SECOPS 10: SOC Playbook (Not needed for the exam)

Question 1

Security analytics is accomplished by:

Answer 1

Collecting, correlating, and analyzing a wide range of data.

Question 2

BGP Black-holing

Answer 2

Blocks IP addresses in seconds

Question 3

IAM security device has an unexpected feature…

Answer 3

Device quarantine

Question 4

Plays

Answer 4

self-contained, fully documented, prescriptive procedures for finding and responding to undesired activity

Question 5

High Fidelity report

Answer 5

Guarantied true positive. Not a policy violation.

Question 6

Investigative report

Answer 6

Might be an infection, policy violation, or normal activity.

Anything less than 100% certainty is investigative.

Question 7

Can INV reports become HF?

Answer 7

Yes, with tuning over time.

Question 8

Play objective statement

Answer 8

Describes what a play is looking for and why it’s worthwhile to run.

Question 9

Query system

Answer 9

Basically a security system like a logging solution, SIEM, large data warehouse, etc.

Question 10

Data query

Answer 10

Specific syntax used on a security system to identify reported activity

Question 11

Play “action”

Answer 11

Actions to take during IR phase

Question 12

Play “analysis”

Answer 12

Documentation and training material needed to understand the query

Question 13

Play “reference”

Answer 13

Outside info like wiki or ticketing system