A SIEM alert shows a payroll administrator account signed in at 02:10 from a country the employee has never visited. The employee says they are on vacation at home and did not travel. What should the analyst do first?

Immediately disable the account and wait for the employee to return.

This could be necessary later if the activity is confirmed malicious, but it is not the first triage step.

Close the alert as a false positive because the user is on vacation.

Vacation status does not prove the sign-in was legitimate. The account could still be compromised.

Reimage the user’s workstation before checking any logs.

Reimaging is a response action, not an initial triage step. Logs should be reviewed first.

What does this SY0-701 question test?

Static NAT maps one inside address to one outside address.

What is the correct answer to this question?

The correct answer is: Verify the login context with the user or manager and review recent authentication history. — The best first action is to verify the login context and review authentication history. In security operations, alert triage starts with confirming whether the event matches expected user behavior and whether there are legitimate explanations such as VPN use, travel, or a help desk session. This avoids overreacting to benign anomalies while still allowing escalation if evidence supports compromise. Why others are wrong: Disabling the account may be appropriate after confirmation, but doing it immediately can interrupt business unnecessarily. Closing the alert as a false positive is unsafe because an unusual sign-in from another country is a valid indicator of compromise until proven otherwise. Reimaging the workstation is premature because the suspicious event is about authentication activity, and logs should be reviewed before destructive remediation.

What should I do if I get this SY0-701 question wrong?

Then try more questions from the same exam bank and focus on understanding why the wrong options are tempting.