CSA (1 - 25) Flashcards

(25 cards)

1
Q

1) A SIEM alert is triggered due to unusual network traffic involving NetBIOS. The System log shows that
“The TCP/IP NetBIOS Helper service entered the running state”. Concurrently, Event Code 4624: “An
account was successfully logged on” appears for multiple machines within a short time frame. The logon
type is identified as 3 (Network logon). Which of the following security incidents is the SIEM detecting?

A. A user connecting to shared files from multiple workstations
B. A malware infection spreading via SMB protocol
C. A network administrator conducting routine maintenance
D. An attacker performing lateral movement within the network

A

D. An attacker performing lateral movement within the network

2
Q

2) A manufacturing company is deploying a SIEM system and wants to improve both its security monitoring
and regulatory compliance capabilities. During the planning phase, the team decides to use an output-
driven approach, starting with use cases that address unauthorized access to production control systems.
They configure data sources and alerts specific to this use case, ensuring they receive actionable alerts
without excessive false positives. After validating its success, they move on to use cases related to supply
chain disruptions and malware detection. Which of the following best describes the primary advantage of
using an output-driven approach in SIEM deployment?

A. The company can collect logs from non-critical systems.
B. The SOC team can respond to all incidents in real time without delays.
C. The SIEM system can automatically block all unauthorized access attempts.
D. The company can create more complex use cases with greater scope.

A

D. The company can create more complex use cases with greater scope.

3
Q

3) An attacker attempts to gain unauthorized access to a secure network by repeatedly guessing login
credentials. The SIEM is configured to generate an alert after detecting 10 consecutive failed login
attempts within a short timeframe. However, the attacker successfully logs in on the 9th attempt, just
before the threshold is reached, bypassing the alert mechanism. Security teams only become aware of the
incident after detecting suspicious activity post-login, highlighting a gap in the SIEM’s detection rules.
What type of alert classification does this represent?

A. True Positive
B. False Positive
C. False Negative
D. True Negative

A

C. False Negative
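As an added example (not part of the original card set), the two rules below run over a constructed sequence of nine failed logons (Event ID 4625) followed by one success (4624) from the same account and source. The first rule is the one in the question and never fires, which is the false negative; the second closes the gap by alerting on a success that follows a burst of failures. Event tuples, account, IP address and thresholds are assumptions made for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real logs): (timestamp, event_id, account, source_ip)
# 4625 = failed logon, 4624 = successful logon
SAMPLE_EVENTS = (
    [(f"2024-03-01T02:00:{i:02d}", 4625, "CORP\\jsmith", "203.0.113.7") for i in range(9)]
    + [("2024-03-01T02:00:09", 4624, "CORP\\jsmith", "203.0.113.7")]
)


def consecutive_failure_rule(events, threshold=10, window=timedelta(minutes=5)):
    """The rule from the question: alert only after `threshold` failures in a row
    (within `window`) for the same account and source. A success resets the streak."""
    alerts = []
    streaks = {}  # (account, src) -> timestamps of the current failure streak
    for ts, event_id, account, src in events:
        t = datetime.fromisoformat(ts)
        key = (account, src)
        if event_id == 4625:
            streak = [x for x in streaks.get(key, []) if t - x <= window] + [t]
            streaks[key] = streak
            if len(streak) >= threshold:
                alerts.append(("brute_force_threshold", account, src, t.isoformat()))
                streaks[key] = []
        else:
            streaks[key] = []  # any other outcome breaks the consecutive count
    return alerts


def failures_then_success_rule(events, min_failures=3, window=timedelta(minutes=5)):
    """Gap-closing rule: alert when a successful logon follows at least
    `min_failures` failures from the same account/source inside `window`."""
    alerts = []
    failures = {}  # (account, src) -> recent failure timestamps
    for ts, event_id, account, src in events:
        t = datetime.fromisoformat(ts)
        key = (account, src)
        recent = [x for x in failures.get(key, []) if t - x <= window]
        if event_id == 4625:
            recent.append(t)
        elif event_id == 4624 and len(recent) >= min_failures:
            alerts.append(("success_after_failures", account, src, t.isoformat(), len(recent)))
            recent = []
        failures[key] = recent
    return alerts


if __name__ == "__main__":
    print("threshold rule:", consecutive_failure_rule(SAMPLE_EVENTS))       # []
    print("success-after-failures rule:", failures_then_success_rule(SAMPLE_EVENTS))
```

The second rule is the standard complement to a plain threshold: the attacker controls how many attempts they make, so a rule that only counts failures can always be stayed under, whereas a success preceded by failures from the same source is a signal the attacker cannot avoid producing.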

4
Q

4) Daniel Clark, a cybersecurity specialist working in the Cloud SOC for a government agency, is
responsible for ensuring secure access to cloud applications while maintaining compliance with regulatory
frameworks. His team needs a security solution that can enforce access policies to prevent unauthorized
access to cloud based applications, monitor and restrict data sharing within SaaS, PaaS, and IaaS
environments, ensure compliance with government regulations for data security and privacy, and apply
security controls to prevent sensitive data exposure in the cloud. To achieve these objectives, the team has
implemented a security technology that governs control over cloud resources, applies security policies,
and protects sensitive cloud-stored data. Which Cloud SOC technology is Daniel’s team using?

A. Cloud Security Posture Management
B. Cloud-native anomaly detection
C. Cloud Workload Protection Platform
D. Cloud Access Security Broker

A

D. Cloud Access Security Broker

5
Q

5) A mid-sized healthcare organization is facing frequent phishing and ransomware attacks. They lack an
internal SOC and want proactive threat detection and response capabilities. Compliance with HIPAA
regulations is essential. The organization seeks a solution that includes both monitoring and rapid
response to incidents. Which service best meets their needs?

A. MSSP with 24/7 log monitoring and incident escalation
B. Self-hosted SIEM with in-house SOC analysts
C. MDR with proactive threat hunting and incident containment
D. Cloud-based SIEM with MSSP-Managed services

A

C. MDR with proactive threat hunting and incident containment

6
Q

6) A Security Operations Center (SOC) analyst receives a high-priority alert indicating unusual user activity.
An employee account is attempting to access company resources from a different country and outside of
their normal working hours. This behavior raises concerns about potential account compromise or
unauthorized access. To automate the initial response and quickly restrict access while the incident is
investigated further, which SOAR playbook would be relevant to adapt and implement?

A. Deprovisioning Users SOAR Playbook
B. Phishing Investigations SOAR Playbook
C. Alert Enrichment SOAR Playbook
D. Malware Containment SOAR Playbook

A

A. Deprovisioning Users SOAR Playbook

7
Q

7) A government agency responsible for protecting sensitive information needs to monitor its network for
unusual data exfiltration attempts. Since traditional log data alone is insufficient to identify suspicious
traffic patterns, the SIEM team decides to integrate traffic flow data into their system. This data will help
detect anomalies, such as large data transfers to unauthorized destinations or unexpected traffic spikes.
The team must choose the appropriate protocol to collect IP traffic information from network devices like
routers and switches. Which protocol should be used to collect this data?

A. Syslog
B. SNMP (Simple Network Management Protocol)
C. IPFIX (IP Flow Information Export)
D. NetFlow (RFC 3954)

A

C. IPFIX (IP Flow Information Export)

8
Q

8) SecureTech Solutions, a managed security service provider (MSSP), is optimizing its log management
architecture to enhance log storage, retrieval, and analysis efficiency. The SOC team needs to ensure that
security logs are stored in a structured or semi-structured format, allowing for easy parsing, querying, and
correlation of security events. To achieve this, they decide to implement a log storage format that
organizes data in a text file in tabular structure, ensuring each log entry is stored in rows and columns.
Additionally, they require a format that supports easy export to databases or spreadsheet-based analysis
while maintaining readability. Which log format should the SOC team choose to store logs in a structured
or semi-structured format for efficient analysis?

A. Syslog Format
B. Cloud Storage
C. Comma-Separated Values (CSV) Format
D. Database

A

C. Comma-Separated Values (CSV) Format

9
Q

9) Web4Everyone, a large web hosting service provider, hosts multiple major websites, social media
platforms and more. You work there as an L1 SOC analyst responsible for investigating web server logs for
potential malicious activity. Recently, your team detected multiple failed login attempts and unusual traffic
patterns targeting the company’s web application. To efficiently analyze the logs and identify key details
such as the remote host, username, timestamp, requested resource, HTTP status code, and user-agent, you
need a structured log format that ensures quick and accurate parsing. Which standardized log format will
you choose for this scenario?

A. Extended Log Format (ELF)
B. Tab-Separated Format
C. Common Log Format (CLF)
D. JSON Format

A

A. Extended Log Format (ELF)
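As an added example (not part of the original card set), here is a small parser for W3C Extended Log Format: it reads the `#Fields:` directive, maps each data line onto those field names, and then counts failed logins per remote host. The log lines, IIS-style `+` for spaces and `-` for empty fields, field list and the `/login` resource are constructed assumptions for illustration, not data from the page.

```python
from collections import Counter

# Constructed sample log in W3C Extended Log Format (not a real server log).
# IIS-style conventions are assumed: '-' marks an empty field, '+' stands for a space inside a field.
SAMPLE_ELF = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2024-03-01 00:00:00
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status cs(User-Agent)
2024-03-01 02:00:01 203.0.113.7 - POST /login 401 Mozilla/5.0+(compatible;+scanner)
2024-03-01 02:00:02 203.0.113.7 - POST /login 401 Mozilla/5.0+(compatible;+scanner)
2024-03-01 02:00:03 203.0.113.7 - POST /login 401 Mozilla/5.0+(compatible;+scanner)
2024-03-01 02:00:04 203.0.113.7 admin POST /login 200 Mozilla/5.0+(compatible;+scanner)
2024-03-01 02:05:00 198.51.100.20 alice GET /dashboard 200 Mozilla/5.0+(Windows+NT+10.0)
"""


def parse_elf(text):
    """Parse ELF text into a list of dicts keyed by the names in the #Fields directive.
    Directive lines (#Software, #Version, #Date, #Fields) carry metadata, not events."""
    fields = None
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("data line encountered before a #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} fields, got {len(values)}: {line!r}")
        record = {
            name: (None if value == "-" else value.replace("+", " "))
            for name, value in zip(fields, values)
        }
        records.append(record)
    return records


def failed_logins_by_host(records, resource="/login"):
    """Count requests to `resource` that were refused (401/403), keyed by remote host."""
    counts = Counter()
    for r in records:
        if r["cs-uri-stem"] == resource and r["sc-status"] in ("401", "403"):
            counts[r["c-ip"]] += 1
    return dict(counts)


if __name__ == "__main__":
    recs = parse_elf(SAMPLE_ELF)
    for r in recs:
        print(r["c-ip"], r["cs-username"], r["cs-uri-stem"], r["sc-status"], r["cs(User-Agent)"])
    print(failed_logins_by_host(recs))
```

Because the `#Fields:` line names every column, the same parser copes with servers that log a different field set; plain Common Log Format has a fixed column layout and no user-agent field, which is why the question's requirement to extract the user-agent points to ELF.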

10
Q

10) At 10:30 AM, during routine monitoring, Tier-1 SOC analyst Jennifer detects unusual network traffic and
confirms an active LockBit ransomware infection targeting systems in the finance department. She
escalates the issue to the SOC lead, Sarah, who activates the Incident Response Team (IRT) and instructs
the network team to isolate the finance department’s VLAN to prevent further spread across the network.
Which phase of the Incident Response process is currently being implemented?

A. Notification
B. Evidence Gathering and Forensic Analysis
C. Eradication
D. Containment

A

D. Containment

11
Q

11) A SOC analyst is responsible for designing a security dashboard that provides real-time monitoring of security threats. The organization wants to avoid overwhelming analysts with excessive information and
focus on the most critical security alerts to ensure timely responses to potential threats. Which principle should guide the design of the dashboard?

A. Restrict dashboard access to only network administrators
B. Prioritize critical information and remove unnecessary details
C. Include as much data as possible to ensure complete visibility
D. Use only historical data to avoid real-time inconsistencies

A

B. Prioritize critical information and remove unnecessary details

12
Q

12) The Security Operations Center (SOC) team at Rapid Response Group, a leading cybersecurity firm, is
facing challenges in managing security incidents efficiently. With an increasing volume of alerts and security events being generated daily in their Microsoft Sentinel environment, the team is struggling to respond to threats quickly and consistently. To enhance their incident response capabilities, they aim to automate routine security tasks, such as log collection, alert triaging, remediation steps, and notifications to stakeholders. By implementing automated workflows, they seek to reduce response times, eliminate
manual intervention for repetitive actions, and ensure a standardized approach to handling security threats across the organization. Which component of Microsoft Sentinel should they utilize to create these automated workflows for incident response?

A. Playbooks
B. Community
C. Workspace
D. Analytics

A

A. Playbooks

13
Q

13) The SOC team found a suspicious document file on a user’s workstation. Upon initial inspection, the document appears benign, but deeper analysis reveals an embedded PowerShell script. The team suspects the script is designed to download and execute a malicious payload. They need to understand the script’s functionality without triggering it. Which malware analysis technique would be recommended for the SOC team to understand the PowerShell script’s functionality without executing it?

A. Automated behavioral analysis
B. Network traffic analysis
C. Dynamic analysis
D. Static analysis

A

D. Static analysis

14
Q

14) A major financial institution has strict policies preventing unauthorized data transfers. As a SOC analyst,
you are conducting routine log analysis when you detect an anomaly – an employee’s workstation is initiating large file transfers outside of business hours. The files in question contain highly sensitive customer financial records. Upon further investigation, you discover that the employee has been remotely accessing the system from an unfamiliar IP address. Security logs also flag an unauthorized USB device connected to the workstation, violating corporate policy. Given the nature of the data involved and the possibility of data exfiltration, you need to act swiftly. What will be your first step in responding to this incident?

A. Isolate employee’s workstation and revoke remote access
B. Conduct a full forensic analysis first
C. Inform employee’s department and wait for evidence
D. Disable corporate VPN entirely

A

A. Isolate employee’s workstation and revoke remote access

15
Q

15) Jannet is a SOC analyst at a multinational corporation that operates multiple data centers, cloud environments, and on-premises systems. She notices that security incidents are taking too long to detect and
investigate. After analyzing the problem, she discovers that logs from firewalls, endpoint security solutions, authentication servers, and cloud applications are scattered across different systems in various formats, so her team has to manually convert logs into a readable format before investigating incidents. What approach should she implement to accept logs from heterogeneous sources in different
formats, convert them into a common format, and improve incident detection and response time?

A. Log normalization
B. Log transformation
C. Log collection
D. Log correlation

A

A. Log normalization
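As an added example (not part of the original card set), the block below normalizes three constructed log lines in three different formats (a syslog line from sshd, a Windows Security event rendered as key=value pairs, and a JSON cloud audit event) into one common schema, then correlates them by user and source IP. The line formats, field names and values are assumptions for illustration, not real logs.

```python
import json
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed sample lines (not real logs), one per source format
SAMPLE_LOGS = [
    ("syslog", "Mar  1 02:00:01 bastion sshd[4211]: Failed password for alice from 203.0.113.7 port 51522 ssh2"),
    ("windows", "TimeCreated=2024-03-01T02:00:05Z EventID=4625 TargetUserName=alice IpAddress=203.0.113.7"),
    ("cloud", '{"eventTime": "2024-03-01T02:00:09Z", "eventName": "ConsoleLogin", '
              '"userIdentity": {"userName": "alice"}, "sourceIPAddress": "203.0.113.7", '
              '"responseElements": {"ConsoleLogin": "Failure"}}'),
]

SYSLOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) "
    r"sshd\[\d+\]: (?P<outcome>Failed|Accepted) password for (?P<user>\S+) from (?P<ip>\S+)"
)


def _iso_utc(ts):
    # Accept a trailing 'Z' on Python versions whose fromisoformat does not
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc).isoformat()


def normalize_syslog(line, year=2024):
    """Syslog timestamps carry no year; the year is an assumed parameter here."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    return {
        "timestamp": ts.replace(tzinfo=timezone.utc).isoformat(),
        "source": "sshd", "host": m["host"], "user": m["user"], "src_ip": m["ip"],
        "action": "logon", "outcome": "failure" if m["outcome"] == "Failed" else "success",
    }


def normalize_windows(line):
    kv = dict(part.split("=", 1) for part in line.split())
    event_id = kv.get("EventID")
    if event_id not in ("4624", "4625"):
        return None
    return {
        "timestamp": _iso_utc(kv["TimeCreated"]),
        "source": "windows-security", "host": kv.get("Computer"), "user": kv.get("TargetUserName"),
        "src_ip": kv.get("IpAddress"), "action": "logon",
        "outcome": "success" if event_id == "4624" else "failure",
    }


def normalize_cloud(line):
    ev = json.loads(line)
    if ev.get("eventName") != "ConsoleLogin":
        return None
    result = ev.get("responseElements", {}).get("ConsoleLogin", "")
    return {
        "timestamp": _iso_utc(ev["eventTime"]),
        "source": "cloud-audit", "host": None, "user": ev.get("userIdentity", {}).get("userName"),
        "src_ip": ev.get("sourceIPAddress"), "action": "logon",
        "outcome": "success" if result == "Success" else "failure",
    }


NORMALIZERS = {"syslog": normalize_syslog, "windows": normalize_windows, "cloud": normalize_cloud}


def normalize_all(logs):
    """Run each line through its source's normalizer and return the common-schema records in time order."""
    records = [NORMALIZERS[source](line) for source, line in logs]
    return sorted((r for r in records if r is not None), key=lambda r: r["timestamp"])


def failed_logons_by_user_ip(records):
    """Correlation that only works once the schema is shared: failures per (user, source IP)."""
    return dict(Counter((r["user"], r["src_ip"]) for r in records if r["outcome"] == "failure"))


if __name__ == "__main__":
    recs = normalize_all(SAMPLE_LOGS)
    for r in recs:
        print(r)
    print(failed_logons_by_user_ip(recs))
```

Once every source lands in the same field names with UTC timestamps, the correlation step is a one-line group-by; without normalization the same question needs three different parsers inside every detection rule.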

16
Q

16) A security team is tasked with configuring a newly deployed SIEM system. With limited resources, they must prioritize specific monitoring scenarios that provide the greatest security benefit. The team understands that an effective SIEM relies on well-defined use cases tailored to the organization’s environment. Given the evolving threat landscape, they must carefully choose which use cases to
implement first to maximize value and threat detection capabilities. Which factor should guide their selection of use cases?

A. Focus on use cases required to meet industry compliance standards.
B. Select use cases based on the availability and quality of data from existing data sources.
C. Prioritize use cases that address zero day attacks.
D. Implement as many use cases as the SIEM supports to cover all threats.

A

B. Select use cases based on the availability and quality of data from existing data sources.

17
Q

17) Bob is a SOC analyst in a multinational corporation that relies on a centralized file-sharing system for storing confidential project documents. One morning, he notices that a few critical financial records stored on the shared server appear to have been altered without authorization. Upon further analysis, he discovers that the version history confirms unexpected changes made outside of business hours. Now he must investigate by inspecting the logs. Which log should he check to determine who accessed the files and
when the modifications occurred?

A. Authentication logs
B. Firewall logs
C. Security logs
D. Network logs

A

C. Security logs

18
Q

18) SecureTech Inc., a leading cybersecurity-focused organization, operates its critical infrastructure and applications in AWS. The Security Operations Center (SOC) team is responsible for detecting, investigating, and mitigating security threats within their cloud environment. Recently, the SOC team has observed an increase in suspicious activities, such as unexpected API calls, unusual outbound traffic from instances, and DNS requests to potentially malicious domains. To enhance their threat detection
capabilities, they need a fully managed AWS security service that can continuously monitor for malicious activity across their AWS environment, analyze AWS CloudTrail logs, VPC Flow Logs, and DNS query logs, leverage machine learning and threat intelligence to identify advanced threats, and provide actionable security findings to accelerate response efforts. Which AWS service is best suited to help SecureTech Inc. proactively detect and respond to security threats in their AWS environment?

A. AWS Config
B. Amazon GuardDuty
C. AWS Security Hub
D. Amazon Macie

A

B. Amazon GuardDuty

19
Q

19) As a SOC Administrator at a mid-sized financial institution, you noticed intermittent network slowdowns and unexplained high memory usage across multiple critical systems. Your initial analysis found no traces of malware, but a forensic investigation revealed unauthorized scheduled tasks that executed during off-peak hours. These tasks ran obfuscated scripts that connected to an external C2 server. Further investigation showed that the adversary had gained access months ago through a compromised VPN account, leveraging stolen credentials from a phishing campaign. Which phase of the Advanced Persistent Threat (APT) lifecycle does this scenario align with?

A. Persistence
B. Cleanup
C. Search and Exfiltration
D. Initial Intrusion

A

A. Persistence

20
Q

20) An organization with a complex IT infrastructure is planning to implement a SIEM solution to improve its threat detection and response capabilities. Due to the scale and complexity of its systems, the organization opts for a phased deployment approach to ensure a smooth implementation and reduce potential risks.
Which of the following should be the first phase in their SIEM deployment strategy?

A. Configure security analytics to identify potential threats
B. Set up the log management component before deploying the SIEM component
C. Implement User and Entity Behavior Analytics (UEBA)
D. Automate incident response processes

A

B. Set up the log management component before deploying the SIEM component

21
Q

21) During a routine security audit, analysts discover that several of the organization’s web servers are still using a vulnerable third-party library flagged for a zero-day exploit. This vulnerability was identified in a
previous audit, and patches were initially deployed to mitigate the risk. However, due to reported application instability and compatibility issues, the application team rolled back the patches, leaving the
systems exposed. Despite the known risk, the vulnerability remains unaddressed, and no alternative mitigations have been put in place. Given the state of the web servers and their reliance on outdated, vulnerable software, how should the security team classify this risk in the context of web application security?

A. Vulnerable and Outdated Components
B. Software and Data Integrity Failures
C. Security Logging and Monitoring Failures
D. Insecure Design

A

A. Vulnerable and Outdated Components

22
Q

22) The SOC team at a national cybersecurity agency has detected anomalous network traffic originating from a sensitive government server. Initial analysis suggests a potential intrusion, leading the SOC team to escalate the incident to the forensic team for deeper investigation. Upon forensic examination, the team discovers a trojan on the compromised server. The trojan is suspected of engaging in data exfiltration, raising concerns about potential backdoor access and long-term persistence mechanisms employed by the
malware. Given the severity of the situation, the lead malware analyst is tasked with conducting an in-depth analysis of the trojan to determine its capabilities (e.g., command execution, privilege escalation, keylogging), its persistence mechanisms (e.g., registry modifications, scheduled tasks, startup entries), and
any backdoor functionalities (e.g., remote access, hidden communication channels). However, due to the sensitive nature of the system and the risk of unintended execution, the analyst must analyze the trojan’s binary code at the instruction level without actually executing it. Which technique should the forensic analyst use?

A. Malware Disassembly
B. Network Behavior Monitoring
C. Dynamic Code Injection
D. Interactive Debugging

A

A. Malware Disassembly

23
Q

23) A SOC team at a major financial institution detects unauthorized access attempts on its web application. The security team reviews the logs and finds that the web application is compromised. To determine the exact attack technique used and implement the necessary mitigation measures, the forensic investigators are assessing cookie attributes (such as HttpOnly, Secure, and SameSite) for security weaknesses and tracking anomalous request patterns that deviate from normal user behavior. Which of the following attack vectors is the forensic team investigating?

A. SQL Injection
B. Cross-Site Scripting (XSS)
C. Man-in-the-Middle (MITM) Attack
D. Session Poisoning

A

D. Session Poisoning
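As an added example (not part of the original card set), here is the cookie-attribute assessment the question describes, run over constructed `Set-Cookie` headers: each header is split into its name, value and attributes, and the session cookie is flagged when HttpOnly, Secure or a restrictive SameSite value is missing, or when it is made persistent. The header values and cookie names are assumptions for illustration.

```python
# Constructed Set-Cookie headers (not captured from a real application)
SAMPLE_HEADERS = [
    "sessionid=8f3c1a; Path=/; HttpOnly; Secure; SameSite=Strict",
    "sessionid=8f3c1a; Path=/",
    "auth=tok123; Path=/; Secure; SameSite=None; Expires=Wed, 01 Jan 2025 00:00:00 GMT",
]


def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, value, {attribute_lowercase: value or True})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, sep, val = part.partition("=")
        # Flag attributes (HttpOnly, Secure) have no '=', so they map to True
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), value.strip(), attrs


def assess_session_cookie(header):
    """Return (cookie name, list of weaknesses) for a cookie that carries a session."""
    name, _, attrs = parse_set_cookie(header)
    findings = []
    if "httponly" not in attrs:
        findings.append("missing HttpOnly")          # script on the page can read it
    if "secure" not in attrs:
        findings.append("missing Secure")            # sent over plain HTTP too
    samesite = attrs.get("samesite")
    if samesite is None or samesite is True:
        findings.append("missing SameSite")          # browser default applies, not an explicit policy
    elif samesite.lower() == "none":
        findings.append("SameSite=None")             # attached to cross-site requests
    if "expires" in attrs or "max-age" in attrs:
        findings.append("persistent (Expires/Max-Age set)")  # survives browser close
    return name, findings


def assess_all(headers):
    return {assess_session_cookie(h)[0] + ":" + str(i): assess_session_cookie(h)[1]
            for i, h in enumerate(headers)}


if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        name, findings = assess_session_cookie(header)
        print(name, "OK" if not findings else ", ".join(findings))
```

The first header is the hardened form and produces no findings; the second is the common weak default; the third shows that `Secure` alone is not enough when `SameSite=None` and an expiry make the token both cross-site and long-lived.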

24
Q

24) A security operations center (SOC) team is investigating a phishing attack that targeted multiple
employees. During the Containment Phase, they need to determine how users interacted with the
malicious email, whether they opened it, clicked on links, downloaded attachments, or entered credentials.
This information is critical to assessing the impact and preventing further compromise. Which specific
activity helps the SOC team understand user interactions with the phishing email?

A. User action verification.
B. Blocking C2 and email traffic.
C. Monitoring and containment validation.
D. Malware infection check.

A

A. User action verification.

25
Q

25) Lisa Carter, a SOC analyst at a financial services firm, is performing a risk assessment following a series of suspicious alerts detected by the SIEM (Security Information and Event Management) system. Her task is to evaluate the risk of a potential data breach and prioritize incident response efforts. She assesses three key factors: the likelihood of an attack succeeding based on current threat intelligence, the impact on critical business operations if the breach occurs, and the value of the assets targeted (e.g., customer data, financial systems). Using the standard risk assessment formula, which of the following scenarios represents the highest risk to the organization?

A. Low Likelihood, High Impact, Low Asset Value
B. High Likelihood, High Impact, High Asset Value
C. Low Likelihood, Low Impact, High Asset Value
D. High Likelihood, Low Impact, High Asset Value

A

B. High Likelihood, High Impact, High Asset Value