Investigating an Incident Flashcards
Objective 4.9: Given a scenario, you must be able to use data sources to support an investigation
Your organization has deployed a SIEM to monitor security events. You need to configure it properly to ensure meaningful alerts while avoiding excessive data overload. What is the best approach?
A) Collect all log data from every system on the network.
B) Adjust the SIEM’s sensitivity level to balance security monitoring and resource usage.
C) Disable correlation features to reduce processing load.
D) Increase the alert threshold to ignore authentication failures.
✅ Correct Answer: B - Adjust the SIEM’s sensitivity level to balance security monitoring and resource usage.
🔹 Explanation of Options:
(A)❌ Collecting all logs is impractical and will overload the SIEM, leading to performance issues.
(B)✅ Adjusting sensitivity levels ensures that only the most relevant security events are logged, improving efficiency.
(C)❌ Disabling correlation reduces the ability to detect patterns in attacks, weakening security.
(D)❌ Ignoring authentication failures could prevent detection of brute-force attacks or unauthorized access attempts.
A security analyst needs to investigate failed login attempts on Linux servers. Which tool should they use?
A) NetFlow
B) NXLog
C) JournalCTL
D) Syslog-ng
✅ Correct Answer: C - JournalCTL
🔹 Explanation of Options:
(A)❌ NetFlow is for network traffic monitoring, not system logs.
(B)❌ NXLog is a log management tool but not specific to Linux.
(C)✅ JournalCTL queries system logs in Linux (journald), making it the best choice.
(D)❌ Syslog-ng centralizes logs but lacks the same filtering capabilities as JournalCTL.
Your security team needs to detect data exfiltration in real-time. Which monitoring tool is the best choice?
A) NetFlow
B) sFlow
C) IPFIX
D) Journald
✅ Correct Answer: B - sFlow
🔹 Explanation of Options:
(A)❌ NetFlow provides detailed traffic summaries but has export delays.
(B)✅ sFlow captures random packet samples immediately, making it ideal for real-time monitoring.
(C)❌ IPFIX is mainly used for billing and accounting rather than real-time security monitoring.
(D)❌ Journald is a Linux log system, not a network monitoring tool.
Your SIEM is receiving logs from multiple sources, but timestamps are inconsistent across different logs. What is the best solution?
A) Convert all timestamps to UTC.
B) Ignore logs with different time formats.
C) Configure the SIEM to detect local time zones automatically.
D) Only analyze logs using the company’s default time zone.
✅ Correct Answer: A - Convert all timestamps to UTC
🔹 Explanation of Options:
(A)✅ Standardizing timestamps to UTC ensures logs from different time zones align properly.
(B)❌ Ignoring logs could result in missing key security events.
(C)❌ Automatic time zone detection may cause inconsistencies and conflicts.
(D)❌ Restricting to one time zone can cause discrepancies when investigating global events.
Which log type would be most useful for investigating whether an attacker has accessed restricted files?
A) Authentication logs
B) Web logs
C) DNS logs
D) System logs
✅ Correct Answer: A - Authentication logs
🔹 Explanation of Options:
(A)✅ Authentication logs track user login attempts, providing insight into unauthorized access.
(B)❌ Web logs record website visits but don’t track file access.
(C)❌ DNS logs track domain name requests, not file access.
(D)❌ System logs provide general OS events but may not directly show file access patterns.
A network admin needs a standardized method to export network flow data for both billing and security monitoring. Which tool should they use?
A) NetFlow
B) sFlow
C) IPFIX
D) NXLog
✅ Correct Answer: C - IPFIX
🔹 Explanation of Options:
(A)❌ NetFlow is Cisco-proprietary, while IPFIX is an open standard.
(B)❌ sFlow captures sampled data but lacks detailed billing capabilities.
(C)✅ IPFIX is a universal flow export standard used in billing and security monitoring.
(D)❌ NXLog is for log management, not network flow exporting.
An analyst is investigating a suspected phishing attack. What type of metadata would be most useful?
A) File metadata
B) Mobile metadata
C) Email metadata
D) Web metadata
✅ Correct Answer: C - Email metadata
🔹 Explanation of Options:
(A)❌ File metadata provides details about documents, not phishing emails.
(B)❌ Mobile metadata tracks call details, irrelevant to phishing emails.
(C)✅ Email metadata helps analyze sender details, email headers, and timestamps to track phishing sources.
(D)❌ Web metadata shows website visits but doesn’t trace phishing emails.
Which log management tool is best for a company that needs Windows, Linux, and Unix compatibility?
A) Syslog-ng
B) NXLog
C) JournalCTL
D) NetFlow
✅ Correct Answer: B - NXLog
🔹 Explanation of Options:
(A)❌ Syslog-ng is mainly for Unix/Linux, not cross-platform.
(B)✅ NXLog works across Windows, Linux, and Unix, making it the best choice.
(C)❌ JournalCTL is Linux-specific and cannot manage Windows logs.
(D)❌ NetFlow is for network traffic monitoring, not log management.
Your SIEM is slowing down due to excessive log data. What is the best way to optimize performance?
A) Reduce sensor sensitivity to collect fewer logs.
B) Disable log collection from low-priority systems.
C) Increase storage and processing power to handle all logs.
D) Implement log filtering to collect only relevant security events.
✅ Correct Answer: D - Implement log filtering to collect only relevant security events
🔹 Explanation of Options:
(A)❌ Reducing sensitivity might cause important events to be missed.
(B)❌ Disabling low-priority logs could lead to blind spots in security monitoring.
(C)❌ Increasing storage is a temporary fix but doesn’t improve efficiency.
(D)✅ Log filtering ensures that only the most critical logs are collected.
A company has deployed Splunk to monitor security threats across its infrastructure. Which of the following best describes Splunk’s primary function?
A) A security appliance that actively blocks threats.
B) A big data platform that collects and indexes security-related data.
C) A firewall designed to filter malicious network traffic.
D) A replacement for SIEM solutions.
✅ Correct Answer: B - A big data platform that collects and indexes security-related data
🔹 Explanation of Options:
(A)❌ Splunk is not a security appliance; it analyzes and visualizes data but does not block threats.
(B)✅ Splunk is a powerful data analytics tool that collects, indexes, and processes security data from multiple sources.
(C)❌ Firewalls control traffic flow, but Splunk is used for log analysis and security insights.
(D)❌ While Splunk integrates with SIEM tools, it does not fully replace traditional SIEM solutions.
A security analyst logs into Splunk and needs a quick summary of security alerts across multiple systems. What feature should they use?
A) Raw log data view
B) Dashboards
C) Command-line interface
D) Packet capture utility
✅ Correct Answer: B - Dashboards
🔹 Explanation of Options:
(A)❌ Raw log data is useful but not as efficient for quick summaries.
(B)✅ Dashboards provide a graphical overview of system activity, making them ideal for incident response.
(C)❌ A command-line interface can query data but lacks visual summaries.
(D)❌ Packet capture utilities analyze network traffic but are not part of Splunk’s dashboard feature.
A company’s Splunk dashboard is showing a rising number of threat counts over the past 24 hours. What does this indicate?
A) The organization is detecting an increased number of security threats.
B) The system is experiencing hardware failure.
C) The company’s antivirus software is malfunctioning.
D) The Splunk server is under a denial-of-service (DoS) attack.
✅ Correct Answer: A - The organization is detecting an increased number of security threats
🔹 Explanation of Options:
(A)✅ A rise in threat counts means more malicious activity is being detected.
(B)❌ Hardware failures are unrelated to threat counts.
(C)❌ Antivirus issues would likely generate different alerts, not an increase in threat counts.
(D)❌ A DoS attack would cause performance issues but wouldn’t directly increase threat counts in Splunk.
Which of the following best describes the Single Pane of Glass concept in Splunk?
A) A tool that blocks cyberattacks before they happen.
B) A dashboard that consolidates security data from multiple systems into one view.
C) A physical security camera monitoring system.
D) A new type of firewall security protocol.
✅ Correct Answer: B - A dashboard that consolidates security data from multiple systems into one view
🔹 Explanation of Options:
(A)❌ Splunk does not proactively block attacks; it analyzes security data.
(B)✅ A Single Pane of Glass provides a unified view of multiple data sources, helping analysts respond efficiently.
(C)❌ Security camera monitoring systems are unrelated to Splunk.
(D)❌ Firewalls operate at the network level, while the Single Pane of Glass concept is for data visualization.
Which of the following data sources can be ingested into Splunk?
A) Firewalls
B) Intrusion Detection Systems (IDS)
C) Endpoint security logs
D) All of the above
✅ Correct Answer: D - All of the above
🔹 Explanation of Options:
(A)✅ Firewalls generate logs on network traffic, which can be analyzed in Splunk.
(B)✅ IDS alerts can be ingested into Splunk for correlation with other security data.
(C)✅ Endpoint security logs provide insights into malware infections and unauthorized access.
(D)✅ Splunk collects data from multiple sources, making (D) the best answer.
A security analyst wants to monitor security incidents over time using Splunk. What feature should they use?
A) Packet inspection tools
B) Dashboards
C) SIEM correlation rules
D) Antivirus scan logs
✅ Correct Answer: B - Dashboards
🔹 Explanation of Options:
(A)❌ Packet inspection tools focus on real-time network traffic, not long-term trends.
(B)✅ Dashboards help visualize security trends over time, making them the best choice.
(C)❌ SIEM correlation rules help analyze attack patterns but do not provide trend visualization.
(D)❌ Antivirus scan logs show malware detection history but do not present broad security trends.
A company wants to track trends in malicious activity using Splunk. What feature should they use?
A) Threat Counts
B) Packet captures
C) System error logs
D) DNS cache records
✅ Correct Answer: A - Threat Counts
🔹 Explanation of Options:
(A)✅ Threat Counts track security threats over time and help assess trends in attacks.
(B)❌ Packet captures analyze network traffic but are not used for tracking trends.
(C)❌ System error logs focus on hardware/software issues, not security threats.
(D)❌ DNS cache records track website lookups, not malicious activity trends.
A security analyst starts an incident investigation and needs a central starting point to gather security insights. What should they use?
A) Command-line queries
B) The Splunk Dashboard
C) Network firewall settings
D) System performance logs
✅ Correct Answer: B - The Splunk Dashboard
🔹 Explanation of Options:
(A)❌ Command-line queries are powerful but not an ideal starting point.
(B)✅ Dashboards provide an overview of security incidents, making them the best starting point.
(C)❌ Network firewall settings focus on access control, not security analysis.
(D)❌ System performance logs track hardware and application performance, not security threats.
Your organization uses an automated report system to track security incidents. Which of the following best describes an automated report?
A) A manually written document prepared by an IT analyst.
B) A report that is automatically generated by a security tool at scheduled intervals.
C) A document created only after a major security breach.
D) A report that only logs hardware failures.
✅ Correct Answer: B - A report that is automatically generated by a security tool at scheduled intervals.
🔹 Explanation of Options:
(A)❌ Automated reports are system-generated, not manually written.
(B)✅ Automated reports are generated at set intervals by security tools like EDR, SIEM, or antivirus software.
(C)❌ Reports are generated regularly, not just after major incidents.
(D)❌ They track security threats, not just hardware failures.
Which of the following is NOT typically included in an automated security incident report?
A) Report ID
B) Executive Summary
C) User Social Security Numbers
D) Incident Details
✅ Correct Answer: C - User Social Security Numbers
🔹 Explanation of Options:
(A)✅ A Report ID is a unique identifier for tracking incidents.
(B)✅ The Executive Summary gives a brief overview of the report.
(C)❌ Sensitive personal data like SSNs should never be included in security reports.
(D)✅ Incident Details contain timestamps, affected systems, and actions taken.
In an automated security report, incidents are categorized by severity levels. A brute-force attack on an admin account leading to multiple failed login attempts would most likely be classified as:
A) Informational
B) Moderate
C) High
D) Critical
✅ Correct Answer: C - High
🔹 Explanation of Options:
(A)❌ Informational alerts track non-threatening events like software installations.
(B)❌ Moderate alerts are for suspicious activity that needs review but is not immediately dangerous.
(C)✅ High alerts include multiple failed login attempts, indicating a possible brute-force attack.
(D)❌ Critical alerts involve confirmed major threats (e.g., ransomware execution or confirmed data breach).
An automated security report flags a critical alert for suspicious file access at 4:53 AM, outside of normal working hours. What is the best first step in investigating this incident?
A) Immediately delete the affected user account.
B) Verify whether the activity matches known ransomware patterns.
C) Ignore it, as employees may work late hours.
D) Restart the file server to clear any suspicious processes.
✅ Correct Answer: B - Verify whether the activity matches known ransomware patterns.
🔹 Explanation of Options:
(A)❌ Deleting the account immediately may disrupt operations. Investigation is needed first.
(B)✅ Matching the behavior to known ransomware footprints helps determine if the alert is a true security threat.
(C)❌ Ignoring alerts without investigation can allow security breaches to go undetected.
(D)❌ Restarting the server doesn’t address the cause of the suspicious activity.
A security report identifies a malicious IP address communicating with an internal system. What automated response would be most appropriate?
A) Blocking the IP address to prevent further communication.
B) Sending a report and waiting for manual intervention.
C) Notifying the user and allowing them to decide whether to block the connection.
D) Deleting all network logs related to the suspicious activity.
✅ Correct Answer: A - Blocking the IP address to prevent further communication.
🔹 Explanation of Options:
(A)✅ Automatically blocking a malicious IP is a standard incident response action.
(B)❌ Waiting for manual intervention could allow further damage.
(C)❌ Users should not decide whether to block a security threat.
(D)❌ Deleting logs hides evidence and hinders investigations.
An automated report flags unusual outbound traffic from a database server to an external IP address. What should the security team do next?
A) Assume it is a scheduled backup and ignore it.
B) Analyze the destination IP to determine if it is a trusted source.
C) Reset all user passwords in the organization.
D) Permanently disconnect the database server.
✅ Correct Answer: B - Analyze the destination IP to determine if it is a trusted source.
🔹 Explanation of Options:
(A)❌ Assuming it’s a backup without verification is a security risk.
(B)✅ Investigating the destination IP helps determine if the traffic is benign or malicious.
(C)❌ Resetting all passwords is unnecessary unless a confirmed breach has occurred.
(D)❌ Disconnecting the database permanently would disrupt business operations.
An automated report flags that user msmith installed FileZilla FTP software on Workstation 22. What is the best first step in investigating this?
A) Immediately fire the employee for violating policy.
B) Check if the file hash matches a known safe version.
C) Assume it was a legitimate installation and take no further action.
D) Format the workstation to eliminate any possible threats.
✅ Correct Answer: B - Check if the file hash matches a known safe version.
🔹 Explanation of Options:
(A)❌ Firing an employee without investigation is an overreaction.
(B)✅ Verifying the file hash ensures the software was not modified or malicious.
(C)❌ Assuming legitimacy without verification is a security risk.
(D)❌ Formatting the workstation is unnecessary unless a threat is confirmed.