CompTIA CySA+ (CS0-003) — Question 311
A WAF weekly report shows that a daily spike occurs from the same subnet. An open-source review indicates the IP addresses belong to a legitimate internet service provider but have been flagged for DDoS attacks and reconnaissance scanning in the past year. Which of the following actions should a SOC analyst take first in response to these traffic uptick activities?
Answer options
- A. Recommend a firewall rule implementation to deny all traffic from the IP subnet.
- B. Continue monitoring because the traffic spike did not cause any security notifications or concerns.
- C. Review the network logs to identify the context of traffic and what action was taken.
- D. Check the resource consumption levels to determine whether the uptick is due to a device performance issue.
Correct answer: C
Explanation
The correct answer is C because reviewing the network logs establishes the context of the traffic increase (what the requests were and how existing controls handled them), which allows an informed decision on any further response. Answer A may be too drastic without that context, and B dismisses the potential risk associated with IP addresses flagged for prior DDoS and reconnaissance activity. Answer D addresses device performance, which is not the primary concern given the history associated with the IPs.