CompTIA CySA+ (CS0-003) — Question 363
A report contains IoC and TTP information for a zero-day exploit that leverages vulnerabilities in a specific version of a web application. Which of the following actions should a SOC analyst take first after receiving the report?
Answer options
- A. Implement a vulnerability scan to determine whether the environment is at risk.
- B. Block the IP addresses and domains from the report in the web proxy and firewalls.
- C. Verify whether the information is relevant to the organization.
- D. Analyze the web application logs to identify any suspicious or malicious activity.
Correct answer: C
Explanation
The correct first action is to confirm whether the information is relevant to the organization, for example whether the affected web application (and the specific vulnerable version) is actually deployed in its environment. This ensures that response resources are directed based on the actual threat. Running a vulnerability scan, blocking IP addresses and domains, or analyzing web application logs may be premature if the reported threat does not pertain to the organization's environment.