CompTIA CySA+ (CS0-001) — Question 10
A cybersecurity analyst has several SIEM event logs to review for possible APT activity. The analyst was given several items that include lists of indicators for both IP addresses and domains. Which of the following actions is the BEST approach for the analyst to perform?
Answer options
- A. Use the IP addresses to search through the event logs.
- B. Analyze the trends of the events while manually reviewing to see if any of the indicators match.
- C. Create an advanced query that includes all of the indicators, and review any of the matches.
- D. Scan for vulnerabilities with exploits known to have been used by an APT.
Correct answer: B
Explanation
The best approach is to analyze the trends of the events while manually reviewing to see whether any of the indicators match (option B), because this lets the analyst identify patterns and context that an automated query alone may not capture. Option A searches only on the IP addresses, so it ignores the domain indicators the analyst was also given. Option C could be effective, but a match-only query may overlook the nuanced trends that manual analysis can reveal. Option D is a vulnerability scan of the environment, which does not identify ongoing APT activity in the existing logs.