
Exam CS0-002 topic 1 question 368 discussion

Actual exam question from CompTIA's CS0-002
Question #: 368
Topic #: 1

A security analyst who works in the SOC receives a new requirement to monitor for indicators of compromise. Which of the following is the first action the analyst should take in this situation?

  • A. Develop a dashboard to track the indicators of compromise.
  • B. Develop a query to search for the indicators of compromise.
  • C. Develop a new signature to alert on the indicators of compromise.
  • D. Develop a new signature to block the indicators of compromise.
Suggested Answer: B

Comments

Chilaqui1es
1 year, 8 months ago
Why would it not be A? It says to monitor. Creating a dashboard (e.g. in a SIEM) is for monitoring.
upvoted 1 times
SecurityGuyPP
1 year, 8 months ago
Before you build a monitor, how do you know what to monitor? Thus, making a query/knowing what to search for will have to come first, before you know what to monitor. Answer is B.
upvoted 1 times
SimonR2
1 year, 11 months ago
It should be in this order from start to finish: B. Develop a query to search for the indicators of compromise. C. Develop a new signature to alert on the indicators of compromise. A. Develop a dashboard to track the indicators of compromise. D. Develop a new signature to block the indicators of compromise. You can't possibly make an alert on an IOC unless you have defined the relevant search terms to find them first. Answer B.
upvoted 3 times
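The order SimonR2 describes (query first, then an alerting signature, then a tracking dashboard) can be shown end to end in code. The following is an added example written for this page, not code from the exam, CompTIA or any commenter; the IOC values, log lines and the key=value log format are all constructed for illustration and are not real indicators.

```python
"""Worked example of the B -> C -> A ordering: search for IOCs first,
derive an alerting signature from the confirmed indicator set, then
summarise hits for a dashboard. All data below is constructed."""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed indicator set (documentation-range IPs, a fake domain and
# a fake hash), keyed by indicator type. Not real IOCs.
IOCS = {
    "ip": {"203.0.113.45", "198.51.100.7"},
    "domain": {"malicious.example"},
    "sha256": {"ab" * 32},
}

# Constructed log lines in a simple "<ts> <source> key=value ..." format.
LOGS = [
    "2024-05-01T10:00:01Z fw src=10.0.0.5 dst=203.0.113.45 action=allow",
    "2024-05-01T10:00:02Z dns host=ws01 query=malicious.example type=A",
    "2024-05-01T10:00:03Z fw src=10.0.0.9 dst=192.0.2.10 action=allow",
    "2024-05-01T10:00:04Z edr host=ws02 file=invoice.exe sha256=" + "ab" * 32,
    "2024-05-01T10:00:05Z fw src=10.0.0.5 dst=203.0.113.45 action=allow",
]

KV = re.compile(r"(\w+)=(\S+)")


@dataclass(frozen=True)
class Hit:
    line_no: int
    ioc_type: str
    value: str
    host: str


def parse(line):
    """Split a constructed log line into (timestamp, source, {key: value})."""
    ts, source, rest = line.split(" ", 2)
    return ts, source, dict(KV.findall(rest))


def search_iocs(logs, iocs):
    """Step B (the query): scan every line for any value in the IOC sets.
    This is what tells the analyst whether the indicators occur at all."""
    hits = []
    for n, line in enumerate(logs, 1):
        _, source, fields = parse(line)
        host = fields.get("host") or fields.get("src") or source
        for value in fields.values():
            v = value.lower()
            for ioc_type, values in iocs.items():
                if v in values:
                    hits.append(Hit(n, ioc_type, v, host))
    return hits


def build_alert_pattern(iocs):
    """Step C (the signature): once the query has confirmed the indicator
    set is worth alerting on, compile it into a single matching rule."""
    values = sorted(v for s in iocs.values() for v in s)
    return re.compile("|".join(re.escape(v) for v in values), re.IGNORECASE)


def alert(line, pattern):
    """Apply the signature to one new log line; True means the alert fires."""
    return pattern.search(line) is not None


def dashboard_counts(hits):
    """Step A (the dashboard): hits per indicator value and per host."""
    return Counter(h.value for h in hits), Counter(h.host for h in hits)


if __name__ == "__main__":
    found = search_iocs(LOGS, IOCS)
    for h in found:
        print(f"line {h.line_no}: {h.ioc_type} {h.value} on {h.host}")
    by_value, by_host = dashboard_counts(found)
    print("per indicator:", dict(by_value))
    print("per host:", dict(by_host))
```

The query step is deliberately the only one that touches the raw logs; the signature and dashboard are derived from its result, which is the point the thread makes about why B comes first.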
justauser
2 years ago
Selected Answer: B
Agree with karpal
upvoted 1 times
karpal
2 years ago
Selected Answer: B
B and C match; I tend towards B. A query searches all the systems integrated in a SIEM (end hosts, logs from NetFlow, from switches, etc.). A signature refers to an IPS or maybe a HIPS. I first want to know if I was breached. So query first, signature later.
upvoted 4 times
CyberCEH
2 years, 1 month ago
Answer B
upvoted 2 times
Hershey2025
2 years, 1 month ago
The first two do not make sense. You cannot write a query to search for IOCs. I would go with C.
upvoted 1 times
Hershey2025
2 years, 1 month ago
Also I am not sure how one can develop a dashboard but it sounds like a good idea.
upvoted 1 times
kill_chain
1 year, 11 months ago
In the SOC that's what we do with new IOCs. At least the first thing: run a query. With a query you can build a correlation rule, which can use different methods of alerting, one of which can be a dashboard, which needs constant monitoring.
upvoted 1 times
ZUL01
2 years, 1 month ago
Selected Answer: C
@NerdAlert me neither. However, I would probably develop a new signature to alert on IoC activity. Why not block? As the question states: we must MONITOR the activity. When the alert comes in to our SIEM, we can then investigate the offense and check if this activity is a FP or a real threat.
upvoted 2 times
NerdAlert
2 years, 1 month ago
I don't understand this one. Anyone who knows and can explain?
upvoted 1 times
Community vote distribution
A (35%)
C (25%)
B (20%)
Other