Why is time synchronization critical in log ingestion?
It lets analysts correlate events accurately across multiple systems.
What is the main tradeoff of higher logging levels?
More detail improves detection but increases storage and noise.
What is the Windows Registry commonly used for in investigations?
To review persistence, configuration, and user/system activity artifacts.
Why are default-deny firewall rules valuable?
They block traffic unless it is explicitly allowed.
What is network segmentation designed to reduce?
Lateral movement between systems and security zones.
What does network access control (NAC) enforce?
Device or user compliance before granting network access.
What is the key difference between hashing and encryption?
Hashing is one-way; encryption is reversible with the right key.
What is the purpose of data loss prevention (DLP)?
To detect and stop unauthorized movement of sensitive data.
What does an ‘impossible travel’ alert usually indicate?
A user account appears to log in from distant locations too quickly to be legitimate.
What does periodic outbound traffic to the same destination often suggest?
Beaconing to command-and-control infrastructure.
Why is unauthorized software installation a host-based indicator of compromise?
It may show policy violation, malware execution, or persistence.
What can unexpected service restarts or interruptions indicate?
Application instability, exploitation attempts, or malicious tampering.
What is the main role of endpoint detection and response (EDR)?
To monitor endpoints and support detection, investigation, and response.
What is a SIEM primarily used for?
To aggregate, normalize, correlate, and alert on security data.
Why would an analyst use Wireshark?
To inspect packet-level network traffic.
Why might an analyst submit a file hash to VirusTotal?
To check whether multiple security vendors already flag it as malicious.
What is the difference between an IOC and an IOA?
An IOC points to evidence of compromise; an IOA points to suspicious behavior.
What are TTPs in threat intelligence?
Tactics, techniques, and procedures used by an adversary.
What does a high confidence rating mean in threat intelligence?
The source or assessment is considered more reliable and well-supported.
What is a SOAR platform used for?
To automate and orchestrate security workflows and response actions.
