Question: SOC Analyst Path - Using Threat Intelligence

The second question in the “Using Threat Intelligence” Lesson says:

If we receive an alarm from the threat intelligence product we use indicating that an IP address of our organization has been blacklisted. How should we handle the incident?

A- The reason why the IP address is blacklisted should be determined.
B- The reputation should be corrected by contacting the vendor whose IP address is blacklisted.
C- The IP address should be disabled.
D- A search should be made for the server to which the IP address points.

In the lesson itself, regarding the blacklist case, we read:

If it is a blacklist case, we should investigate the root cause and determine on what sources it has been blacklisted. 

Reading the latter, I would expect that the correct answer is “A”, but it’s not. Can anyone explain why?

Hello @vpiserchia,

It looks like there was some confusion in the question. Apart from option C, the other approaches seem to be correct. It would be more appropriate for the question to ask, “Which of the following approaches is incorrect?”

I have informed the relevant team, and they mentioned that the question will be revised.

Thank you for your feedback!