A web application was updated at 10:00. At 10:05, the SIEM reports a sharp rise in HTTP 500 errors and WAF blocks from the same source range. The application owner says customers are seeing failures only on the new checkout page. What is the best next step?

Close the incident because the WAF is blocking the suspicious traffic.

WAF activity alone does not prove an attack, and the customer-facing failures still need investigation.

Disable all customer accounts until the failures disappear from the dashboard.

Disabling accounts is not targeted to the problem and would create unnecessary business disruption.

Increase the server's disk space and memory thresholds immediately.

Resource tuning may help some outages, but the log pattern points first to correlation and root-cause analysis.

What does this SY0-701 question test?

Read the scenario before looking for a memorised answer.

What is the correct answer to this question?

The correct answer is: Correlate deployment, WAF, and application logs to determine whether the release or an attack caused the failures. — This is the best next step because the timing strongly suggests either a bad deployment or an exploit attempt against the new checkout page. Correlating release records with WAF events and application logs helps determine whether the errors are caused by a coding defect, an input validation issue, or hostile traffic. That analysis lets the team respond appropriately instead of assuming the WAF alone has solved the problem. Why others are wrong: A confuses blocking activity with resolving the underlying issue. C is overly broad and would harm users without proving the source of the outage. D is a generic troubleshooting step that does not address the strong correlation between the release and the sudden error increase.

What should I do if I get this SY0-701 question wrong?

Then try more questions from the same exam bank and focus on understanding why the wrong options are tempting.