D483 ITAS 5222 Security Operations
Objective Assessment Review
(Questions & Solutions)
2025
1. Case: An international enterprise’s Security Operations Center
(SOC) is receiving thousands of alerts per day from its SIEM system.
The SOC manager is tasked with reducing the noise while ensuring
critical alerts are not missed.
Question: Which approach best achieves this objective?
a) Lowering the SIEM’s alert threshold indiscriminately
b) Developing and tuning correlation rules based on baseline network
behavior and threat intelligence
c) Disabling alerts flagged as “informational”
d) Relying solely on manual log review for critical events
Correct ANS: b) Developing and tuning correlation rules based on
baseline network behavior and threat intelligence
Rationale: Fine‑tuning SIEM correlation rules by incorporating
baseline behaviors and threat intelligence helps to prioritize high‑risk
events while reducing false positives.
---
2. Case: A SOC analyst detects a series of failed login attempts
followed by successful access from a known IP address on several
critical servers.
Question: Which indicator most strongly suggests a potential
account compromise?
a) Distributed Denial of Service (DDoS) traffic
b) Multiple failed login attempts preceding a successful login
c) Routine system updates
d) Scheduled maintenance activities
Correct ANS: b) Multiple failed login attempts preceding a
successful login
Rationale: A run of failed logins followed by a success is the pattern a
brute-force or credential-stuffing attack leaves once it guesses a valid
password, so it signals possible account compromise. That the source is a
known IP address does not rule this out; the analyst should confirm by
checking what the account did after the successful login.
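A worked form of the correlation described in questions 1 and 2, added here as an example and not part of the course material: the rule below parses constructed sshd-style log lines, fires when a configurable number of failures from one source precede a success on the same host within a window, and exposes the tuning knobs (threshold, window, and a baseline allow-list for known noisy sources) that question 1 points at. The log format, thresholds and addresses are assumptions.

```python
"""Correlation rule: many failed logins from one source to one host, followed
within a short window by a successful login from the same source.

Added example for review, not part of the course material. The log lines
below are constructed in a simplified sshd-like format; the field layout,
thresholds and the baseline allow-list are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data): one brute-force-then-success on
# srv-db01, one ordinary typo-then-success on srv-web02, one clean login.
SAMPLE_LOGS = """\
2025-03-01T09:00:01 srv-db01 sshd: Failed password for admin from 203.0.113.7
2025-03-01T09:00:03 srv-db01 sshd: Failed password for admin from 203.0.113.7
2025-03-01T09:00:05 srv-db01 sshd: Failed password for admin from 203.0.113.7
2025-03-01T09:00:07 srv-db01 sshd: Failed password for admin from 203.0.113.7
2025-03-01T09:00:09 srv-db01 sshd: Failed password for admin from 203.0.113.7
2025-03-01T09:00:12 srv-db01 sshd: Accepted password for admin from 203.0.113.7
2025-03-01T09:05:00 srv-web02 sshd: Failed password for alice from 198.51.100.4
2025-03-01T09:05:30 srv-web02 sshd: Accepted password for alice from 198.51.100.4
2025-03-01T10:00:00 srv-db01 sshd: Accepted password for bob from 192.0.2.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>\S+)$"
)


def parse_events(log_text):
    """Parse the constructed format; lines the rule does not understand are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
    # Correlation is order-sensitive, so sort even if the collector delivered
    # lines out of order.
    return sorted(events, key=lambda e: e["ts"])


def detect_bruteforce_success(log_text, failure_threshold=5,
                              window=timedelta(minutes=10),
                              baseline_sources=()):
    """Return one alert per success that was preceded, within `window`, by at
    least `failure_threshold` failures from the same source to the same host.

    `baseline_sources` holds sources whose failures are expected (for example
    an internal vulnerability scanner); they are suppressed so the rule stops
    paging on known behaviour. Raising `failure_threshold` or shrinking
    `window` are the other tuning knobs.
    """
    failures = defaultdict(list)   # (src, host) -> timestamps of failures
    alerts = []
    for ev in parse_events(log_text):
        key = (ev["src"], ev["host"])
        if ev["result"] == "Failed":
            failures[key].append(ev["ts"])
            continue
        recent = [t for t in failures[key] if ev["ts"] - t <= window]
        if len(recent) >= failure_threshold and ev["src"] not in baseline_sources:
            alerts.append({
                "src": ev["src"], "host": ev["host"], "user": ev["user"],
                "failures": len(recent), "success_at": ev["ts"].isoformat(),
            })
        failures[key].clear()   # a success closes the attempt sequence
    return alerts


if __name__ == "__main__":
    for a in detect_bruteforce_success(SAMPLE_LOGS):
        print(a)
```

Run on the sample log this yields one alert (admin on srv-db01, five failures then a success); alice's single typo on srv-web02 is below the threshold, and adding 203.0.113.7 to baseline_sources suppresses the alert entirely, which is why an allow-list needs the same periodic review as the rule itself.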
---
3. Case: An organization deploys a Security Orchestration,
Automation, and Response (SOAR) platform to improve incident
handling.
Question: What is the primary benefit of integrating a SOAR solution
into a SOC?
a) Eliminating the need for a SIEM system
b) Automating routine tasks to reduce response times and improve
efficiency
c) Increasing the volume of alerts for manual review
d) Replacing the role of security analysts entirely
Correct ANS: b) Automating routine tasks to reduce response
times and improve efficiency
Rationale: SOAR platforms complement SIEMs by automating
repetitive processes, enabling faster incident response and freeing
analysts to focus on more complex issues.
---
4. Case: A SOC is incorporating threat intelligence feeds into its
monitoring platform.
Question: Which of the following is a key advantage of integrating
threat intelligence into security operations?
a) It guarantees that no false positives will occur
b) It enables proactive identification and prioritization of threats by
correlating external indicators with internal events
c) It replaces the need for internal log analysis
d) It reduces the total number of alerts by 100%
Correct ANS: b) It enables proactive identification and
prioritization of threats by correlating external indicators with internal
events
Rationale: Integrating threat intelligence allows organizations to
enrich internal logs with context about emerging threats, supporting
proactive threat detection and prioritization.
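An added example covering questions 3 and 4 together, not taken from the course material or from any SOAR or SIEM product: a constructed indicator feed is joined to constructed SIEM events (exact IP, CIDR, domain and file-hash indicators), and a small SOAR-style playbook turns each enriched result into an automated action, an analyst ticket, or nothing, by confidence. The feed format, events, confidence thresholds and actions are assumptions; the file hash in the feed is the well-known SHA-256 of empty input, used only as a placeholder.

```python
"""Enrich SIEM events with threat-intelligence indicators, then run a
SOAR-style playbook that decides what happens to each enriched event.

Added example for review, not part of the course material and not any
vendor's SOAR or SIEM API. The indicator feed, the events, the confidence
scores and the playbook actions are all constructed; the hash used as a
file indicator is the well-known SHA-256 of empty input, a placeholder only.
"""
from ipaddress import ip_address, ip_network

# Constructed indicator feed: type,value,confidence,source
TI_FEED = """\
ipv4,203.0.113.7,90,vendor-feed-A
ipv4-net,198.51.100.0/24,60,abuse-list
domain,evil.example,95,vendor-feed-A
sha256,e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855,80,malware-db
"""

# Constructed internal events as they might arrive from a SIEM
EVENTS = [
    {"id": 1, "type": "dns", "host": "ws-17", "domain": "evil.example"},
    {"id": 2, "type": "netflow", "host": "srv-db01", "dst_ip": "203.0.113.7"},
    {"id": 3, "type": "netflow", "host": "ws-03", "dst_ip": "198.51.100.77"},
    {"id": 4, "type": "netflow", "host": "ws-03", "dst_ip": "192.0.2.9"},
    {"id": 5, "type": "file", "host": "ws-17",
     "sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
]


def load_feed(text):
    """Parse the constructed feed into indicator dicts; CIDR ranges are pre-parsed."""
    indicators = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        itype, value, confidence, source = line.split(",")
        ind = {"type": itype, "value": value,
               "confidence": int(confidence), "source": source}
        if itype == "ipv4-net":
            ind["network"] = ip_network(value)
        indicators.append(ind)
    return indicators


def enrich(event, indicators):
    """Return the indicators matching this event: external context joined to an internal record."""
    matches = []
    for ind in indicators:
        t = ind["type"]
        if t == "ipv4" and event.get("dst_ip") == ind["value"]:
            matches.append(ind)
        elif t == "ipv4-net" and "dst_ip" in event \
                and ip_address(event["dst_ip"]) in ind["network"]:
            matches.append(ind)
        elif t == "domain" and event.get("domain", "").lower() == ind["value"]:
            matches.append(ind)
        elif t == "sha256" and event.get("sha256", "").lower() == ind["value"]:
            matches.append(ind)
    return matches


def triage(event, matches, auto_contain_at=90, ticket_at=50):
    """Playbook step: high-confidence hits are contained automatically, medium
    ones go to an analyst queue, everything else stays in normal monitoring.
    Thresholds are assumptions a real SOC would set from its own risk appetite."""
    if not matches:
        return {"id": event["id"], "priority": 0, "action": "none", "sources": []}
    priority = max(m["confidence"] for m in matches)
    if priority >= auto_contain_at:
        action = "isolate_host"      # automated containment, no analyst in the loop
    elif priority >= ticket_at:
        action = "create_ticket"     # analyst review before anything is blocked
    else:
        action = "none"
    return {"id": event["id"], "priority": priority, "action": action,
            "sources": sorted({m["source"] for m in matches})}


def run_playbook(events, indicators):
    return [triage(ev, enrich(ev, indicators)) for ev in events]


if __name__ == "__main__":
    for r in run_playbook(EVENTS, load_feed(TI_FEED)):
        print(r)
```

The point both questions make is visible in the output: a netflow record that would otherwise be one of millions becomes a 90-confidence hit with a named source, the playbook handles the clear-cut cases without an analyst, and the CIDR-range match (lower confidence, more prone to false positives) is routed for human review rather than acted on automatically.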
---
5. Case: In the wake of a security breach, a SOC is conducting a
forensic analysis to preserve evidence.
Question: Which practice is vital during forensic investigations to
ensure admissibility of evidence?
a) Modifying timestamps to clarify event sequences
b) Maintaining an unbroken chain of custody
c) Encrypting evidence files without logging the activity
d) Discarding non-critical log files immediately
Correct ANS: b) Maintaining an unbroken chain of custody
Rationale: A documented, unbroken chain of custody records who
collected, handled and stored each evidence item, when, and how
(typically with cryptographic hashes taken at acquisition and re-checked at
each hand-off), so the investigator can demonstrate that the evidence has
not been altered and it remains admissible in legal proceedings.
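An added example for question 5, not part of the course material and not a replacement for an organisation's evidence-handling procedure or tooling: a custody record in which each entry commits to the evidence hash and to the previous entry, so the verification step shows what "unbroken" means in practice. The evidence bytes, custodian names and timestamps are constructed.

```python
"""Chain-of-custody record for one evidence item, with integrity checks.

Added example for review, not part of the course material and not a
substitute for an organisation's evidence-handling procedure or tooling.
The evidence bytes, custodian names and timestamps are constructed.
"""
import hashlib
import json

# Constructed stand-in for an acquired disk image or log archive.
EVIDENCE = b"constructed evidence bytes: /var/log/auth.log from srv-db01"

GENESIS = "0" * 64   # prev_hash of the first entry


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class CustodyLog:
    """Append-only custody record. Each entry commits to the evidence hash and
    to the hash of the previous entry, so an edited, removed or reordered
    entry breaks verification, as does a changed evidence file."""

    def __init__(self, evidence_id, evidence_bytes):
        self.evidence_id = evidence_id
        self.evidence_hash = sha256_hex(evidence_bytes)   # acquisition hash
        self.entries = []

    def record(self, action, custodian, timestamp, note=""):
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        entry = {
            "seq": len(self.entries), "evidence_id": self.evidence_id,
            "evidence_hash": self.evidence_hash, "action": action,
            "custodian": custodian, "timestamp": timestamp, "note": note,
            "prev_hash": prev,
        }
        entry["entry_hash"] = sha256_hex(json.dumps(entry, sort_keys=True).encode())
        self.entries.append(entry)
        return entry

    def verify(self, evidence_bytes):
        """Return (ok, reason). Checks the evidence against the acquisition hash
        and every entry against its own hash and its link to the previous one."""
        if sha256_hex(evidence_bytes) != self.evidence_hash:
            return False, "evidence hash mismatch"
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["seq"] != i or e["prev_hash"] != prev:
                return False, f"entry {i} link broken"
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if sha256_hex(json.dumps(body, sort_keys=True).encode()) != e["entry_hash"]:
                return False, f"entry {i} modified"
            prev = e["entry_hash"]
        return True, "ok"


def build_example_log():
    log = CustodyLog("EV-2025-0001", EVIDENCE)
    log.record("acquired", "analyst-1", "2025-03-01T11:02:00Z", "imaged with write blocker")
    log.record("transferred", "analyst-2", "2025-03-01T13:30:00Z", "sealed bag #17")
    log.record("analysed", "analyst-2", "2025-03-02T09:15:00Z", "read-only mount")
    return log


def demo():
    """Verify the intact log and three tampering scenarios; returns verify() results."""
    results = {"intact": build_example_log().verify(EVIDENCE)}
    log = build_example_log()
    log.entries[1]["custodian"] = "analyst-3"          # an entry was edited
    results["entry_modified"] = log.verify(EVIDENCE)
    log = build_example_log()
    del log.entries[1]                                  # a hand-off went unrecorded
    results["entry_removed"] = log.verify(EVIDENCE)
    results["evidence_changed"] = build_example_log().verify(EVIDENCE + b"x")
    return results


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name}: {'OK' if ok else 'FAIL'} ({reason})")
```

demo() shows three ways the chain can break: an edited entry, a missing entry, and evidence that no longer matches its acquisition hash. The record itself must be stored and protected separately from the evidence (signed, or held by a second custodian); hashing makes tampering detectable, it does not prevent it.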
---
6. Case: A financial institution’s SOC is evaluating the benefits of
using behavioral analytics within its SIEM platform compared to
traditional signature‑based detection.
Question: Which of the following best describes the advantage of
behavioral analytics?
a) It only detects known threat signatures
b) It identifies anomalies in user and system behavior that might
indicate a previously unknown threat
c) It relies exclusively on static databases
d) It requires no configuration or tuning
Correct ANS: b) It identifies anomalies in user and system behavior
that might indicate a previously unknown threat
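An added example for question 6, not from the course material and not any SIEM vendor's analytics: a per-user baseline (usual hours and typical query volume) is built from constructed history and scored alongside a plain signature check, so the two approaches can be compared on the same events. The history, events, signature list and z-score threshold are assumptions.

```python
"""Behavioural baseline per user versus signature matching.

Added example for review, not part of the course material and not any
SIEM vendor's analytics. The query history, the new events, the signature
list and the z-score threshold are constructed assumptions.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed "known bad" patterns a signature rule would look for.
SIGNATURES = ("' OR 1=1", "UNION SELECT", "xp_cmdshell")

# Constructed ten days of history: (user, hour of day, rows returned by query)
HISTORY = []
for day in range(10):
    HISTORY.append(("alice", 9 + day % 3, 80 + 3 * day))    # 09-11h, ~80-107 rows
    HISTORY.append(("bob", 14 + day % 2, 200 + 5 * day))    # 14-15h, ~200-245 rows

# Constructed new activity to score.
NEW_EVENTS = [
    {"id": 1, "user": "alice", "hour": 3, "rows": 5000,
     "query": "SELECT * FROM customers"},                   # valid SQL, no signature
    {"id": 2, "user": "bob", "hour": 14, "rows": 210,
     "query": "SELECT name FROM customers WHERE id = 7"},
    {"id": 3, "user": "bob", "hour": 15, "rows": 220,
     "query": "SELECT id FROM users WHERE 1=1 UNION SELECT password FROM accounts"},
    {"id": 4, "user": "carol", "hour": 10, "rows": 50,
     "query": "SELECT 1"},                                   # account with no history
]


def build_baseline(history):
    """Per user: set of hours seen and mean / population stdev of rows returned."""
    hours, rows = defaultdict(set), defaultdict(list)
    for user, hour, n in history:
        hours[user].add(hour)
        rows[user].append(n)
    return {u: {"hours": hours[u], "mean": mean(rows[u]), "stdev": pstdev(rows[u])}
            for u in rows}


def signature_match(event):
    """Signature detection: does the query contain a known-bad string?"""
    q = event["query"].upper()
    return any(sig.upper() in q for sig in SIGNATURES)


def behavior_reasons(event, baseline, z_threshold=3.0):
    """Reasons this event deviates from the user's own history ([] means normal)."""
    b = baseline.get(event["user"])
    if b is None:
        return ["no baseline for user"]   # new or dormant account: review, not silence
    reasons = []
    if event["hour"] not in b["hours"]:
        reasons.append(f"hour {event['hour']} outside usual hours {sorted(b['hours'])}")
    if b["stdev"] > 0:
        z = (event["rows"] - b["mean"]) / b["stdev"]
        if abs(z) > z_threshold:
            reasons.append(f"rows {event['rows']} is {z:.0f} stdev from mean {b['mean']:.0f}")
    elif event["rows"] != b["mean"]:   # constant history: any change is a deviation
        reasons.append(f"rows {event['rows']} differs from constant baseline {b['mean']:.0f}")
    return reasons


def analyze(events, baseline):
    return [{"id": ev["id"], "signature": signature_match(ev),
             "behavior": behavior_reasons(ev, baseline)} for ev in events]


if __name__ == "__main__":
    for r in analyze(NEW_EVENTS, build_baseline(HISTORY)):
        print(r)
```

On the sample events the signature rule catches only the query containing UNION SELECT, while the baseline flags alice's 03:00 query returning 5,000 rows, which contains nothing a signature could match. A user with no history is reported as such rather than silently passed, and the baseline must be rebuilt as roles and workloads change, which is the tuning effort behind option d being wrong.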