Blog

Which two of the following statements about IOAs are true? (Choose two.) IOAs do not point to an attack that already happened; they point to an attack that might be…

What are the two general types of SOC reports? (Choose two.) management report progress report operational report executive report Explanation & Hint: The two general types of SOC (Security Operations…

What are two common alert dispositions? (Choose two.) true positive false positive malware clean undetected Explanation & Hint: Two common alert dispositions in the context of security operations are: True…

What can Tier 1 SOC analysts do to avoid potential errors due to inaccuracies in reconstructing the investigation activities? Escalate the investigation to a tier 2 SOC analyst for verification.…

An incident report typically starts with which section? Executive Summary Technical Summary Investigation Details Comments Supportive Documents Explanation & Hint: An incident report typically starts with an Executive Summary. This…

Which four of the following should be included along with each reported investigation action? (Choose four.) timestamp label for the data relevant data rationale recommendation external references Explanation & Hint:…

What is a common type of SOC performance metric? time-based threat-based attack-based alert-based Explanation & Hint: A common type of SOC (Security Operations Center) performance metric is time-based. This includes…

A threat investigation report is an example of which type of SOC report? management report progress report operational report executive report technical report Explanation & Hint: A threat investigation report…

Which statement is correct about case closing notes? They should include all the details about each discovered artifact related to the incident. They should support the analyst’s verdict. They should…

Which two security solutions or tools typically include built-in robust reporting and dashboards functionalities? (Choose two.) SIEM XDR antivirus firewall IPS Explanation & Hint: The two security solutions or tools…

What is commonly used by a SOC to engage the IR team as soon as possible? incident report initial notification case report progress report dashboard alert Explanation & Hint: To…

The alert verdict and the closing notes are usually also visible to the external stakeholders as part of which one of these? SOC Periodic Performance Operations Report SOC Dashboard SOC…

What is the time to investigate (TTI)? The time it takes to determine if an alert is a true positive or false positive The time it takes a security analyst…

In an organization, who typically develops the plays in the playbook? a team of SOC security analysts a team of SOC managers a team of incident response handlers a team…

Referring to the play that is shown here, which section contains the data query that the analyst runs to generate the desired report? objective working action analysis reference Explanation &…

Referring to the play that is shown here, which three statements are correct? (Choose three.) This play is a high-fidelity report/event. The data source is from the IDS. The data…

What is the main function of the playbook management system? tracks the attacks progress tracks the play progress and life cycle provides a centralized logging facility to run queries against…

Regarding the plays in a playbook, match the description to the section of a play. action ==> documents the actions to take during the incident response phase reference ==> provides the bulk…

What is the typical next step after the analyst runs the plays in the playbook? collection and analysis information sharing detection mitigation and remediation Explanation & Hint: The typical next…

Which section of the play is intended to provide background information and a good reason why the play exists? report identification working action analysis reference objective Explanation & Hint: The…