lab 24 Flashcards
Which MITRE ATT&CK technique reference codes are associated with a logon failure event? (Select two)
T1078
T5309
T1531
T1507
Answer: T1078, T1531
What is the description of the security alert raised when the Application and System logs are cleared?
The audit log was cleared
A Windows log file was cleared
Event viewer logs were cleared
A log file was cleared
Answer: The audit log was cleared
Which sources can Wazuh use to detect suspicious activity? (Select all that apply)
OS logs
Application logs
Network equipment logs
Cloud logs
Answer: OS logs, application logs, network equipment logs, cloud logs
Which MITRE ATT&CK tactic did Wazuh identify for the deletion of an audit log?
Persistence
Privilege Escalation
Lateral Movement
Defense Evasion
Answer: Defense Evasion
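The three Wazuh cards above (logon failure techniques, the log-cleared alert description, and the Defense Evasion tactic) describe what a rule-based detector does with Windows events. As an added example that is not part of the flashcards and is not Wazuh's own ruleset, the script below runs a Wazuh-style rule match over constructed Windows event lines: it matches on event ID, enriches each alert with MITRE ATT&CK IDs and tactics, and applies a frequency rule that escalates repeated logon failures from one source, the way Wazuh frequency/timeframe rules do. The JSON event shape, rule IDs, levels and sample events are assumptions made for the example; event IDs 4625 (logon failure), 1102 (Security log cleared) and 104 (an event log file cleared, written to the System log) are the real Windows IDs. Technique IDs for the logon failure rule follow the card's answer (T1078, T1531); T1070.001 (Clear Windows Event Logs) on the log-clear rules is added here, since the card names only the tactic.

```python
"""Toy Wazuh-style detector: event-ID rules, MITRE enrichment, frequency escalation.

Example code added for illustration; not Wazuh's ruleset or alert format.
"""
import json
from collections import defaultdict, deque

# Constructed sample log lines in a simplified JSON shape (assumption: not real
# Wazuh agent output). "ts" is epoch seconds.
SAMPLE_LOG_LINES = [
    json.dumps({"ts": 1000, "channel": "Security", "event_id": 4625, "src_ip": "10.0.0.5", "user": "bob"}),
    json.dumps({"ts": 1010, "channel": "Security", "event_id": 4625, "src_ip": "10.0.0.5", "user": "bob"}),
    json.dumps({"ts": 1015, "channel": "Security", "event_id": 4624, "src_ip": "10.0.0.7", "user": "alice"}),
    json.dumps({"ts": 1020, "channel": "Security", "event_id": 4625, "src_ip": "10.0.0.5", "user": "admin"}),
    json.dumps({"ts": 1100, "channel": "Security", "event_id": 1102, "user": "bob"}),
    json.dumps({"ts": 1105, "channel": "System", "event_id": 104, "cleared_log": "Application", "user": "bob"}),
    json.dumps({"ts": 1110, "channel": "Security", "event_id": 4625, "src_ip": "10.0.0.9", "user": "carol"}),
]

# Constructed rule table (rule IDs and levels are assumptions). Keyed by Windows event ID.
RULES = {
    4625: {
        "id": 100001, "level": 5, "description": "Logon failure",
        "mitre_ids": ["T1078", "T1531"],   # per the flashcard answer
        "tactics": [],                     # the card does not pin a single tactic for these
        # Frequency rule: N matches sharing the same key within a time window escalate.
        "frequency": {"threshold": 3, "window": 60, "key": "src_ip", "level": 10,
                      "description": "Multiple logon failures from the same source"},
    },
    1102: {
        "id": 100002, "level": 9, "description": "The audit log was cleared",
        "mitre_ids": ["T1070.001"], "tactics": ["Defense Evasion"],
    },
    104: {
        "id": 100003, "level": 9, "description": "An event log file was cleared",
        "mitre_ids": ["T1070.001"], "tactics": ["Defense Evasion"],
    },
}


def make_alert(event, rule, level, description):
    """Build an alert record loosely shaped like Wazuh's rule/mitre/data layout."""
    return {
        "rule": {"id": rule["id"], "level": level, "description": description,
                 "mitre": {"id": list(rule["mitre_ids"]), "tactic": list(rule["tactics"])}},
        "data": event,
    }


def run_detection(lines, rules=RULES):
    """Match each JSON log line against the rule table and return the alerts raised."""
    alerts = []
    # (event_id, key value) -> timestamps of recent matches, for frequency rules.
    windows = defaultdict(deque)
    for line in lines:
        event = json.loads(line)
        rule = rules.get(event.get("event_id"))
        if rule is None:
            continue  # no rule for this event ID: nothing to alert on
        freq = rule.get("frequency")
        if freq:
            key = (event["event_id"], event.get(freq["key"]))
            recent = windows[key]
            recent.append(event["ts"])
            # Drop matches that fell out of the time window.
            while recent and event["ts"] - recent[0] > freq["window"]:
                recent.popleft()
            if len(recent) >= freq["threshold"]:
                recent.clear()  # reset so the escalation does not re-fire on every further event
                alerts.append(make_alert(event, rule, freq["level"], freq["description"]))
                continue  # the escalated alert replaces the base alert for this event
        alerts.append(make_alert(event, rule, rule["level"], rule["description"]))
    return alerts


def alerts_by_tactic(alerts, tactic):
    """Filter alerts whose MITRE tactic list contains the given tactic."""
    return [a for a in alerts if tactic in a["rule"]["mitre"]["tactic"]]


if __name__ == "__main__":
    for alert in run_detection(SAMPLE_LOG_LINES):
        r = alert["rule"]
        print(f'level={r["level"]:<2} rule={r["id"]} {r["description"]!r} '
              f'mitre={r["mitre"]["id"]} tactic={r["mitre"]["tactic"]}')
```

Running it on the constructed lines gives three plain logon-failure alerts, one level-10 escalation for the third failure from 10.0.0.5 inside 60 seconds, and two Defense Evasion alerts for the cleared logs; the successful logon (4624) raises nothing because no rule covers it.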
Which phase of an incident response plan creates a record of events or notifies security personnel of violations?
Analysis
Detection
Eradication
Containment
Answer: Detection
Once the security team is made aware of a potential incident, what is the next phase of incident response?
Preparation
Analysis
Eradication
Recovery
Lessons learned
Answer: Analysis
What are potential signs of security breaches or malicious activity within an IT infrastructure known as?
IoCs (Indicators of Compromise)
Event records
False positives
Registry values
Answer: IoCs (Indicators of Compromise)