Security Operations

A SIEM correlation rule for impossible travel is creating noise from VPN users. Which refinements should improve fidelity? (Choose two.)

A SOC is onboarding endpoint logs into a SIEM. Which fields are most important for process-chain investigations? (Choose three.)

A threat hunter suspects data exfiltration over HTTPS from a database server. Which data sources are most useful? (Choose two.)

A SOC wants to reduce alert fatigue without missing confirmed malicious activity. Which actions are appropriate? (Choose two.)

Which signals strengthen an alert for Kerberoasting activity? (Choose two.)

A detection engineer is writing a Sigma rule for suspicious rundll32 usage. Which fields should be included? (Choose two.)

A cloud workload identity begins accessing secrets outside its normal application scope. Which evidence should be reviewed? (Choose two.)

A phishing detection rule looks only for known malicious URLs and misses newly registered lookalike domains. Which improvements help? (Choose two.)

An analyst suspects DNS tunnelling but wants to avoid over-escalating normal CDN behaviour. Which comparisons help? (Choose two.)

A SOAR playbook enriches suspicious IP addresses. Which enrichment sources are useful? (Choose two.)

A SOC is tuning a detection for suspected DNS tunnelling. Which evidence points are useful before escalating the alert? (Choose two.)

A malware alert shows a signed binary performing suspicious actions. Which facts help decide whether it is living-off-the-land abuse? (Choose two.)

Which evidence helps distinguish a true brute-force attack from a misconfigured service account? (Choose two.)

A Kubernetes audit alert shows a service account creating privileged pods. Which checks are most relevant? (Choose two.)

An IDS signature fires on outbound traffic but analysts suspect a false positive. Which validation steps are appropriate? (Choose two.)

A SOC wants to measure whether alert enrichment is improving operations. Which metrics are useful? (Choose two.)

A user opens an invoice document and shortly afterward the endpoint runs wscript.exe from the user's profile. Which detection logic is most relevant?

A SIEM alert shows one workstation requesting a high number of Kerberos service tickets for many SPNs, followed by no corresponding service access. Which attack should be suspected?

A user receives repeated MFA prompts and eventually approves one they did not initiate. Which behaviour should the analyst classify this as?

A new cloud log source is onboarded, but analytics fail because source IP, user, and action fields are mapped inconsistently. What should the engineer fix?

A SOC analyst reviews DNS telemetry and sees a workstation resolving hundreds of algorithmically generated domains at fixed intervals, with most responses returning NXDOMAIN. What evidence should the analyst prioritize to validate command-and-control beaconing? In the evidence source phase, Which evidence source best supports or refutes the detection?

An EDR alert shows powershell.exe launched by winword.exe with an encoded command line and outbound HTTPS shortly after a user opened an email attachment. What is the BEST first analytic pivot? In the detection engineering phase, Which detection or tuning approach would reduce noise without losing the signal?

A cloud tenant shows an unusual spike in IAM policy changes, access key creation, and failed console logons from a new country. Which telemetry set gives the strongest evidence for control-plane compromise? In the containment trade-off phase, Which response balances containment with evidence preservation?

Network flow records show one database server sending large encrypted outbound transfers to an unfamiliar autonomous system during off-hours. Which next step gives the BEST triage value? In the root-cause analysis phase, Which finding would most directly explain the activity?

A UEBA rule flags a user authenticating from London and Singapore within 12 minutes, followed by a mailbox forwarding rule creation. What should the analyst investigate first? In the alert triage phase, Which action gives the analyst the clearest next triage step?

An analyst is creating a detection for suspicious PowerShell. Which conditions improve fidelity? (Choose two.)

A threat hunter wants a portable detection for suspicious rundll32 execution that can be converted for multiple SIEM platforms. Which artefact format best fits this goal? In the detection engineering phase, Which detection or tuning approach would reduce noise without losing the signal?

An analyst has several malware samples from the same campaign and wants to detect related files based on unique strings and byte patterns. Which method is MOST appropriate? In the containment trade-off phase, Which response balances containment with evidence preservation?

A network sensor must detect exploit traffic using packet payload signatures and generate alerts without blocking traffic. Which deployment is BEST? In the root-cause analysis phase, Which finding would most directly explain the activity?

A SOC wants a SOAR playbook for suspected phishing that reduces analyst workload but avoids destructive action before confirmation. Which actions are appropriate for the first automated phase? In the alert triage phase, Which action gives the analyst the clearest next triage step?

A host alert shows certutil.exe downloading a file from an external URL, followed by execution from a user-writable directory. What should the analyst focus on? In the evidence source phase, Which evidence source best supports or refutes the detection?

An endpoint is actively beaconing to a known malicious IP and spawning credential-dumping tools. The business owner wants evidence preserved. What is the BEST containment action? In the detection engineering phase, Which detection or tuning approach would reduce noise without losing the signal?

During incident reconstruction, firewall events appear five minutes earlier than endpoint events for the same connection. What should the analyst check first? In the containment trade-off phase, Which response balances containment with evidence preservation?

A vendor shares indicators marked TLP:AMBER+STRICT. How should the SOC handle them? In the root-cause analysis phase, Which finding would most directly explain the activity?

A deception credential placed in a file share is used to authenticate to a server. No legitimate user should know the credential. What does this most likely indicate? In the alert triage phase, Which action gives the analyst the clearest next triage step?

A container workload unexpectedly starts a shell, mounts the host filesystem, and attempts outbound connections to an unknown IP. Which telemetry is MOST useful? In the evidence source phase, Which evidence source best supports or refutes the detection?

A user opens an invoice document and shortly afterward the endpoint runs wscript.exe from the user's profile. Which detection logic is most relevant? In the detection engineering phase, Which detection or tuning approach would reduce noise without losing the signal?

A SIEM alert shows one workstation requesting a high number of Kerberos service tickets for many SPNs, followed by no corresponding service access. Which attack should be suspected? In the containment trade-off phase, Which response balances containment with evidence preservation?

A user receives repeated MFA prompts and eventually approves one they did not initiate. Which behaviour should the analyst classify this as? In the root-cause analysis phase, Which finding would most directly explain the activity?

A new cloud log source is onboarded, but analytics fail because source IP, user, and action fields are mapped inconsistently. What should the engineer fix? In the alert triage phase, Which action gives the analyst the clearest next triage step?

A SOC analyst reviews DNS telemetry and sees a workstation resolving hundreds of algorithmically generated domains at fixed intervals, with most responses returning NXDOMAIN. What evidence should the analyst prioritize to validate command-and-control beaconing? In the detection engineering phase, Which detection or tuning approach would reduce noise without losing the signal?

An EDR alert shows powershell.exe launched by winword.exe with an encoded command line and outbound HTTPS shortly after a user opened an email attachment. What is the BEST first analytic pivot? In the containment trade-off phase, Which response balances containment with evidence preservation?

A cloud tenant shows an unusual spike in IAM policy changes, access key creation, and failed console logons from a new country. Which telemetry set gives the strongest evidence for control-plane compromise? In the root-cause analysis phase, Which finding would most directly explain the activity?

Network flow records show one database server sending large encrypted outbound transfers to an unfamiliar autonomous system during off-hours. Which next step gives the BEST triage value? In the alert triage phase, Which action gives the analyst the clearest next triage step?

A UEBA rule flags a user authenticating from London and Singapore within 12 minutes, followed by a mailbox forwarding rule creation. What should the analyst investigate first? In the evidence source phase, Which evidence source best supports or refutes the detection?

A WAF generates repeated SQL injection alerts against a login endpoint. The application team says the requests returned HTTP 200. What should the analyst do before declaring compromise? In the detection engineering phase, Which detection or tuning approach would reduce noise without losing the signal?

A threat hunter wants a portable detection for suspicious rundll32 execution that can be converted for multiple SIEM platforms. Which artefact format best fits this goal? In the containment trade-off phase, Which response balances containment with evidence preservation?

An analyst has several malware samples from the same campaign and wants to detect related files based on unique strings and byte patterns. Which method is MOST appropriate? In the root-cause analysis phase, Which finding would most directly explain the activity?

A network sensor must detect exploit traffic using packet payload signatures and generate alerts without blocking traffic. Which deployment is BEST? In the alert triage phase, Which action gives the analyst the clearest next triage step?

A SOC wants a SOAR playbook for suspected phishing that reduces analyst workload but avoids destructive action before confirmation. Which actions are appropriate for the first automated phase? In the evidence source phase, Which evidence source best supports or refutes the detection?

An endpoint is actively beaconing to a known malicious IP and spawning credential-dumping tools. The business owner wants evidence preserved. What is the BEST containment action? In the containment trade-off phase, Which response balances containment with evidence preservation?

During incident reconstruction, firewall events appear five minutes earlier than endpoint events for the same connection. What should the analyst check first? In the root-cause analysis phase, Which finding would most directly explain the activity?

A vendor shares indicators marked TLP:AMBER+STRICT. How should the SOC handle them? In the alert triage phase, Which action gives the analyst the clearest next triage step?

A deception credential placed in a file share is used to authenticate to a server. No legitimate user should know the credential. What does this most likely indicate? In the evidence source phase, Which evidence source best supports or refutes the detection?

A container workload unexpectedly starts a shell, mounts the host filesystem, and attempts outbound connections to an unknown IP. Which telemetry is MOST useful? In the detection engineering phase, Which detection or tuning approach would reduce noise without losing the signal?

A user opens an invoice document and shortly afterward the endpoint runs wscript.exe from the user's profile. Which detection logic is most relevant? In the containment trade-off phase, Which response balances containment with evidence preservation?

A SIEM alert shows one workstation requesting a high number of Kerberos service tickets for many SPNs, followed by no corresponding service access. Which attack should be suspected? In the root-cause analysis phase, Which finding would most directly explain the activity?

A user receives repeated MFA prompts and eventually approves one they did not initiate. Which behaviour should the analyst classify this as? In the alert triage phase, Which action gives the analyst the clearest next triage step?

A new cloud log source is onboarded, but analytics fail because source IP, user, and action fields are mapped inconsistently. What should the engineer fix? In the evidence source phase, Which evidence source best supports or refutes the detection?

A SOC analyst reviews DNS telemetry and sees a workstation resolving hundreds of algorithmically generated domains at fixed intervals, with most responses returning NXDOMAIN. What evidence should the analyst prioritize to validate command-and-control beaconing? In the containment trade-off phase, Which response balances containment with evidence preservation?

An EDR alert shows powershell.exe launched by winword.exe with an encoded command line and outbound HTTPS shortly after a user opened an email attachment. What is the BEST first analytic pivot? In the root-cause analysis phase, Which finding would most directly explain the activity?

A cloud tenant shows an unusual spike in IAM policy changes, access key creation, and failed console logons from a new country. Which telemetry set gives the strongest evidence for control-plane compromise? In the alert triage phase, Which action gives the analyst the clearest next triage step?

Network flow records show one database server sending large encrypted outbound transfers to an unfamiliar autonomous system during off-hours. Which next step gives the BEST triage value? In the evidence source phase, Which evidence source best supports or refutes the detection?

A UEBA rule flags a user authenticating from London and Singapore within 12 minutes, followed by a mailbox forwarding rule creation. What should the analyst investigate first? In the detection engineering phase, Which detection or tuning approach would reduce noise without losing the signal?

A WAF generates repeated SQL injection alerts against a login endpoint. The application team says the requests returned HTTP 200. What should the analyst do before declaring compromise? In the containment trade-off phase, Which response balances containment with evidence preservation?

A threat hunter wants a portable detection for suspicious rundll32 execution that can be converted for multiple SIEM platforms. Which artefact format best fits this goal? In the root-cause analysis phase, Which finding would most directly explain the activity?

An analyst has several malware samples from the same campaign and wants to detect related files based on unique strings and byte patterns. Which method is MOST appropriate? In the alert triage phase, Which action gives the analyst the clearest next triage step?

A network sensor must detect exploit traffic using packet payload signatures and generate alerts without blocking traffic. Which deployment is BEST? In the evidence source phase, Which evidence source best supports or refutes the detection?

A SOC wants a SOAR playbook for suspected phishing that reduces analyst workload but avoids destructive action before confirmation. Which actions are appropriate for the first automated phase? In the detection engineering phase, Which detection or tuning approach would reduce noise without losing the signal?

A host alert shows certutil.exe downloading a file from an external URL, followed by execution from a user-writable directory. What should the analyst focus on? In the containment trade-off phase, Which response balances containment with evidence preservation?

An endpoint is actively beaconing to a known malicious IP and spawning credential-dumping tools. The business owner wants evidence preserved. What is the BEST containment action? In the root-cause analysis phase, Which finding would most directly explain the activity?

During incident reconstruction, firewall events appear five minutes earlier than endpoint events for the same connection. What should the analyst check first? In the alert triage phase, Which action gives the analyst the clearest next triage step?

A vendor shares indicators marked TLP:AMBER+STRICT. How should the SOC handle them? In the evidence source phase, Which evidence source best supports or refutes the detection?

A deception credential placed in a file share is used to authenticate to a server. No legitimate user should know the credential. What does this most likely indicate? In the detection engineering phase, Which detection or tuning approach would reduce noise without losing the signal?

A container workload unexpectedly starts a shell, mounts the host filesystem, and attempts outbound connections to an unknown IP. Which telemetry is MOST useful? In the containment trade-off phase, Which response balances containment with evidence preservation?

A user opens an invoice document and shortly afterward the endpoint runs wscript.exe from the user's profile. Which detection logic is most relevant? In the root-cause analysis phase, Which finding would most directly explain the activity?

A SIEM alert shows one workstation requesting a high number of Kerberos service tickets for many SPNs, followed by no corresponding service access. Which attack should be suspected? In the alert triage phase, Which action gives the analyst the clearest next triage step?

A user receives repeated MFA prompts and eventually approves one they did not initiate. Which behaviour should the analyst classify this as? In the evidence source phase, Which evidence source best supports or refutes the detection?

A new cloud log source is onboarded, but analytics fail because source IP, user, and action fields are mapped inconsistently. What should the engineer fix? In the detection engineering phase, Which detection or tuning approach would reduce noise without losing the signal?

A SOC analyst reviews DNS telemetry and sees a workstation resolving hundreds of algorithmically generated domains at fixed intervals, with most responses returning NXDOMAIN. What evidence should the analyst prioritize to validate command-and-control beaconing? In the root-cause analysis phase, Which finding would most directly explain the activity?

An EDR alert shows powershell.exe launched by winword.exe with an encoded command line and outbound HTTPS shortly after a user opened an email attachment. What is the BEST first analytic pivot? In the alert triage phase, Which action gives the analyst the clearest next triage step?

A cloud tenant shows an unusual spike in IAM policy changes, access key creation, and failed console logons from a new country. Which telemetry set gives the strongest evidence for control-plane compromise? In the evidence source phase, Which evidence source best supports or refutes the detection?

Network flow records show one database server sending large encrypted outbound transfers to an unfamiliar autonomous system during off-hours. Which next step gives the BEST triage value? In the detection engineering phase, Which detection or tuning approach would reduce noise without losing the signal?

A UEBA rule flags a user authenticating from London and Singapore within 12 minutes, followed by a mailbox forwarding rule creation. What should the analyst investigate first? In the containment trade-off phase, Which response balances containment with evidence preservation?

A WAF generates repeated SQL injection alerts against a login endpoint. The application team says the requests returned HTTP 200. What should the analyst do before declaring compromise? In the root-cause analysis phase, Which finding would most directly explain the activity?

A threat hunter wants a portable detection for suspicious rundll32 execution that can be converted for multiple SIEM platforms. Which artefact format best fits this goal? In the alert triage phase, Which action gives the analyst the clearest next triage step?

An analyst has several malware samples from the same campaign and wants to detect related files based on unique strings and byte patterns. Which method is MOST appropriate? In the evidence source phase, Which evidence source best supports or refutes the detection?

A network sensor must detect exploit traffic using packet payload signatures and generate alerts without blocking traffic. Which deployment is BEST? In the detection engineering phase, Which detection or tuning approach would reduce noise without losing the signal?

A SOC wants a SOAR playbook for suspected phishing that reduces analyst workload but avoids destructive action before confirmation. Which actions are appropriate for the first automated phase? In the containment trade-off phase, Which response balances containment with evidence preservation?

A host alert shows certutil.exe downloading a file from an external URL, followed by execution from a user-writable directory. What should the analyst focus on? In the root-cause analysis phase, Which finding would most directly explain the activity?

An endpoint is actively beaconing to a known malicious IP and spawning credential-dumping tools. The business owner wants evidence preserved. What is the BEST containment action? In the alert triage phase, Which action gives the analyst the clearest next triage step?

During incident reconstruction, firewall events appear five minutes earlier than endpoint events for the same connection. What should the analyst check first? In the evidence source phase, Which evidence source best supports or refutes the detection?

A vendor shares indicators marked TLP:AMBER+STRICT. How should the SOC handle them? In the detection engineering phase, Which detection or tuning approach would reduce noise without losing the signal?

A deception credential placed in a file share is used to authenticate to a server. No legitimate user should know the credential. What does this most likely indicate? In the containment trade-off phase, Which response balances containment with evidence preservation?

A container workload unexpectedly starts a shell, mounts the host filesystem, and attempts outbound connections to an unknown IP. Which telemetry is MOST useful? In the root-cause analysis phase, Which finding would most directly explain the activity?

A user opens an invoice document and shortly afterward the endpoint runs wscript.exe from the user's profile. Which detection logic is most relevant? In the alert triage phase, Which action gives the analyst the clearest next triage step?

A SIEM alert shows one workstation requesting a high number of Kerberos service tickets for many SPNs, followed by no corresponding service access. Which attack should be suspected? In the evidence source phase, Which evidence source best supports or refutes the detection?

A user receives repeated MFA prompts and eventually approves one they did not initiate. Which behaviour should the analyst classify this as? In the detection engineering phase, Which detection or tuning approach would reduce noise without losing the signal?

A SIEM receives endpoint, firewall, identity, and cloud logs for the same incident, but timestamps do not align across sources. Which actions should the analyst take before finalizing the timeline? (Choose two.)