and initiating containment actions.
Exam trap
Cisco often tests the distinction between operational data (IP addresses, timestamps) and irrelevant administrative or physical details, trapping candidates who confuse 'essential for correlation' with 'nice to have' or 'commonly known' information.