SOC Monthly Quiz

Analyze the email headers for sender details and authentication records

Immediately block the user’s account

Click the link to check where it leads

Ask the user to reply to the email for verification

Pay the ransom to retrieve the files

Re-image the device

Ask the user to rename the encrypted files

Disconnect the infected machine from the network

Upgrade the server hardware

Upgrade rule on WAF

Review web server logs and check for signs of successful exploitation

Block IP to prevent SQL attacks

It blocks all incoming and outgoing traffic by setting the firewall to its strictest mode.

It turns off the Windows Defender Firewall for all network profiles (Domain, Private, and Public).

It disables only the Domain profile of Windows Firewall, leaving Private and Public profiles active.

It resets the firewall rules to their default settings without disabling the firewall.

Disable failed login alerts in the SIEM to reduce noise from brute-force attempts.

Add the attacker’s IP to a global "safe list" to monitor their activity.

Block the attacker's IP, enforce account lockout policies, and enable multi-factor authentication (MFA).

Change the RDP port from 3389 to a random high-number port to evade attackers

Review SIEM and proxy logs to confirm the source, destination, and nature of the data transfer.

Contact the employee FLM directly and ask them to explain their activity.

Disable all outbound internet access to prevent further uploads.

Immediately block the user’s account

Reset the password for all users in the organization to prevent widespread compromise.

Immediately lock the account, force a password reset, and review the account's recent activity.

Notify the account owner to change their password immediately and continue monitoring the account for further activity.

Immediately block all PowerShell execution on the system to stop potential malicious actions.

Notify the user to stop running PowerShell scripts, as it may be a common user mistake.

Decode the Base64 script, review its content, and analyze its behavior in a sandbox environment.

Restart the system and clear the temporary directory to remove traces of the script.

Disable PubkeyAuthentication and rely solely on password-based authentication for simplicity.

Disable ChallengeResponseAuthentication and rely on password authentication only.

Disable Password Authentication and enforce the use of public key authentication only.

Modify the /etc/ssh/sshd_config file to allow only Challenge-Response authentication

An alert indicating a successful brute-force login attack when there was none

An alert about unusual traffic that is determined to be caused by a DDoS attack

An alert indicating malware detected in a sandbox environment

An alert indicating a legitimate login attempt by an authorized user