In which log collection mechanism, the system or application sends log records either on the local disk or over the network.

A. rule-based

B. pull-based

C. push-based

D. signature-based

Banter is a threat analyst in Christine Group of Industries. As a part of the job, he is currently formatting and structuring the raw data.
He is at which stage of the threat intelligence life cycle?

A. Dissemination and Integration

B. Processing and Exploitation

C. Collection

D. Analysis and Production

Which of the following Windows Event Id will help you monitors file sharing across the network?

A. 7045

B. 4625

C. 5140

D. 4624

An attacker, in an attempt to exploit the vulnerability in the dynamically generated welcome page, inserted code at the end of the company’s URL as follows: http://technosoft.com.com/alert("WARNING: The application has encountered an error");.
Identify the attack demonstrated in the above scenario.

A. Cross-site Scripting Attack

B. SQL Injection Attack

C. Denial-of-Service Attack

D. Session Attack

Robin, a SOC engineer in a multinational company, is planning to implement a SIEM. He realized that his organization is capable of performing only Correlation, Analytics, Reporting, Retention, Alerting, and Visualization required for the SIEM implementation and has to take collection and aggregation services from a Managed Security Services Provider (MSSP).
What kind of SIEM is Robin planning to implement?

A. Self-hosted, Self-Managed

B. Self-hosted, MSSP Managed

C. Hybrid Model, Jointly Managed

D. Cloud, Self-Managed

Chloe, a SOC analyst with Jake Tech, is checking Linux systems logs. She is investigating files at /var/log/wtmp.
What Chloe is looking at?

A. Error log

B. System boot log

C. General message and system-related stuff

D. Login records

Which of the log storage method arranges event logs in the form of a circular buffer?

A. FIFO

B. LIFO

C. non-wrapping

D. wrapping

John, a SOC analyst, while monitoring and analyzing Apache web server logs, identified an event log matching Regex /(.|(%|%25)2E)(.|(%|%25)2E)(/|(%|%25)2F||(%|%25)5C)/i.
What does this event log indicate?

A. XSS Attack

B. SQL injection Attack

C. Directory Traversal Attack

D. Parameter Tampering Attack

Emmanuel is working as a SOC analyst in a company named Tobey Tech. The manager of Tobey Tech recently recruited an Incident Response Team (IRT) for his company. In the process of collaboration with the IRT, Emmanuel just escalated an incident to the IRT.
What is the first step that the IRT will do to the incident escalated by Emmanuel?

A. Incident Analysis and Validation

B. Incident Recording

C. Incident Classification

D. Incident Prioritization

Which of the following contains the performance measures, and proper project and time management details?

A. Incident Response Policy

B. Incident Response Tactics

C. Incident Response Process

D. Incident Response Procedures

Which of the following command is used to view iptables logs on Ubuntu and Debian distributions?

A. $ tailf /var/log/sys/kern.log

B. $ tailf /var/log/kern.log

C. # tailf /var/log/messages

D. # tailf /var/log/sys/messages

Harley is working as a SOC analyst with Powell Tech. Powell Inc. is using Internet Information Service (IIS) version 7.0 to host their website.
Where will Harley find the web server logs, if he wants to investigate them for any anomalies?

A. SystemDrive%inetpublogsLogFilesW3SVCN

B. SystemDrive%LogFilesinetpublogsW3SVCN

C. %SystemDrive%LogFileslogsW3SVCN

D. SystemDrive% inetpubLogFileslogsW3SVCN

Peter, a SOC analyst with Spade Systems, is monitoring and analyzing the router logs of the company and wanted to check the logs that are generated by access control list numbered 210.
What filter should Peter add to the 'show logging' command to get the required output?

A. show logging | access 210

B. show logging | forward 210

C. show logging | include 210

D. show logging | route 210

Identify the event severity level in Windows logs for the events that are not necessarily significant, but may indicate a possible future problem.

A. Failure Audit

B. Warning

C. Error

D. Information

Which of the following attack can be eradicated by filtering improper XML syntax?

A. CAPTCHA Attacks

B. SQL Injection Attacks

C. Insufficient Logging and Monitoring Attacks

D. Web Services Attacks

Identify the attack when an attacker by several trial and error can read the contents of a password file present in the restricted etc folder just by manipulating the URL in the browser as shown: http://www.terabytes.com/process.php./../../../../etc/passwd

A. Directory Traversal Attack

B. SQL Injection Attack

C. Denial-of-Service Attack

D. Form Tampering Attack

Which of the following can help you eliminate the burden of investigating false positives?

A. Keeping default rules

B. Not trusting the security devices

C. Treating every alert as high level

D. Ingesting the context data

Jane, a security analyst, while analyzing IDS logs, detected an event matching Regex /((%3C)|)/|.
What does this event log indicate?

A. Directory Traversal Attack

B. Parameter Tampering Attack

C. XSS Attack

D. SQL Injection Attack

What does the HTTP status codes 1XX represents?

A. Informational message

B. Client error

C. Success

D. Redirection

An organization wants to implement a SIEM deployment architecture. However, they have the capability to do only log collection and the rest of the SIEM functions must be managed by an MSSP.
Which SIEM deployment architecture will the organization adopt?

A. Cloud, MSSP Managed

B. Self-hosted, Jointly Managed

C. Self-hosted, MSSP Managed

D. Self-hosted, Self-Managed

In which of the following incident handling and response stages, the root cause of the incident must be found from the forensic results?

A. Evidence Gathering

B. Evidence Handling

C. Eradication

D. Systems Recovery

John as a SOC analyst is worried about the amount of Tor traffic hitting the network. He wants to prepare a dashboard in the SIEM to get a graph to identify the locations from where the TOR traffic is coming.
Which of the following data source will he use to prepare the dashboard?

A. DHCP/Logs capable of maintaining IP addresses or hostnames with IPtoName resolution.

B. IIS/Web Server logs with IP addresses and user agent IPtouseragent resolution.

C. DNS/ Web Server logs with IP addresses.

D. Apache/ Web Server logs with IP addresses and Host Name.

Which of the following Windows event is logged every time when a user tries to access the "Registry" key?

A. 4656

B. 4663

C. 4660

D. 4657

Which of the following is a report writing tool that will help incident handlers to generate efficient reports on detected incidents during incident response process?

A. threat_note

B. MagicTree

C. IntelMQ

D. Malstrom

The threat intelligence, which will help you, understand adversary intent and make informed decision to ensure appropriate security in alignment with risk.
What kind of threat intelligence described above?

A. Tactical Threat Intelligence

B. Strategic Threat Intelligence

C. Functional Threat Intelligence

D. Operational Threat Intelligence

Which of the following stage executed after identifying the required event sources?

A. Identifying the monitoring Requirements

B. Defining Rule for the Use Case

C. Implementing and Testing the Use Case

D. Validating the event source against monitoring requirement

Ray is a SOC analyst in a company named Queens Tech. One Day, Queens Tech is affected by a DoS/DDoS attack. For the containment of this incident, Ray and his team are trying to provide additional bandwidth to the network devices and increasing the capacity of the servers.
What is Ray and his team doing?

A. Blocking the Attacks

B. Diverting the Traffic

C. Degrading the services

D. Absorbing the Attack

A type of threat intelligent that find out the information about the attacker by misleading them is known as __________.

A. Threat trending Intelligence

B. Detection Threat Intelligence

C. Operational Intelligence

D. Counter Intelligence

Identify the type of attack, an attacker is attempting on www.example.com website.
 

A. Cross-site Scripting Attack

B. Session Attack

C. Denial-of-Service Attack

D. SQL Injection Attack

What does Windows event ID 4740 indicate?

A. A user account was locked out.

B. A user account was disabled.

C. A user account was enabled.

D. A user account was created.

Which of the following attacks causes sudden changes in file extensions or increase in file renames at rapid speed?

A. Ransomware Attack

B. DoS Attack

C. DHCP starvation Attack

D. File Injection Attack

Jason, a SOC Analyst with Maximus Tech, was investigating Cisco ASA Firewall logs and came across the following log entry:
May 06 2018 21:27:27 asa 1: %ASA -5 – 11008: User 'enable_15' executed the 'configure term' command
What does the security level in the above log indicates?

A. Warning condition message

B. Critical condition message

C. Normal but significant message

D. Informational message

Sam, a security analyst with INFOSOL INC., while monitoring and analyzing IIS logs, detected an event matching regex /w*((%27)|(’))((%6F)|o|(%4F))((%72)|r|(%52))/ix.
What does this event log indicate?

A. SQL Injection Attack

B. Parameter Tampering Attack

C. XSS Attack

D. Directory Traversal Attack

Which of the following framework describes the essential characteristics of an organization's security engineering process that must exist to ensure good security engineering?

A. COBIT

B. ITIL

C. SSE-CMM

D. SOC-CMM

Which of the following formula represents the risk?

A. Risk = Likelihood × Severity × Asset Value

B. Risk = Likelihood × Consequence × Severity

C. Risk = Likelihood × Impact × Severity

D. Risk = Likelihood × Impact × Asset Value

Identify the attack, where an attacker tries to discover all the possible information about a target network before launching a further attack.

A. DoS Attack

B. Man-In-Middle Attack

C. Ransomware Attack

D. Reconnaissance Attack

Identify the HTTP status codes that represents the server error.

A. 2XX

B. 4XX

C. 1XX

D. 5XX

An attacker exploits the logic validation mechanisms of an e-commerce website. He successfully purchases a product worth $100 for $10 by modifying the URL exchanged between the client and the server.
Original URL: http://www.buyonline.com/product.aspx?profile=12&debit=100
Modified URL: http://www.buyonline.com/product.aspx?profile=12&debit=10
Identify the attack depicted in the above scenario.

A. Denial-of-Service Attack

B. SQL Injection Attack

C. Parameter Tampering Attack

D. Session Fixation Attack

The Syslog message severity levels are labelled from level 0 to level 7.
What does level 0 indicate?

A. Alert

B. Notification

C. Emergency

D. Debugging

Which encoding replaces unusual ASCII characters with "%" followed by the character’s two-digit ASCII code expressed in hexadecimal?

A. Unicode Encoding

B. UTF Encoding

C. Base64 Encoding

D. URL Encoding

Which of the following threat intelligence is used by a SIEM for supplying the analysts with context and "situational awareness" by using threat actor TTPs, malware campaigns, tools used by threat actors.
1. Strategic threat intelligence
2. Tactical threat intelligence
3. Operational threat intelligence
4. Technical threat intelligence

A. 2 and 3

B. 1 and 3

C. 3 and 4

D. 1 and 2

According to the Risk Matrix table, what will be the risk level when the probability of an attack is very low and the impact of that attack is major?

A. High

B. Extreme

C. Low

D. Medium

What is the process of monitoring and capturing all data packets passing through a given network using different tools?

A. Network Scanning

B. DNS Footprinting

C. Network Sniffing

D. Port Scanning

According to the forensics investigation process, what is the next step carried out right after collecting the evidence?

A. Create a Chain of Custody Document

B. Send it to the nearby police station

C. Set a Forensic lab

D. Call Organizational Disciplinary Team

Which one of the following is the correct flow for Setting Up a Computer Forensics Lab?

A. Planning and budgeting –> Physical location and structural design considerations –> Work area considerations –> Human resource considerations –> Physical security recommendations –> Forensics lab licensing

B. Planning and budgeting –> Physical location and structural design considerations–> Forensics lab licensing –> Human resource considerations –> Work area considerations –> Physical security recommendations

C. Planning and budgeting –> Forensics lab licensing –> Physical location and structural design considerations –> Work area considerations –> Physical security recommendations –> Human resource considerations

D. Planning and budgeting –> Physical location and structural design considerations –> Forensics lab licensing –>Work area considerations –> Human resource considerations –> Physical security recommendations

Which of the following attack inundates DHCP servers with fake DHCP requests to exhaust all available IP addresses?

A. DHCP Starvation Attacks

B. DHCP Spoofing Attack

C. DHCP Port Stealing

D. DHCP Cache Poisoning

David is a SOC analyst in Karen Tech. One day an attack is initiated by the intruders but David was not able to find any suspicious events.
This type of incident is categorized into __________?

A. True Positive Incidents

B. False positive Incidents

C. True Negative Incidents

D. False Negative Incidents

Wesley is an incident handler in a company named Maddison Tech. One day, he was learning techniques for eradicating the insecure deserialization attacks.
What among the following should Wesley avoid from considering?

A. Deserialization of trusted data must cross a trust boundary

B. Understand the security permissions given to serialization and deserialization

C. Allow serialization for security-sensitive classes

D. Validate untrusted input, which is to be serialized to ensure that serialized data contain only trusted classes

Which of the following formula represents the risk levels?

A. Level of risk = Consequence × Severity

B. Level of risk = Consequence × Impact

C. Level of risk = Consequence × Likelihood

D. Level of risk = Consequence × Asset Value

Which of the following attack can be eradicated by using a safe API to avoid the use of the interpreter entirely?

A. Command Injection Attacks

B. SQL Injection Attacks

C. File Injection Attacks

D. LDAP Injection Attacks