SOC ANALYST

1. Which of the log storage method arranges event logs in the form of a circular buffer?

A. FIFO
B. LIFO
C. non-wrapping
D. wrapping

2. An organization wants to implement a SIEM deployment architecture. However, they

have the capability to do only log collection and the rest of the SIEM functions must
be managed by an MSSP. Which SIEM deployment architecture will the organization
adopt?

A. Cloud, MSSP Managed

B. Self-hosted, Jointly Managed
C. Self-hosted, MSSP Managed
D. Self-hosted, Self-Managed

3. Banter is a threat analyst in Christine Group of Industries. As a part of the job, he is

currently formatting and structuring the raw data. He is at which stage of the threat
intelligence life cycle?

A. Dissemination and Integration

B. Processing and Exploitation
C. Collection
D. Analysis and Production

4. Which of the following attacks causes sudden changes in file extensions or increase
in file renames at rapid speed?

A. Ransomware Attack
B. DoS Attack
C. DHCP starvation Attack
D. File Injection Attack

5. Which of the following security technology is used to attract and trap people who
attempt unauthorized or illicit utilization of the host system?
A. De-Militarized Zone (DMZ)
B. Firewall
C. Honeypot
D. Intrusion Detection System

6. Identify the event severity level in Windows logs for the events that are not
necessarily significant, but may indicate a possible future problem.

A. Failure Audit
 B. Warning
C. Error
D. Information

7. Which of the following factors determine the choice of SIEM architecture?

A. SMTP Configuration
B. DHCP Configuration
C. DNS Configuration
D. Network Topology

8. What does HTTPS Status code 403 represents?

A. Unauthorized Error
B. Not Found Error
C. Internal Server Error
D. Forbidden Error

9. Which of the following Windows event is logged every time when a user tries to
access the "Registry" key?

A. 4656
B. 4663
C. 4660
D. 4657

10. Which of the following are the responsibilities of SIEM Agents?

1. Collecting data received from various devices sending data to SIEM before
forwarding it to the central engine.
2. Normalizing data received from various devices sending data to SIEM before
forwarding it to the central engine.
3. Co-relating data received from various devices sending data to SIEM before
forwarding it to the central engine.
4. Visualizing data received from various devices sending data to SIEM before
forwarding it to the central engine.

A. 1 and 2
B. 2 and 3
C. 1 and 4
D. 3 and 1

11. Sam , a security analyst with INFOSOL INC., while monitoring and analyzing IIS logs,
detected an event matching regex/\\w*((\%27)|(\'))((\%6F)|o|(\%4F))((\%72)|r|(\
%52))/ix.
12. What does this event log indicate?

A. SQL Injection Attack

B. Parameter Tampering Attack
C. XSS Attack
D. Directory Traversal Attack

13. Which of the following framework describes the essential characteristics of an

organization's security engineering process that must exist to ensure good security
engineering?

A. COBIT
B. ITIL
C. SSE-CMM
D. SOC-CMM

14. What does Windows event ID 4740 indicate?

A. A user account was locked out.

B. A user account was disabled.
C. A user account was enabled.
D. A user account was created

15. Which of the following is a Threat Intelligence Platform?

A. SolarWinds MS
B. TC Complete
C. Keepnote
D. Apility.io

16. A type of threat intelligent that find out the information about the attacker by
misleading them is known as .

A. Threat trending Intelligence

B. Detection Threat Intelligence
C. Operational Intelligence
D. Counter Intelligence

17. Chloe, a SOC analyst with Jake Tech, is checking Linux systems logs. She is
investigating files at /var/log/ wtmp. What Chloe is looking at?

A. Error log
B. System boot log
 C. General message and system-related stuff
D. Login records

18. Which of the following threat intelligence is used by a SIEM for supplying the analysts
with context and "situational awareness" by using threat actor TTPs, malware
campaigns, tools used by threat actors.

1. Strategic threat intelligence

2. Tactical threat intelligence
3. Operational threat intelligence
4. Technical threat intelligence

A. 2 and 3
B. 1 and 3
C. 3 and 4
D. 1 and 2

19. Properly applied cyber threat intelligence to the SOC team help them in discovering
TTPs. What does these TTPs refer to?

A. Tactics, Techniques, and Procedures

B. Tactics, Threats, and Procedures
C. Targets, Threats, and Process
D. Tactics, Targets, and Process

20. Which of the following data source can be used to detect the traffic associated with
Bad Bot User Agents?

A. Windows Event Log

B. Web Server Logs
C. Router Logs
D. Switch Logs

21. Daniel is a member of an IRT, which was started recently in a company named Mesh
Tech. He wanted to find the purpose and scope of the planned incident response
capabilities. What is he looking for?

A. Incident Response Intelligence

B. Incident Response Mission
C. Incident Response Vision
D. Incident Response Resources

22. John , a SOC analyst, while monitoring and analyzing Apache web server logs,
identified an event log matching Regex /(\.|(%|%25)2E)(\.|(%|%25)2E)(\/|(%|
%25)2F|\\|(%|%25)5C)/i.
What does this event log indicate?
 A. XSS Attack
B. SQL injection Attack
C. Directory Traversal Attack
D. Parameter Tampering Attack

23. According to the Risk Matrix table, what will be the risk level when the probability of
an attack is very high, and the impact of that attack is major?
NOTE: It is mandatory to answer the question before proceeding to the next one.

A. High
B. Extreme
C. Low
D. Medium

24. Jason, a SOC Analyst with Maximus Tech, was investigating Cisco ASA Firewall logs
and came across May 06 2018 21:27:27 asa 1: %ASA -5 - 11008: User 'enable_15'
executed the 'configure term' command What does the security level in the above
log indicates?

A. Warning condition message

B. Critical condition message
C. Normal but significant message
D. Informational message

25. What is the correct sequence of SOC Workflow?

A. Collect, Ingest, Validate, Document, Report, Respond

B. Collect, Ingest, Document, Validate, Report, Respond
C. Collect, Respond, Validate, Ingest, Report, Document
D. Collect, Ingest, Validate, Report, Respond, Document

26. Wesley is an incident handler in a company named Maddison Tech. One day, he was
learning techniques for eradicating the insecure deserialization attacks. What among
the following should Wesley avoid from considering?

A. Deserialization of trusted data must cross a trust boundary

B. Understand the security permissions given to serialization and deserialization
C. Allow serialization for security-sensitive classes
D. Validate untrusted input, which is to be serialized to ensure that serialized data
contain only trusted classes.

27. An attacker, in an attempt to exploit the vulnerability in the dynamically generated

welcome page, inserted code at the end of the company's URL as follows:

A. Cross-site Scripting Attack

B. SQL Injection Attack
 C. Denial-of-Service Attack
D. Session Attack

28. Which of the following formula represents the risk levels?

A. Level of risk = Consequence × Severity

B. Level of risk = Consequence × Impact
C. Level of risk = Consequence × Likelihood
D. Level of risk = Consequence × Asset Value

29. In which of the following incident handling and response stages, the root cause of
the incident must be found from the forensic results?

A. Evidence Gathering
B. Evidence Handling
C. Eradication
D. Systems Recovery

30. Which of the following data source will a SOC Analyst use to monitor connections to
the insecure ports?

Netstat Data
DNS Data
IIS Data
DHCP Data

31. Bonney's system has been compromised by a gruesome malware.

What is the primary step that is advisable to Bonney in order to contain the malware
incident from spreading?

Complaint to police in a formal way regarding the incident

Turn off the infected machine
Leave it to the network administrators to handle
Call the legal department in the organization and inform about the incident.

32. According to the forensics investigation process, what is the next step carried out
right after collecting the evidence?

Create a Chain of Custody Document

Send it to the nearby police station
Set a Forensic lab
Call Organizational Disciplinary Team
33. Which one of the following is the correct flow for Setting Up a Computer Forensics
Lab?

Planning and budgeting -> Physical location and structural design considerations ->
Work area considerations -> Human resource considerations -> Physical security
recommendations -> Forensics lab licensing

Planning and budgeting -> Physical location and structural design considerations->
Forensics lab licensing -> Human resource considerations -> Work area
considerations -> Physical security recommendations

Planning and budgeting -> Forensics lab licensing -> Physical location and structural
design considerations -> Work area considerations -> Physical security
recommendations -> Human resource considerations

Planning and budgeting -> Physical location and structural design considerations ->
Forensics lab licensing ->Work area considerations -> Human resource considerations
-> Physical security recommendations

34. Which of the following Windows Event Id will help you monitors file sharing across
the network?

A. 7045
B. 4625
C. 5140
D. 4624

35. The threat intelligence, which will help you, understand adversary intent and make
informed decision to ensure appropriate security in alignment with risk. What kind of
threat intelligence described above?

A. Tactical Threat Intelligence

B. Strategic Threat Intelligence
C. Functional Threat Intelligence
D. Operational Threat Intelligence

36. Identify the type of attack, an attacker is attempting on www.example.com website.

A. Cross-site Scripting Attack

B. Session Attack
C. Denial-of-Service Attack
D. SQL Injection Attack

37. Which of the following fields in Windows logs defines the type of event occurred,
such as Correlation Hint, Response Time, SQM, WDI Context, and so on?

A. Keywords
 B. Task Category
C. Level
D. Source

38. Which of the following tool is used to recover from web application incident?

A. CrowdStrike FalconTM Orchestrator

B. Symantec Secure Web Gateway
C. Smoothwall SWG
D. Proxy Workbench

39. Robin , a SOC engineer in a multinational company, is planning to implement a SIEM.

He realized that his organization is capable of performing only Correlation, Analytics,
Reporting, Retention, Alerting, and Visualization required for the SIEM
implementation and has to take collection and aggregation services from a Managed
Security Services Provider (MSSP). What kind of SIEM is Robin planning to
implement?

A. Self-hosted, Self-Managed
B. Self-hosted, MSSP Managed
C. Hybrid Model, Jointly Managed
D. Cloud, Self-Managed

40. What type of event is recorded when an application driver loads successfully in
Windows?

A. Error
B. Success Audit
C. Warning
D. Information

41. An attacker exploits the logic validation mechanisms of an e-commerce website. He

successfully purchases a product worth $100 for $10 by modifying the URL
exchanged between the client and the server.

Identify the attack depicted in the above scenario

A. Denial-of-Service Attack
B. SQL Injection Attack
C. Parameter Tampering Attack
D. Session Fixation Attack

42. John, a threat analyst at GreenTech Solutions, wants to gather information about
specific threats against the organization. He started collecting information from
various sources, such as humans, social media, chat room, and so on, and created a
report that contains malicious activity. Which of the following types of threat
 intelligence did he use?

A. Strategic Threat Intelligence

B. Technical Threat Intelligence
C. Tactical Threat Intelligence
D. Operational Threat Intelligence

43. Which of the following is a default directory in a Mac OS X that stores security-
related logs?

A. /private/var/log
B. /Library/Logs/Sync
C. /var/log/cups/access_log
D. ~/Library/Logs

44. John, SOC analyst wants to monitor the attempt of process creation activities from
any of their Windows endpoints. Which of following Splunk query will help him to
fetch related logs associated with process creation?

A. index=windows LogName=Security EventCode=4678 NOT

(Account_Name=*$) .. .. ... ..
B. index=windows LogName=Security EventCode=4688 NOT
(Account_Name=*$) .. .. ..
C. index=windows LogName=Security EventCode=3688 NOT
(Account_Name=*$) .. .. ..
D. index=windows LogName=Security EventCode=5688 NOT (Account_Name=*$) .

45. Harley is working as a SOC analyst with Powell Tech. Powell Inc. is using Internet
Information Service (IIS) version 7.0 to host their website. Where will Harley find the
web server logs, if he wants to investigate them for any anomalies?

A. SystemDrive%\inetpub\logs\LogFiles\W3SVCN
B. SystemDrive%\LogFiles\inetpub\logs\W3SVCN
C. %SystemDrive%\LogFiles\logs\W3SVCN
D. SystemDrive%\ inetpub\LogFiles\logs\W3SVCN

46. What does the Security Log Event ID 4624 of Windows 10 indicate?

A. Service added to the endpoint

B. A share was assessed
C. An account was successfully logged on
D. New process executed

47. Which of the following is a set of standard guidelines for ongoing development,
enhancement, storage, dissemination and implementation of security standards for
account data protection?
 A. FISMA
B. HIPAA
C. PCI-DSS
D. DARPA

48. What does the HTTP status codes 1XX represents?

A. Informational message
B. Client error
C. Success
D. Redirection

49. In which phase of Lockheed Martin's - Cyber Kill Chain Methodology, adversary
creates a deliverable malicious payload using an exploit and a backdoor?

A. Reconnaissance
B. Delivery
C. Weaponization
D. Exploitation

50. Identify the attack, where an attacker tries to discover all the possible information
about a target network before launching a further attack.

A. DoS Attack
B. Man-In-Middle Attack
C. Ransomware Attack
D. Reconnaissance Attack

51. In which phase of Lockheed Martin's - Cyber Kill Chain Methodology, adversary
creates a deliverable malicious payload using an exploit and a backdoor?

A. Reconnaissance
B. Delivery
C. Weaponization
D. Exploitation

52. Identify the attack, where an attacker tries to discover all the possible information
about a target network before launching a further attack.

A. DoS Attack
B. Man-In-Middle Attack
C. Ransomware Attack
D. Reconnaissance Attack

53. What does [-n] in the following checkpoint firewall log syntax represents? fw log [-f [-
t]] [-n] [-l] [-o] [-c action] [-h host] [-s starttime] [-e endtime] [-b starttime endtime] [-
u unification_scheme_file] [-m unification_mode(initial|semi|raw)] [-a] [-k (alert
 name|all)] [-g] [logfile]

A. Speed up the process by not performing IP addresses DNS resolution in the Log
files
B. Display both the date and the time for each log record
C. Display account log records only
D. Display detailed log chains (all the log segments a log record consists of)

54. Which of the following attack inundates DHCP servers with fake DHCP requests to
exhaust all available IP addresses?

A. DHCP Starvation Attacks

B. DHCP Spoofing Attack
C. DHCP Port Stealing
D. DHCP Cache Poisoning

55. Mike is an incident handler for PNP Infosystems Inc. One day, there was a ticket
raised regarding a critical incident and Mike was assigned to handle the incident.
During the process of incident handling, at one stage, he has performed incident
analysis and validation to check whether the incident is a true incident or a false
positive. Identify the stage in which he is currently in.

A. Post-Incident Activities
B. Incident Recording and Assignment
C. Incident Triage
D. Incident Disclosure

56. Which of the following is a correct flow of the stages in an incident handling and
response (IH&R) process?

A. Containment -> Incident Recording -> Incident Triage -> Preparation -> Recovery ->
Eradication -> Post-Incident Activities
B. Preparation -> Incident Recording -> Incident Triage -> Containment ->
Eradication -> Recovery -> Post-Incident Activities
C. Incident Triage -> Eradication -> Containment -> Incident Recording -> Preparation
-> Recovery -> Post-Incident Activities D. Incident Recording -> Preparation ->
Containment -> Incident Triage -> Recovery -> Eradication -> Post-Incident Activities.

57. Rinni, SOC analyst, while monitoring IDS logs detected events shown in the figure
below

What does this event log indicate?

A. Directory Traversal Attack

B. XSS Attack
C. SQL Injection Attack
D. Parameter Tampering Attack
58. Peter, a SOC analyst with Spade Systems, is monitoring and analyzing the router logs
of the company and wanted to check the logs that are generated by access control
list numbered 210. What filter should Peter add to the 'show logging' command to
get the required output?

A. show logging | access 210

B. show logging | forward 210
C. show logging | include 210
D. show logging | route 210

59. Identify the attack in which the attacker exploits a target system through publicly
known but still unpatched vulnerabilities.

A. Slow DoS Attack

B. DHCP Starvation
C. Zero-Day Attack
D. DNS Poisoning Attack

60. In which log collection mechanism, the system or application sends log records either
on the local disk or over the network.

A. rule-based
B. pull-based
C. push-based
D. signature-based

61. Which of the following attack can be eradicated by disabling of "allow_url_fopen and
allow_url_include" in the php.ini file?

A. File Injection Attacks

B. URL Injection Attacks
C. LDAP Injection Attacks
D. Command Injection Attacks

62. Which of the following stage executed after identifying the required event sources?

A. Identifying the monitoring Requirements

B. Defining Rule for the Use Case
C. Implementing and Testing the Use Case
D. Validating the event source against monitoring requirement

63. Which of the following steps of incident handling and response process focus on
limiting the scope and extent of an incident?

A. Containment
B. Data Collection
 C. Eradication
D. Identification

64. Which of the following data source will a SOC Analyst use to monitor connections to
the insecure ports?

A. Netstat Data
B. DNS Data
C. IIS Data
D. DHCP Data

65. Which of the following technique protects from flooding attacks originated from the
valid prefixes (IP addresses) so that they can be traced to its true source?

A. Rate Limiting
B. Egress Filtering
C. Ingress Filtering
D. Throttling

66. Which of the following contains the performance measures, and proper project and
time management details?

A. Incident Response Policy

B. Incident Response Tactics
C. Incident Response Process
D. Incident Response Procedures

67. John as a SOC analyst is worried about the amount of Tor traffic hitting the network.
He wants to prepare a dashboard in the SIEM to get a graph to identify the locations
from where the TOR traffic is coming. Which of the following data source will he use
to prepare the dashboard?

A. DHCP/Logs capable of maintaining IP addresses or hostnames with IPtoName

resolution.
B. IIS/Web Server logs with IP addresses and user agent IPtouseragent resolution.
C. DNS/ Web Server logs with IP addresses.
D. Apache/ Web Server logs with IP addresses and Host Name.

68. Which of the following process refers to the discarding of the packets at the routing
level without informing the source that the data did not reach its intended
recipient?

A. Load Balancing
B. Rate Limiting
C. Black Hole Filtering
D. Drop Requests
69. Which of the following tool can be used to filter web requests associated with the
SQL Injection attack?

A. Nmap
B. UrlScan
C. ZAP proxy
D. Hydra

70. Charline is working as an L2 SOC Analyst. One day, an L1 SOC Analyst escalated an
incident to her for further investigation and confirmation. Charline, after a thorough
investigation, confirmed the incident and assigned it with an initial priority. What
would be her next action according to the SOC workflow?

A. She should immediately escalate this issue to the management

B. She should immediately contact the network administrator to solve the problem
C. She should communicate this incident to the media immediately
D. She should formally raise a ticket and forward it to the IRT

71. Which of the following threat intelligence helps cyber security professionals such as
security operations managers, network operations center and incident responders to
understand how the adversaries are expected to perform the attack on the
organization, and the technical capabilities and goals of the attackers along with the
attack vectors?

A. Analytical Threat Intelligence

B. Operational Threat Intelligence
C. Strategic Threat Intelligence
D. Tactical Threat Intelligence

72. If the SIEM generates the following four alerts at the same time:

I. Firewall blocking traffic from getting into the network alerts

II. SQL injection attempt alerts
III. Data deletion attempt alerts
IV. Brute-force attempt alerts

73. Which alert should be given least priority as per effective alert triaging?

A. III
B. IV
C. II
D. I

74. InfoSystem LLC, a US-based company, is establishing an in-house SOC. John has been
given the responsibility to finalize strategy, policies, and procedures for the SOC.
Identify the job role of John.
 A. Security Analyst - L1
B. Chief Information Security Officer (CISO)
C. Security Engineer
D. Security Analyst - L2

75. Which of the following service provides phishing protection and content filtering to
manage the Internet experience on and off your network with the acceptable use or
compliance policies?

A. Apility.io
B. Malstrom
C. OpenDNS
D. I-Blocklist

76. David is a SOC analyst in Karen Tech. One day an attack is initiated by the intruders
but David was not able to find any suspicious events. This type of incident is
categorized into ?

A. True Positive Incidents

B. False positive Incidents
C. True Negative Incidents
D. False Negative Incidents

77. Emmanuel is working as a SOC analyst in a company named Tobey Tech. The
manager of Tobey Tech recently recruited an Incident Response Team (IRT) for his
company. In the process of collaboration with the IRT, Emmanuel just escalated an
incident to the IRT. What is the first step that the IRT will do to the incident escalated
by Emmanuel?

A. Incident Analysis and Validation

B. Incident Recording
C. Incident Classification
D. Incident Prioritization

78. Identify the HTTP status codes that represents the server error.

A. 2XX
B. 4XX
C. 1XX
D. 5XX

79. Jony , a security analyst, while monitoring IIS logs, identified events shown in the
figure below

What does this event log indicate?

 A. Parameter Tampering Attack
B. XSS Attack
C. Directory Traversal Attack
D. SQL Injection Attack

80. Jony, a security analyst, while monitoring IIS logs, identified events shown in the
figure below

What does this event log indicate?

A. Parameter Tampering Attack

B. XSS Attack
C. Directory Traversal Attack
D. SQL Injection Attack

81. Which attack works like a dictionary attack, but adds some numbers and symbols to
the words from the dictionary and tries to crack the password?

A. Hybrid Attack
B. Bruteforce Attack
C. Rainbow Table Attack
D. Birthday Attack

82. Which of the following attack can be eradicated by converting all non-alphanumeric
characters to HTML character entities before displaying the user input in search
engines and forums?

A. Broken Access Control Attacks

B. Web Services Attacks
C. XSS Attacks
D. Session Management Attacks

83. Which one of the following is the correct flow for Setting Up a Computer Forensics
Lab?

A. Planning and budgeting -> Physical location and structural design considerations
-> Work area considerations -> Human resource considerations -> Physical security
recommendations -> Forensics lab licensing
B. Planning and budgeting -> Physical location and structural design considerations->
Forensics lab licensing -> Human resource considerations -> Work area
considerations -> Physical security recommendations
C. Planning and budgeting -> Forensics lab licensing -> Physical location and
structural design considerations -> Work area considerations -> Physical security
recommendations -> Human resource considerations
D. Planning and budgeting -> Physical location and structural design considerations ->
Forensics lab licensing ->Work area considerations -> Human resource considerations
-> Physical security recommendations
84. Which of the following command is used to enable logging in iptables?

A. $ iptables -B INPUT -j LOG

B. $ iptables -A OUTPUT -j LOG
C. $ iptables -A INPUT -j LOG
D. $ iptables -B OUTPUT -j LOG

85. Ray is a SOC analyst in a company named Queens Tech. One Day, Queens Tech is
affected by a DoS/DDoS attack. For the containment of this incident, Ray and his
team are trying to provide additional bandwidth to the network devices and
increasing the capacity of the servers. What is Ray and his team doing?

A. Blocking the Attacks

B. Diverting the Traffic
C. Degrading the services
D. Absorbing the Attack

86. Identify the attack when an attacker by several trial and error can read the contents
of a password file present in the restricted etc folder just by manipulating the URL in
the browser as shown: http://www.terabytes.com/process.php./../../../../etc/passwd

A. Directory Traversal Attack

B. SQL Injection Attack
C. Denial-of-Service Attack
D. Form Tampering Attack

87. Which encoding replaces unusual ASCII characters with "%" followed by the
character's two-digit ASCII code expressed in hexadecimal?

A. Unicode Encoding
B. UTF Encoding
C. Base64 Encoding
D. URL Encoding

88. Which of the following formula represents the risk?

A. Risk = Likelihood × Severity × Asset Value
B. Risk = Likelihood × Consequence × Severity
C. Risk = Likelihood × Impact × Severity
D. Risk = Likelihood × Impact × Asset Value

89. The Syslog message severity levels are labelled from level 0 to level 7.
What does level 0 indicate?
A. Alert
B. Notification
C. Emergency
D. Debugging
90. Where will you find the reputation IP database, if you want to monitor traffic from
known bad IP reputation using OSSIM SIEM?
A. /etc/ossim/reputation
B. /etc/ossim/siem/server/reputation/data
C. /etc/siem/ossim/server/reputation.data
D. /etc/ossim/server/reputation.data

91. According to the Risk Matrix table, what will be the risk level when the probability of
an attack is very low and the impact of that attack is major?
A. High
B. Extreme
C. Low
D. Medium

92. Which of the following command is used to view iptables logs on Ubuntu and Debian
distributions?
A. $ tailf /var/log/sys/kern.log
B. $ tailf /var/log/kern.log
C. # tailf /var/log/messages
D. # tailf /var/log/sys/messages

93. Which of the following technique involves scanning the headers of IP packets leaving
a network to make sure that the unauthorized or malicious traffic never leaves the
internal network?
A. Egress Filtering
B. Throttling
C. Rate Limiting
D. Ingress Filtering

94. Which of the following formula is used to calculate the EPS of the
organization?
A. EPS = average number of correlated events / time in seconds
B. EPS = number of normalized events / time in seconds
C. EPS = number of security events / time in seconds
D. EPS = number of correlated events / time in seconds

95. Juliea a SOC analyst, while monitoring logs, noticed large TXT, NULL payloads.
What does this indicate?

A. Concurrent VPN Connections Attempt

B. DNS Exfiltration Attempt
C. Covering Tracks Attempt
D. DHCP Starvation Attempt

96. An organization is implementing and deploying the SIEM with following

capabilities.
What kind of SIEM deployment architecture the organization is planning to
implement?
 A. Cloud, MSSP Managed
B. Self-hosted, Jointly Managed
C. Self-hosted, Self-Managed
D. Self-hosted, MSSP Managed

97. What is the process of monitoring and capturing all data packets passing
through a given network using different tools?

A. Network Scanning
B. DNS Footprinting
C. Network Sniffing
D. Port Scanning

98. Which of the following is a report writing tool that will help incident handlers to
generate efficient reports on detected incidents during incident response
process?

A. threat_note
B. MagicTree
C. IntelMQ
D. Malstrom

99. Which of the following Windows features is used to enable Security Auditing in
Windows?

A. Bitlocker
B. Windows Firewall
C. Local Group Policy Editor
D. Windows Defender

100. Which of the following attack can be eradicated by filtering improper

XML syntax?

A. CAPTCHA Attacks
B. SQL Injection Attacks
C. Insufficient Logging and Monitoring Attacks
D. Web Services Attacks

101. Which of the following attack can be eradicated by using a safe API to
avoid the use of the interpreter entirely?

A. Command Injection Attacks

B. SQL Injection Attacks
C. File Injection Attacks
D. LDAP Injection Attacks

102. Shawn is a security manager working at Lee Inc Solution. His organization wants to
develop threat intelligent strategy plan. As a part of threat intelligent strategy plan, he
suggested various components, such as threat intelligence requirement analysis,
 intelligence and collection planning, asset identification, threat reports, and
intelligence buy-in. Which one of the following components he should include in the
above threat intelligent strategy plan to make it effective?
A. Threat pivoting
B. Threat trending
C. Threat buy-in
D. Threat boosting

103. Which of the following can help you eliminate the burden of investigating false positives?

A. Keeping default rules

B. Not trusting the security devices
C. Treating every alert as high level
D. Ingesting the context data

104. Which of the following event detection techniques uses User and Entity Behavior
Analytics (UEBA)?

A. Rule-based detection
B. Heuristic-based detection
C. Anomaly-based detection
D. Signature-based detection

105. Identify the password cracking attempt involving a precomputed dictionary of plaintext
passwords and their corresponding hash values to crack the password.

A. Dictionary Attack
B. Rainbow Table Attack
C. Bruteforce Attack
D. Syllable Attack

106. Which of the log storage method arranges event logs in the form of a circular buffer?

A. FIFO
B. LIFO
C. non-wrapping
D. wrapping

107. An organization wants to implement a SIEM deployment architecture. However, they have
the capability to do only log collection and the rest of the SIEM functions must be
managed by an MSSP. Which SIEM deployment architecture will the organization adopt?

A. Cloud, MSSP Managed

B. Self-hosted, Jointly Managed
C. Self-hosted, MSSP Managed
D. Self-hosted, Self-Managed

108. Banter is a threat analyst in Christine Group of Industries. As a part of the job, he is
currently formatting and structuring the raw data. He is at which stage of the threat
intelligence life cycle?
 A. Dissemination and Integration
B. Processing and Exploitation
C. Collection
D. Analysis and Production

109. Which of the following attacks causes sudden changes in file extensions or increase in file
renames at rapid speed?

A. Ransomware Attack
B. DoS Attack
C. DHCP starvation Attack
D. File Injection Attack

110. Which of the following security technology is used to attract and trap people who attempt
unauthorized or illicit utilization of the host system?
A. De-Militarized Zone (DMZ)
B. Firewall
C. Honeypot
D. Intrusion Detection System

111. Identify the event severity level in Windows logs for the events that are not necessarily
significant, but may indicate a possible future problem.

A. Failure Audit
B. Warning
C. Error
D. Information

112. Identify the event severity level in Windows logs for the events that are not necessarily
significant, but may indicate a possible future problem.

A. Failure Audit
B. Warning
C. Error
D. Information

113. Which of the following factors determine the choice of SIEM architecture?
A. SMTP Configuration
B. DHCP Configuration
C. DNS Configuration
D. Network Topology

114. What does HTTPS Status code 403 represents?

A. Unauthorized Error
B. Not Found Error
C. Internal Server Error
D. Forbidden Error
115. Which of the following Windows event is logged every time when a user tries to access
the "Registry" key?
A. 4656
B. 4663
C. 4660
D. 4657

116. Which of the following are the responsibilities of SIEM Agents?

1. Collecting data received from various devices sending data to SIEM before forwarding
it to the central engine.
2. Normalizing data received from various devices sending data to SIEM before
forwarding it to the central engine.
3. Co-relating data received from various devices sending data to SIEM before forwarding
it to the central engine.
4. Visualizing data received from various devices sending data to SIEM before forwarding
it to the central engine.

A. 1 and 2
B. 2 and 3
C. 1 and 4
D. 3 and 1

117. Sam , a security analyst with INFOSOL INC., while monitoring and analyzing IIS logs,
detected an event matching regex /\\w*((\%27)|(\'))((\%6F)|o|(\%4F))((\%72)|r|(\%52))/ix.
What does this event log indicate?

A. SQL Injection Attack

B. Parameter Tampering Attack
C. XSS Attack
D. Directory Traversal Attack

118. Which of the following framework describes the essential characteristics of an

organization's security engineering process that must exist to ensure good security
engineering?

A. COBIT
B. ITIL
C. SSE-CMM
D. SOC-CMM
119. What does Windows event ID 4740 indicate?

A. A user account was locked out.

B. A user account was disabled.
C. A user account was enabled.
D. A user account was created

120. Which of the following is a Threat Intelligence Platform?

A. SolarWinds MS
 B. TC Complete
C. Keepnote
D. Apility.io
121. A type of threat intelligent that find out the information about the attacker by misleading
them is known as .
A. Threat trending Intelligence
B. Detection Threat Intelligence
C. Operational Intelligence
D. Counter Intelligence

122. Chloe, a SOC analyst with Jake Tech, is checking Linux systems logs. She is
investigating files at /var/log/ wtmp. What Chloe is looking at?

A. Error log
B. System boot log
C. General message and system-related stuff
D. Login records

123. Which of the following threat intelligence is used by a SIEM for supplying the analysts
with context and "situational awareness" by using threat actor TTPs, malware campaigns,
tools used by threat actors.

1. Strategic threat intelligence

2. Tactical threat intelligence
3. Operational threat intelligence
4. Technical threat intelligence

A. 2 and 3
B. 1 and 3
C. 3 and 4
D. 1 and 2

124. Properly applied cyber threat intelligence to the SOC team help them in discovering
TTPs. What does these TTPs refer to?

A. Tactics, Techniques, and Procedures

B. Tactics, Threats, and Procedures
C. Targets, Threats, and Process
D. Tactics, Targets, and Process

125. Which of the following data source can be used to detect the traffic associated with Bad
Bot User Agents?

A. Windows Event Log

B. Web Server Logs
C. Router Logs
D. Switch Logs

126. Daniel is a member of an IRT, which was started recently in a company named Mesh
Tech. He wanted to find the purpose and scope of the planned incident response
 capabilities. What is he looking for?

A. Incident Response Intelligence

B. Incident Response Mission
C. Incident Response Vision
D. Incident Response Resources

127. John , a SOC analyst, while monitoring and analyzing Apache web server logs, identified
an event log matching Regex
/(\.|(%|%25)2E)(\.|(%|%25)2E)(\/|(%|%25)2F|\\|(%|%25)5C)/i.
What does this event log indicate?

A. XSS Attack
B. SQL injection Attack
C. Directory Traversal Attack
D. Parameter Tampering Attack

128. According to the Risk Matrix table, what will be the risk level when the probability of an
attack is very high, and the impact of that attack is major?
NOTE: It is mandatory to answer the question before proceeding to the next one.

A. High
B. Extreme
C. Low
D. Medium

129. Jason , a SOC Analyst with Maximus Tech, was investigating Cisco ASA Firewall logs and
came across May 06 2018 21:27:27 asa 1: %ASA -5 - 11008: User 'enable_15' executed
the 'configure term' command What does the security level in the above log indicates?

A. Warning condition message

B. Critical condition message
C. Normal but significant message
D. Informational message

130. What is the correct sequence of SOC Workflow?

A. Collect, Ingest, Validate, Document, Report, Respond

B. Collect, Ingest, Document, Validate, Report, Respond
C. Collect, Respond, Validate, Ingest, Report, Document
D. Collect, Ingest, Validate, Report, Respond, Document

131. Wesley is an incident handler in a company named Maddison Tech. One day, he was
learning techniques for eradicating the insecure deserialization attacks. What among the
following should Wesley avoid from considering?

A. Deserialization of trusted data must cross a trust boundary

B. Understand the security permissions given to serialization and deserialization
C. Allow serialization for security-sensitive classes
 D. Validate untrusted input, which is to be serialized to ensure that serialized data contain
only trusted classes.

132. An attacker, in an attempt to exploit the vulnerability in the dynamically generated

welcome page, inserted code at the end of the company's URL as follows:

A. Cross-site Scripting Attack

B. SQL Injection Attack
C. Denial-of-Service Attack
D. Session Attack

133. Which of the following formula represents the risk levels?

A. Level of risk = Consequence × Severity

B. Level of risk = Consequence × Impact
C. Level of risk = Consequence × Likelihood
D. Level of risk = Consequence × Asset Value

134. In which of the following incident handling and response stages, the root cause of the
incident must be found from the forensic results?

A. Evidence Gathering
B. Evidence Handling
C. Eradication
D. Systems Recovery

135. Jane, a security analyst, while analyzing IDS logs, detected an event matching Regex /((\
%3C)|<)((\%69)|i|(\% 49))((\%6D)|m|(\%4D))((\%67)|g|(\%47))[^\n]+((\%3E)|>)/|.

What does this event log indicate?

A. Directory Traversal Attack

B. Parameter Tampering Attack
C. XSS Attack
D. SQL Injection Attack

136. Which of the following Windows Event Id will help you monitors file sharing across the
network?

A. 7045
B. 4625
C. 5140
D. 4624

137. The threat intelligence, which will help you, understand adversary intent and make
informed decision to ensure appropriate security in alignment with risk. What kind of
threat intelligence described above?

A. Tactical Threat Intelligence

B. Strategic Threat Intelligence
 C. Functional Threat Intelligence
D. Operational Threat Intelligence

138. Identify the type of attack, an attacker is attempting on www.example.com website.

A. Cross-site Scripting Attack

B. Session Attack
C. Denial-of-Service Attack
D. SQL Injection Attack

139. Which of the following fields in Windows logs defines the type of event occurred, such as
Correlation Hint, Response Time, SQM, WDI Context, and so on?

A. Keywords
B. Task Category
C. Level
D. Source

140. Which of the following tool is used to recover from web application incident?

A. CrowdStrike FalconTM Orchestrator

B. Symantec Secure Web Gateway
C. Smoothwall SWG
D. Proxy Workbench

141. Robin , a SOC engineer in a multinational company, is planning to implement a SIEM. He

realized that his organization is capable of performing only Correlation, Analytics,
Reporting, Retention, Alerting, and Visualization required for the SIEM implementation
and has to take collection and aggregation services from a Managed Security Services
Provider (MSSP). What kind of SIEM is Robin planning to implement?

A. Self-hosted, Self-Managed
B. Self-hosted, MSSP Managed
C. Hybrid Model, Jointly Managed
D. Cloud, Self-Managed

142. What type of event is recorded when an application driver loads successfully in Windows?

A. Error
B. Success Audit
C. Warning
D. Information

143. An attacker exploits the logic validation mechanisms of an e-commerce website. He

successfully purchases a product worth $100 for $10 by modifying the URL exchanged
between the client and the server.

Identify the attack depicted in the above scenario

A. Denial-of-Service Attack
 B. SQL Injection Attack
C. Parameter Tampering Attack
D. Session Fixation Attack

144. John, a threat analyst at GreenTech Solutions, wants to gather information about specific
threats against the organization. He started collecting information from various sources,
such as humans, social media, chat room, and so on, and created a report that contains
malicious activity. Which of the following types of threat intelligence did he use?

A. Strategic Threat Intelligence

B. Technical Threat Intelligence
C. Tactical Threat Intelligence
D. Operational Threat Intelligence

145. Which of the following is a default directory in a Mac OS X that stores security-related
logs?

A. /private/var/log
B. /Library/Logs/Sync
C. /var/log/cups/access_log
D. ~/Library/Logs

146. John, SOC analyst wants to monitor the attempt of process creation activities from any of
their Windows endpoints. Which of following Splunk query will help him to fetch related
logs associated with process creation?

A. index=windows LogName=Security EventCode=4678 NOT

(Account_Name=*$) .. .. ... ..
B. index=windows LogName=Security EventCode=4688 NOT (Account_Name=*$) ..
C. index=windows LogName=Security EventCode=3688 NOT (Account_Name=*$) .. .. ..
D. index=windows LogName=Security EventCode=5688 NOT (Account_Name=*$) ... ... .

147. Harley is working as a SOC analyst with Powell Tech. Powell Inc. is using Internet
Information Service (IIS) version 7.0 to host their website. Where will Harley find the web
server logs, if he wants to investigate them for any anomalies?

A. SystemDrive%\inetpub\logs\LogFiles\W3SVCN
B. SystemDrive%\LogFiles\inetpub\logs\W3SVCN
C. %SystemDrive%\LogFiles\logs\W3SVCN
D. SystemDrive%\ inetpub\LogFiles\logs\W3SVCN

148. Harley is working as a SOC analyst with Powell Tech. Powell Inc. is using Internet
Information Service (IIS) version 7.0 to host their website. Where will Harley find the web
server logs, if he wants to investigate them for any anomalies?

A. SystemDrive%\inetpub\logs\LogFiles\W3SVCN
B. SystemDrive%\LogFiles\inetpub\logs\W3SVCN
C. %SystemDrive%\LogFiles\logs\W3SVCN
D. SystemDrive%\ inetpub\LogFiles\logs\W3SVCN
149. What does the Security Log Event ID 4624 of Windows 10 indicate?

A. Service added to the endpoint

B. A share was assessed
C. An account was successfully logged on
D. New process executed

150. Which of the following is a set of standard guidelines for ongoing development,
enhancement, storage, dissemination and implementation of security standards for
account data protection?

A. FISMA
B. HIPAA
C. PCI-DSS
D. DARPA

151. What does the HTTP status codes 1XX represents?

A. Informational message
B. Client error
C. Success
D. Redirection

152. In which phase of Lockheed Martin's - Cyber Kill Chain Methodology, adversary creates a
deliverable malicious payload using an exploit and a backdoor?

A. Reconnaissance
B. Delivery
C. Weaponization
D. Exploitation

153. Identify the attack, where an attacker tries to discover all the possible information about a
target network before launching a further attack.

A. DoS Attack
B. Man-In-Middle Attack
C. Ransomware Attack
D. Reconnaissance Attack

154. What does [-n] in the following checkpoint firewall log syntax represents? fw log [-f [-t]] [-n]
[-l] [-o] [-c action] [-h host] [-s starttime] [-e endtime] [-b starttime endtime] [-u
unification_scheme_file] [-m unification_mode(initial|semi|raw)] [-a] [-k (alert name|all)] [-g]
[logfile]

A. Speed up the process by not performing IP addresses DNS resolution in the Log
files
B. Display both the date and the time for each log record
C. Display account log records only
D. Display detailed log chains (all the log segments a log record consists of)
155. Which of the following attack inundates DHCP servers with fake DHCP requests to
exhaust all available IP addresses?

A. DHCP Starvation Attacks

B. DHCP Spoofing Attack
C. DHCP Port Stealing
D. DHCP Cache Poisoning

156. Mike is an incident handler for PNP Infosystems Inc. One day, there was a ticket raised
regarding a critical incident and Mike was assigned to handle the incident. During the
process of incident handling, at one stage, he has performed incident analysis and
validation to check whether the incident is a true incident or a false positive. Identify the
stage in which he is currently in.

A. Post-Incident Activities
B. Incident Recording and Assignment
C. Incident Triage
D. Incident Disclosure

157. Which of the following is a correct flow of the stages in an incident handling and response
(IH&R) process?

A. Containment -> Incident Recording -> Incident Triage -> Preparation -> Recovery ->
Eradication -> Post-Incident Activities
B. Preparation -> Incident Recording -> Incident Triage -> Containment ->
Eradication -> Recovery -> Post-Incident Activities
C. Incident Triage -> Eradication -> Containment -> Incident Recording -> Preparation ->
Recovery -> Post-Incident Activities D. Incident Recording -> Preparation -> Containment
-> Incident Triage -> Recovery -> Eradication -> Post-Incident Activities

158. Rinni, SOC analyst, while monitoring IDS logs detected events shown in the figure below

What does this event log indicate?

A. Directory Traversal Attack

B. XSS Attack
C. SQL Injection Attack
D. Parameter Tampering Attack

159. Peter, a SOC analyst with Spade Systems, is monitoring and analyzing the router logs of
the company and wanted to check the logs that are generated by access control list
numbered 210. What filter should Peter add to the 'show logging' command to get the
required output?

A. show logging | access 210

B. show logging | forward 210
C. show logging | include 210
D. show logging | route 210
160. Identify the attack in which the attacker exploits a target system through publicly known
but still unpatched vulnerabilities.

A. Slow DoS Attack

B. DHCP Starvation
C. Zero-Day Attack
D. DNS Poisoning Attack

161. In which log collection mechanism, the system or application sends log records either on
the local disk or over the network.

A. rule-based
B. pull-based
C. push-based
D. signature-based

162. Which of the following attack can be eradicated by disabling of "allow_url_fopen and
allow_url_include" in the php.ini file?

A. File Injection Attacks

B. URL Injection Attacks
C. LDAP Injection Attack
D. Command Injection Attacks

163. Which of the following stage executed after identifying the required event sources?

A. Identifying the monitoring Requirements

B. Defining Rule for the Use Case
C. Implementing and Testing the Use Case
D. Validating the event source against monitoring requirement

164. Which of the following steps of incident handling and response process focus on limiting
the scope and extent of an incident?

A. Containment
B. Data Collection
C. Eradication
D. Identification