ECCouncil 312-39 Certified SOC Analyst (CSA) Exam Practice Test

Page: 1 / 10
Total 100 questions

Certified SOC Analyst (CSA) Questions and Answers

Question 1

In which of the following incident handling and response stages must the root cause of the incident be found from the forensic results?

Options:

A. Evidence Gathering

B. Evidence Handling

C. Eradication

D. Systems Recovery

Question 2

Where will you find the IP reputation database if you want to monitor traffic from IPs with a known bad reputation using OSSIM SIEM?

Options:

A. /etc/ossim/reputation

B. /etc/ossim/siem/server/reputation/data

C. /etc/siem/ossim/server/reputation.data

D. /etc/ossim/server/reputation.data

Question 3

Identify the attack in which an attacker, after several trial-and-error attempts, can read the contents of a password file present in the restricted etc folder just by manipulating the URL in the browser, as shown:

http://www.terabytes.com/process.php./../../../../etc/passwd

Options:

A. Directory Traversal Attack

B. SQL Injection Attack

C. Denial-of-Service Attack

D. Form Tampering Attack

Question 4

Jane, a security analyst, while analyzing IDS logs, detected an event matching the regex /((\%3C)|<)((\%69)|i|(\%49))((\%6D)|m|(\%4D))((\%67)|g|(\%47))[^\n]+((\%3E)|>)/I.

What does this event log indicate?

Options:

A. Directory Traversal Attack

B. Parameter Tampering Attack

C. XSS Attack

D. SQL Injection Attack

Question 5

Which of the following tools is used to recover from a web application incident?

Options:

A. CrowdStrike Falcon™ Orchestrator

B. Symantec Secure Web Gateway

C. Smoothwall SWG

D. Proxy Workbench

Question 6

Which of the following formulas represents risk levels?

Options:

A. Level of risk = Consequence × Severity

B. Level of risk = Consequence × Impact

C. Level of risk = Consequence × Likelihood

D. Level of risk = Consequence × Asset Value

Question 7

If the SIEM generates the following four alerts at the same time:

I. Firewall blocking traffic from getting into the network alerts

II. SQL injection attempt alerts

III. Data deletion attempt alerts

IV. Brute-force attempt alerts

Which alert should be given least priority as per effective alert triaging?

Options:

A. III

B. IV

C. II

D. I

Question 8

Identify the HTTP status codes that represent a server error.

Options:

A. 2XX

B. 4XX

C. 1XX

D. 5XX

Question 9

Ray is a SOC analyst in a company named Queens Tech. One day, Queens Tech is affected by a DoS/DDoS attack. To contain this incident, Ray and his team are trying to provide additional bandwidth to the network devices and increase the capacity of the servers.

What are Ray and his team doing?

Options:

A. Blocking the Attacks

B. Diverting the Traffic

C. Degrading the Services

D. Absorbing the Attack

Question 10

Which of the following directories will contain logs related to printer access?

Options:

A. /var/log/cups/Printer_log file

B. /var/log/cups/access_log file

C. /var/log/cups/accesslog file

D. /var/log/cups/Printeraccess_log file

Question 11

Sam, a security analyst with INFOSOL INC., while monitoring and analyzing IIS logs, detected an event matching the regex /\w*((\%27)|(\'))((\%6F)|o|(\%4F))((\%72)|r|(\%52))/ix.

What does this event log indicate?

Options:

A. SQL Injection Attack

B. Parameter Tampering Attack

C. XSS Attack

D. Directory Traversal Attack

Question 12

Which of the following formulas is used to calculate the EPS of the organization?

Options:

A. EPS = average number of correlated events / time in seconds

B. EPS = number of normalized events / time in seconds

C. EPS = number of security events / time in seconds

D. EPS = number of correlated events / time in seconds

Question 13

Which of the following stages is executed after identifying the required event sources?

Options:

A. Identifying the Monitoring Requirements

B. Defining Rule for the Use Case

C. Implementing and Testing the Use Case

D. Validating the Event Source Against Monitoring Requirement

Question 14

David is a SOC analyst in Karen Tech. One day an attack was initiated by intruders, but David was not able to find any suspicious events.

How is this type of incident categorized?

Options:

A. True Positive Incidents

B. False Positive Incidents

C. True Negative Incidents

D. False Negative Incidents

Question 15

Which of the following event detection techniques uses User and Entity Behavior Analytics (UEBA)?

Options:

A. Rule-based detection

B. Heuristic-based detection

C. Anomaly-based detection

D. Signature-based detection

Question 16

What does HTTPS status code 403 represent?

Options:

A. Unauthorized Error

B. Not Found Error

C. Internal Server Error

D. Forbidden Error

Question 17

Which of the following attacks inundates DHCP servers with fake DHCP requests to exhaust all available IP addresses?

Options:

A. DHCP Starvation Attacks

B. DHCP Spoofing Attack

C. DHCP Port Stealing

D. DHCP Cache Poisoning

Question 18

Which of the following can help you eliminate the burden of investigating false positives?

Options:

A. Keeping default rules

B. Not trusting the security devices

C. Treating every alert as high level

D. Ingesting the context data

Question 19

Which of the following attacks can be eradicated by disabling "allow_url_fopen" and "allow_url_include" in the php.ini file?

Options:

A. File Injection Attacks

B. URL Injection Attacks

C. LDAP Injection Attacks

D. Command Injection Attacks

Question 20

Which of the following factors determine the choice of SIEM architecture?

Options:

A. SMTP Configuration

B. DHCP Configuration

C. DNS Configuration

D. Network Topology

Question 21

Which of the following types of threat intelligence are used by a SIEM to supply analysts with context and "situational awareness" by using threat actor TTPs, malware campaigns, and tools used by threat actors?

1. Strategic threat intelligence

2. Tactical threat intelligence

3. Operational threat intelligence

4. Technical threat intelligence

Options:

A. 2 and 3

B. 1 and 3

C. 3 and 4

D. 1 and 2

Question 22

According to the forensics investigation process, what is the next step carried out right after collecting the evidence?

Options:

A. Create a Chain of Custody Document

B. Send it to the nearby police station

C. Set a Forensic lab

D. Call Organizational Disciplinary Team

Question 23

Which of the following security technologies is used to attract and trap people who attempt unauthorized or illicit utilization of the host system?

Options:

A. De-Militarized Zone (DMZ)

B. Firewall

C. Honeypot

D. Intrusion Detection System

Question 24

Which of the following data sources can be used to detect the traffic associated with Bad Bot User-Agents?

Options:

A. Windows Event Log

B. Web Server Logs

C. Router Logs

D. Switch Logs

Question 25

According to the Risk Matrix table, what will be the risk level when the probability of an attack is very high, and the impact of that attack is major?

Options:

A. High

B. Extreme

C. Low

D. Medium

Question 26

Shawn is a security manager working at Lee Inc Solution. His organization wants to develop a threat intelligence strategy plan. As a part of the threat intelligence strategy plan, he suggested various components, such as threat intelligence requirement analysis, intelligence and collection planning, asset identification, threat reports, and intelligence buy-in.

Which one of the following components should he include in the above threat intelligence strategy plan to make it effective?

Options:

A. Threat pivoting

B. Threat trending

C. Threat buy-in

D. Threat boosting

Question 27

The Syslog message severity levels are labelled from level 0 to level 7.

What does level 0 indicate?

Options:

A. Alert

B. Notification

C. Emergency

D. Debugging

Question 28

Identify the attack, where an attacker tries to discover all the possible information about a target network before launching a further attack.

Options:

A. DoS Attack

B. Man-In-Middle Attack

C. Ransomware Attack

D. Reconnaissance Attack

Question 29

Which of the following is a correct flow of the stages in an incident handling and response (IH&R) process?

Options:

A. Containment –> Incident Recording –> Incident Triage –> Preparation –> Recovery –> Eradication –> Post-Incident Activities

B. Preparation –> Incident Recording –> Incident Triage –> Containment –> Eradication –> Recovery –> Post-Incident Activities

C. Incident Triage –> Eradication –> Containment –> Incident Recording –> Preparation –> Recovery –> Post-Incident Activities

D. Incident Recording –> Preparation –> Containment –> Incident Triage –> Recovery –> Eradication –> Post-Incident Activities

Question 30

Which of the following attacks can be eradicated by filtering improper XML syntax?

Options:

A. CAPTCHA Attacks

B. SQL Injection Attacks

C. Insufficient Logging and Monitoring Attacks

D. Web Services Attacks
