CompTIA CySA+ (CS0-003) — Question 319

A third-party assessment of a recent incident determined that the incident response team spent too long trying to get the scope needed for the incident timeline and too much time was spent searching for false positives. Which of the following should the team work on first?

Answer options

• A. Playbook edits
• B. Ticket system automation
• C. Detection tuning
• D. Standard operating procedure refinement

Correct answer: C

Explanation

The correct answer is C, Detection tuning, as it directly addresses the issue of identifying false positives and refining detection capabilities. The other options, while important, do not immediately resolve the problem of inefficiencies in the incident response process.