Certified SOC Analyst (CSA v2) — Question 7
A government agency responsible for protecting sensitive information needs to monitor its network for unusual data exfiltration attempts. Since traditional log data alone is insufficient to identify suspicious traffic patterns, the SIEM team decides to integrate traffic flow data into their system. This data will help detect anomalies, such as large data transfers to unauthorized destinations or unexpected traffic spikes. The team must choose the appropriate protocol to collect IP traffic information from network devices like routers and switches. Which protocol should be used to collect this data?
Answer options
- A. Syslog
- B. SNMP (Simple Network Management Protocol)
- C. IPFIX (IP Flow Information Export)
- D. NetFlow (RFC 3954)
Correct answer: C
Explanation
The correct answer is C, IPFIX (IP Flow Information Export). IPFIX is designed specifically to export flow records, which summarize traffic between endpoints rather than individual packets, from routers, switches and other network devices to a collector, making it the right choice for feeding traffic-pattern data into a SIEM. Syslog carries event log messages rather than flow data; SNMP is used for device management and monitoring, not per-flow reporting; and NetFlow (RFC 3954) is a specific implementation of flow reporting that may not be as universally supported as the IETF-standard IPFIX.