Question 7
Domain 6: Monitoring, Logging and Runtime Security
Why should investigators care whether suspicious actions occurred under a user identity or a ServiceAccount identity?
Correct answer: A
Explanation
User identities usually indicate human activity, while ServiceAccount identities are used by workloads and automation. Distinguishing them changes containment decisions because investigators must decide whether to disable a person’s access or isolate a service, and it helps determine whether the activity was "human-driven or workload-driven."
Why each option is right or wrong
A. It changes containment decisions and reveals whether the activity was likely human-driven or workload-driven
Identity type directly affects containment scope: a user account can usually be disabled or forced to reset credentials immediately, while a ServiceAccount is often tied to an application, scheduled job, or cluster workload and may require isolating the host, pod, or service instead of shutting down a person’s access. In incident response terms, that distinction determines whether the event is likely attributable to a human operator or to automated workload behavior, which changes both the triage path and the blast radius of any containment action.
B. There is no operational difference between those identities
Identity type affects attribution, triage, and containment, so the operational difference is significant.
C. ServiceAccounts cannot call the API
ServiceAccounts are commonly used by workloads specifically to authenticate and call APIs.
D. User identities never appear in audit logs
User identities generally do appear in audit logs and are central to forensic investigation.
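The triage step described in option A, as an added example that is not part of the original question or its explanation. It assumes the audit log is a Kubernetes API server audit log in JSON-lines form, where ServiceAccount tokens authenticate with the username form system:serviceaccount:NAMESPACE:NAME; the sample events are constructed here.

```python
import json

# Constructed sample Kubernetes audit events (not from the original page), one JSON
# object per line as the audit backend writes them; only the fields used below are kept.
SAMPLE_AUDIT_LOG = """\
{"verb":"list","user":{"username":"alice@example.com","groups":["system:authenticated"]},"objectRef":{"resource":"secrets","namespace":"prod"},"sourceIPs":["10.0.0.5"]}
{"verb":"get","user":{"username":"system:serviceaccount:prod:payments-api","groups":["system:serviceaccounts","system:authenticated"]},"objectRef":{"resource":"secrets","namespace":"prod","name":"db-creds"},"sourceIPs":["10.244.1.7"]}
{"verb":"get","user":{"username":"system:serviceaccount:prod:payments-api","groups":["system:serviceaccounts","system:authenticated"]},"objectRef":{"resource":"pods","namespace":"prod"},"sourceIPs":["10.244.1.7"]}
{"verb":"create","user":{"username":"system:kube-controller-manager","groups":["system:authenticated"]},"objectRef":{"resource":"pods","namespace":"prod"},"sourceIPs":["10.0.0.2"]}
"""

SA_PREFIX = "system:serviceaccount:"  # username form Kubernetes assigns to ServiceAccount tokens


def classify_identity(user):
    """Return (kind, namespace, name): kind is "serviceaccount", "component" or "user"."""
    name = user.get("username", "")
    # ServiceAccount principals carry the prefix; the "system:serviceaccounts" group corroborates it.
    if name.startswith(SA_PREFIX):
        ns, _, sa = name[len(SA_PREFIX):].partition(":")
        return "serviceaccount", ns, sa
    if name.startswith("system:"):  # control-plane components, nodes, anonymous
        return "component", None, name
    return "user", None, name  # anything else is a human (or externally managed) identity


def containment_hint(kind, ns, name):
    """Map identity type to the containment path the explanation above describes."""
    if kind == "user":
        return f"disable user {name} / force credential reset"
    if kind == "serviceaccount":
        return f"isolate workloads using serviceAccountName={name} in namespace {ns}"
    return f"review control-plane component {name} before taking any action"


def triage(audit_log, sensitive_resources=("secrets",)):
    """Group accesses to sensitive resources by principal, tagging identity type and hint."""
    findings = {}
    for line in audit_log.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("objectRef", {}).get("resource") not in sensitive_resources:
            continue
        kind, ns, name = classify_identity(ev.get("user", {}))
        entry = findings.setdefault(ev["user"]["username"], {
            "identity_type": kind, "events": 0, "source_ips": set(),
            "containment": containment_hint(kind, ns, name)})
        entry["events"] += 1
        entry["source_ips"].update(ev.get("sourceIPs", []))
    return findings
```

Running triage(SAMPLE_AUDIT_LOG) yields one finding for the human user and one for the ServiceAccount, each with the containment path matching its identity type; the controller-manager event is filtered out because it touched pods, not secrets.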