Exam CS0-003 topic 1 question 372 discussion

Actual exam question from CompTIA's CS0-003
Question #: 372
Topic #: 1

A SOC analyst observes reconnaissance activity from an IP address. The activity follows a pattern of short bursts toward a low number of targets. An open-source review shows that the IP has a bad reputation. The perimeter firewall logs indicate the inbound traffic was allowed. The destination hosts are high-value assets with EDR agents installed. Which of the following is the best action for the SOC to take to protect against any further activity from the source IP?

  • A. Add the IP address to the EDR deny list.
  • B. Create a SIEM signature to trigger on any activity from the source IP subnet detected by the web proxy or firewalls for immediate notification.
  • C. Implement a prevention policy for the IP on the WAF.
  • D. Activate the scan signatures for the IP on the NGFWs.
Suggested Answer: B
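Option B describes a SIEM watchlist rule: every event from the source IP's subnet, whether it was logged by the perimeter firewall or the web proxy and whether it was allowed or denied, raises an alert for immediate notification. The following is an added example (not part of the exam question or this site's content) that emulates such a rule in Python over a few constructed firewall/proxy log lines. The key=value log format, the device names `fw-edge` and `proxy-01`, and the watched subnet 203.0.113.0/24 (the TEST-NET-3 documentation range) are all assumptions chosen for the example; real SIEM field names depend on the product. The summary step also surfaces the "short bursts toward a low number of targets" pattern the analyst noticed, by counting events and distinct destinations per source.

```python
import ipaddress
from collections import defaultdict

# Constructed sample events (not from any real system). Format assumed:
# "<timestamp> device=<logsource> src=<ip> dst=<ip> dport=<port> action=<allow|deny>"
SAMPLE_LOGS = [
    "2024-05-01T10:00:01Z device=fw-edge src=203.0.113.45 dst=10.10.5.20 dport=22 action=allow",
    "2024-05-01T10:00:02Z device=fw-edge src=203.0.113.45 dst=10.10.5.20 dport=80 action=allow",
    "2024-05-01T10:00:03Z device=proxy-01 src=203.0.113.45 dst=10.10.5.21 dport=443 action=allow",
    "2024-05-01T10:00:04Z device=fw-edge src=198.51.100.7 dst=10.10.5.22 dport=443 action=allow",
    "2024-05-01T10:30:00Z device=fw-edge src=203.0.113.99 dst=10.10.5.20 dport=445 action=deny",
]

# Watchlist entry: the bad-reputation source's subnet (constructed, TEST-NET-3).
WATCHED_SUBNET = ipaddress.ip_network("203.0.113.0/24")
# Log sources the rule listens to, mirroring "web proxy or firewalls" in option B.
WATCHED_DEVICES = {"fw-edge", "proxy-01"}


def parse_event(line):
    """Parse one 'ts key=value ...' line into a dict; return None if malformed."""
    parts = line.split()
    if not parts:
        return None
    event = {"ts": parts[0]}
    for token in parts[1:]:
        if "=" not in token:
            return None
        key, value = token.split("=", 1)
        event[key] = value
    if "src" not in event or "device" not in event:
        return None
    try:
        event["src_ip"] = ipaddress.ip_address(event["src"])
    except ValueError:
        return None
    return event


def match_watchlist(lines, subnet=WATCHED_SUBNET, devices=WATCHED_DEVICES):
    """Emulate the SIEM rule: one alert per event whose source falls in the watched subnet.

    Denied traffic is alerted on too, since the rule is meant to fire on *any*
    activity from the source, not only on connections that got through.
    """
    alerts = []
    for line in lines:
        event = parse_event(line)
        if event is None or event["device"] not in devices:
            continue
        if event["src_ip"] in subnet:
            alerts.append({
                "rule": "watchlist-src-subnet",
                "ts": event["ts"],
                "device": event["device"],
                "src": event["src"],
                "dst": event.get("dst"),
                "dport": event.get("dport"),
                "action": event.get("action"),
            })
    return alerts


def summarize(alerts):
    """Per source IP: event count, distinct targets and log sources, for analyst triage.

    A high event count against very few distinct targets is the burst pattern
    described in the scenario.
    """
    summary = defaultdict(lambda: {"events": 0, "targets": set(), "devices": set()})
    for alert in alerts:
        entry = summary[alert["src"]]
        entry["events"] += 1
        entry["targets"].add(alert["dst"])
        entry["devices"].add(alert["device"])
    return dict(summary)


if __name__ == "__main__":
    hits = match_watchlist(SAMPLE_LOGS)
    for alert in hits:
        print(f"ALERT {alert['ts']} {alert['device']} {alert['src']} -> "
              f"{alert['dst']}:{alert['dport']} ({alert['action']})")
    for src, entry in summarize(hits).items():
        print(f"{src}: {entry['events']} events, {len(entry['targets'])} distinct target(s), "
              f"seen by {sorted(entry['devices'])}")
```

Running the script alerts on all four events from 203.0.113.0/24 (including the single denied SMB attempt) and ignores the 198.51.100.7 event, then reports that 203.0.113.45 produced three events against only two hosts, which is the kind of per-source view that lets the analyst judge whether a tactic shift has occurred rather than just whether one port probe was blocked.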

Comments

Cyde
2 months, 3 weeks ago
Selected Answer: D
I'm going with D because the security team is enabling specific security rules on the NGFWs to monitor and possibly block malicious activities associated with a particular IP address based on known threat signatures.
upvoted 1 times
Cyde
2 months, 3 weeks ago
And the question says "...the best action for the SOC to take to protect against any further activity from the source IP"...
upvoted 1 times
Popeyes_Chicken
3 months ago
Selected Answer: B
Stuck between B and D depending on what "further activity" entails, but I'm going with B. Preventing a precursor to a potential attack doesn't seem like it covers the full scope of what they're looking for in "further activity". However, using a SIEM to trigger on any activity from the source would allow an analyst to respond more effectively to tactic shifts / provide a wider safety net. D seems too narrow.
upvoted 4 times
Wolf541
3 months ago
Selected Answer: A
According to ChatGPT: Adding the IP address to the EDR (Endpoint Detection and Response) deny list is the best immediate action in this scenario because it blocks further potential malicious activity from the source IP at the endpoint level. This approach directly protects the high-value assets, which already have EDR agents installed. It ensures the IP cannot interact with those critical systems, even if the traffic reaches them.
upvoted 1 times
Popeyes_Chicken
3 months ago
EDR works at the endpoint level. It doesn't prevent further reconnaissance at the network perimeter.
upvoted 3 times
Community vote distribution: A (35%), C (25%), B (20%), Other