Endpoint Monitoring

Question 1

The practice of observing and analyzing host-level activity for signs of malicious behavior.

Answer 1

Endpoint monitoring

Question 2

A security solution that collects real-time data from endpoints and detects suspicious behavior.

Answer 2

Endpoint Detection and Response (EDR)

Question 3

A basic tool that monitors endpoints for malware using known signatures.

Answer 3

Antivirus

Question 4

A centralized platform that manages security policies, agent configurations, and alerting across endpoints.

Answer 4

Endpoint security manager

Question 5

Logs that record local user logins, process launches, and system changes.

Answer 5

Host-based logs

Question 6

Log data that shows which user account started a process and when.

Answer 6

Security log (Event ID 4688 in Windows)

Question 7

Suspicious behavior where a script spawns a system process (e.g., PowerShell → cmd.exe).

Answer 7

Process chaining

Question 8

Endpoint activity indicating persistence via registry modification or startup folder use.

Answer 8

Persistence mechanism

Question 8

An alert triggered when a program tries to access memory used by another program.

Answer 8

Memory injection detection

Question 9

Endpoint behavior where malware disables security tools or logging.

Answer 9

Defense evasion

Question 10

The file type or artifact that stores logs and events from Windows endpoints.

Answer 10

.evtx (Windows Event Log file)

Question 11

Tool used to monitor Linux endpoint logs in real time.

Answer 11

journalctl

Question 12

The process of collecting and analyzing security-relevant artifacts from a single host.

Answer 12

Host forensics

Question 13

A suspicious event where a non-administrator account gains privileged access.

Answer 13

Privilege escalation

Question 14

Detecting commands such as net user or whoami from scripts on a host.

Answer 14

Reconnaissance behavior

Question 15

The process used to ensure endpoint logs are not tampered with.

Answer 15

Log integrity verification

Question 16

Monitoring technique used to detect ransomware encrypting multiple files rapidly.

Answer 16

File access anomaly detection

Question 17

Tool used to monitor file changes, hashes, and unauthorized modifications.

Answer 17

File Integrity Monitoring (FIM)

Question 18

Endpoint activity showing encoded PowerShell or base64 strings.

Answer 18

Obfuscated command execution

Question 19

Suspicious access to C:\Users<user>\AppData\Temp or similar directories may indicate:

Answer 19

Malware staging

Question 20

A known clean file altered by an attacker to evade detection.

Answer 20

Living off the land (LOLBin)

Question 21

The use of a system tool (like regsvr32.exe) for malicious purposes.

Answer 21

Living off the land technique

Question 22

The component responsible for sending endpoint log data to a SIEM.

Answer 22

Log forwarder (e.g., Winlogbeat, NXLog)

Question 23

A suspicious pattern of failed login attempts on an endpoint.

Answer 23

Brute-force attack

Question 24

Alert showing a rarely used binary executed from a temporary or user directory.

Answer 24

Execution anomaly

Question 25

The tool that collects telemetry across endpoints and creates behavior baselines.

Answer 25

Extended Detection and Response (XDR)

Question 26

Endpoint event showing file encryption followed by ransom note creation.

Answer 26

Ransomware indicator

Question 27

A change in startup programs or scheduled tasks on an endpoint.

Answer 27

Persistence indicator

Question 28

Log entries showing unknown IPs initiating RDP sessions on multiple hosts.

Answer 28

Lateral movement detection

Question 29

A collection of logs, alerts, and telemetry focused on user devices and servers.

Answer 29

Endpoint telemetry

Question 30

A method attackers use to hide in plain sight by renaming tools like cmd.exe to svchost.exe.

Answer 30

Masquerading

Question 31

Use of rare or unsigned executables that do not match a known software baseline.

Answer 31

Application whitelisting violation

Question 32

Threat actor behavior that manipulates registry keys or local group policies.

Answer 32

System configuration tampering

Question 33

A user opening an unusual file type like .scr, .hta, or .vbs from email.

Answer 33

Potential malware execution

Question 34

Endpoint alert triggered by unexpected network traffic from a non-networking process.

Answer 34

Outbound beaconing

Question 35

Executables found in non-standard directories such as %TEMP% or %APPDATA%.

Answer 35

Suspicious file location

Question 36

Monitoring tool that can terminate malicious processes and isolate infected hosts.

Answer 36

EDR response feature

Question 37

The process of reviewing alerts to determine if they are true positives or false positives.

Answer 37

Alert triage

Question 38

An endpoint monitoring control that ensures removable devices are logged or restricted.

Answer 38

Device control policy

Question 39

The endpoint event that may indicate credential dumping activity.

Answer 39

LSASS memory access attempt