Refer to the exhibit.

An attacker scanned the server using Nmap. What did the attacker obtain from this scan?

1. A. Identified a firewall device preventing the pert state from being returned.
2. B. Identified open SMB ports on the server
3. C. Gathered information on processes running on the server
4. D. Gathered a list of Active Directory users

Correct Answer: C

A SOC analyst is investigating an incident that involves a Linux system that is identifying specific sessions. Which identifier tracks an active program?

1. A. application identification number
2. B. active process identification number
3. C. runtime identification number
4. D. process identification number

Correct Answer: D

Refer to the exhibit.

Which type of log is displayed?

1. A. IDS
2. B. proxy
3. C. NetFlow
4. D. sys

Correct Answer: A
You also see the 5-tuple in IPS events, NetFlow records, and other event data. In fact, on the exam you may need to differentiate between a firewall log versus a traditional IPS or IDS event. One of the things to remember is that traditional IDS and IPS use signatures, so an easy way to differentiate is by looking for a signature ID (SigID). If you see a signature ID, then most definitely the event is a traditional IPS or IDS event.

An engineer is investigating a case of the unauthorized usage of the “Tcpdump” tool. The analysis revealed that a malicious insider attempted to sniff traffic on a specific interface. What type of information did the malicious insider attempt to obtain?

1. A. tagged protocols being used on the network
2. B. all firewall alerts and resulting mitigations
3. C. tagged ports being used on the network
4. D. all information and data within the datagram

Correct Answer: C

A user received a malicious attachment but did not run it. Which category classifies the intrusion?

1. A. weaponization
2. B. reconnaissance
3. C. installation
4. D. delivery

Correct Answer: D