CompTIA CySA+ (CS0-003) — Question 451
A web application team notifies a SOC analyst that there are thousands of HTTP/404 events on the public-facing web server. Which of the following is the next step for the analyst to take?
Answer options
- A. Instruct the firewall engineer that a rule needs to be added to block this external server
- B. Escalate the event to an incident and notify the SOC manager of the activity
- C. Notify the incident response team that there is a DDoS attack occurring
- D. Identify the IP/hostname for the requests and look at the related activity
Correct answer: D
Explanation
The correct answer is D: the analyst should first identify the source IP/hostname of the requests and review its related activity, because that context determines what the HTTP/404 events actually represent. Options A and C are premature, since they act on an assumed attacker or attack type before any investigation has been done, and B escalates the event to an incident before the activity has been triaged.