A security analyst who works in the SOC receives a new requirement to monitor for indicators of compromise.
Which of the following is the first action the analyst should take in this situation?
A. Develop a dashboard to track the indicators of compromise.
B. Develop a query to search for the indicators of compromise.
C. Develop a new signature to alert on the indicators of compromise.
D. Develop a new signature to block the indicators of compromise.
Answer: B
Explanation:
Developing a query to search for the indicators of compromise is the first action the analyst should take in this situation. Indicators of compromise (IOCs) are pieces of information that suggest a system or network has been compromised by an attacker. IOCs can include IP addresses, domain names, file hashes, URLs, or other artifacts associated with malicious activity. Developing a query to search for IOCs helps identify any potential incidents or threats already present in the environment and initiates further investigation or response; dashboards and signatures build on that initial search.
Reference: https://www.crowdstrike.com/cybersecurity-101/incident-response/indicators-of-compromise/