Exam CS0-002 topic 1 question 162 discussion

B is most in line of sight to what the question is asking. best chance of detecting this activity in the first line it says "the team has seen this same traffic" prior to that it says "an analyst realizes" this indicates to me that only 1 person on the team has become aware of it and the next thing he should do is make it known to the rest of the team. it was already deduced that the traffic was related to malicious activity so i dont think the threat team needs to analyze it more plus that still wont allow them to actually detect it faster and more often

Seems like if an analyst has seen this 3 times in a week and it resulted in confirmed malware activity, then it should be actively communicated to the threat team so they take some proactive actions for it (like create an alert???). Noting the incident seems like a passive response to a known threat for this repetative issue. Especially since there have been 3 other incidents...apparently no one is reading the incident reports... I also understand these test questions sometimes don't quite line up with reality. So I see how it could also be B.

Duplicate question but answer B is different which is what I was leaning towards. So i guess it’s C #333

C. Communicate the security incident to the threat team for further review and analysis. By communicating the security incident to the threat team, the analyst ensures that the traffic patterns and indicators of compromise are properly analyzed and documented. The threat team can then work on developing and implementing appropriate detection and alerting mechanisms to identify similar traffic in the future, thus increasing the chance of detecting such incidents. This approach helps to improve the overall security posture of the organization.

C seems the most textbook way of responding to the incident rather than "taking note"

C. Incident has been resolved.

C, because the incident has been resolved already therefore it has been communicated to the team which means a post mortem (b) has been done already.

And what will seal the deal for C is there is no other alert for this . Threat team can create that rule/alert for the SIEM and have the engineers implement it. The rule alerts everyone automatically. Definitely C if you read the question very well.

C. Threat team can review it and give every other IOC related to it and they can be blocked either by automation or by spreading the word to other analysts. I know telling other analysts is how it works in real life but you can never tell with comptia. The most simple answer is never always right lol

"increase the chance of detecting this traffic in the future"

I believe it would be B. The quickest way is to notify other analyst of the traffic so they can watch for it. Usually analyst notes are made and shared.

B doesn't help.

I am voting for C.

C is the smartest choice.