SOC Questions
SOC Questions
1. Bonney's system has been compromised by gruesome malware. What is the primary step
that is advisable to Bonney in order to contain the malware incident from spreading?
A. Complaint to the police in a formal way regarding the incident
D. Call the legal department in the organization and information about the
incident
2. According to the forensics investigation process, what is the next step carried out right
after collecting the evidence?
3. Which one of the following is the correct flow for Setting Up a Computer Forensics Lab?
A. Planning and budgeting –> Physical location and structural design
C. Planning and budgeting –> Forensics lab licensing –> Physical location and
structural design considerations –> Work area considerations –> Physical
B. /var/log/cups/access_log file
C. /var/log/cups/accesslog file
D. /var/log/cups/Printeraccess_log file
5. Which of the following command is used to enable logging in iptables?
6. Ray is a SOC analyst in a company named Queens Tech. One Day, Queens Tech is
affected by a DoS/DDoS attack. For the containment of this incident, Ray and his team
are trying to provide additional bandwidth to the network devices and increasing the
capacity of the servers.
C. Denial-of-Service Attack
D. Form Tampering Attack
8. Which encoding replaces unusual ASCII characters with "%" followed by the character’s
two-digit ASCII code expressed in hexadecimal?
A. Unicode Encoding
B. UTF Encoding
C. Base64 Encoding
D. URL Encoding
9. Which of the following formula represents the risk?
A. Risk = Likelihood × Severity × Asset Value
B. Notification
C. Emergency
D. Debugging
11. Where will you find the reputation IP database, if you want to monitor traffic from known
B. /etc/ossim/siem/server/reputation/data
C. /etc/siem/ossim/server/reputation.data
D. /etc/ossim/server/reputation.data
12. According to the Risk Matrix table, what will be the risk level when the probability of an
D. Medium
13. Which of the following command is used to view iptables logs on Ubuntu and Debian
distributions?
A. $ tailf /var/log/sys/kern.log
B. $ tailf /var/log/kern.log
C. # tailf /var/log/messages
D. # tailf /var/log/sys/messages
14. Which of the following technique involves scanning the headers of IP packets leaving a
network to make sure that the unauthorized or malicious traffic never leaves the internal
network?3
A. Egress Filtering
B. Throttling
C. Rate Limiting
D. Ingress Filtering
15. Which of the following formula is used to calculate the EPS of the organization?
16. Juliea a SOC analyst, while monitoring logs, noticed large TXT, NULL payloads.
What does this indicate?
17. An organization is implementing and deploying the SIEM with following capabilities.
What kind of SIEM deployment architecture the organization is planning to implement?
A. Cloud, MSSP Managed
B. DNS Footprinting
C. Network Sniffing
D. Port Scanning
19. Which of the following is a report writing tool that will help incident handlers to generate
B. MagicTree
C. IntelMQ
D. Malstrom
20. Which of the following Windows features is used to enable Security Auditing in
Windows?
A. Bitlocker
B. Windows Firewall
C. Local Group Policy Editor
D. Windows Defender
21. Which of the following attack can be eradicated by filtering improper XML syntax?
A. CAPTCHA Attacks
B. SQL Injection Attacks
22. Which of the following attack can be eradicated by using a safe API to avoid the use of
the interpreter entirely?
23. Shawn is a security manager working at Lee Inc Solution. His organization wants to
develop threat intelligent strategy plan. As a part of threat intelligent strategy plan, he
buy-in.
Which one of the following components he should include in the above threat intelligent
B. Threat trending
C. Threat buy-in
D. Threat boosting
24. Which of the following can help you eliminate the burden of investigating false positives?
25. Which of the following event detection techniques uses User and Entity Behavior
Analytics (UEBA)?
A. Rule-based detection
B. Heuristic-based detection
C. Anomaly-based detection
D. Signature-based detection
26. Identify the password cracking attempt involving a precomputed dictionary of plaintext
passwords and their corresponding hash values to crack the password.
A. Dictionary Attack
B. Rainbow Table Attack
C. Bruteforce Attack
D. Syllable Attack
27. Which of the log storage method arranges event logs in the form of a circular buffer?
A. FIFO
B. LIFO
C. non-wrapping
D. wrapping
28. An organization wants to implement a SIEM deployment architecture. However, they
have the capability to do only log collection and the rest of the SIEM functions must be
managed by an MSSP. Which SIEM deployment architecture will the organization adopt?
29. Banter is a threat analyst in Christine Group of Industries. As a part of the job, he is
currently formatting and structuring the raw data. He is at which stage of the threat
B. DoS Attack
C. DHCP starvation Attack
B. B. Firewall
C. C. Honeypot
A. Failure Audit
B. Warning
C. Error
D. Information
33. Which of the following factors determine the choice of SIEM architecture?
A. SMTP Configuration
B. DHCP Configuration
C. DNS Configuration
D. Network Topology
34. What does HTTPS Status code 403 represents?
A. Unauthorized Error
B. Not Found Error
35. Which of the following Windows event is logged every time when a user tries to access
the "Registry" key?
A. 4656
B. 4663
C. 4660
D. 4657
D. 3 and 1
37. Sam, a security analyst with INFOSOL INC., while monitoring and analyzing IIS logs,
C. XSS Attack
D. Directory Traversal Attack
engineering?
A. COBIT
B. ITIL
C. SSE-CMM
D. SOC-CMM
39. What does Windows event ID 4740 indicate?
B. TC Complete
C. Keepnote
D. Apility.io
41. A type of threat intelligent that find out the information about the attacker by misleading
files at /var/log/wtmp.
What Chloe is looking at?
A. Error log
B. System boot log
43. Which of the following threat intelligence is used by a SIEM for supplying the analysts
with context and "situational awareness" by using threat actor TTPs, malware campaigns,
B. 1 and 3
C. 3 and 4
D. 1 and 2
44. Properly applied cyber threat intelligence to the SOC team help them in discovering
TTPs.
What does these TTPs refer to?
45. Which of the following data source can be used to detect the traffic associated with Bad
Bot User-Agents?
C. Router Logs
D. Switch Logs
46. Daniel is a member of an IRT, which was started recently in a company named Mesh
Tech. He wanted to find the purpose and scope of the planned incident response
A. XSS Attack
B. SQL injection Attack
48. According to the Risk Matrix table, what will be the risk level when the probability of an
attack is very high, and the impact of that attack is major?
NOTE: It is mandatory to answer the question before proceeding to the next one.
A. High
B. Extreme
C. Low
D. Medium
49. Jason, a SOC Analyst with Maximus Tech, was investigating Cisco ASA Firewall logs and
term' command What does the security level in the above log indicates?
A. Warning condition message
D. Informational message
50. What is the correct sequence of SOC Workflow?
51. Wesley is an incident handler in a company named Maddison Tech. One day, he was
learning techniques for eradicating the insecure deserialization attacks.
http://technosoft.com.com/<script>alert("WARNING:
The application has encountered an error");. Identify the attack demonstrated in the
above scenario.
A. Cross-site Scripting Attack
D. Session Attack
53. Which of the following formula represents the risk levels?
A. Level of risk = Consequence × Severity
B. Level of risk = Consequence × Impact
54. In which of the following incident handling and response stages, the root cause of the
incident must be found from the forensic results?
A. Evidence Gathering
B. Evidence Handling
C. Eradication
D. Systems Recovery
55. Jane, a security analyst, while analyzing IDS logs, detected an event matching Regex /((\
%3C)|)/|. What does this event log indicate?
A. Directory Traversal Attack
B. Parameter Tampering Attack
C. XSS Attack
D. SQL Injection Attack
56. Which of the following Windows Event Id will help you monitors file sharing across the
network?
A. 7045
B. 4625
C. 5140
D. 4624
57. The threat intelligence, which will help you, understand adversary intent and make
informed decision to ensure appropriate security in alignment with risk.
C. Denial-of-Service Attack
D. SQL Injection Attack
59. Which of the following fields in Windows logs defines the type of event occurred, such as
Correlation Hint, Response Time, SQM, WDI Context, and so on?
A. Keywords
B. Task Category
C. Level
D. Source
60. Which of the following tool is used to recover from web application incident?
A. CrowdStrike FalconTM Orchestrator
D. Proxy Workbench
Reporting, Retention, Alerting, and Visualization required for the SIEM implementation
and has to take collection and aggregation services from a Managed Security Services
Provider (MSSP).
What kind of SIEM is Robin planning to implement?
A. Self-hosted, Self-Managed
B. Self-hosted, MSSP Managed
C. Hybrid Model, Jointly Managed
D. Cloud, Self-Managed
62. What type of event is recorded when an application driver loads successfully in
Windows?
A. Error
B. Success Audit
C. Warning
D. Information
threats against the organization. He started collecting information from various sources,
such as humans, social media, chat room, and so on, and created a report that contains
malicious activity.
Which of the following types of threat intelligence did he use?
65. Which of the following is a default directory in a Mac OS X that stores security-related
logs?
A. /private/var/log
B. /Library/Logs/Sync
C. /var/log/cups/access_log
D. ~/Library/Logs
66. John, SOC analyst wants to monitor the attempt of process creation activities from any of
their Windows endpoints.
Which of following Splunk query will help him to fetch related logs associated with
process creation?
67. Harley is working as a SOC analyst with Powell Tech. Powell Inc. is using Internet
Information Service (IIS) version 7.0 to host their website.
Where will Harley find the web server logs, if he wants to investigate them for any
anomalies?
A. SystemDrive%\inetpub\logs\LogFiles\W3SVCN
B. SystemDrive%\LogFiles\inetpub\logs\W3SVCN
C. %SystemDrive%\LogFiles\logs\W3SVCN
D. SystemDrive%\ inetpub\LogFiles\logs\W3SVCN
68. What does the Security Log Event ID 4624 of Windows 10 indicate?
A. Service added to the endpoint
A. FISMA
B. HIPAA
C. PCI-DSS
D. DARPA
B. Client error
C. Success
D. Redirection
71. In which phase of Lockheed Martin's – Cyber Kill Chain Methodology, adversary creates a
B. Delivery
C. Weaponization
D. Exploitation
72. Identify the attack, where an attacker tries to discover all the possible information about
B. Man-In-Middle Attack
C. Ransomware Attack
D. Reconnaissance Attack
73. What does [-n] in the following checkpoint firewall log syntax represents?
fw log [-f [-t]] [-n] [-l] [-o] [-c action] [-h host] [-s starttime] [-e endtime] [-b starttime
endtime] [-u unification_scheme_file] [-m unification_mode(initial|semi|raw)] [-a] [-k (alert
B. Display both the date and the time for each log record
C. Display account log records only
D. Display detailed log chains (all the log segments a log record consists of)
74. Which of the following attack inundates DHCP servers with fake DHCP requests to
exhaust all available IP addresses?
75. Mike is an incident handler for PNP Infosystems Inc. One day, there was a ticket raised
regarding a critical incident and Mike was assigned to handle the incident. During the
process of incident handling, at one stage, he has performed incident analysis and
validation to check whether the incident is a true incident or a false positive.
D. Incident Disclosure
76. Which of the following is a correct flow of the stages in an incident handling and
response (IH&R) process?
A. Containment –> Incident Recording –> Incident Triage –> Preparation –>
Recovery –> Eradication –> Post-Incident Activities
B. Preparation –> Incident Recording –> Incident Triage –> Containment –>
Eradication –> Recovery –> Post-Incident Activities
C. Incident Triage –> Eradication –> Containment –> Incident Recording –>
Preparation –> Recovery –> Post-Incident Activities
D. Incident Recording –> Preparation –> Containment –> Incident Triage –>
Recovery –> Eradication –> Post-Incident Activities
77. Rinni, SOC analyst, while monitoring IDS logs detected events shown in the figure below.
78. Peter, a SOC analyst with Spade Systems, is monitoring and analyzing the router logs of
the company and wanted to check the logs that are generated by access control list
numbered 210.
What filter should Peter add to the 'show logging' command to get the required output?
B. DHCP Starvation
C. Zero-Day Attack
B. pull-based
C. push-based
D. signature-based
81. Which of the following attack can be eradicated by disabling of "allow_url_fopen and
83. Which of the following steps of incident handling and response process focus on limiting
the scope and extent of an incident?
A. Containment
B. Data Collection
C. Eradication
D. Identification
84. Which of the following data source will a SOC Analyst use to monitor connections to the
insecure ports?
A. Netstat Data
B. DNS Data
C. IIS Data
D. DHCP Data
85. Which of the following technique protects from flooding attacks originated from the
valid prefixes (IP addresses) so that they can be traced to its true source?
A. Rate Limiting
B. Egress Filtering
C. Ingress Filtering
D. Throttling
86. Which of the following contains the performance measures, and proper project and time
management details?
87. John as a SOC analyst is worried about the amount of Tor traffic hitting the network. He
wants to prepare a dashboard in the SIEM to get a graph to identify the locations from
where the TOR traffic is coming.
Which of the following data source will he use to prepare the dashboard?
88. Which of the following process refers to the discarding of the packets at the routing level
without informing the source that the data did not reach its intended recipient?
A. Load Balancing
B. Rate Limiting
C. Black Hole Filtering
D. Drop Requests
89. Which of the following tool can be used to filter web requests associated with the SQL
Injection attack?
A. Nmap
B. UrlScan
C. ZAP proxy
D. Hydra
90. Charline is working as an L2 SOC Analyst. One day, an L1 SOC Analyst escalated an
incident to her for further investigation and confirmation. Charline, after a thorough
problem
C. She should communicate this incident to the media immediately
Which alert should be given least priority as per effective alert triaging?
A. III
B. IV
C. II
D. I
93. InfoSystem LLC, a US-based company, is establishing an in-house SOC. John has been
given the responsibility to finalize strategy, policies, and procedures for the SOC.
Identify the job role of John.
A. Security Analyst – L1
B. Chief Information Security Officer (CISO)
C. Security Engineer
D. Security Analyst – L2
94. Which of the following service provides phishing protection and content filtering to
manage the Internet experience on and off your network with the acceptable use or
compliance policies?
A. Apility.io
B. Malstrom
C. OpenDNS
D. I-Blocklist
95. David is a SOC analyst in Karen Tech. One day an attack is initiated by the intruders but
96. Emmanuel is working as a SOC analyst in a company named Tobey Tech. The manager of
Tobey Tech recently recruited an Incident Response Team (IRT) for his company. In the
process of collaboration with the IRT, Emmanuel just escalated an incident to the IRT.
What is the first step that the IRT will do to the incident escalated by Emmanuel?
C. Incident Classification
D. Incident Prioritization
97. Identify the HTTP status codes that represents the server error.
A. 2XX
B. 4XX
C. 1XX
D. 5XX
98. Jony, a security analyst, while monitoring IIS logs, identified events shown in the figure
below.
B. XSS Attack
C. Directory Traversal Attack
B. Bruteforce Attack
C. Rainbow Table Attack
D. Birthday Attack
100. Which of the following attack can be eradicated by converting all non-alphanumeric
characters to HTML character entities before displaying the user input in search engines
and forums?
C. XSS Attacks
D. Session Management Attack
Answers:
1. B
2. A
3. A
4. B
5. C
6. D
7. A
8. D
9. D
10. C
11. D
12. D
13. B
14. A
15. C
16. B
17. C
18. C
19. B
20. C
21. D
22. A
23. C
24. D
25. C
26. B
27. D
28. C
29. B
30. A
Answers:
31. C
32. B
33. C
34. D
35. D
36. C
37. A
38. C
39. A
40. B
41. D
42. D
43. A
44. A
45. B
46. B
47. C
48. A
49. A
50. A
51. C
52. A
53. B
54. A
55. C
56. C
57. A
58. A
59. A
60. A
61. D
62. D
63. C
64. D
65. A
66. B
67. A
68. C
69. C
70. A
71. C
72. D
73. A
74. A
75. C
76. B
77. D
78. C
79. C
80. A
81. A
82. D
83. A
84. A
85. C
86. D
87. A
88. C
89. B
90. B
91. B
92. D
93. B
94. C
95. C
96. C
97. D
98. D
99. C
100. C.