CompTIA CySA+ (CS0-002) — Question 24
During a review of SIEM alerts, a security analyst discovers the SIEM is receiving many alerts per day from the file-integrity monitoring tool about files from a newly deployed application that should not change. Which of the following steps should the analyst complete FIRST to respond to the issue?
Answer options
- A. Warn the incident response team that the server can be compromised.
- B. Open a ticket informing the development team about the alerts.
- C. Check if temporary files are being monitored.
- D. Dismiss the alert, as the new application is still being adapted to the environment.
Correct answer: C
Explanation
The correct answer is C. A flood of file-integrity alerts from a newly deployed application most often means the monitoring scope is wrong: the tool has been pointed at directories that hold temporary, cache, log or lock files, which legitimately change at runtime, instead of only at the binaries and configuration that should stay static. Checking whether such files are in scope is the FIRST step because it is quick, needs no escalation, and establishes what the alerts actually mean. Options A and B escalate before the analyst knows whether there is anything to escalate; raising an incident or opening a ticket over what may be a tuning problem wastes responders' time and erodes trust in the SIEM. Option D is worse: dismissing the alerts because the application is new suppresses exactly the signal FIM exists to provide, so a real compromise would be missed. The check also has a second half: if, after excluding the volatile files, alerts still show changes to files that genuinely should not change (the application's executables or configuration), the analyst should then escalate to the incident response team.
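The triage described above, as an added example that is not part of the original question or any FIM product's code: it takes FIM alerts in JSON-lines form (a constructed sample is embedded), separates paths that look like temporary, cache, log or lock files from paths that should be static, proposes the directories to exclude from the monitoring baseline, and lists the static-file changes that still need escalation. The path patterns, the sample alerts and the /opt/newapp layout are assumptions made for the example.

```python
"""Triage of file-integrity-monitoring (FIM) alerts: separate files that
legitimately change at runtime (temp, cache, log, lock files) from changes
to files that should be static, which are the ones worth escalating.
All paths, patterns and alerts here are constructed for this example and
are not the output of any particular FIM tool."""

import fnmatch
import json
import posixpath
from collections import Counter

# Assumed conventions for runtime-volatile locations under an application
# root. A real deployment derives these from the application's own
# documentation and from observing its first days of operation.
VOLATILE_DIR_PATTERNS = ("*/tmp/*", "*/temp/*", "*/cache/*", "*/logs/*", "*/run/*")
VOLATILE_FILE_PATTERNS = ("*.tmp", "*.log", "*.pid", "*.lock", "*.swp", "*.cache")

# Constructed sample: one JSON object per line, the shape many FIM tools
# forward to a SIEM. Six alerts are runtime noise, two are real changes.
SAMPLE_ALERTS = """\
{"path": "/opt/newapp/tmp/sess_a1b2.tmp", "event": "modified"}
{"path": "/opt/newapp/tmp/sess_c3d4.tmp", "event": "created"}
{"path": "/opt/newapp/cache/render.cache", "event": "modified"}
{"path": "/opt/newapp/logs/app.log", "event": "modified"}
{"path": "/opt/newapp/logs/app.log", "event": "modified"}
{"path": "/opt/newapp/var/run/newapp.pid", "event": "created"}
{"path": "/opt/newapp/bin/newapp", "event": "modified"}
{"path": "/opt/newapp/etc/newapp.conf", "event": "modified"}
"""


def is_volatile(path: str) -> bool:
    """True if the path looks like a file expected to change at runtime.

    fnmatch's '*' matches across '/' so the directory patterns apply at any
    depth; the file patterns are matched against the basename only."""
    name = posixpath.basename(path)
    return any(fnmatch.fnmatch(path, p) for p in VOLATILE_DIR_PATTERNS) or any(
        fnmatch.fnmatch(name, p) for p in VOLATILE_FILE_PATTERNS
    )


def parse_alerts(jsonl: str) -> list:
    """Parse JSON-lines alerts; skip blank or malformed lines rather than
    abort triage, and keep only records that carry a string path."""
    alerts = []
    for line in jsonl.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(rec.get("path"), str):
            alerts.append(rec)
    return alerts


def triage(jsonl: str) -> dict:
    """Split alerts into scoping noise and genuine static-file changes.

    Returns alert counts per class, the directories to propose as FIM
    exclusions (the answer to "are temporary files being monitored?"), and
    the static paths whose modification should go to incident response."""
    alerts = parse_alerts(jsonl)
    per_class = Counter()
    exclude_dirs = set()
    escalate = set()
    for rec in alerts:
        path = rec["path"]
        if is_volatile(path):
            per_class["volatile"] += 1
            exclude_dirs.add(posixpath.dirname(path))
        else:
            per_class["static"] += 1
            escalate.add(path)
    return {
        "total": len(alerts),
        "volatile": per_class["volatile"],
        "static": per_class["static"],
        "proposed_exclusions": sorted(exclude_dirs),
        "escalate": sorted(escalate),
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_ALERTS), indent=2))
```

Run against the sample, the script attributes six of the eight alerts to the tmp, cache, logs and run directories, which is the scoping problem option C is about, and leaves the application binary and its configuration file on the escalation list, which is the point at which option A becomes the right next step.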