CSA | Certified SOC Analyst - Dump testing

Which of the following tool can be used to filter web requests associated with the SQL Injection attack?

Identify the attack in which the attacker exploits a target system through publicly known but still unpatched vulnerabilities.

What is the correct sequence of SOC Workflow?

Charline is working as an L2 SOC Analyst. One day, an L1 SOC Analyst escalated an incident to her for further investigation and confirmation. Charline, after a thorough investigation, confirmed the incident and assigned it with an initial priority. What would be her next action according to the SOC workflow?

An attacker exploits the logic validation mechanisms of an ecommerce website. He successfully purchases a product worth $100 for $10 by modifying the URL exchanged between the client and the server. Original URL: http://www.buyonline.com/product.aspx? profile=12&debit=100 Modified URL: http://www.buyonline.com/product.aspx? profile=12&debit=10 Identify the attack depicted in the above scenario.

Jane, a security analyst, while analyzing IDS logs, detected an event matching Regex /((\<)|<)((\i|i|(\I))((\m|m|(\M))((\g)|g| (\G))[^\n]+((\>)|>)/|. What does this event log indicate?

Identify the attack when an attacker by several trial and error can read the contents of a password file present in the restricted etc folder just by manipulating the URL in the browser as shown: http://www.terabytes.com/process.php./../../../../etc/passwd

Properly applied cyber threat intelligence to the SOC team help them in discovering TTPs. What does these TTPs refer to?

Identify the attack, where an attacker tries to discover all the possible information about a target network before launching a further attack.

What is the process of monitoring and capturing all data packets passing through a given network using different tools?

Which attack works like a dictionary attack, but adds some numbers and symbols to the words from the dictionary and tries to crack the password?

Identify the password cracking attempt involving a precomputed dictionary of plaintext passwords and their corresponding hash values to crach the password.

Which of the following attack inundates DHCP servers with fake DHCP requests to exhaust all available IP addresses?

In which log collection mechanism, the system or application sends log records either on the local disk or over the network.

Which of the log storage method arranges event logs in the form of a circular buffer?

Which of the following fields in Windows logs defines the type of event occurred, such as Correlation Hint, Response Time, SQM, WDI Context, and so on?

Identify the event severity level in Windows logs for the events that are not necessarily significant, but may indicate a possible future problem.

What type of event is recorded when an application driver loads successfully in Windows?

Which of the following Windows features is used to enable Security Auditing in Windows?

The Syslog message severity levels are labelled from level 0 to level 7. What does level 0 indicate?

The Syslog message severity levels are labelled from level 0 to level 7. What does level 1 indicate?

Which of the following is a default directory in a Mac OS X that stores security-related logs?

Jason, a SOC Analyst with Maximus Tech, was investigating Cisco ASA Firewall logs and came across the following log entry: May 06 2018 21:27:27 asa 1: %ASA -5 - 11008: User 'enable_15' executed the 'configure term' command What does the security level in the above log indicates?

What does [-n] in the following checkpoint firewall log syntax represents? Fw log [-f [-t]] [-n] [-l] [-o] [-c action] [-h host] [-s starttime] [-e endtime] [-b starttime endtime] [-u unification_scheme_file] [-m unification_mode(initial|semi|raw)] [-a] [-k (alert name|all)] [- g] [logfile]

Peter, a SOC analyst with Spade Systems, is monitoring and analyzing the router logs of the company and wanted to check the logs that are generated by access control list numbered 210. What filter should Peter add to the 'show logging' command to get the required output?

Which of the following are the responsibilities of SIEM Agents? 1. Collecting data received from various devices sending data to SIEM before forwarding it to the central engine. 2. Normalizing data received from various devices sending data to SIEM before forwarding it to the central engine. 3. Co-relating data received from various devices sending data to SIEM before forwarding it to the central engine. 4. Visualizing data received from various devices sending data to SIEM before forwarding it to the central engine.

Which of the following stage executed after identifying the required event sources?

Which of the following formula is used to calculate the EPS of the organization?

Which of the following factors determine the choice of SIEM architecture?

An organization wants to implement a SIEM deployment architecture. However, they have the capability to do only log collection and the rest of the SIEM functions must be managed by an MSSP Which SIEM deployment architecture will the organization adopt?

Robin , a SOC engineer in a multinational company, is planning to implement a SIEM. He realized that his organization is capable of performing only Correlation, Analytics, Reporting, Retention, Alerting, and Visualization required for the SIEM implementation and has to take collection and aggregation services from a Managed Security Services Provider (MSSP). What kind of SIEM is Robin planning to implement?

John , a SOC analyst, while monitoring and analyzing Apache web server logs, identified an event log matching Regex /(\.|(%|%25)2E)(\.|(%|%25)2E)(\/| (%|%25)2F|\\|(%|%25)5C)/i. What does this event log indicate?

Which of the following data source can be used to detect the traffic associated with Bad Bot UserAgents?

Harley is working as a SOC analyst with Powell Tech. Powell Inc. Is using Internet Information Service (IIS) version 7.0 to host their website. Where will Harley find the web server logs, if he wants to investigate them for any anomalies?

John as a SOC analyst is worried about the amount of Tor traffic hitting the network. He wants to prepare a dashboard in the SIEM to get a graph to identify the locations from where the TOR traffic is coming. Which of the following data source will he use to prepare the dashboard?

Which of the following data source will a SOC Analyst use to monitor connections to the insecure ports?

Which of the following attacks causes sudden changes in file extensions or increase in file renames at rapid speed?

1 Juliea a SOC analyst, while monitoring logs, noticed large TXT, NULL payloads. What does this indicate?

John, a SOC analyst, wants to monitor the attempt of process creation activities from any of their Windows endpoints. Which of following Splunk queries will help him fetch the logs associated with process creation?

What does the Security Log Event ID 4624 of Windows 10 indicate?

Which of the following can help you eliminate the burden of investigating false positives?

If the SIEM generates the following four alerts at the same time: I. Firewall blocking traffic from getting into the network alerts II. SQL injection attempt alerts III. Data deletion attempt alerts IV. Brute-force attempt alerts Which alert should be given least priority as per effective alert triaging?

Which of the following threat intelligence helps cyber security professionals such as security operations managers, network operations center and incident responders to understand how the adversaries are expected to perform the attack on the organization, and the technical capabilities and goals of the attackers along with the attack vectors?

Which of the following threat intelligence is used by a SIEM for supplying the analysts with context and "situational awareness" by using threat actor TTPs, malware campaigns, tools used by threat actors. 1. Strategic threat intelligence 2. Tactical threat intelligence 3. Operational threat intelligence 4. Technical threat intelligence

John, a threat analyst at GreenTech Solutions, wants to gather information about specific threats against the organization. He started collecting information from various sources, such as humans, social media, chat room, and so on, and created a report that contains malicious activity. Which of the following types of threat intelligence did he use?

Shawn is a security manager working at Lee Inc Solution. His organization wants to develop threat intelligent strategy plan. As a part of threat intelligent strategy plan, he suggested various components, such as threat intelligence requirement analysis, intelligence and collection planning, asset identification, threat reports, and intelligence buy-in. Which one of the following components he should include in the above threat intelligent strategy plan to make it effective?

Banter is a threat analyst in Christine Group of Industries. As a part of the job, he is currently formatting and structuring the raw data. He is at which stage of the threat intelligence life cycle?

Which of the following is a Threat Intelligence Platform?

The threat intelligence, which will help you, understand adversary intent and make informed decision to ensure appropriate security in alignment with risk. What kind of threat intelligence described above?

Which of the following process refers to the discarding of the packets at the routing level without informing the source that the data did not reach its intended recipient?

Which of the following is a correct flow of the stages in an incident handling and response (IH&R) process?

Daniel is a member of an IR T, which was started recently in a company named Mesh Tech. He wanted to find the purpose and scope of the planned incident response capabilities. What is he looking for?

A type of threat intelligent that find out the information about the attacker by misleading them is known as:

Sam, a security analyst with INFOSOL INC., while monitoring and analyzing IIS logs, detected an event matching regex /\\w*((\%27)|(\'))((\%6F)|o|(\%4F)) ((\%72)|r|(\%52))/ix. What does this event log indicate?

Jane, a security analyst, while analyzing IDS logs, detected an event matching Regex /((\%3C)|<)((\%69)|i|(\% 49))((\%6D)|m|(\%4D)) ((\%67)|g|(\%47))[^\n]+((\%3E)|>)/|. What does this event log indicate?

Which of the following contains the performance measures, and proper project and time management details?

Which of the following security technology is used to attract and trap people who attempt unauthorized or illicit utilization of the host system?

Mike is an incident handler for PNP Infosystems Inc. One day, there was a ticket raised regarding a critical incident and Mike was assigned to handle the incident. During the process of incident handling, at one stage, he has performed incident analysis and validation to check whether the incident is a true incident or a false positive. Identify the stage in which he is currently in

Emmanuel is working as a SOC analyst in a company named Tobey Tech. The manager of Tobey Tech recently recruited an Incident Response Team (IRT) for his company. In the process of collaboration with the IR T, Emmanuel just escalated an incident to the IR T. What is the first step that the IRT will do to the incident escalated by Emmanuel?

Which of the following formula represents the risk

Which of the following formula represents the risk levels?

According to the Risk Matrix table, what will be the risk level when the probability of an attack is very low and the impact of that attack is major?

According to the Risk Matrix table, what will be the risk level when the probability of an attack is very high, and the impact of that attack is major?

Which of the following steps of incident handling and response process focus on limiting the scope and extent of an incident?

In which of the following incident handling and response stages, the root cause of the incident must be found from the forensic results?

Ray is a SOC analyst in a company named Queens Tech. One Day, Queens Tech is affected by a DoS/DDoS attack. For the containment of this incident, Ray and his team are trying to provide additional bandwidth to the network devices and increasing the capacity of the servers. What is Ray and his team doing?

Which of the following technique protects from flooding attacks originated from the valid prefixes (IP addresses) so that they can be traced to its true source?

Which of the following technique involves scanning the headers of IP packets leaving a network to make sure that the unauthorized or malicious traffic never leaves the internal network?

Which of the following service provides phishing protection and content filtering to manage the Internet experience on and off your network with the acceptable use or compliance policies?

Which of the following attack can be eradicated by disabling of "allow_url_fopen and allow_url_include" in the php.ini file?

Which of the following attack can be eradicated by using a safe API to avoid the use of the interpreter entirely?

Which of the following attack can be eradicated by converting all non-alphanumeric characters to HTML character entities before displaying the user input in search engines and forums?

Wesley is an incident handler in a company named Maddison Tech. One day, he was learning techniques for eradicating the insecure deserialization attacks. What among the following should Wesley avoid from considering?

Which of the following attack can be eradicated by filtering improper XML syntax?

Which encoding replaces unusual ASCII characters with "%" followed by the character’s two-digit ASCII code expressed in hexadecimal?

Which of the following tool is used to recover from web application incident?

Which of the following is a set of standard guidelines for ongoing development, enhancement, storage, dissemination and implementation of security standards for account data protection?

David is a SOC analyst in Karen Tech. One day an attack is initiated by the intruders but David was not able to find any suspicious events. This type of incident is categorized into ?

Which of the following directory will contain logs related to printer access?

Which of the following command is used to enable logging in iptables?

Which of the following commands is used to view iptables logs on Ubuntu and Debian distributions?

Which of the following commands is used to view iptables logs on CentOS/RHEL and Fedora distributions?

What does the HTTP status codes 1XX represent?

InfoSystem LLC, a US-based company, is establishing an in-house SOC. John has been given the responsibility to finalize strategy, policies, and procedures for the SOC. Identify the job role of John

In which phase of Lockheed Martin’s – Cyber Kill Chain Methodology, adversary creates a deliverable malicious payload using an exploit and a backdoor?

What does HTTPS Status code 403 represent?

Which of the following Windows event is logged every time when a user tries to access the "Registry" key?

Which of the following framework describes the essential characteristics of an organization's security engineering process that must exist to ensure good security engineering?

What does Windows event ID 4740 indicate?

Chloe, a SOC analyst with Jake Tech, is checking Linux systems logs. She is investigating files at /var/log/wtmp. What Chloe is looking at?

Identify the HTTP status codes that represent the client error.

Identify the HTTP status codes that represent the server error.

Which of the following Windows Event ID will help you monitor file sharing across the network?

Where will you find the reputation IP database, if you want to monitor traffic from known bad IP reputation using OSSIM SIEM?

Bonney's system has been compromised by a gruesome malware. What is the primary step that is advisable to Bonney in order to contain the malware incident from spreading?

According to the forensics investigation process, what is the next step carried out right after collecting the evidence?

Which one of the following is the correct flow for Setting Up a Computer Forensics Lab?

Which of the following is a report writing tool that will help incident handlers to generate efficient reports on detected incidents during incident response process?

Which of the following event detection techniques uses User and Entity Behavior Analytics (UEBA)?