Website Intrusion Methods
Detection Systems
SOC Thinking
Log Analysis Lab
Incident Report
100

What type of attack tricks users into revealing passwords through fake emails or websites?

What is phishing?

100

What system collects logs from many devices into one place for analysis?

 SIEM

100

What does SOC stand for?

Security Operations Center

100

What do logs record?

Events or activities occurring on a system or network

100

What is the purpose of an incident report?

To document a cybersecurity incident and the response.

200

What attack repeatedly guesses passwords until the correct one is found?

brute-force attack

200

What security tool monitors network traffic and alerts on suspicious activity but does not automatically block it?

IDS (Intrusion Detection System)

200

What is the first step a SOC analyst takes after receiving a security alert?

identify or investigate the alert

200

Which log entry would most likely indicate a successful login?

Authentication success or Login Successful

200

What section explains what happened during the incident?

The Incident Summary.

300

An attacker inserts malicious JavaScript into a website that executes in visitors' browsers. What attack is this?

Cross-Site Scripting (XSS)

300

What security tool can automatically block malicious traffic after detecting it?

IPS (Intrusion Prevention System)

300

Why should analysts verify alerts before escalating them?

To determine whether the alert is a true positive or false positive.

300

Why are timestamps important during investigations?

They help reconstruct the timeline of an attack.

300

Why should incident reports use objective language instead of opinions?

Because reports should contain facts supported by evidence.

400

A web application displays database error messages after the URL is modified with ' OR '1'='1. Which vulnerability allowed the attacker to manipulate the database query?

SQL Injection (SQL)

400

A SIEM generates hundreds of alerts from the same infected computer every minute. What cybersecurity term describes this overwhelming number of notifications that analysts must prioritize?

alert fatigue

400

Two alerts occur:

  • Malware detected on one device.
  • Five failed logins from another employee.

Only one incident can be investigated immediately. Which should receive higher priority and why?

The malware incident, because it indicates an active compromise with potential impact to systems and data.

400

The logs show:

  • 10:02 — User logs in from New York.
  • 10:06 — Same user logs in from Germany.
  • 10:08 — Security log cleared.
  • 10:10 — 4 GB uploaded externally.

What attacker technique is most strongly suggested by this sequence?

Account compromise followed by defense evasion and data exfiltration.

400

A report states:
"The attacker probably used ransomware because the employee said their computer looked weird."

What is the biggest problem with this statement?

It contains unsupported assumptions instead of evidence-based findings.

500

An attacker uploads a file named invoice.pdf.php to a website that only checks the file extension before storing uploads. The server executes the file as code, giving the attacker remote access.

malicious file upload (web shell upload)

500

A security tool detects three events on the same computer within a few minutes: a suspicious email attachment is opened, a new unknown program starts running, and the computer begins sending large amounts of data to an outside server. Why is it important to investigate these events together instead of separately?

Because the combined events suggest a possible cyberattack, helping analysts understand the full sequence of the attack instead of treating each alert as an unrelated issue.

500

A user reports slow performance, while the SIEM reports failed logins, unusual PowerShell execution, and large outbound encrypted transfers from the same host. According to SOC methodology, what should be the analyst's next priority after confirming these events are related?

Begin incident response, including containment of the affected endpoint while preserving evidence.

500

Firewall logs show denied inbound connections, while endpoint logs show malware execution and DNS logs reveal communication with a known malicious domain. Why is relying only on firewall logs likely to produce an incomplete investigation?

Because multiple log sources must be correlated to understand the complete attack, including endpoint compromise and command-and-control communication.

500

During an incident investigation, a SOC analyst records the time the attack started, the actions taken by the attacker, and the steps the security team used to stop the threat. Which section of the incident report should contain this information?

The Incident Timeline.