A network security analyst reviews firewall logs and identifies a high volume of outbound DNS queries to a known malicious domain from multiple internal hosts. Which THREE actions should the analyst take immediately?
Isolating the affected hosts prevents lateral movement and further data exfiltration.
Why this answer
A high volume of DNS queries to a known malicious domain from multiple hosts indicates likely command-and-control (C2) beaconing. Immediate actions: block the domain at the firewall and the internal DNS resolver (a sinkhole rather than a plain drop keeps the infected hosts' lookups visible), isolate the affected hosts to stop lateral movement and exfiltration, and begin a forensic investigation of those hosts to establish the infection vector and scope. Running an antivirus scan is useful but is not an immediate containment step, and collecting logs for later analysis is secondary to acting on the logs already in hand.
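The triage the answer describes, as an added example that is not part of the original question set: it parses constructed firewall DNS log lines, matches each queried name against a known-malicious domain indicator (subdomains included, case and trailing dot normalized, and without the false positive a naive suffix test gives on a name such as `notevil-c2.example`), counts hits per internal host, separates hosts that are repeatedly querying (isolate now) from single-hit hosts (review), and emits Response Policy Zone records that block the domain at the resolver. The log format, host addresses, domain names and the isolation threshold are hypothetical.

```python
"""Added example: DNS-log triage for a known-malicious domain (hypothetical data)."""
from collections import defaultdict
from typing import Optional
import re

# Hypothetical firewall log format, one DNS query per line.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=\S+ proto=udp dport=53 qname=(?P<qname>\S+)$"
)

# Constructed sample log: one host beaconing repeatedly, one with three hits
# (mixed case and trailing dot on purpose), one single hit, and benign traffic
# including a look-alike name that must not match.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z src=10.0.1.15 dst=10.0.0.53 proto=udp dport=53 qname=update.evil-c2.example
2024-05-01T10:00:02Z src=10.0.1.22 dst=10.0.0.53 proto=udp dport=53 qname=www.legit.example
2024-05-01T10:00:03Z src=10.0.1.15 dst=10.0.0.53 proto=udp dport=53 qname=update.evil-c2.example
2024-05-01T10:00:04Z src=10.0.1.40 dst=10.0.0.53 proto=udp dport=53 qname=EVIL-C2.EXAMPLE.
2024-05-01T10:00:05Z src=10.0.1.15 dst=10.0.0.53 proto=udp dport=53 qname=update.evil-c2.example
2024-05-01T10:00:06Z src=10.0.1.40 dst=10.0.0.53 proto=udp dport=53 qname=evil-c2.example
2024-05-01T10:00:07Z src=10.0.1.22 dst=10.0.0.53 proto=udp dport=53 qname=notevil-c2.example
2024-05-01T10:00:08Z src=10.0.1.40 dst=10.0.0.53 proto=udp dport=53 qname=cdn.evil-c2.example
2024-05-01T10:00:09Z src=10.0.1.15 dst=10.0.0.53 proto=udp dport=53 qname=update.evil-c2.example
2024-05-01T10:00:10Z src=10.0.1.31 dst=10.0.0.53 proto=udp dport=53 qname=evil-c2.example
"""

# Constructed threat-intel indicator; in practice this comes from a feed.
MALICIOUS_DOMAINS = {"evil-c2.example"}


def normalize(name: str) -> str:
    """Lower-case and drop the trailing dot so 'EVIL.EXAMPLE.' equals 'evil.example'."""
    return name.rstrip(".").lower()


def match_indicator(qname: str, indicators: set) -> Optional[str]:
    """Return the indicator that qname equals or is a subdomain of, else None.

    The label boundary ('.' + indicator) matters: a bare endswith() would flag
    'notevil-c2.example' as a hit on 'evil-c2.example'.
    """
    q = normalize(qname)
    for ind in indicators:
        i = normalize(ind)
        if q == i or q.endswith("." + i):
            return i
    return None


def parse_line(line: str) -> Optional[dict]:
    """Parse one log line into its fields; None for lines that do not fit the format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def triage(log_text: str, indicators: set, isolate_threshold: int = 3) -> dict:
    """Count malicious-domain hits per source host and split hosts by severity.

    Returns a dict with:
      hits     - {src_ip: number of queries that matched an indicator}
      isolate  - hosts at or above isolate_threshold (repeat queries look like beaconing)
      review   - hosts with at least one hit but below the threshold
      names    - every distinct matched query name, kept as evidence for the investigation
    """
    hits = defaultdict(int)
    names = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if match_indicator(rec["qname"], indicators) is None:
            continue
        hits[rec["src"]] += 1
        names.add(normalize(rec["qname"]))
    isolate = sorted(h for h, n in hits.items() if n >= isolate_threshold)
    review = sorted(h for h, n in hits.items() if 0 < n < isolate_threshold)
    return {"hits": dict(hits), "isolate": isolate, "review": review, "names": sorted(names)}


def rpz_block_rules(indicators: set) -> list:
    """Response Policy Zone records returning NXDOMAIN for the domain and all subdomains.

    'CNAME .' is the RPZ NXDOMAIN action; zone name and TTL are left to the resolver config.
    """
    rules = []
    for ind in sorted(normalize(i) for i in indicators):
        rules.append(f"{ind} CNAME .")
        rules.append(f"*.{ind} CNAME .")
    return rules


if __name__ == "__main__":
    result = triage(SAMPLE_LOG, MALICIOUS_DOMAINS)
    print("isolate now:", result["isolate"])
    print("review:", result["review"])
    print("evidence names:", result["names"])
    print("resolver block rules:", rpz_block_rules(MALICIOUS_DOMAINS))
```

On this sample, 10.0.1.15 (four queries) and 10.0.1.40 (three) go on the isolation list, 10.0.1.31 (one query) is queued for review, and 10.0.1.22 is clean because the look-alike name does not cross the label boundary. Pointing the RPZ entries at a sinkhole address instead of `CNAME .` would keep later lookups from still-infected hosts visible to the analyst.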