
Exam CS0-003 topic 1 question 372 discussion

Actual exam question from CompTIA's CS0-003
Question #: 372
Topic #: 1

A SOC analyst observes reconnaissance activity from an IP address. The activity follows a pattern of short bursts toward a low number of targets. An open-source review shows that the IP has a bad reputation. The perimeter firewall logs indicate the inbound traffic was allowed. The destination hosts are high-value assets with EDR agents installed. Which of the following is the best action for the SOC to take to protect against any further activity from the source IP?

  • A. Add the IP address to the EDR deny list.
  • B. Create a SIEM signature to trigger on any activity from the source IP subnet detected by the web proxy or firewalls for immediate notification.
  • C. Implement a prevention policy for the IP on the WAF.
  • D. Activate the scan signatures for the IP on the NGFWs.
Suggested Answer: B
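The SIEM rule that answer B describes, as an added example that is not part of the exam page: a small Python detector run over constructed perimeter-firewall log lines. It fires on any event whose source falls in an assumed bad-reputation subnet (203.0.113.0/24, a documentation range chosen for the demo), allowed or denied, and summarises the "short bursts toward a low number of targets" pattern from the question stem so an analyst can see size and target count per burst.

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed firewall log lines for the demo (not real traffic or IoCs).
SAMPLE_LOGS = """\
2024-05-01T08:00:00 src=203.0.113.7 dst=10.10.1.20 dport=22 action=ALLOW
2024-05-01T08:00:02 src=203.0.113.7 dst=10.10.1.20 dport=443 action=ALLOW
2024-05-01T08:00:03 src=203.0.113.7 dst=10.10.1.21 dport=445 action=ALLOW
2024-05-01T08:00:05 src=198.51.100.9 dst=10.10.1.20 dport=443 action=ALLOW
2024-05-01T09:30:00 src=203.0.113.7 dst=10.10.1.21 dport=3389 action=DENY
2024-05-01T09:30:01 src=203.0.113.7 dst=10.10.1.20 dport=8080 action=ALLOW
2024-05-01T11:00:00 src=203.0.113.40 dst=10.10.1.22 dport=80 action=ALLOW
""".splitlines()

# Assumed bad-reputation range from the open-source review (placeholder value).
WATCHED_SUBNET = ipaddress.ip_network("203.0.113.0/24")

def parse_line(line):
    """Turn 'timestamp key=value ...' into a dict with a datetime 'ts'."""
    ts, *kvs = line.split()
    ev = dict(kv.split("=", 1) for kv in kvs)
    ev["ts"] = datetime.fromisoformat(ts)
    return ev

def watched_events(lines, subnet=WATCHED_SUBNET):
    """Answer-B rule: match ANY event from the subnet, ALLOW or DENY alike."""
    return [ev for ev in map(parse_line, lines)
            if ipaddress.ip_address(ev["src"]) in subnet]

def burst_profile(events, gap=timedelta(seconds=30)):
    """Group each source's events into bursts separated by `gap` of silence,
    recording how many events and how many distinct targets each burst has."""
    bursts = []
    key = lambda e: (ipaddress.ip_address(e["src"]), e["ts"])
    for ev in sorted(events, key=key):
        last = bursts[-1] if bursts else None
        if last and last["src"] == ev["src"] and ev["ts"] - last["last"] <= gap:
            b = last
        else:
            b = {"src": ev["src"], "start": ev["ts"], "targets": set(), "count": 0}
            bursts.append(b)
        b["last"] = ev["ts"]
        b["count"] += 1
        b["targets"].add(ev["dst"])
    return bursts

def alert_lines(lines):
    """One notification string per burst seen from the watched subnet."""
    return ["ALERT src=%s start=%s events=%d targets=%d"
            % (b["src"], b["start"].isoformat(), b["count"], len(b["targets"]))
            for b in burst_profile(watched_events(lines))]
```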

Comments

Popeyes_Chicken
Highly Voted 4 months ago
Selected Answer: B
Stuck between B and D depending on what "further activity" entails, but I'm going with B. Preventing a precursor to a potential attack doesn't seem like it covers the full scope of what they're looking for in "further activity". However, using a SIEM to trigger on any activity from the source would allow an analyst to respond more effectively to tactic shifts / provide a wider safety net. D seems too narrow.
upvoted 5 times
Justheretolook
Most Recent 1 week, 4 days ago
Selected Answer: D
The best action for the SOC to take in this scenario is: D. Activate the scan signatures for the IP on the NGFWs.

Here's why:
  • The activity involves reconnaissance in short bursts, which is often indicative of scanning or probing behavior.
  • The perimeter firewall is currently allowing the traffic, which means the source IP is not yet being blocked.
  • The NGFW (Next-Generation Firewall) can inspect traffic and apply intrusion prevention signatures or scan detection policies.
  • Activating scan signatures for that IP will help detect and block future scanning behavior at the network edge, preventing further reconnaissance attempts.
upvoted 1 times
Only12go
3 weeks, 3 days ago
Selected Answer: D
  • A. Add the IP to the EDR deny list: EDR operates on endpoints. While the destination hosts are covered, this won't prevent initial connection attempts or protect other network assets.
  • B. Create a SIEM signature for alerting: Helpful for visibility, but reactive only—doesn't block the activity. Good for correlation, but not a defense action.
  • C. Implement WAF policy: A WAF is only effective against HTTP/S traffic targeting web applications. If the reconnaissance includes non-web protocols (which is likely), this won't stop it.

Summary: D is the most comprehensive and proactive defense measure—it ensures reconnaissance from that IP is detected and blocked at the perimeter, protecting all internal assets, not just those with EDR.
upvoted 2 times
Cyde
4 months ago
Selected Answer: D
I'm going with D because the security team is enabling specific security rules on the NGFWs to monitor and possibly block malicious activities associated with a particular IP address based on known threat signatures.
upvoted 1 times
Cyde
4 months ago
and the question says ..."the best action for the SOC to take to protect against any further activity from the source IP"...
upvoted 1 times
Wolf541
4 months, 1 week ago
Selected Answer: A
According to ChatGPT: Adding the IP address to the EDR (Endpoint Detection and Response) deny list is the best immediate action in this scenario because it blocks further potential malicious activity from the source IP at the endpoint level. This approach directly protects the high-value assets, which already have EDR agents installed. It ensures the IP cannot interact with those critical systems, even if the traffic reaches them.
upvoted 1 times
Popeyes_Chicken
4 months ago
EDR works at the endpoint level. It doesn't prevent further reconnaissance at the network perimeter.
upvoted 4 times
Community vote distribution: A (35%), C (25%), B (20%), Other