Certified SOC Analyst Dump - Correct Answers PDF

Summary

This document contains a large number of practice questions and answers on security operations, focusing on questions that are related to security analysis and practices. They appear to be practice questions for a certified SOC Analyst exam.

Full Transcript

No. Question Text Answers Correct Answer Source
A. Nmap
Which of the following tool can be used to filter web requests associated B. UrlScan
1 B L6 P226
with the SQL Injection attack? C. ZAP proxy
D. Hydra
A. Slow DoS Attack
Identify the attack in which the attacker exploits a target system through publicly B. DHCP Starvation
2 C Logic
known but still unpatched vulnerabilities. C. Zero-Day Attack
D. DNS Poisoning Attack
A. Collect, Ingest, Validate, Document, Report, Respond
B. Collect, Ingest, Document, Validate, Report, Respond
3 What is the correct sequence of SOC Workflow? D M1 P18
C. Collect, Respond, Validate, Ingest, Report, Document
D. Collect, Ingest, Validate, Report, Respond, Document
Charline is working as an L2 SOC Analyst. One day, an L1 SOC Analyst
A. She should immediately escalate this issue to the management
escalated an incident to her for further investigation and confirmation.
B. She should immediately contact the network administrator to solve the problem
4 Charline, after a thorough investigation, confirmed the incident and assigned it D M1 P18
C. She should communicate this incident to the media immediately
with an initial priority.
D. She should formally raise a ticket and forward it to the IRT
What would be her next action according to the SOC workflow?
An attacker, in an attempt to exploit the vulnerability in the dynamically generated
A. Cross-site Scripting Attack
welcome page, inserted code at the end of the company’s URL as follows:
B. SQL Injection Attack
5 http://technosoft.com.com/alert("WARNING: The application has A M2 P114
C. Denial-of-Service Attack
encountered an error");.
D. Session Attack
Identify the attack demonstrated in the above scenario.
An attacker exploits the logic validation mechanisms of an e-commerce website.
He successfully purchases a product worth $100 for $10 by modifying the URL
exchanged between the client and the server. A. Denial-of-Service Attack
Original URL: B. SQL Injection Attack
6 C M2 P120
http://www.buyonline.com/product.aspx?profile=12&debit=100 C. Parameter Tampering Attack
Modified URL: D. Session Fixation Attack
http://www.buyonline.com/product.aspx?profile=12&debit=10
Identify the attack depicted in the above scenario.
A. Directory Traversal Attack
Jane, a security analyst, while analyzing IDS logs, detected an event matching
B. Parameter Tampering Attack
7 Regex /((\)/|. C M2 P142
C. XSS Attack
What does this event log indicate?
D. SQL Injection Attack
Identify the attack when an attacker by several trial and error can read the A. Directory Traversal Attack
contents of a password file present in the restricted etc folder just by B. SQL Injection Attack
8 A M2 P145
manipulating the URL in the browser as shown: C. Denial-of-Service Attack
http://www.terabytes.com/process.php./../../../../etc/passwd D. Form Tampering Attack
A. Tactics, Techniques, and Procedures
Properly applied cyber threat intelligence to the SOC team help them in
B. Tactics, Threats, and Procedures
9 discovering TTPs. A M2 P60
C. Targets, Threats, and Process
What does these TTPs refer to?
D. Tactics, Targets, and Process
A. DoS Attack
Identify the attack, where an attacker tries to discover all the possible information B. Man-In-Middle Attack
10 D M2 P65
about a target network before launching a further attack. C. Ransomware Attack
D. Reconnaissance Attack
A. Network Scanning
What is the process of monitoring and capturing all data packets passing through B. DNS Footprinting
11 C M2 P70
a given network using different tools? C. Network Sniffing
D. Port Scanning
A. Hybrid Attack
Which attack works like a dictionary attack, but adds some numbers and B. Bruteforce Attack
12 A M2 P73
symbols to the words from the dictionary and tries to crack the password? C. Rainbow Table Attack
D. Birthday Attack
A. Dictionary Attack
Identify the password cracking attempt involving a precomputed dictionary of B. Rainbow Table Attack
13 B M2 P73
plaintext passwords and their corresponding hash values to crach the password. C. Bruteforce Attack
D. Syllable Attack
A. DHCP Starvation Attacks
Which of the following attack inundates DHCP servers with fake DHCP requests to B. DHCP Spoofing Attack
14 A M2 P81
exhaust all available IP addresses? C. DHCP Port Stealing
D. DHCP Cache Poisoning
A. rule-based
In which log collection mechanism, the system or application sends log records B. pull-based
15 C M3 P168
either on the local disk or over the network. C. push-based
D. signature-based
A. FIFO
Which of the log storage method arranges event logs in the form of a B. LIFO
16 D M3 P180
circular buffer? C. non-wrapping
D. wrapping
A. Keywords
Which of the following fields in Windows logs defines the type of event occurred, B. Task Category
17 A M3 P185
such as Correlation Hint, Response Time, SQM, WDI Context, and so on? C. Level
D. Source
A. Failure Audit
Identify the event severity level in Windows logs for the events that are not B. Warning
18 B M3 P188
necessarily significant, but may indicate a possible future problem. C. Error
D. Information
A. Error
What type of event is recorded when an application driver loads successfully B. Success Audit
19 D M3 P188
in Windows? C. Warning
D. Information
A. Bitlocker
Which of the following Windows features is used to enable Security Auditing B. Windows Firewall
20 C M3 P191
in Windows? C. Local Group Policy Editor
D. Windows Defender
A. Alert
The Syslog message severity levels are labelled from level 0 to level 7. B. Notification
21 C M3 P205
What does level 0 indicate? C. Emergency
D. Debugging
A. Alert
The Syslog message severity levels are labelled from level 0 to level 7. B. Notification
22 A M3 P205
What does level 1 indicate? C. Emergency
D. Debugging
A. /private/var/log
Which of the following is a default directory in a Mac OS X that stores B. /Library/Logs/Sync
23 A M3 P212
security-related logs? C. /var/log/cups/access_log
D. ~/Library/Logs
Jason, a SOC Analyst with Maximus Tech, was investigating Cisco ASA
A. Normal but significant message
Firewall logs and came across the following log entry:
B. Critical condition message
24 May 06 2018 21:27:27 A M3 P242
C. Warning condition message
asa 1: %ASA -5 - 11008: User 'enable_15' executed the 'configure term'
D. Informational message
command What does the security level in the above log indicates?
A. Speed up the process by not performing IP addresses DNS resolution in
What does [-n] in the following checkpoint firewall log syntax represents?
the Log files
fw log [-f [-t]] [-n] [-l] [-o] [-c action] [-h host] [-s starttime] [-e endtime]
25 B. Display both the date and the time for each log record A M3 P251
[-b starttime endtime] [-u unification_scheme_file]
C. Display account log records only
[-m unification_mode(initial|semi|raw)] [-a] [-k (alert name|all)] [-g] [logfile]
D. Display detailed log chains (all the log segments a log record consists of)
Peter, a SOC analyst with Spade Systems, is monitoring and analyzing the
A. show logging | access 210
router logs of the company and wanted to check the logs that are generated by
B. show logging | forward 210
26 access control list numbered 210. C M3 P259
C. show logging | include 210
What filter should Peter add to the 'show logging' command to get the required
D. show logging | route 210
output?
 Which of the following are the responsibilities of SIEM Agents?
1. Collecting data received from various devices sending data to SIEM
before forwarding it to the central engine.
A. 1 and 2
2. Normalizing data received from various devices sending data to SIEM
B. 2 and 3
27 before forwarding it to the central engine. A M4 P375
C. 1 and 4
3. Co-relating data received from various devices sending data to
D. 3 and 1
SIEM before forwarding it to the central engine.
4. Visualizing data received from various devices sending data to
SIEM before forwarding it to the central engine.
A. Identifying the monitoring Requirements
B. Defining Rule for the Use Case
28 Which of the following stage executed after identifying the required event sources? D M4 P406
C. Implementing and Testing the Use Case
D. Validating the event source against monitoring requirement
A. EPS = average number of correlated events / time in seconds
B. EPS = number of normalized events / time in seconds
29 Which of the following formula is used to calculate the EPS of the organization? C M4 P414
C. EPS = number of security events / time in seconds
D. EPS = number of correlated events / time in seconds
A. SMTP Configuration
B. DHCP Configuration
30 Which of the following factors determine the choice of SIEM architecture? D M4 P419
C. DNS Configuration
D. Network Topology
An organization wants to implement a SIEM deployment architecture. However, A. Cloud, MSSP Managed
they have the capability to do only log collection and the rest of the SIEM B. Self-hosted, Jointly Managed
31 C M4 P423
functions must be managed by an MSSP. C. Self-hosted, MSSP Managed
Which SIEM deployment architecture will the organization adopt? D. Self-hosted, Self-Managed
Robin , a SOC engineer in a multinational company, is planning to implement
a SIEM. He realized that his organization is capable of performing only Correlation, A. Self-hosted, Self-Managed
Analytics, Reporting, Retention, Alerting, and Visualization required for the SIEM B. Self-hosted, MSSP Managed
32 D M4 P431
implementation and has to take collection and aggregation services from a C. Hybrid Model, Jointly Managed
Managed Security Services Provider (MSSP). D. Cloud, Self-Managed
What kind of SIEM is Robin planning to implement?
Sam, a security analyst with INFOSOL INC., while monitoring and analyzing IIS A. SQL Injection Attack
logs, detected an event matching regex B. Parameter Tampering Attack
33 A M4 P444
/\\w*((\%27)|(\'))((\%6F)|o|(\%4F))((\%72)|r|(\%52))/ix. C. XSS Attack
What does this event log indicate? D. Directory Traversal Attack
Jane, a security analyst, while analyzing IDS logs, detected an event matching A. Directory Traversal Attack
Regex B. Parameter Tampering Attack
34 C M4 P446
/((\%3C)|)/|. C. XSS Attack
What does this event log indicate? D. SQL Injection Attack
John , a SOC analyst, while monitoring and analyzing Apache web server logs, A. XSS Attack
identified an event log matching Regex B. SQL injection Attack
35 C M4 P448
/(\.|(%|%25)2E)(\.|(%|%25)2E)(\/|(%|%25)2F|\\|(%|%25)5C)/i. C. Directory Traversal Attack
What does this event log indicate? D. Parameter Tampering Attack
A. Windows Event Log
Which of the following data source can be used to detect the traffic associated B. Web Server Logs
36 B M4 P457
with Bad Bot User-Agents? C. Router Logs
D. Switch Logs
Harley is working as a SOC analyst with Powell Tech. Powell Inc. is using A. SystemDrive%\inetpub\logs\LogFiles\W3SVCN
Internet Information Service (IIS) version 7.0 to host their website. B. SystemDrive%\LogFiles\inetpub\logs\W3SVCN
37 A M4 P459
Where will Harley find the web server logs, if he wants to investigate them C. %SystemDrive%\LogFiles\logs\W3SVCN
for any anomalies? D. SystemDrive%\ inetpub\LogFiles\logs\W3SVCN
A. DHCP/Logs capable of maintaining IP addresses or hostnames with
John as a SOC analyst is worried about the amount of Tor traffic hitting the
IPtoName resolution.
network. He wants to prepare a dashboard in the SIEM to get a graph to identify
38 B. IIS/Web Server logs with IP addresses and user agent IPtouseragent resolution. A M4 P488
the locations from where the TOR traffic is coming.
C. DNS/ Web Server logs with IP addresses.
Which of the following data source will he use to prepare the dashboard?
D. Apache/ Web Server logs with IP addresses and Host Name.
A. Netstat Data
Which of the following data source will a SOC Analyst use to monitor connections B. DNS Data
39 A M4 P490
to the insecure ports? C. IIS Data
D. DHCP Data
A. Ransomware Attack
Which of the following attacks causes sudden changes in file extensions or B. DHCP starvation Attack
40 A M4 P511
increase in file renames at rapid speed? C. File Injection Attack
D. DoS Attack
A. Concurrent VPN Connections Attempt
Juliea a SOC analyst, while monitoring logs, noticed large TXT, NULL payloads. B. DNS Exfiltration Attempt
41 B M4 P520
What does this indicate? C. Covering Tracks Attempt
D. DHCP Starvation Attempt
John, a SOC analyst, wants to monitor the attempt of process creation activities A. Index=windows LogName=Security EventCode=4678 NOT (Account_Name=*$)
from any of their Windows endpoints. B. Index=windows LogName=Security EventCode=4688 NOT (Account_Name=*$)
42 B M4 P536
Which of following Splunk queries will help him fetch the logs associated with C. Index=windows LogName=Security EventCode=3688 NOT (Account_Name=*$)
process creation? D. Index=windows LogName=Security EventCode=5688 NOT (Account_Name=*$)
A. Service added to the endpoint
B. A share was assessed
43 What does the Security Log Event ID 4624 of Windows 10 indicate? C M4 P539
C. An account was successfully logged on
D. New process executed
A. Keeping default rules
Which of the following can help you eliminate the burden of investigating B. Not trusting the security devices
44 D M4 P562
false positives? C. Treating every alert as high level
D. Ingesting the context data
If the SIEM generates the following four alerts at the same time:
I. Firewall blocking traffic from getting into the network alerts A. III
II. SQL injection attempt alerts B. IV
45 D M4 P566
III. Data deletion attempt alerts C. II
IV. Brute-force attempt alerts D. I
Which alert should be given least priority as per effective alert triaging?
Which of the following threat intelligence helps cyber security professionals
A. Analytical Threat Intelligence
such as security operations managers, network operations center and incident
B. Operational Threat Intelligence
46 responders to understand how the adversaries are expected to perform the D M5 P543
C. Strategic Threat Intelligence
attack on the organization, and the technical capabilities and goals of the
D. Tactical Threat Intelligence
attackers along with the attack vectors?
Which of the following threat intelligence is used by a SIEM for supplying
the analysts with context and "situational awareness" by using threat
A. 2 and 3
actor TTPs, malware campaigns, tools used by threat actors.
B. 1 and 3 M5 P543
47 1. Strategic threat intelligence A
C. 3 and 4 M5 P546
2. Tactical threat intelligence
D. 1 and 2
3. Operational threat intelligence
4. Technical threat intelligence
John, a threat analyst at GreenTech Solutions, wants to gather information about
A. Strategic Threat Intelligence
specific threats against the organization. He started collecting information from
B. Technical Threat Intelligence
48 various sources, such as humans, social media, chat room, and so on, and D M5 P544
C. Tactical Threat Intelligence
created a report that contains malicious activity.
D. Operational Threat Intelligence
Which of the following types of threat intelligence did he use?
Shawn is a security manager working at Lee Inc Solution. His organization wants
to develop threat intelligent strategy plan. As a part of threat intelligent strategy
A. Threat pivoting
plan, he suggested various components, such as threat intelligence requirement
B. Threat trending
49 analysis, intelligence and collection planning, asset identification, threat reports, B M5 P547
C. Threat buy-in
and intelligence buy-in.
D. Threat boosting
Which one of the following components he should include in the above threat
intelligent strategy plan to make it effective?
A. Threat trending Intelligence
A type of threat intelligent that find out the information about the attacker by B. Detection Threat Intelligence
50 D M5 P566
misleading them is known as: C. Operational Intelligence
D. Counter Intelligence
 A. Dissemination and Integration
Banter is a threat analyst in Christine Group of Industries. As a part of the job,
B. Processing and Exploitation
51 he is currently formatting and structuring the raw data. B M5 P571
C. Collection
He is at which stage of the threat intelligence life cycle?
D. Analysis and Production
A. SolarWinds MS
B. TC Complete
52 Which of the following is a Threat Intelligence Platform? B M5 P579
C. Keepnote
D. Apility.io
A. Tactical Threat Intelligence
The threat intelligence, which will help you, understand adversary intent and
B. Strategic Threat Intelligence
53 make informed decision to ensure appropriate security in alignment with risk. B M5 P592
C. Functional Threat Intelligence
What kind of threat intelligence described above?
D. Operational Threat Intelligence
A. Load Balancing
Which of the following process refers to the discarding of the packets at the
B. Rate Limiting
54 routing level without informing the source that the data did not reach its C M6 798
C. Black Hole Filtering
intended recipient?
D. Drop Requests
A. Containment –> Incident Recording –> Incident Triage –> Preparation –>
Recovery –> Eradication –> Post-Incident Activities
B. Preparation –> Incident Recording –> Incident Triage –> Containment –>
Which of the following is a correct flow of the stages in an incident handling and Eradication –> Recovery –> Post-Incident Activities
55 B M6 P666
response (IH&R) process? C. Incident Triage –> Eradication –> Containment –> Incident Recording –>
Preparation –> Recovery –> Post-Incident Activities
D. Incident Recording –> Preparation –> Containment –> Incident Triage –>
Recovery –> Eradication –> Post-Incident Activities
Daniel is a member of an IRT, which was started recently in a company named A. Incident Response Intelligence
Mesh Tech. He wanted to find the purpose and scope of the planned incident B. Incident Response Mission
56 B M6 P674
response capabilities. C. Incident Response Vision
What is he looking for? D. Incident Response Resources
A. Incident Response Policy
Which of the following contains the performance measures, and proper project B. Incident Response Tactics
57 A M6 P679
and time management details? C. Incident Response Process
D. Incident Response Procedures
A. De-Militarized Zone (DMZ)
Which of the following security technology is used to attract and trap people B. Firewall
58 C M6 P701
who attempt unauthorized or illicit utilization of the host system? C. Honeypot
D. Intrusion Detection System
Mike is an incident handler for PNP Infosystems Inc. One day, there was a ticket
raised regarding a critical incident and Mike was assigned to handle the incident. A. Post-Incident Activities
During the process of incident handling, at one stage, he has performed incident B. Incident Recording and Assignment
59 C M6 P714
analysis and validation to check whether the incident is a true incident or C. Incident Triage
a false positive. D. Incident Disclosure
Identify the stage in which he is currently in.
Emmanuel is working as a SOC analyst in a company named Tobey Tech.
A. Incident Analysis and Validation
The manager of Tobey Tech recently recruited an Incident Response Team
B. Incident Recording
60 (IRT) for his company. In the process of collaboration with the IRT, Emmanuel A M6 P714
C. Incident Classification
just escalated an incident to the IRT.
D. Incident Prioritization
What is the first step that the IRT will do to the incident escalated by Emmanuel?
A. Risk = Likelihood × Severity × Asset Value
B. Risk = Likelihood × Consequence × Severity
61 Which of the following formula represents the risk? D M6 P720
C. Risk = Likelihood × Impact × Severity
D. Risk = Likelihood × Impact × Asset Value
A. Level of risk = Consequence × Severity
B. Level of risk = Consequence × Impact
62 Which of the following formula represents the risk levels? C M6 P721
C. Level of risk = Consequence × Likelihood
D. Level of risk = Consequence × Asset Value
A. High
According to the Risk Matrix table, what will be the risk level when the probability B. Medium
63 B M6 P722
of an attack is very low and the impact of that attack is major? C. Low
D. Extreme
A. High
According to the Risk Matrix table, what will be the risk level when the probability B. Extreme
64 B M6 P722
of an attack is very high, and the impact of that attack is major? C. Low
D. Medium
A. Containment
Which of the following steps of incident handling and response process focus on B. Data Collection
65 A M6 P742
limiting the scope and extent of an incident? C. Eradication
D. Identification
A. Evidence Gathering
In which of the following incident handling and response stages, the root cause B. Evidence Handling
66 C M6 P753
of the incident must be found from the forensic results? C. Eradication
D. Systems Recovery
Ray is a SOC analyst in a company named Queens Tech. One Day, Queens
A. Blocking the Attacks
Tech is affected by a DoS/DDoS attack. For the containment of this incident,
B. Diverting the Traffic
67 Ray and his team are trying to provide additional bandwidth to the network D M6 P792
C. Degrading the services
devices and increasing the capacity of the servers.
D. Absorbing the Attack
What is Ray and his team doing?
A. Rate Limiting
Which of the following technique protects from flooding attacks originated from the B. Egress Filtering
68 C M6 P795
valid prefixes (IP addresses) so that they can be traced to its true source? C. Ingress Filtering
D. Throttling
A. Egress Filtering
Which of the following technique involves scanning the headers of IP packets
B. Throttling
69 leaving a network to make sure that the unauthorized or malicious traffic never A M6 P795
C. Rate Limiting
leaves the internal network?
D. Ingress Filtering
A. Apility.io
Which of the following service provides phishing protection and content filtering
B. Malstrom
70 to manage the Internet experience on and off your network with the acceptable C M6 P809
C. OpenDNS
use or compliance policies?
D. I-Blocklist
A. File Injection Attacks
Which of the following attack can be eradicated by disabling of "allow_url_fopen B. URL Injection Attacks
71 A M6 P815
and allow_url_include" in the php.ini file? C. LDAP Injection Attacks
D. Command Injection Attacks
A. Command Injection Attacks
Which of the following attack can be eradicated by using a safe API to avoid B. SQL Injection Attacks
72 A M6 P815
the use of the interpreter entirely? C. File Injection Attacks
D. LDAP Injection Attacks
A. Broken Access Control Attacks
Which of the following attack can be eradicated by converting all non-alphanumeric
B. Web Services Attacks
73 characters to HTML character entities before displaying the user input in search C M6 P824
C. XSS Attacks
engines and forums?
D. Session Management Attacks
A. Validate untrusted input, which is to be serialized to ensure that serialized data
Wesley is an incident handler in a company named Maddison Tech. One day, contain only trusted classes
74 he was learning techniques for eradicating the insecure deserialization attacks. B. Understand the security permissions given to serialization and deserialization C M6 P826
What among the following should Wesley avoid from considering? C. Allow serualization for security-sensitive classes
D. Deserialization of trusted data must cross a trust boundary
A. CAPTCHA Attacks
B. SQL Injection Attacks
75 Which of the following attack can be eradicated by filtering improper XML syntax? D M6 P829
C. Insufficient Logging and Monitoring Attacks
D. Web Services Attacks
A. Unicode Encoding
Which encoding replaces unusual ASCII characters with "%" followed by the B. UTF Encoding
76 D M6 P834
character’s two-digit ASCII code expressed in hexadecimal? C. Base64 Encoding
D. URL Encoding
 A. CrowdStrike FalconTM Orchestrator
B. Symantec Secure Web Gateway
77 Which of the following tool is used to recover from web application incident? A M6 P842
C. Smoothwall SWG
D. Proxy Workbench
A. FISMA
Which of the following is a set of standard guidelines for ongoing development,
B. HIPAA
78 enhancement, storage, dissemination and implementation of security standards C Not sure
C. PCI-DSS
for account data protection?
D. DARPA
A. True Positive Incidents
David is a SOC analyst in Karen Tech. One day an attack is initiated by the
B. False positive Incidents
79 intruders but David was not able to find any suspicious events. C Not sure
C. True Negative Incidents
This type of incident is categorized into ?
D. False Negative Incidents
A. /var/log/cups/Printer_log file
B. /var/log/cups/access_log file
80 Which of the following directory will contain logs related to printer access? B
C. /var/log/cups/accesslog file
D. /var/log/cups/Printeraccess_log file
A. $ iptables -B INPUT -j LOG
B. $ iptables -A OUTPUT -j LOG
81 Which of the following command is used to enable logging in iptables? C
C. $ iptables -A INPUT -j LOG
D. $ iptables -B OUTPUT -j LOG
A. $ tailf /var/log/sys/kern.log
Which of the following commands is used to view iptables logs on B. $ tailf /var/log/kern.log
82 B
Ubuntu and Debian distributions? C. # tailf /var/log/messages
D. # tailf /var/log/sys/messages
A. $ tailf /var/log/sys/kern.log
Which of the following commands is used to view iptables logs on B. $ tailf /var/log/kern.log
83 C
CentOS/RHEL and Fedora distributions? C. # tailf /var/log/messages
D. # tailf /var/log/sys/messages
A. Informational message
B. Client error
84 What does the HTTP status codes 1XX represent? A
C. Success
D. Redirection
InfoSystem LLC, a US-based company, is establishing an in-house SOC. A. Security Analyst – L1
John has been given the responsibility to finalize strategy, policies, and B. Chief Information Security Officer (CISO)
85 B
procedures for the SOC. C. Security Engineer
Identify the job role of John. D. Security Analyst – L2
A. Reconnaissance
In which phase of Lockheed Martin’s – Cyber Kill Chain Methodology, adversary B. Delivery
86 C
creates a deliverable malicious payload using an exploit and a backdoor? C. Weaponization
D. Exploitation
A. Unauthorized Error
B. Not Found Error
87 What does HTTPS Status code 403 represent? D
C. Internal Server Error
D. Forbidden Error
A. 4656
Which of the following Windows event is logged every time when a user tries to B. 4663
88 A
access the "Registry" key? C. 4660
D. 4657
A. COBIT
Which of the following framework describes the essential characteristics of an
B. ITIL
89 organization's security engineering process that must exist to ensure good C
C. SSE-CMM
security engineering?
D. SOC-CMM
A. A user account was locked out.
B. A user account was disabled.
90 What does Windows event ID 4740 indicate? A
C. A user account was enabled.
D. A user account was created.
A. Error log
Chloe, a SOC analyst with Jake Tech, is checking Linux systems logs.
B. System boot log
91 She is investigating files at /var/log/wtmp. D
C. General message and system-related stuff
What Chloe is looking at?
D. Login records
A. 2XX
B. 4XX
92 Identify the HTTP status codes that represent the client error. B
C. 1XX
D. 5XX
A. 2XX
B. 4XX
93 Identify the HTTP status codes that represent the server error. D
C. 1XX
D. 5XX
A. 7045
Which of the following Windows Event ID will help you monitor file sharing B. 4625
94 C
across the network? C. 5140
D. 4624
A. /etc/ossim/reputation
Where will you find the reputation IP database, if you want to monitor traffic from B. /etc/ossim/siem/server/reputation/data
95 D
known bad IP reputation using OSSIM SIEM? C. /etc/siem/ossim/server/reputation.data
D. /etc/ossim/server/reputation.data
A. Complaint to police in a formal way regarding the incident
Bonney's system has been compromised by a gruesome malware.
B. Turn off the infected machine
96 What is the primary step that is advisable to Bonney in order to contain the B
C. Leave it to the network administrators to handle
malware incident from spreading?
D. Call the legal department in the organization and inform about the incident
A. Create a Chain of Custody Document
According to the forensics investigation process, what is the next step carried out B. Send it to the nearby police station
97 A
right after collecting the evidence? C. Set a Forensic lab
D. Call Organizational Disciplinary Team
A. Planning and budgeting –>
Physical location and structural design considerations –>
Work area considerations –> Human resource considerations –>
Physical security recommendations –> Forensics lab licensing A
B. Planning and budgeting –> Physical location and structural design considerations–> (Only one that
Forensics lab licensing –> Human resource considerations –> starts with
Which one of the following is the correct flow for Setting Up a Computer
98 Work area considerations –> Physical security recommendations planning
Forensics Lab?
C. Planning and budgeting –> Forensics lab licensing –> amd budgeting
Physical location and structural design considerations –> Work area considerations –> and ends with
Physical security recommendations –> Human resource considerations licensing)
D. Planning and budgeting –> Physical location and structural design considerations –>
Forensics lab licensing –>Work area considerations –>
Human resource considerations –> Physical security recommendations
A. threat_note
Which of the following is a report writing tool that will help incident handlers
B. MagicTree
99 to generate efficient reports on detected incidents during incident response B
C. IntelMQ
process?
D. Malstrom
A. Rule-based detection
Which of the following event detection techniques uses B. Heuristic-based detection
100 C
User and Entity Behavior Analytics (UEBA)? C. Anomaly-based detection
D. Signature-based detection