Which of the following stage executed after identifying the required event sources?

A. Identifying the monitoring Requirements

B. Defining Rule for the Use Case

C. Implementing and Testing the Use Case

D. Validating the event source against monitoring requirement

Mike is an incident handler for PNP Infosystems Inc. One day, there was a ticket raised regarding a critical incident and Mike was assigned to handle the incident. During the process of incident handling, at one stage, he has performed incident analysis and validation to check whether the incident is a true incident or a false positive.
Identify the stage in which he is currently in.

A. Post-Incident Activities

B. Incident Recording and Assignment

C. Incident Triage

D. Incident Disclosure

Harley is working as a SOC analyst with Powell Tech. Powell Inc. is using Internet Information Service (IIS) version 7.0 to host their website.
Where will Harley find the web server logs, if he wants to investigate them for any anomalies?

A. SystemDrive%inetpublogsLogFilesW3SVCN

B. SystemDrive%LogFilesinetpublogsW3SVCN

C. %SystemDrive%LogFileslogsW3SVCN

D. SystemDrive% inetpubLogFileslogsW3SVCN

What type of event is recorded when an application driver loads successfully in Windows?

A. Error

B. Success Audit

C. Warning

D. Information

Which of the following fields in Windows logs defines the type of event occurred, such as Correlation Hint, Response Time, SQM, WDI Context, and so on?

A. Keywords

B. Task Category

C. Level

D. Source

Which of the following formula represents the risk levels?

A. Level of risk = Consequence × Severity

B. Level of risk = Consequence × Impact

C. Level of risk = Consequence × Likelihood

D. Level of risk = Consequence × Asset Value

Ray is a SOC analyst in a company named Queens Tech. One Day, Queens Tech is affected by a DoS/DDoS attack. For the containment of this incident, Ray and his team are trying to provide additional bandwidth to the network devices and increasing the capacity of the servers.
What is Ray and his team doing?

A. Blocking the Attacks

B. Diverting the Traffic

C. Degrading the services

D. Absorbing the Attack

Which of the following is a report writing tool that will help incident handlers to generate efficient reports on detected incidents during incident response process?

A. threat_note

B. MagicTree

C. IntelMQ

D. Malstrom

Identify the password cracking attempt involving a precomputed dictionary of plaintext passwords and their corresponding hash values to crack the password.

A. Dictionary Attack

B. Rainbow Table Attack

C. Bruteforce Attack

D. Syllable Attack

Identify the attack, where an attacker tries to discover all the possible information about a target network before launching a further attack.

A. DoS Attack

B. Man-In-Middle Attack

C. Ransomware Attack

D. Reconnaissance Attack

Which of the following are the responsibilities of SIEM Agents?
1. Collecting data received from various devices sending data to SIEM before forwarding it to the central engine.
2. Normalizing data received from various devices sending data to SIEM before forwarding it to the central engine.
3. Co-relating data received from various devices sending data to SIEM before forwarding it to the central engine.
4. Visualizing data received from various devices sending data to SIEM before forwarding it to the central engine.

A. 1 and 2

B. 2 and 3

C. 1 and 4

D. 3 and 1

Which of the following formula represents the risk?

A. Risk = Likelihood × Severity × Asset Value

B. Risk = Likelihood × Consequence × Severity

C. Risk = Likelihood × Impact × Severity

D. Risk = Likelihood × Impact × Asset Value

Which of the following command is used to view iptables logs on Ubuntu and Debian distributions?

A. $ tailf /var/log/sys/kern.log

B. $ tailf /var/log/kern.log

C. # tailf /var/log/messages

D. # tailf /var/log/sys/messages

Which of the following event detection techniques uses User and Entity Behavior Analytics (UEBA)?

A. Rule-based detection

B. Heuristic-based detection

C. Anomaly-based detection

D. Signature-based detection

According to the Risk Matrix table, what will be the risk level when the probability of an attack is very low and the impact of that attack is major?

A. High

B. Extreme

C. Low

D. Medium

Bonney's system has been compromised by a gruesome malware.
What is the primary step that is advisable to Bonney in order to contain the malware incident from spreading?

A. Complaint to police in a formal way regarding the incident

B. Turn off the infected machine

C. Leave it to the network administrators to handle

D. Call the legal department in the organization and inform about the incident

Which of the log storage method arranges event logs in the form of a circular buffer?

A. FIFO

B. LIFO

C. non-wrapping

D. wrapping

The threat intelligence, which will help you, understand adversary intent and make informed decision to ensure appropriate security in alignment with risk.
What kind of threat intelligence described above?

A. Tactical Threat Intelligence

B. Strategic Threat Intelligence

C. Functional Threat Intelligence

D. Operational Threat Intelligence

In which of the following incident handling and response stages, the root cause of the incident must be found from the forensic results?

A. Evidence Gathering

B. Evidence Handling

C. Eradication

D. Systems Recovery

According to the Risk Matrix table, what will be the risk level when the probability of an attack is very high, and the impact of that attack is major?
NOTE: It is mandatory to answer the question before proceeding to the next one.

A. High

B. Extreme

C. Low

D. Medium

Charline is working as an L2 SOC Analyst. One day, an L1 SOC Analyst escalated an incident to her for further investigation and confirmation. Charline, after a thorough investigation, confirmed the incident and assigned it with an initial priority.
What would be her next action according to the SOC workflow?

A. She should immediately escalate this issue to the management

B. She should immediately contact the network administrator to solve the problem

C. She should communicate this incident to the media immediately

D. She should formally raise a ticket and forward it to the IRT

David is a SOC analyst in Karen Tech. One day an attack is initiated by the intruders but David was not able to find any suspicious events.
This type of incident is categorized into __________?

A. True Positive Incidents

B. False positive Incidents

C. True Negative Incidents

D. False Negative Incidents

Which of the following attack can be eradicated by converting all non-alphanumeric characters to HTML character entities before displaying the user input in search engines and forums?

A. Broken Access Control Attacks

B. Web Services Attacks

C. XSS Attacks

D. Session Management Attacks

Identify the HTTP status codes that represents the server error.

A. 2XX

B. 4XX

C. 1XX

D. 5XX

Which of the following formula is used to calculate the EPS of the organization?

A. EPS = average number of correlated events / time in seconds

B. EPS = number of normalized events / time in seconds

C. EPS = number of security events / time in seconds

D. EPS = number of correlated events / time in seconds

Which of the following threat intelligence is used by a SIEM for supplying the analysts with context and "situational awareness" by using threat actor TTPs, malware campaigns, tools used by threat actors.
1. Strategic threat intelligence
2. Tactical threat intelligence
3. Operational threat intelligence
4. Technical threat intelligence

A. 2 and 3

B. 1 and 3

C. 3 and 4

D. 1 and 2

Shawn is a security manager working at Lee Inc Solution. His organization wants to develop threat intelligent strategy plan. As a part of threat intelligent strategy plan, he suggested various components, such as threat intelligence requirement analysis, intelligence and collection planning, asset identification, threat reports, and intelligence buy-in.
Which one of the following components he should include in the above threat intelligent strategy plan to make it effective?

A. Threat pivoting

B. Threat trending

C. Threat buy-in

D. Threat boosting

Jane, a security analyst, while analyzing IDS logs, detected an event matching Regex /((%3C)|)/|.
What does this event log indicate?

A. Directory Traversal Attack

B. Parameter Tampering Attack

C. XSS Attack

D. SQL Injection Attack

Which of the following attacks causes sudden changes in file extensions or increase in file renames at rapid speed?

A. Ransomware Attack

B. DoS Attack

C. DHCP starvation Attack

D. File Injection Attack

Which of the following attack can be eradicated by disabling of "allow_url_fopen and allow_url_include" in the php.ini file?

A. File Injection Attacks

B. URL Injection Attacks

C. LDAP Injection Attacks

D. Command Injection Attacks

Emmanuel is working as a SOC analyst in a company named Tobey Tech. The manager of Tobey Tech recently recruited an Incident Response Team (IRT) for his company. In the process of collaboration with the IRT, Emmanuel just escalated an incident to the IRT.
What is the first step that the IRT will do to the incident escalated by Emmanuel?

A. Incident Analysis and Validation

B. Incident Recording

C. Incident Classification

D. Incident Prioritization

According to the forensics investigation process, what is the next step carried out right after collecting the evidence?

A. Create a Chain of Custody Document

B. Send it to the nearby police station

C. Set a Forensic lab

D. Call Organizational Disciplinary Team

An attacker exploits the logic validation mechanisms of an e-commerce website. He successfully purchases a product worth $100 for $10 by modifying the URL exchanged between the client and the server.
Original URL: http://www.buyonline.com/product.aspx?profile=12&debit=100
Modified URL: http://www.buyonline.com/product.aspx?profile=12&debit=10
Identify the attack depicted in the above scenario.

A. Denial-of-Service Attack

B. SQL Injection Attack

C. Parameter Tampering Attack

D. Session Fixation Attack

Which of the following Windows event is logged every time when a user tries to access the "Registry" key?

A. 4656

B. 4663

C. 4660

D. 4657

Where will you find the reputation IP database, if you want to monitor traffic from known bad IP reputation using OSSIM SIEM?

A. /etc/ossim/reputation

B. /etc/ossim/siem/server/reputation/data

C. /etc/siem/ossim/server/reputation.data

D. /etc/ossim/server/reputation.data

What does the Security Log Event ID 4624 of Windows 10 indicate?

A. Service added to the endpoint

B. A share was assessed

C. An account was successfully logged on

D. New process executed

John as a SOC analyst is worried about the amount of Tor traffic hitting the network. He wants to prepare a dashboard in the SIEM to get a graph to identify the locations from where the TOR traffic is coming.
Which of the following data source will he use to prepare the dashboard?

A. DHCP/Logs capable of maintaining IP addresses or hostnames with IPtoName resolution.

B. IIS/Web Server logs with IP addresses and user agent IPtouseragent resolution.

C. DNS/ Web Server logs with IP addresses.

D. Apache/ Web Server logs with IP addresses and Host Name.

Which of the following data source can be used to detect the traffic associated with Bad Bot User-Agents?

A. Windows Event Log

B. Web Server Logs

C. Router Logs

D. Switch Logs

Which of the following is a correct flow of the stages in an incident handling and response (IH&R) process?

A. Containment –> Incident Recording –> Incident Triage –> Preparation –> Recovery –> Eradication –> Post-Incident Activities

B. Preparation –> Incident Recording –> Incident Triage –> Containment –> Eradication –> Recovery –> Post-Incident Activities

C. Incident Triage –> Eradication –> Containment –> Incident Recording –> Preparation –> Recovery –> Post-Incident Activities

D. Incident Recording –> Preparation –> Containment –> Incident Triage –> Recovery –> Eradication –> Post-Incident Activities

Jony, a security analyst, while monitoring IIS logs, identified events shown in the figure below.
 
What does this event log indicate?

A. Parameter Tampering Attack

B. XSS Attack

C. Directory Traversal Attack

D. SQL Injection Attack

What is the process of monitoring and capturing all data packets passing through a given network using different tools?

A. Network Scanning

B. DNS Footprinting

C. Network Sniffing

D. Port Scanning

Which of the following attack inundates DHCP servers with fake DHCP requests to exhaust all available IP addresses?

A. DHCP Starvation Attacks

B. DHCP Spoofing Attack

C. DHCP Port Stealing

D. DHCP Cache Poisoning

Identify the type of attack, an attacker is attempting on www.example.com website.
 

A. Cross-site Scripting Attack

B. Session Attack

C. Denial-of-Service Attack

D. SQL Injection Attack

Which of the following technique involves scanning the headers of IP packets leaving a network to make sure that the unauthorized or malicious traffic never leaves the internal network?

A. Egress Filtering

B. Throttling

C. Rate Limiting

D. Ingress Filtering

Which of the following attack can be eradicated by filtering improper XML syntax?

A. CAPTCHA Attacks

B. SQL Injection Attacks

C. Insufficient Logging and Monitoring Attacks

D. Web Services Attacks

Which of the following Windows Event Id will help you monitors file sharing across the network?

A. 7045

B. 4625

C. 5140

D. 4624

Which of the following tool is used to recover from web application incident?

A. CrowdStrike FalconTM Orchestrator

B. Symantec Secure Web Gateway

C. Smoothwall SWG

D. Proxy Workbench

Which attack works like a dictionary attack, but adds some numbers and symbols to the words from the dictionary and tries to crack the password?

A. Hybrid Attack

B. Bruteforce Attack

C. Rainbow Table Attack

D. Birthday Attack

Which of the following directory will contain logs related to printer access?

A. /var/log/cups/Printer_log file

B. /var/log/cups/access_log file

C. /var/log/cups/accesslog file

D. /var/log/cups/Printeraccess_log file

An organization wants to implement a SIEM deployment architecture. However, they have the capability to do only log collection and the rest of the SIEM functions must be managed by an MSSP.
Which SIEM deployment architecture will the organization adopt?

A. Cloud, MSSP Managed

B. Self-hosted, Jointly Managed

C. Self-hosted, MSSP Managed

D. Self-hosted, Self-Managed