
Certified SOC Analyst (CSA v2) Question and Answers

Exam: ECCouncil 312-39
Last Update Mar 1, 2026
Total Questions : 200


Question 1

In a large corporation, the HR department receives an urgent email from someone impersonating a high-level executive, requesting immediate transfer of sensitive employee data. The email includes an official-looking document and a phone number for verification. Feeling pressured, the HR manager calls the number and "confirms" the request, then transfers the data. Investigation later confirms the email was fraudulent and the executive had no knowledge of the request. What type of attack did the HR department face?

Options:

A. Credential theft
B. Web-based intrusion
C. Social engineering attack
D. Application exploit

Question 2

The Security Operations Center (SOC) team at Rapid Response Group, a leading cybersecurity firm, is facing challenges in managing security incidents efficiently. With an increasing volume of alerts and security events being generated daily in their Microsoft Sentinel environment, the team is struggling to respond to threats quickly and consistently. To enhance their incident response capabilities, they aim to automate routine security tasks, such as log collection, alert triaging, remediation steps, and notifications to stakeholders. By implementing automated workflows, they seek to reduce response times, eliminate manual intervention for repetitive actions, and ensure a standardized approach to handling security threats across the organization. Which component of Microsoft Sentinel should they utilize to create these automated workflows for incident response?

Options:

A. Community
B. Playbooks
C. Workspace
D. Analytics

Question 3

Which of the following services provides phishing protection and content filtering to manage the Internet experience on and off your network, in line with acceptable use or compliance policies?

Options:

A. Apility.io
B. Malstrom
C. OpenDNS
D. I-Blocklist

Question 4

Which of the following attacks can be eradicated by filtering improper XML syntax?

Options:

A. CAPTCHA Attacks
B. SQL Injection Attacks
C. Insufficient Logging and Monitoring Attacks
D. Web Services Attacks

Question 5

This type of threat intelligence helps you understand adversary intent and make informed decisions to ensure appropriate security in alignment with risk.

What kind of threat intelligence is described above?

Options:

A. Tactical Threat Intelligence
B. Strategic Threat Intelligence
C. Functional Threat Intelligence
D. Operational Threat Intelligence

Question 6

Identify the attack in which the attacker exploits a target system through publicly known but still unpatched vulnerabilities.

Options:

A. Slow DoS Attack
B. DHCP Starvation
C. Zero-Day Attack
D. DNS Poisoning Attack

Question 7

Jane, a security analyst, while analyzing IDS logs, detected an event matching the regex /((\%3C)|<)((\%69)|i|(\%49))((\%6D)|m|(\%4D))((\%67)|g|(\%47))[^\n]+((\%3E)|>)/I.

What does this event log indicate?

Options:

A. Directory Traversal Attack
B. Parameter Tampering Attack
C. XSS Attack
D. SQL Injection Attack

Question 8

You are a SOC analyst on duty during a high-severity incident involving a DDoS attack targeting your organization's e-commerce platform. The attack disrupts online transactions. Using SIEM tools and packet capture systems, you identify unusual traffic patterns and trace activity back to command-and-control (C2) servers directing a botnet. Your goal is to recommend an eradication strategy that will sever the attackers' control over infected devices and halt the attack. Which strategy should your team implement?

Options:

A. Rate limiting
B. Neutralizing handlers
C. Blocking potential attacks
D. Disabling botnets

Question 9

What is the correct sequence of the SOC workflow?

Options:

A. Collect, Ingest, Validate, Document, Report, Respond
B. Collect, Ingest, Document, Validate, Report, Respond
C. Collect, Respond, Validate, Ingest, Report, Document
D. Collect, Ingest, Validate, Report, Respond, Document

Question 10

A SOC analyst monitors network traffic to detect potential data exfiltration. The team uses a security solution that inspects data packets in real time as they traverse the network. During incident response, the solution struggles to analyze encrypted traffic, limiting effectiveness in identifying threats hidden within secure communications. Which security control, with this known limitation, is the SOC team relying on?

Options:

A. VPN
B. Packet filters
C. SSH
D. IPsec

Question 11

Robin, a SOC engineer in a multinational company, is planning to implement a SIEM. He realized that his organization is capable of performing only the Correlation, Analytics, Reporting, Retention, Alerting, and Visualization required for the SIEM implementation and has to take collection and aggregation services from a Managed Security Services Provider (MSSP).

What kind of SIEM is Robin planning to implement?

Options:

A. Self-hosted, Self-Managed
B. Self-hosted, MSSP Managed
C. Hybrid Model, Jointly Managed
D. Cloud, Self-Managed

Question 12

A large financial organization has experienced an increase in sophisticated cyber threats, including zero-day attacks and APTs. Traditional detection relies heavily on signatures and manual intervention, causing delays. The CISO is exploring AI-driven solutions that can automatically analyze large datasets, detect anomalies, and adapt to evolving threats in real time, identifying suspicious activity without predefined signatures and with minimal human oversight. Which key AI technology should the organization focus on?

Options:

A. Static IP blocking
B. Machine learning (ML)
C. Natural language processing (NLP)
D. Heuristic-based signature detection

Question 13

Ray is a SOC analyst in a company named Queens Tech. One day, Queens Tech is affected by a DoS/DDoS attack. For the containment of this incident, Ray and his team are trying to provide additional bandwidth to the network devices and increase the capacity of the servers.

What are Ray and his team doing?

Options:

A. Blocking the Attacks
B. Diverting the Traffic
C. Degrading the services
D. Absorbing the Attack

Question 14

Jackson & Co., a mid-sized law firm, is concerned about web-based cyber threats. The IT team implements a solution that serves as an intermediary for all HTTP and HTTPS requests. This allows the SOC to inspect, filter, and control web traffic to detect and block malicious websites, phishing attempts, and other online threats before they reach users. Which containment method is the organization using to gain visibility and control over web traffic?

Options:

A. Whitelisting
B. Blacklisting
C. Web content filtering
D. Proxy servers

Question 15

A SOC analyst is responsible for designing a security dashboard that provides real-time monitoring of security threats. The organization wants to avoid overwhelming analysts with excessive information and focus on the most critical security alerts to ensure timely responses to potential threats. Which principle should guide the design of the dashboard?

Options:

A. Include as much data as possible to ensure complete visibility
B. Restrict dashboard access to only network administrators
C. Prioritize critical information and remove unnecessary details
D. Use only historical data to avoid real-time inconsistencies

Question 16

Which log storage method arranges event logs in the form of a circular buffer?

Options:

A. FIFO
B. LIFO
C. non-wrapping
D. wrapping

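
The distinction behind Question 16, shown as an added example (this code is not from the page or from any product it mentions): a fixed-capacity log store in its non-wrapping form, which refuses new events once full, beside the wrapping form, a circular buffer whose write index wraps to slot 0 and overwrites the oldest event. The five event lines are constructed. Either mode loses evidence once capacity is exceeded: wrapping discards the earliest records (here the initial logon), non-wrapping discards the latest (here the audit-log-cleared event), which is why capacity and forwarding to central storage matter more than the mode itself.

```python
class NonWrappingLog:
    """Fixed-capacity event store that rejects writes once it is full.

    Nothing already recorded is ever lost, but every event that arrives after
    the buffer fills is dropped and counted.
    """

    def __init__(self, capacity: int) -> None:
        self.capacity = capacity
        self._events: list[str] = []
        self.dropped = 0

    def write(self, event: str) -> bool:
        if len(self._events) >= self.capacity:
            self.dropped += 1
            return False
        self._events.append(event)
        return True

    def events(self) -> list[str]:
        return list(self._events)


class WrappingLog:
    """Circular buffer: a fixed slot array plus a write index that wraps to 0.

    Once full, each new event overwrites the oldest slot, so the store always
    holds the most recent `capacity` events and the earliest ones are gone.
    """

    def __init__(self, capacity: int) -> None:
        self._slots = [None] * capacity
        self._next = 0       # slot the next write goes to
        self._count = 0      # slots currently holding an event
        self.overwritten = 0

    def write(self, event: str) -> bool:
        if self._count == len(self._slots):
            self.overwritten += 1        # the oldest event is being lost
        self._slots[self._next] = event
        self._next = (self._next + 1) % len(self._slots)
        self._count = min(self._count + 1, len(self._slots))
        return True

    def events(self) -> list[str]:
        """Events in arrival order; when full, the oldest sits at self._next."""
        n = len(self._slots)
        start = self._next if self._count == n else 0
        return [self._slots[(start + i) % n] for i in range(self._count)]


def replay(log, events: list[str]) -> list[str]:
    """Write every event into `log` and return what the store retains."""
    for event in events:
        log.write(event)
    return log.events()


# Constructed sample events (Windows-style event IDs, not real log data).
SAMPLE_EVENTS = [
    "4624 successful logon: alice from 203.0.113.45",
    "4625 failed logon: admin from 203.0.113.45",
    "4688 process created: cmd.exe /c whoami",
    "5140 network share accessed: ADMIN$",
    "1102 audit log cleared",
]

if __name__ == "__main__":
    wrapping, non_wrapping = WrappingLog(3), NonWrappingLog(3)
    print("wrapping keeps    :", replay(wrapping, SAMPLE_EVENTS), "overwritten:", wrapping.overwritten)
    print("non-wrapping keeps:", replay(non_wrapping, SAMPLE_EVENTS), "dropped:", non_wrapping.dropped)
```

With capacity 3 and five events, the wrapping store ends up holding events three to five and the non-wrapping store events one to three; `overwritten` and `dropped` both read 2.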
Question 17

The team receives an alert about a ransomware incident affecting the organization's email infrastructure. Forensic analysis identifies the ransomware exploited CVE-2024-0123 in an unpatched mail server. The incident response team is deploying an emergency patch (KB5025941), updating mail filtering rules to block malicious payloads, and implementing additional network segmentation to limit lateral movement. Which phase of the Incident Response process is the SOC currently executing?

Options:

A. Evidence gathering and forensic analysis
B. Eradication
C. Containment
D. Recovery

Question 18

A financial services company hosts an online banking platform accessible via a public web portal. The SOC team has deployed Snort IDS to monitor HTTP traffic for potential attacks targeting the login page. One day, a user attempts to log in multiple times, generating a series of failed authentication events. During this time, Snort IDS triggers an alert based on the following rule:

alert tcp any any -> any 80 (msg:"SQL Injection attempt detected"; content:"' OR T=T"; nocase; sid:1000001; rev:1;)

The alert indicates that an incoming HTTP request contained the classic SQL injection payload ' OR T=T, which is commonly used to bypass login authentication by always evaluating to true. The SIEM, integrated with Snort, receives this alert and correlates it with multiple failed login attempts from the same source IP. This triggers an automated response, temporarily blocking the suspicious IP address and notifying the SOC team. Which detection method is used by this rule?

Options:

A. Behavioral-based detection
B. Signature-based detection
C. Anomaly-based detection
D. Statistical-based detection

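
How the rule and the correlation in Question 18 work, as an added example that is not from the page, from Snort or from any SIEM product. `rule_matches` reimplements only the `content:"' OR T=T"; nocase;` test: a case-insensitive fixed-substring match, which is exactly what makes the rule signature-based (the variant `' OR 1=1` does not fire). `correlate` then does what the scenario's SIEM does: for each alert it counts failed logins from the same source IP in a preceding window and decides whether to block. The Snort fast-format alert lines and the application login-failure lines are constructed, the year is assumed because fast-format alerts carry none, and the window and threshold are assumed values.

```python
import re
from datetime import datetime, timedelta

# The page's rule, reduced to the fields the content test needs.
RULE = {"msg": "SQL Injection attempt detected", "content": "' OR T=T", "nocase": True, "sid": 1000001}


def rule_matches(payload: str, rule: dict = RULE) -> bool:
    """Snort-style content match: fixed substring, case-folded when nocase is set."""
    hay, needle = payload, rule["content"]
    if rule["nocase"]:
        hay, needle = hay.lower(), needle.lower()
    return needle in hay


# Constructed Snort fast-format alert lines (not captured from a sensor).
SNORT_ALERTS = """\
03/01-10:15:07.120000  [**] [1:1000001:1] SQL Injection attempt detected [**] [Priority: 0] {TCP} 203.0.113.45:51234 -> 10.0.0.20:80
03/01-10:15:40.000000  [**] [1:1000001:1] SQL Injection attempt detected [**] [Priority: 0] {TCP} 198.51.100.8:40001 -> 10.0.0.20:80
"""

# Constructed application authentication failures (assumed format).
AUTH_FAILURES = """\
2026-03-01T10:14:55Z app-login FAILED user=alice src=203.0.113.45
2026-03-01T10:14:58Z app-login FAILED user=alice src=203.0.113.45
2026-03-01T10:15:02Z app-login FAILED user=admin src=203.0.113.45
2026-03-01T10:15:05Z app-login FAILED user=admin src=203.0.113.45
2026-03-01T10:15:30Z app-login FAILED user=bob src=198.51.100.8
"""

SNORT_RE = re.compile(
    r"^(\d\d)/(\d\d)-(\d\d:\d\d:\d\d)\.\d+ .*\[1:(\d+):\d+\] (.*?) \[\*\*\].*\{TCP\} (\S+):\d+ -> "
)
AUTH_RE = re.compile(r"^(\S+) app-login FAILED user=(\S+) src=(\S+)$")
YEAR = 2026  # assumption: fast-format alerts carry no year


def parse_snort(text: str) -> list[dict]:
    alerts = []
    for line in text.splitlines():
        m = SNORT_RE.match(line)
        if m:
            mon, day, hms, sid, msg, src = m.groups()
            ts = datetime.strptime(f"{YEAR}-{mon}-{day}T{hms}", "%Y-%m-%dT%H:%M:%S")
            alerts.append({"ts": ts, "sid": int(sid), "msg": msg, "src": src})
    return alerts


def parse_auth(text: str) -> list[dict]:
    failures = []
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            failures.append({"ts": ts, "user": m.group(2), "src": m.group(3)})
    return failures


def correlate(alerts, failures, window=timedelta(minutes=5), threshold=3) -> dict:
    """Per alert source IP: failed logins in the window before the alert, and a block decision."""
    decisions = {}
    for a in alerts:
        recent = [f for f in failures
                  if f["src"] == a["src"] and a["ts"] - window <= f["ts"] <= a["ts"]]
        decisions[a["src"]] = {"failed_logins": len(recent), "block": len(recent) >= threshold}
    return decisions


if __name__ == "__main__":
    for src, d in correlate(parse_snort(SNORT_ALERTS), parse_auth(AUTH_FAILURES)).items():
        print(src, d)
```

The first source has four failures in the five minutes before its alert and is blocked; the second has one and is only flagged. The threshold is what keeps a single typo-then-injection from a real customer from being auto-blocked, and it is the part worth tuning against your own login-failure baseline.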
Question 19

Charline is working as an L2 SOC analyst. One day, an L1 SOC analyst escalated an incident to her for further investigation and confirmation. Charline, after a thorough investigation, confirmed the incident and assigned it an initial priority.

What would be her next action according to the SOC workflow?

Options:

A. She should immediately escalate this issue to the management
B. She should immediately contact the network administrator to solve the problem
C. She should communicate this incident to the media immediately
D. She should formally raise a ticket and forward it to the IRT

Question 20

Where will you find the reputation IP database, if you want to monitor traffic from known bad IP reputation using OSSIM SIEM?

Options:

A. /etc/ossim/reputation
B. /etc/ossim/siem/server/reputation/data
C. /etc/siem/ossim/server/reputation.data
D. /etc/ossim/server/reputation.data

Question 21

CyberBank has experienced phishing, insider threats, and attempted data breaches targeting customer financial records. The bank operates across multiple regions and needs a solution offering continuous security monitoring, rapid threat detection, and centralized visibility across all branches. Which solution will provide automated alerting, digital forensics capabilities, and active threat hunting?

Options:

A. Implementing SOAR (Security Orchestration, Automation, and Response)
B. Implementing periodic security audits
C. Implementing a Security Operations Center (SOC)
D. Deploying a standalone SIEM (Security Information and Event Management) system

Question 22

A major financial institution has strict policies preventing unauthorized data transfers. As a SOC analyst, during routine log analysis you detect an anomaly: an employee workstation initiates large file transfers outside business hours, involving highly sensitive customer financial records. You discover remote access from an unfamiliar IP address and an unauthorized USB device connection on the workstation. Given the likelihood of data exfiltration, what should be your first step in responding?

Options:

A. Isolate the employee's workstation and revoke remote access
B. Conduct a full forensic analysis first
C. Disable the corporate VPN entirely
D. Inform the employee's department and wait for evidence

Question 23

Which of the following security technologies is used to attract and trap people who attempt unauthorized or illicit utilization of the host system?

Options:

A. De-Militarized Zone (DMZ)
B. Firewall
C. Honeypot
D. Intrusion Detection System

Question 24

A Security Operations Center (SOC) analyst receives a high-priority alert indicating unusual user activity. An employee account is attempting to access company resources from a different country and outside of their normal working hours. This behavior raises concerns about potential account compromise or unauthorized access. To automate the initial response and quickly restrict access while further investigating the incident, which SOAR playbook would be relevant to adapt and implement?

Options:

A. Alert Enrichment SOAR Playbook
B. Deprovisioning Users SOAR Playbook
C. Malware Containment SOAR Playbook
D. Phishing Investigations SOAR Playbook

Question 25

A multinational financial institution notices unusual network activity during a routine security audit. The SOC detects multiple failed login attempts, followed by a successful access attempt using an administrator's credentials from an unrecognized IP address. Shortly after, sensitive customer records are accessed without authorization. The company suspects a breach and calls in the forensic investigation team. During evidence collection, the forensic team creates a detailed record that tracks every individual who handled the evidence, its storage location, and timestamps of transfers. What is this process called?

Options:

A. Chain of Custody
B. Incident Documentation
C. Data Imaging
D. Digital Fingerprinting

Question 26

The SOC team is tasked with enhancing the security of an organization's network infrastructure. The organization's public-facing web servers, which handle customer transactions, need to be isolated from the internal private network containing sensitive employee data and proprietary systems. The goal is to create a buffer zone that limits exposure of internal systems if the web servers are compromised during a cyberattack, such as a DDoS or SQL injection attempt. As a SOC analyst, which network architecture component would you recommend implementing to establish this isolated region?

Options:

A. Demilitarized Zone (DMZ)
B. Intrusion Detection System (IDS)
C. Firewall
D. Honeypot

Question 27

Which of the following event detection techniques uses User and Entity Behavior Analytics (UEBA)?

Options:

A. Rule-based detection
B. Heuristic-based detection
C. Anomaly-based detection
D. Signature-based detection

Question 28

If the SIEM generates the following four alerts at the same time:

I. Firewall blocking traffic from getting into the network alerts
II. SQL injection attempt alerts
III. Data deletion attempt alerts
IV. Brute-force attempt alerts

Which alert should be given the least priority as per effective alert triaging?

Options:

A. III
B. IV
C. II
D. I

Question 29

In which of the following incident handling and response stages must the root cause of the incident be found from the forensic results?

Options:

A. Evidence Gathering
B. Evidence Handling
C. Eradication
D. Systems Recovery

Question 30

A multinational cybersecurity firm wants to enhance its threat intelligence capabilities by integrating real-time threat feeds into Microsoft Sentinel. These feeds include malicious IPs, domains, file hashes, and attack patterns. The firm requires a standardized protocol that allows automated threat intelligence sharing so Sentinel continuously receives updated indicators from external sources in a structured format. Which Microsoft Sentinel data connector should be implemented to integrate threat intelligence feeds using an industry-standard protocol?

Options:

A. Threat Intelligence Platforms data connector
B. Syslog connector
C. TAXII data connector
D. Microsoft Defender for Cloud (Legacy) connector

Question 31

Which of the following attacks can be eradicated by using a safe API to avoid the use of the interpreter entirely?

Options:

A. Command Injection Attacks
B. SQL Injection Attacks
C. File Injection Attacks
D. LDAP Injection Attacks

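
The fix Question 31 refers to, as an added example that is not from the page: the same login check written once by concatenating user input into the query (the SQL interpreter then reads attacker text as SQL) and once as a parameterized query, the "safe API" that binds values without ever parsing them as SQL. It assumes SQLite through Python's stdlib `sqlite3` and a constructed one-row users table; the password is stored in clear only to keep the example short, which no real application should do. The payload is `' OR 'T'='T` rather than the unquoted `' OR T=T` from Question 18 because SQLite would reject an unquoted `T` as an unknown column.

```python
import sqlite3


def setup_db() -> sqlite3.Connection:
    """In-memory database with one constructed user row (sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT NOT NULL, password TEXT NOT NULL)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    conn.commit()
    return conn


def build_vulnerable_sql(username: str, password: str) -> str:
    """The query text the vulnerable path hands to the interpreter."""
    return (
        "SELECT username FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # String-built query: quotes in the input terminate the literal and the
    # remainder is executed as SQL, so `' OR 'T'='T` makes the WHERE clause
    # read  ... AND password = '' OR 'T'='T'  which is always true.
    return conn.execute(build_vulnerable_sql(username, password)).fetchone() is not None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Parameterized query: the SQL text is fixed and the values travel
    # separately, so the interpreter never sees them as syntax.
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


if __name__ == "__main__":
    conn = setup_db()
    payload = "' OR 'T'='T"
    print(build_vulnerable_sql("alice", payload))
    print("vulnerable:", login_vulnerable(conn, "alice", payload))  # bypassed
    print("safe      :", login_safe(conn, "alice", payload))        # rejected
```

The parameterized version still authenticates the real password, so the fix costs nothing functionally; the remaining work for a production system is hashing the stored password and rate-limiting failures, which the parameter binding does not address.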
Question 32

According to the Risk Matrix table, what will be the risk level when the probability of an attack is very low and the impact of that attack is major?

Options:

A. High
B. Extreme
C. Low
D. Medium

Question 33

Which of the following frameworks describes the essential characteristics of an organization's security engineering process that must exist to ensure good security engineering?

Options:

A. COBIT
B. ITIL
C. SSE-CMM
D. SOC-CMM

Question 34

A security team is designing SIEM use-case logic to detect privilege escalation attempts on Windows servers. They have already identified and validated the necessary event sources (e.g., Active Directory logs, Windows Security logs). What should be their next step in the use case logic development process?

Options:

A. Define response actions for detected incidents before writing the rules
B. Define correlation rules and conditions that detect specific privilege escalation patterns
C. Implement and test the use case immediately in the production SIEM environment
D. Collect historical security logs to confirm the use case is necessary

Question 35

Which encoding replaces unusual ASCII characters with "%" followed by the character's two-digit ASCII code expressed in hexadecimal?

Options:

A. Unicode Encoding
B. UTF Encoding
C. Base64 Encoding
D. URL Encoding

Question 36

Which of the following Windows Event IDs will help you monitor file sharing across the network?

Options:

A. 7045
B. 4625
C. 5140
D. 4624

Question 37

As a SOC Administrator at a mid-sized financial institution, you noticed intermittent network slowdowns and unexplained high memory usage across multiple critical systems. Your initial analysis found no traces of malware, but a forensic investigation revealed unauthorized scheduled tasks that executed during off-peak hours. These tasks ran obfuscated scripts that connected to an external command-and-control (C2) server. Further investigations showed that the adversary had gained access months ago through a compromised VPN account, leveraging stolen credentials from a phishing campaign. Which phase of the Advanced Persistent Threat (APT) lifecycle does this scenario align with?

Options:

A. Cleanup
B. Initial Intrusion
C. Search and Exfiltration
D. Persistence

Question 38

A manufacturing company is deploying a SIEM system and uses an output-driven approach, starting with use cases addressing unauthorized access to production control systems. They configure data sources and alerts to ensure actionable alerts with low false positives, then expand to supply chain disruptions and malware detection. What is the primary advantage of an output-driven approach?

Options:

A. The company can collect logs from non-critical systems.
B. The company can create more complex use cases with greater scope.
C. The SOC team can respond to all incidents in real time without delays.
D. The SIEM system can automatically block all unauthorized access attempts.

Question 39

A health corporation is implementing a SIEM solution to improve detection and response and comply with HIPAA requirements. They need the SIEM to efficiently collect, analyze, and correlate security events from network devices, servers, and security applications, and generate timely alerts for potential HIPAA violations. Which capability is needed to meet these needs?

Options:

A. Threat hunting and intelligence
B. Centralized SIEM implementation
C. Log management and security analytics
D. Log collection through agents

Question 40

You are a Level 1 SOC analyst at a critical infrastructure provider. Threat actors infiltrated the network and exfiltrated sensitive system blueprints. Before detection, they executed commands that altered system logs, wiped forensic artifacts, and modified timestamps to mimic normal activity. They also manipulated security monitoring tools to prevent unusual login events from being recorded. Which APT lifecycle phase does this represent?

Options:

A. Search and Exfiltration
B. Initial Intrusion
C. Cleanup
D. Expansion

Question 41

Daniel is a member of an IRT, which was started recently in a company named Mesh Tech. He wanted to find the purpose and scope of the planned incident response capabilities.

What is he looking for?

Options:

A. Incident Response Intelligence
B. Incident Response Mission
C. Incident Response Vision
D. Incident Response Resources

Question 42

Jennifer, a SOC analyst, initiates an investigation after receiving an alert about potential unauthorized activity on Marcus's workstation. She starts by retrieving EDR logs from the endpoint, analyzing network traffic patterns in the Security Information and Event Management (SIEM) system, and inspecting email gateway logs for signs of malicious attachments. Her objective is to determine whether this alert represents a legitimate security incident. In which phase of the Incident Response process is Jennifer currently operating?

Options:

A. Incident Triage
B. Evidence Gathering and Forensic Analysis
C. Notification
D. Incident Recording and Assignment

Question 43

You are a Threat Hunter in an IT company's security team working to enhance threat hunting capabilities. You observed that relying solely on traditional security alerts often results in missed detections of sophisticated threats. To strengthen your approach, you decide to incorporate multiple data sources, including external threat intelligence feeds, internal security logs, network traffic data, and endpoint telemetry. To efficiently process this vast amount of data, you implement a new tool that can aggregate, normalize, and correlate threat intelligence with internal telemetry to gain a more holistic understanding of emerging threats and enhance detection accuracy. What key threat detection capability is being leveraged in this scenario?

Options:

A. Threat Reports
B. Intelligence Buy-In
C. Threat Trending
D. Data Integration

Question 44

Which of the following data sources will a SOC analyst use to monitor connections to insecure ports?

Options:

A. Netstat Data
B. DNS Data
C. IIS Data
D. DHCP Data

Question 45

John, a SOC analyst, wants to monitor process creation activity on any of their Windows endpoints.

Which of the following Splunk queries will help him fetch the logs associated with process creation?

Options:

A. index=windows LogName=Security EventCode=4678 NOT (Account_Name=*$) .. .. ... ..
B. index=windows LogName=Security EventCode=4688 NOT (Account_Name=*$) .. .. ..
C. index=windows LogName=Security EventCode=3688 NOT (Account_Name=*$) .. .. ..
D. index=windows LogName=Security EventCode=5688 NOT (Account_Name=*$) ... ... ...

Question 46

At GlobalTech, the SOC team detects a suspicious ransomware outbreak affecting multiple endpoints. After successfully isolating the infected systems from the network, the Digital Forensics team begins their investigation. They deploy a forensics workstation to acquire RAM dumps, extract Windows Event Logs, and collect network PCAP files from the compromised hosts. Which phase of the Incident Response lifecycle is currently underway?

Options:

A. Recovery
B. Evidence gathering and forensic analysis
C. Containment
D. Eradication

Question 47

What type of event is recorded when an application driver loads successfully in Windows?

Options:

A. Error
B. Success Audit
C. Warning
D. Information

Question 48

A financial institution suspects an insider threat due to unauthorized access attempts on restricted databases. However, SIEM alerts lack sufficient information to differentiate between legitimate and malicious access. The SOC manager recommends integrating contextual data to improve detection. Which contextual data source should be integrated in this scenario?

Options:

A. User context from HR systems
B. Location and physical context from CPS sensors
C. Threat context from external threat intelligence feeds
D. Vulnerability context

Question 49

Which of the following attacks can be eradicated by disabling allow_url_fopen and allow_url_include in the php.ini file?

Options:

A. File Injection Attacks
B. URL Injection Attacks
C. LDAP Injection Attacks
D. Command Injection Attacks

Question 50

A SOC team at a major financial institution detects unauthorized access attempts on its web application. Logs indicate the web application is compromised. To determine the exact attack technique and implement mitigation, forensic investigators assess cookie attributes (such as HttpOnly, Secure, and SameSite) for security weaknesses and track anomalous request patterns that deviate from normal user behavior. Which attack vector is the forensic team investigating?

Options:

A. Session poisoning
B. Man-in-the-middle (MITM) attack
C. Cross-site scripting (XSS)
D. SQL injection

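
The cookie-attribute assessment Question 50 describes, as an added example that is not from the page or from any product: it parses Set-Cookie header values with Python's stdlib `http.cookies` and reports, per cookie, a missing HttpOnly flag (script can read the session token), a missing Secure flag (the token is sent over plaintext HTTP) and a SameSite value other than Lax or Strict (cross-site requests carry the token). The header values and cookie names are constructed, and which attributes count as required is an assumption a SOC would set per application.

```python
from http.cookies import SimpleCookie


def audit_set_cookie(header_value: str) -> dict[str, list[str]]:
    """Return {cookie_name: [weaknesses]} for one Set-Cookie header value."""
    jar = SimpleCookie()
    jar.load(header_value)          # parses name=value plus Path/HttpOnly/Secure/SameSite
    findings: dict[str, list[str]] = {}
    for name, morsel in jar.items():
        issues = []
        if not morsel["httponly"]:  # flag attributes parse to True when present, "" otherwise
            issues.append("missing HttpOnly: readable by injected script")
        if not morsel["secure"]:
            issues.append("missing Secure: sent over plaintext HTTP")
        if morsel["samesite"].lower() not in ("lax", "strict"):
            issues.append("SameSite not Lax/Strict: attached to cross-site requests")
        findings[name] = issues
    return findings


def audit_response(set_cookie_headers: list[str]) -> dict[str, list[str]]:
    """Merge the audit of every Set-Cookie header a response carried."""
    merged: dict[str, list[str]] = {}
    for header in set_cookie_headers:
        merged.update(audit_set_cookie(header))
    return merged


def weak_cookies(set_cookie_headers: list[str]) -> list[str]:
    """Names of the cookies that have at least one weakness, in header order."""
    return [name for name, issues in audit_response(set_cookie_headers).items() if issues]


# Constructed Set-Cookie header values, as a SOC might pull them from a
# proxy log or a captured response; none are from a real application.
SAMPLE_HEADERS = [
    "sessionid=abc123; Path=/",
    "csrftoken=z9y8; Path=/; Secure; SameSite=None",
    "auth=tok456; Path=/; HttpOnly; Secure; SameSite=Strict",
]

if __name__ == "__main__":
    for name, issues in audit_response(SAMPLE_HEADERS).items():
        print(name, "OK" if not issues else issues)
```

A cookie with all three weaknesses is the one to look at first when the working theory is session theft or fixation; the SameSite=None case is common on cookies deliberately shared across origins and needs a reason recorded rather than a reflexive change.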
Question 51

The Security Operations Center (SOC) team is investigating a suspected malware incident during the Analysis Phase of their incident response process. Their primary goal is to validate the initial detection, ensure the threat is real, and gather critical intelligence to understand the scope of the attack. Which action should the SOC team take to confirm initial findings and eliminate false alarms?

Options:

A. Verify generated logs
B. Verify false positives
C. Scan the enterprise environment and update the scope
D. Root-cause analysis

Question 52

A mid-sized hospital's SOC team has recently detected multiple malware incidents that disrupted access to patient records and caused operational inefficiencies. The SOC analysts have been tasked with eradicating current infections and preventing future attacks by addressing the underlying vulnerabilities that allowed the malware to breach defenses. As a SOC analyst, you need to recommend a step that directly targets weaknesses in the hospital's network infrastructure or system configurations exploited by the malware. Which eradication step would best address these root causes?

Options:

A. Fixing devices
B. Using antivirus tools for quarantine
C. Updating the malware database with vendor signatures
D. Implementing blacklist techniques for file execution

Question 53

An attacker exploits the logic validation mechanisms of an e-commerce website. He successfully purchases a product worth $100 for $10 by modifying the URL exchanged between the client and the server.

Original URL: http://www.buyonline.com/product.aspx?profile=12&debit=100
Modified URL: http://www.buyonline.com/product.aspx?profile=12&debit=10

Identify the attack depicted in the above scenario.

Options:

A. Denial-of-Service Attack
B. SQL Injection Attack
C. Parameter Tampering Attack
D. Session Fixation Attack

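
The flaw in Question 53 beside its fix, as an added example that is not from the page or from the site the question names. The vulnerable handler charges whatever `debit` the client sends; the hardened one ignores the client-supplied amount, prices the product from a server-side catalog, and exposes the disagreement between the two as a tampering signal a SOC can log and alert on. The catalog, the prices and the function names are assumptions; the two URLs are the page's with the stray space removed.

```python
from urllib.parse import parse_qs, urlparse

# Constructed server-side catalog: the only price source the server trusts.
CATALOG = {"12": 100}   # profile id -> price in dollars (assumed)

ORIGINAL_URL = "http://www.buyonline.com/product.aspx?profile=12&debit=100"
MODIFIED_URL = "http://www.buyonline.com/product.aspx?profile=12&debit=10"


def parse_query(url: str) -> dict[str, str]:
    """First value of each query parameter."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def charge_vulnerable(url: str) -> int:
    """The page's flaw: the amount to debit is taken from the client."""
    return int(parse_query(url)["debit"])


def charge_hardened(url: str) -> int:
    """Price comes from the catalog; 'debit' in the URL is never used."""
    product = parse_query(url).get("profile")
    if product not in CATALOG:
        raise ValueError(f"unknown product {product!r}")
    return CATALOG[product]


def tampering_detected(url: str) -> bool:
    """True when a client-supplied 'debit' disagrees with the catalog price.

    This is what the hardened path should log: a mismatch means the client
    edited a value the server never asked it to send.
    """
    q = parse_query(url)
    product = q.get("profile")
    if product not in CATALOG or "debit" not in q:
        return False
    return int(q["debit"]) != CATALOG[product]


if __name__ == "__main__":
    for url in (ORIGINAL_URL, MODIFIED_URL):
        print(url)
        print("  vulnerable charges:", charge_vulnerable(url))
        print("  hardened charges  :", charge_hardened(url))
        print("  tampering         :", tampering_detected(url))
```

The hardened handler charges $100 for both URLs. Detection on the mismatch is cheap and high-signal: a legitimate client never has a reason to send a price, so any `debit` that differs from the catalog is worth a ticket even when the charge itself was computed correctly.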
Question 54

A newly hired SOC analyst at a fast-growing multinational organization must quickly assess the company's external exposure and identify potential security risks. Techniques considered include analyzing publicly available information, scanning exposed services, reviewing DNS records, and gathering external intelligence. Due to the scale across subsidiaries, cloud environments, and third-party integrations, some methods may not scale well and may lead to delays or incomplete insights. Which technique is less practical for handling large or diverse data sets in this scenario?

Options:

A. DNS lookup
B. Web enumeration
C. OSINT
D. Stack counting

Question 55

Identify the HTTP status code class that represents a server error.

Options:

A. 2XX
B. 4XX
C. 1XX
D. 5XX

Question 56

John, a SOC analyst, while monitoring and analyzing Apache web server logs, identified an event log matching the regex /(\.|(%|%25)2E)(\.|(%|%25)2E)(\/|(%|%25)2F|\\|(%|%25)5C)/i.

What does this event log indicate?

Options:

A. XSS Attack
B. SQL Injection Attack
C. Directory Traversal Attack
D. Parameter Tampering Attack

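
Running the two IDS patterns from Questions 7 and 56 over log lines, as an added example that is not from the page. Both regexes are reproduced as given (Question 7's trailing `/I` flag becomes `re.IGNORECASE`) and applied to each request's target both raw and after one URL decode; `percent_encode` implements the encoding Question 35 describes, so the `%3C` and `%2E` alternatives the patterns carry can be seen being produced. The Apache-style log lines are constructed, and the combined-format layout the parser assumes is an assumption about the log, not something the page states.

```python
import re
from urllib.parse import unquote

# Question 7: an <img ...> tag, raw or percent-encoded, any case.
XSS_IMG = re.compile(
    r"((\%3C)|<)((\%69)|i|(\%49))((\%6D)|m|(\%4D))((\%67)|g|(\%47))[^\n]+((\%3E)|>)",
    re.IGNORECASE,
)

# Question 56: "../" or "..\" raw, percent-encoded, or double-encoded (%25..).
DIR_TRAVERSAL = re.compile(
    r"(\.|(%|%25)2E)(\.|(%|%25)2E)(\/|(%|%25)2F|\\|(%|%25)5C)",
    re.IGNORECASE,
)

SIGNATURES = {"xss_img_tag": XSS_IMG, "directory_traversal": DIR_TRAVERSAL}

# Assumed Apache combined-format layout: client IP first, request line in quotes.
REQUEST_RE = re.compile(r'^(?P<src>\S+) .*?"(?P<method>[A-Z]+) (?P<target>.+?) HTTP/[\d.]+"')

# Constructed sample log lines, not captured traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Mar/2026:10:00:01 +0000] "GET /index.php?page=home HTTP/1.1" 200 512
10.0.0.7 - - [01/Mar/2026:10:00:02 +0000] "GET /index.php?page=../../etc/passwd HTTP/1.1" 404 198
10.0.0.7 - - [01/Mar/2026:10:00:03 +0000] "GET /index.php?page=%2e%2e%2fetc%2fpasswd HTTP/1.1" 404 198
10.0.0.9 - - [01/Mar/2026:10:00:04 +0000] "GET /search?q=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E HTTP/1.1" 200 1024
10.0.0.9 - - [01/Mar/2026:10:00:05 +0000] "GET /search?q=<IMG%20SRC=x%20onerror=alert(1)> HTTP/1.1" 200 1024
10.0.0.11 - - [01/Mar/2026:10:00:06 +0000] "GET /img/logo.png HTTP/1.1" 200 4096
"""


def percent_encode(text: str) -> str:
    """URL-encode each non-alphanumeric ASCII character as '%' + two hex digits (Question 35)."""
    return "".join(c if c.isalnum() else f"%{ord(c):02X}" for c in text)


def scan_line(line: str) -> list[str]:
    """Names of the signatures that match this log line's request target.

    Each pattern is tried against the raw target and against the target after
    one URL decode, so a payload that was encoded in a way the pattern does not
    list explicitly is still seen once the encoding is stripped.
    """
    m = REQUEST_RE.match(line)
    if not m:
        return []
    target = m.group("target")
    candidates = (target, unquote(target))
    return [name for name, rx in SIGNATURES.items()
            if any(rx.search(c) for c in candidates)]


def scan_log(text: str) -> dict[str, list[str]]:
    """Map each offending source IP to the distinct signatures it triggered."""
    hits: dict[str, list[str]] = {}
    for line in text.splitlines():
        for name in scan_line(line):
            bucket = hits.setdefault(line.split(" ", 1)[0], [])
            if name not in bucket:
                bucket.append(name)
    return hits


if __name__ == "__main__":
    print(percent_encode("<img src=x>"))
    for src, names in scan_log(SAMPLE_LOG).items():
        print(src, names)
```

Two sources are reported: one for the traversal attempts (the second of which is caught by the `%2E` alternative without any decoding) and one for the two forms of the `<img` payload. The decode step is what the IDS regexes themselves cannot do, and it is also the usual reason an IDS signature and a SIEM rule on the same log disagree.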
Question 57

At 10:30 AM, during routine monitoring, Tier 1 SOC analyst Jennifer detects unusual network traffic and confirms an active LockBit ransomware infection targeting systems in the finance department. She escalates to the SOC lead, Sarah, who activates the Incident Response Team (IRT) and instructs the network team to isolate the finance department's VLAN to prevent further spread across the network. Which phase of the Incident Response process is currently being implemented?

Options:

A. Evidence gathering and forensic analysis
B. Eradication
C. Notification
D. Containment

Question 58

A SOC analyst monitoring authentication logs detects a sudden and significant spike in failed login attempts targeting multiple critical servers during non-business hours. These repeated authentication failures are abnormal compared to typical login activity. All attempts originate from a single external IP address, indicating a targeted attack rather than random scanning. Some login attempts use legitimate employee usernames, suggesting credential stuffing using previously compromised credentials or an ongoing brute-force attempt. Given this suspicious activity and its potential to escalate into unauthorized access, what is the appropriate next step in the threat-hunting process to assess the situation further?

Options:

A. Rapid response
B. Continuous improvement
C. Establish a baseline
D. Investigate and analyze

Question 59

You are a Threat Hunter at a law firm that suffered a data breach where confidential documents were leaked. Using the Cyber Kill Chain framework, you trace the attacker's steps: they bypassed MFA by masquerading as a legitimate user, moved laterally, accessed sensitive records from a shared repository, and exfiltrated data over an extended period. You must identify the Cyber Kill Chain phase at which the attack was identified, to strengthen defenses and detect intrusions before exfiltration occurs. At which phase was the attack identified?

Options:

A. Delivery
B. Actions on objectives
C. Command and control (C2)
D. Exploitation

Question 60

You are working as a SOC analyst in a multinational company with multiple data centers and remote offices. Security logs are stored locally at each site, making it difficult to correlate incidents across different locations. Recently, an advanced persistent threat (APT) compromised multiple servers, but due to multiple sources of logs and inconsistent monitoring, the attack was detected only after significant data exfiltration. To improve visibility, streamline log analysis, and enable faster incident response, you need to implement a solution that aggregates logs from all sources into a unified system. Which solution will you implement?

Options:

A. Centralized logging
B. Event tracing
C. Distributed logging
D. Local logging