What is the main purpose of SIEM?
A. Encrypt data
B. Collect and analyse logs
C. Block malware
D. Store backups
Answer: B
Explanation:
SIEM = centralised logging + analysis platform. A SIEM collects logs from multiple source devices (servers, firewalls, applications), normalises them, and performs analysis to detect threats. It also correlates events and provides dashboards for monitoring. It does not directly block attacks but supports detection and response.
What is the push method?
A. SIEM retrieves logs
B. Device sends logs to SIEM
C. Logs are deleted
D. Logs are encrypted
Answer: B
Explanation:
In the push method, the source device actively sends logs to the SIEM system. This is commonly used for real-time logging. The opposite is the pull method, where the SIEM retrieves logs from devices at intervals.
Why are indexes used in Splunk?
A. Encrypt logs
B. Improve search performance
C. Delete logs
D. Block attacks
Answer: B
Explanation:
Indexes in Splunk organise stored data and make searching faster and more efficient. They also help control access to data. Without indexing, searching large volumes of log data would be slow and inefficient.
What is the purpose of dashboards?
A. Store logs
B. Visualise data
C. Encrypt logs
D. Delete logs
Answer: B
Explanation:
Dashboards present log data visually using graphs and charts. This helps analysts quickly identify patterns, trends, and anomalies. They are often populated using reports generated from SIEM queries.
What is a SIEM system?
A. Firewall
B. Log collection and analysis system
C. Antivirus
D. Encryption tool
Answer: B
Explanation:
A SIEM (Security Information and Event Management) system collects logs from multiple source devices such as servers, firewalls, and applications. It then normalises, correlates, and analyses these logs to detect suspicious activity. It provides visibility through dashboards and alerts but does not directly block attacks.
What is a source device?
A. SIEM platform
B. Device that generates logs
C. Dashboard
D. Firewall rule
Answer: B
Explanation:
A source device is any system that generates logs, such as a router, server, or application. These logs are sent to the SIEM for analysis. Understanding log sources is important because SIEM relies on accurate and complete data collection.
What is the pull method?
A. Device sends logs
B. SIEM retrieves logs
C. Logs are blocked
D. Logs are deleted
Answer: B
Explanation:
In the pull method, the SIEM system connects to source devices and retrieves logs at intervals. This method can be useful where devices cannot push logs directly, but it may introduce delays compared to push-based collection.
What is Splunk primarily used for?
A. Blocking attacks
B. Collecting and searching log data
C. Encrypting traffic
D. Creating malware
Answer: B
Explanation:
Splunk is a SIEM platform used to collect, index, and search large volumes of machine-generated data. It allows analysts to monitor systems, investigate incidents, and generate reports through a web interface.
Splunk searches are:
A. Case-sensitive
B. Case-insensitive
C. Numeric only
D. Binary
Answer: B
Explanation:
Splunk searches are case-insensitive, meaning “Splunkd” and “splunkd” are treated the same. This simplifies searching and reduces errors when querying log data.
What is the purpose of indexes in Splunk?
A. Encrypt logs
B. Improve search performance
C. Delete logs
D. Block traffic
Answer: B
Explanation:
Indexes organise data in Splunk, allowing faster searches and efficient filtering. They also help control access to data. Without indexing, searching large datasets would be slow and inefficient.
What are dashboards used for?
A. Store logs
B. Visualise data
C. Encrypt logs
D. Delete logs
Answer: B
Explanation:
Dashboards present log data visually using graphs, charts, and panels. This helps analysts quickly identify trends, anomalies, and security issues without manually reading logs.
Which operator is used in Splunk searches?
A. XOR
B. AND
C. NAND
D. NOR
Answer: B
Explanation:
Splunk supports logical operators such as AND, OR, and NOT to combine search terms. These help refine searches and retrieve relevant log data more efficiently.
How are phrases searched in Splunk?
A. Using brackets
B. Using quotes
C. Using numbers
D. Using symbols
Answer: B
Explanation:
Phrases in Splunk must be enclosed in quotation marks to ensure the exact phrase is searched. Without quotes, Splunk treats each word separately.
What is log normalisation?
A. Encrypting logs
B. Standardising log formats
C. Deleting logs
D. Blocking logs
Answer: B
Explanation:
Log normalisation converts logs from different sources into a consistent format. This is essential for correlation and analysis, as different systems produce logs in different structures.
Why is log correlation important?
A. Encrypt data
B. Combine related events
C. Delete logs
D. Backup data
Answer: B
Explanation:
Correlation links related events across different systems to identify patterns of attacks. For example, multiple failed logins followed by a successful login may indicate a brute-force attack.
SIEM helps with:
A. Prevention only
B. Detection and analysis
C. Encryption only
D. Backup only
Answer: B
Explanation:
SIEM focuses on detecting threats by analysing logs and correlating events. It supports incident response but does not replace prevention tools like firewalls.
Which is NOT a SIEM function?
A. Collect logs
B. Analyse events
C. Block attacks directly
D. Correlate data
Answer: C
Explanation:
SIEM does not directly block attacks. Instead, it detects and alerts security teams, who then take action using other tools such as firewalls or endpoint protection.
Why is SIEM important in SOC?
A. Encrypt traffic
B. Centralised monitoring
C. Replace IDS
D. Backup systems
Answer: B
Explanation:
SIEM provides a central platform for monitoring and analysing logs from across the organisation. This enables faster detection of threats and more efficient incident response within a SOC.