312-39 Free Sample Questions

Certified SOC Analyst Practice Test
10/218 questions
Q1

A SOC analyst at a pharmaceutical company is investigating a high-severity alert from their SIEM. The alert triggered on a correlation rule that detects a successful VPN login from an unrecognized IP address followed within two minutes by the execution of `powershell.exe -e JABj...`. The Base64-encoded string is too long to be fully displayed in the alert summary. What is the analyst's most critical immediate next step to determine the nature of the potential incident?

Q2

A junior SOC analyst is tasked with creating a new SIEM correlation rule to detect potential SQL injection attacks. The analyst proposes the following logic: "Alert if a web server log from the external DMZ contains the string 'UNION SELECT' OR '1=1'." Why is this rule likely to be ineffective in a modern SOC?

Q3 (Multiple answers)

A SOC team for a global logistics company has integrated several new threat intelligence feeds into their TIP. An analyst observes a sudden, massive spike in alerts related to malicious IP addresses, overwhelming the Tier 1 team. Upon investigation, many of these IPs belong to a major Content Delivery Network (CDN). Which TWO of the following actions should the analyst prioritize to mitigate this issue while maintaining security posture? (Select TWO)

Q4

During a threat hunting exercise, a SOC analyst is proactively searching for signs of lateral movement. The analyst formulates a hypothesis that an attacker is using PsExec for remote command execution. Which data source would be MOST valuable for validating this hypothesis?

Q5

A SOC Manager is reviewing the monthly metrics and notices that the Mean Time to Detect (MTTD) has increased significantly, while the Mean Time to Respond (MTTR) has remained stable. What is the MOST likely cause for this trend?

Q6

True or False: In the Cyber Kill Chain model, the 'Installation' phase always occurs before the 'Command and Control' phase.

Q7

An organization's incident response policy mandates that after containing a malware outbreak on several workstations, the next step is 'Eradication'. Which of the following activities is a core part of the Eradication phase?

Q8

A SOC analyst needs to write a query in a Splunk-based SIEM to find all successful RDP login events (EventCode=4624) from IP addresses outside of the company's designated country code (US). Which of the following Splunk queries is the best approach to accomplish this?

Q9

A financial services firm is required to comply with a regulation that mandates a log retention period of seven years for all authentication and transaction logs. The firm's current SIEM solution stores all data in 'hot' storage for fast querying, which is becoming prohibitively expensive for long-term retention. What is the most appropriate architectural solution for the SOC to propose?

Q10

A SOC analyst is investigating an alert indicating that a sensitive file was accessed on a file server from a user account that has been dormant for over a year. Which attack methodology concept does this activity MOST closely align with?