CompTIA CySA+ (CS0-003) — Question 50
Which of the following would help an analyst to quickly find out whether the IP address in a SIEM alert is a known-malicious IP address?
Answer options
- A. Join an information sharing and analysis center specific to the company's industry
- B. Upload threat intelligence to the IPS in STIX/TAXII format
- C. Add data enrichment for IPs in the ingestion pipeline
- D. Review threat feeds after viewing the SIEM alert
Correct answer: C
Explanation
The correct answer, C, relies on enriching IP addresses with threat intelligence during ingestion, so that an alert already carries the IP's reputation context when the analyst sees it and a known-malicious IP can be identified immediately. Options A and B may improve the organization's overall threat intelligence but do not add immediate context to a specific alert. Option D is a reactive approach, since looking up threat feeds only after viewing the alert delays the response.