CompTIA CySA+ (CS0-003) — Question 228

A SOC analyst observes reconnaissance activity from an IP address. The activity follows a pattern of short bursts toward a low number of targets. An open-source review shows that the IP has a bad reputation. The perimeter firewall logs indicate the inbound traffic was allowed. The destination hosts are high-value assets with EDR agents installed. Which of the following is the best action for the SOC to take to protect against any further activity from the source IP?

Answer options

• A. Add the IP address to the EDR deny list.
• B. Create a SIEM signature to trigger on any activity from the source IP subnet detected by the web proxy or firewalls for immediate notification.
• C. Implement a prevention policy for the IP on the WAF.
• D. Activate the scan signatures for the IP on the NGFWs.

Correct answer: D

Explanation

The correct answer is D because activating the scan signatures on the NGFWs allows for proactive detection and mitigation of any malicious activity from the identified IP. Options A and C do not provide immediate response capabilities, while B, though useful for monitoring, does not actively prevent further actions from the source IP.