
Test Your SOC Analyst Knowledge Assessment

Boost Your Security Operations Expertise Today

Difficulty: Moderate
Questions: 20

This SOC Analyst Knowledge Assessment helps you practice incident response, threat analysis, SIEM use, and network monitoring in 15 quick questions. See where you stand and spot gaps before an interview, then try deeper tasks in the technical assessment or refresh the basics with the IT fundamentals quiz.

Which of the following best describes a phishing attack?
An automated malware installation on a device without user interaction.
A social engineering attempt to trick users into revealing credentials.
An exploit that takes advantage of unpatched software vulnerabilities.
A network scan to find open ports on a host.
Phishing is a social engineering technique where attackers trick users into divulging sensitive information. It relies on deceptive messages rather than automated exploits or scanning.
What is an indicator of a brute-force attack in system logs?
Large outbound data transfers to an unknown external IP.
A sudden spike in CPU usage over time.
Frequent DNS lookups for random domain names.
Multiple consecutive failed login attempts from the same source.
Brute-force attacks generate repeated failed login attempts in logs as attackers try many credential combinations. Other symptoms like CPU usage spikes or DNS lookups do not specifically indicate brute-forcing.
What does SIEM stand for?
Security Incident Email Manager
Secure Internet Exchange Module
Security Information and Event Management
System Incident Event Monitor
SIEM stands for Security Information and Event Management, which collects and analyzes security data across an organization. The other options are not standard industry terms.
Which protocol is commonly used to share threat intelligence data between organizations?
SNMP
FTP
STIX/TAXII
SMTP
STIX (Structured Threat Information Expression) and TAXII (Trusted Automated Exchange of Intelligence Information) are standards for threat intelligence exchange. SMTP, FTP, and SNMP serve different purposes.
Which protocol ensures encrypted communication for web traffic?
HTTPS
HTTP
SSH
FTP
HTTPS uses TLS/SSL to encrypt web traffic between browsers and servers. HTTP and FTP are not encrypted, and SSH, while encrypted, is not used for web traffic.
In a SIEM platform, what is the primary purpose of log normalization?
Aggregating logs into a centralized database.
Converting logs into a common format for consistent analysis.
Masking sensitive fields before analysis.
Encrypting logs for secure storage.
Log normalization standardizes diverse log formats into a unified structure, enabling consistent correlation and analysis. Encryption, masking, and aggregation are separate processes.
Which MITRE ATT&CK tactic involves moving from one system to another within a network?
Persistence
Reconnaissance
Lateral Movement
Exfiltration
Lateral Movement refers to techniques adversaries use to move within a network and compromise additional hosts. Reconnaissance gathers information, persistence maintains access, and exfiltration steals data.
Which metric assesses the trustworthiness of a threat intelligence source?
Latency
Confidence
Relevance
Volume
Confidence measures the reliability and accuracy of intelligence from a source. Volume and latency relate to data quantity and timeliness, while relevance indicates applicability rather than trustworthiness.
In incident response, which phase involves containment, eradication, and recovery?
Preparation
Response
Identification
Lessons Learned
The Response phase in incident response includes containment, eradication of threats, and recovery to restore systems. Preparation occurs before incidents and Lessons Learned follows recovery.
Which network management protocol operates on UDP port 161?
SMTP
LDAP
SNMP
SSH
SNMP (Simple Network Management Protocol) uses UDP port 161 for management queries and traps. SMTP (email), LDAP (directory services), and SSH (remote access) use different ports.
Which log analysis approach compares current activity against historical patterns to detect anomalies?
Anomaly Detection
Signature-Based Detection
Whitelist Validation
Heuristic Matching
Anomaly Detection flags deviations from established baselines by comparing present behavior to historical norms. Signature-based, heuristic, and whitelist methods use predefined rules or known good lists.
Which type of SIEM correlation rule is used to detect when a threshold of events is met within a time window?
Rule Prioritization
Event Normalization
Stateful Correlation
Threshold-Based Correlation
Threshold-Based Correlation triggers alerts when event counts exceed a defined threshold in a given timeframe. Stateful correlation tracks event sequences, while normalization and prioritization serve other functions.
Which incident response phase focuses on gathering context and details about an event?
Recovery
Detection and Analysis
Preparation
Containment
The Detection and Analysis phase involves identifying and understanding the nature, scope, and impact of an incident. Containment and recovery follow analysis, while preparation happens beforehand.
What is a primary benefit of using encrypted VPN tunnels for remote connections?
It always increases network throughput.
It eliminates the need for endpoint security.
It reduces overall network latency.
It protects data from eavesdropping by encrypting traffic.
Encrypted VPN tunnels secure remote connections by encrypting data, preventing interception and eavesdropping. They do not inherently boost throughput, replace endpoint security, or lower latency.
When analyzing DNS logs, which record type may indicate DNS tunneling?
CNAME records for domain aliases.
Standard A records mapping names to IPs.
MX records for mail exchange servers.
TXT records carrying large or encoded data payloads.
Attackers often use DNS TXT records to tunnel data because they allow arbitrary text payloads. A, MX, and CNAME records serve standard resolution functions and carry predictable information.
In a SIEM correlation rule definition, which component specifies the time window for aggregating related events?
Action
Filter
Source
Timeframe
The Timeframe parameter defines the sliding window during which events are aggregated and correlated. Filters select events, actions respond to matches, and the source identifies the log input.
Which challenge often arises when evaluating multiple threat intelligence feeds for actionable insights?
Limited login attempts
Lack of encryption
Low port scan volumes
High false positive rates
High false positive rates can overwhelm analysts and reduce trust in threat intelligence outputs. Port scans, encryption, and login attempts are unrelated to feed evaluation challenges.
In an advanced persistent threat scenario, which indicator most strongly suggests stealthy lateral movement?
Use of valid credentials on multiple hosts in sequence.
Scanning the network for open ports.
Installation of a known malware signature.
Large data exfiltration to an external IP.
Stealthy lateral movement often leverages legitimate credentials to avoid detection. Port scanning, large exfiltration, or known malware signatures are less indicative of covert lateral access.
Which principle is central to a Zero Trust network architecture?
Never trust, always verify.
Segment networks only at the perimeter.
Trust but verify once per session.
Default permit all internal traffic.
Zero Trust enforces continuous verification of all users and devices, regardless of location. Default permitting, perimeter-only segmentation, or one-time checks contradict its core philosophy.
In packet capture analysis, a high volume of SYN packets without corresponding ACKs most likely indicates what?
An application-layer protocol downgrade.
A SYN flood denial-of-service attack.
A normal TCP handshake process.
A successful session hijacking attempt.
Excessive SYN packets without ACK responses are characteristic of a SYN flood DDoS attack attempting to exhaust server resources. A normal handshake includes ACKs; protocol downgrades and hijacking exhibit different patterns.

Learning Outcomes

  1. Identify common security incident types and their indicators.
  2. Analyse system logs using SIEM best practices.
  3. Evaluate threat intelligence feeds for actionable insights.
  4. Apply incident response strategies to real-world scenarios.
  5. Demonstrate understanding of network security protocols.

Cheat Sheet

  1. Recognize Common Security Incident Types and Their Indicators - Spotting different security woes like malware infections, unauthorized access, and data breaches is half the battle! Keep an eye out for repeated failed logins or strange file modifications to catch trouble early.
  2. Master SIEM Best Practices for Log Analysis - SIEM systems are your magnifying glass on all those logs flooding in. Define clear goals, centralize your data streams, and regularly tweak your rules to cut through the noise and surface real threats!
  3. Evaluate Threat Intelligence Feeds for Actionable Insights - Your feeds should be like the morning news - fresh, relevant, and accurate! Compare multiple sources, check their reliability, and integrate the juiciest alerts into your SIEM to stay one step ahead of cyber baddies.
  4. Apply Incident Response Strategies to Real-World Scenarios - Theory is cool, but drills are cooler! Simulate data breaches or malware outbreaks with your team, then analyze what went right (or hilariously wrong). Rehearsal builds confidence and quick reactions under pressure.
  5. Understand Network Security Protocols - TLS, SSL, IPsec, SSH… they might sound like alphabet soup, but they're your network's bodyguards! Learn how each protocol encrypts and authenticates data to keep prying eyes at bay.
  6. Implement Structured Logging Practices - Chaos in logs? No thanks! Adopt consistent formats and log levels like INFO, WARN, and ERROR so you can filter, search, and analyze with lightning speed. Structured logs = supercharged investigations.
  7. Ensure Proper Log Management and Retention - Collecting logs is great, but storing them securely and shredding old ones on schedule is even better. Stick to retention policies for compliance and have that historical trail ready for forensic deep dives.
  8. Automate Alerting and Incident Response Workflows - Banish manual drudgery by setting up your SIEM to fire off alerts and trigger playbooks automatically. Less busywork = more time hunting threats and leveling up your security game.
  9. Regularly Train Staff on Security Protocols - Cyber villains never sleep, so your training shouldn't either! Host fun quizzes, live demos, and threat hunts to keep the team sharp and ready to swoop in at the first sign of trouble.
  10. Integrate SIEM with Other Security Tools - A one-tool wonder is nice, but an all-star lineup is unbeatable! Hook up intrusion detection, endpoint protection, and vulnerability scanners to your SIEM for a superhero-level defense.