CompTIA CySA+ (CS0-002) — Question 306

A security analyst is concerned the number of security incidents being reported has suddenly gone down. Daily business interactions have not changed, and no additional security controls have been implemented. Which of the following should the analyst review FIRST?

Answer options

• A. The DNS configuration
• B. Privileged accounts
• C. The IDS rule set
• D. The firewall ACL

Correct answer: C

Explanation

The analyst should review the IDS rule set first because a reduction in reported incidents may indicate that the intrusion detection system is not functioning properly or is misconfigured, leading to missed detections. The other options, while important, do not directly address the issue of incident reporting and may not provide immediate insights into the potential failure of security monitoring.