A security analyst needs to monitor decryption performance and identify sessions that are bypassing decryption due to policy or technical reasons. Which two monitoring tools or methods can provide this insight?
Decryption logs can be filtered to show sessions where decryption was not performed, including bypass reasons.
Why this answer
Option A is correct because decryption logs with a filter for 'decryption action not equal to decrypt' will show sessions that were not decrypted, including those bypassed due to policy (e.g., excluded URLs) or technical reasons (e.g., unsupported cipher suites). Option C is correct because the ACC > Decryption Overview provides a dashboard that visualizes decryption performance metrics, such as the number of sessions bypassed, decrypted, or failed, giving the analyst a high-level view of bypass activity.
Exam trap
The trap here is that candidates may confuse traffic logs with decryption logs, or assume that system logs contain decryption session details, when in fact decryption-specific logs and the ACC Decryption Overview are the correct sources for monitoring bypass activity.