CompTIA CySA+ (CS0-002) — Question 204
A security analyst who works in the SOC receives a new requirement to monitor for indicators of compromise. Which of the following is the first action the analyst should take in this situation?
Answer options
- A. Develop a dashboard to track the indicators of compromise.
- B. Develop a query to search for the indicators of compromise.
- C. Develop a new signature to alert on the indicators of compromise.
- D. Develop a new signature to block the indicators of compromise.
Correct answer: B
Explanation
The correct first step is to develop a query to search for the indicators of compromise, because a query is what actually determines whether those indicators are present in the environment's data. Creating a dashboard or a signature is premature without first establishing the queries that detect the indicators in the environment; both build on detection logic that does not yet exist.