CompTIA CySA+ (CS0-002) — Question 138
A security analyst is reviewing WAF logs and notes requests against the corporate website are increasing and starting to impact the performance of the web server. The security analyst queries the logs for requests that triggered an alert on the WAF but were not blocked. Which of the following possible TTP combinations might warrant further investigation? (Choose two.)
Answer options
- A. Requests identified by a threat intelligence service with a bad reputation
- B. Requests sent from the same IP address using different user agents
- C. Requests blocked by the web server per the input sanitization
- D. Failed log-in attempts against the web application
- E. Requests sent by NICs with outdated firmware
- F. Existence of HTTP/501 status codes generated to the same IP address
Correct answer: A, B
Explanation
Option A warrants investigation because requests from sources that a threat intelligence service has flagged with a bad reputation could indicate malicious intent. Option B is also suspicious because sending requests from the same IP address with different user agents can signify an attempt to evade detection. The other options either involve legitimate requests or are not directly relevant to the increased load on the web server.