A Security Analyst found multiple connection attempts from suspicious remote IP addresses to a local host on the DMZ over port 80. After checking related events, no successful exploits were detected. Upon checking internal documentation, this activity was part of an expected penetration test, which requires no immediate investigation.
How can the Security Analyst ensure results of the penetration test are retained?
A. Hide the offense and add a note with a reference to the penetration test findings
B. Protect the offense to not allow it to delete automatically after the offense retention period has elapsed
C. Close the offense and mark the source IP for Follow-Up to check if there are future events from the host
D. Email the Offense Summary to the penetration team so they have the offense id, add a note, and close the Offense
Answer: B
Explanation:
Reference:
http://www.ibm.com/support/knowledgecenter/SSKMKU/com.ibm.qradar.doc/c_qradar_Off_Retention.html