Practice Test 1 Flashcards

(75 cards)

1
Q

According to the Microsoft Kubernetes Attack Matrix, which technique corresponds to the persistence tactic?

BITS Jobs
Cluster-admin binding
DLL Side-Loading
Writable hostpath mount

A

Writable hostpath mount

2
Q

Which Azure Kubernetes Service activity is recorded in the Activity log by default?

Pod assignment
Cluster Creation
Autoscaling events
API server

A

The first place one would be inclined to peruse when analyzing Kubernetes activity in the AKS service may be the Activity Log. This data only contains information regarding the management plane activity of the AKS service itself, in other words, when a cluster is created, modified, or deleted, not the underlying Kubernetes components' activity.

Diagnostic settings can be enabled to provide a more thorough view of the Kubernetes infrastructure. This includes:
* kube-apiserver: Data related to validation and configuration for the Kubernetes API objects (e.g., pods, services)
* kube-scheduler: Pod-to-node assignment activity
* cluster-autoscaler: Autoscaling activity

3
Q

What command would reveal the metadata for objects stored in the reports container shown in the following image?

lovelynovemberstorage | storage browser
Blob containers
* reports

Get-AzStorageContainer -Context Private | Where-Object reports -ne 0
az storage blob details --container-name reports --account-name tasha
Get-AzBlobContainer -Container "reports" | -Metadata
az storage blob list --container-name reports --account-name lovelynovemberstorage

A

The command az storage blob list --container-name $CONTAINERNAME --account-name $ACCOUNTNAME provides useful blob metadata.

4
Q

The Azure Cognitive Search @search.score metric provides what information?

The relevance of the provided search criteria
The accessibility of the targeted data sources
The percentage of the search completed so far
The number of records matching the search criteria

A

The @search.score metric is the output of a similarity ranking algorithm in Azure Cognitive Search. Simply put, this applies a relevancy score to the retrieved document to aid in ranking which retrieved result is more relevant to the search conducted. The higher the number, the more relevant. However, when searching for the existence of a string, the relevancy score of greater than 0 should be an indication that you have found a document with the search in question.

5
Q

Which of the following describes the Azure NSG Flow log traffic shown below?
“1665426195,91.240.118.75,10.0.0.4,49931,51315,T,I,D,B,,,,”

UDP traffic
Beginning of flow
Allowed traffic
Outbound traffic

A

The flow tuple structure for Azure NSG Flow logs is:
* Timestamp (UNIX Epoch)
* Source IP
* Destination IP
* Source Port
* Destination Port
* Protocol (TCP, UDP)
* Traffic Flow (Inbound, Outbound)
* Traffic Decision (Allow, Deny)

NSG Flow Log Version 2 only:
* **Flow State (Begin, Continue, End)**
* Packets (Source to Destination)
* Bytes (Source to Destination)
* Packets (Destination to Source)
* Bytes (Destination to Source)

6
Q

What tool can improve logs by removing unnecessary fields and adding valuable details such as IP to hostname resolution?

Logstash
Event Hubs
EventBridge
ElastiCache

A

Logstash is able to perform log enrichment. Logs can be redirected to Logstash so it can enrich them by removing unnecessary data (lowering the data transit) and adding relevant information.

EventBridge is useful for coordinating other components. It would be possible to perform log enrichment using lambda functions if EventBridge is configured to call this action. However, EventBridge does not provide enrichment by itself.

Azure’s Event Hubs can also forward logs to other systems, but it is not a log enrichment tool. ElastiCache is an unrelated tool intended to improve the performance of web pages by facilitating in-memory cache.

7
Q

What can be determined from the VPC flow log below?
2 56425 eni-3333aa2 10.2.3.3 10.2.4.2 001 4 336141856 1666133655 1666133660 ACCEPT OK

There was TCMPUX traffic from 10.2.4.2 to 10.23.3
There was ICMP traffic from 10.2.4.2 to 10.2.3.3
There was ICMP traffic from 10.2.3.3 to 10.2.4.2
There was TCMPUX traffic from 10.23.3 to 10.2.4.2

A

There was ICMP traffic from 10.2.3.3 to 10.2.4.2

8
Q

Which service offers both Application-based and Network-based traffic distribution across a Cluster of servers?

Azure CDN
Azure Load Balancer
AWS CloudFront
AWS Elastic Load Balancing

A

AWS Elastic Load Balancing allows developers to create highly available workloads. Developers also have the flexibility to select between different types of load balancers:

  • Application Load Balancer: This allows for content-based routing and traffic routing
  • Network Load Balancer: Distributes TCP/UDP/TLS traffic amongst target groups

CDNs like Azure CDN and AWS CloudFront cache content across various regions or availability zones. Azure Load Balancer is a network-based service and does not provide application load balancing.

9
Q

What is the maximum amount of time that a new flow log can capture traffic from the AWS management console before sending it to an S3 bucket?

10 minutes
5 hours
1 hour
5 minutes

A

When creating a flow log, a maximum aggregation interval can be set. This determines the amount of time a flow is captured before a log record is created. The maximum amount of time is 10 minutes. The other options are not valid for this setting.

10
Q

What is Docker's default logging driver?

json-file
logentries
local
syslog

A

json-file

11
Q

IP addresses, domain names, and file hashes would fall under what detection category?

Discrete
Atomic
Incremental
Statistical
Behavioral

A

Atomic

12
Q

How will the output of the following command be displayed to the user?

$ aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=ListBuckets

JSON
Gzip
Base64
csv
XML

A

JSON

13
Q

Which dashboard provides the following status information?

Compliance status
Rules
33 Noncompliant rule(s)
8 Compliant rule(s)

Resources
29 Noncompliant resource(s)
2 Compliant resource(s)

Microsoft Defender
AWS GuardDuty
AWS Config
Microsoft Sentinel

A

The main dashboard of the AWS Config page shows its bias as a compliance service. A “compliant rule” is a rule that specifies some configuration requirement for a service.

14
Q

What does the ‘2’ at the beginning of the following AWS VPC flow log signify?
2 490123987333 eni-300-f966c 10.10.1.11 10.10.2.22 49152 3389 6 20 3072 1433807350 1433180982 ACCEPT OK

Version
Interface identifier
Protocol
Packet number

A

Version

15
Q

What service can provide monitoring for poor network performance of a user interface using canaries?

CloudTrail
CloudWatch
VPC flow logs
Pacu

A

CloudWatch

16
Q

What needs to be taken into account when sending VPC Flow logs to its destination?

Delivery to an S3 bucket is instantaneous
CloudWatch services take up to 5 minutes to publish logs
CloudWatch can ingest a maximum of 200 MB at a time
S3 bucket has a maximum log size of 100 MB

A

CloudWatch services take up to 5 minutes to publish logs

17
Q

What automated response action typically requires a human operator to complete?

Instance Deletion
Log collection
Notification Action
Secret rotation

A

Instance Deletion

18
Q

Which of the following is expected to incur additional costs when using a CDN service?

Restricting access to content with geolocation blocking
Allowing the use of both HTTP POST and GET request methods
Requesting on-demand cache updates for expired content
Caching more than one type of static content for client access

A

This static content is stored on the CDN node for a user-defined period. The disadvantage is that if the file is updated on the origin server, the CDN node will not request the new file until after the old one expires. There are ways around this: you can initiate an on-demand data expiration. However, this technique should be used sparingly as it does cost the customer each time clearing the CDN cache is invoked.

19
Q

An analyst is investigating a UEBA trigger in Microsoft Sentinel. Which field would provide more information on why the activity was tagged as anomalous?

ActivityInsights
AlertEvidence
ThreatIntelligenceIndicator
ActivityType

A

The ActivityInsights field within the BehaviorAnalytics table provides more context to the UEBA alert and more details on why the behavior was identified as anomalous. The ActivityType field provides the high-level view of the activity that occurred. The ThreatIntelligenceIndicator table holds data relating to threat intelligence that the analysts have imported. AlertEvidence is an event type for Microsoft 365 Defender.

20
Q

Which log file does a Debian-based Linux system use to capture SSH login attempts?

/var/log/syslog
/var/log/secure
/var/log/kern.log
/var/log/auth.log

A

/var/log/auth.log

21
Q

Which Azure Storage Container access level will provide full read access to the container and its blobs?

Private
Container
Blob

A

Container

22
Q

What is an AWS trail?

The metadata associated with an API call
A method for delivering log events to an S3 bucket
An archive service for managing log retention
The network traffic sent to and from a VPC

A

A method for delivering log events to an S3 bucket

A “trail” is an AWS resource in the CloudTrail service that describes what kinds of events to save, the bucket to save it to, and potentially other actions when an event is generated.

By default, CloudTrail stores ninety days of management events.

23
Q

An engineer wants to look at both the current and historical configuration for software running on a virtual machine. Which solution can provide this?

AWS Config integrated with System Manager
Cloud Control API
Truffle Hog integrated with a SIEM
Athena

A

AWS Config integrated with System Manager

24
Q

Which command completes the docker instruction below used to capture system activity?

ln -s <command> /var/log/syslog

/etc/rsyslog
stdout
stderr
/proc/1/fd/1

A

By default, system activity data is written to /var/log/syslog when captured using a syslog daemon. Since a docker container is only interested in stdout and stderr of the main process (process ID 1), log data from any other binaries running inside the container must be sent to /proc/1/fd/1.

The docker instruction ln -s /proc/1/fd/1 /var/log/syslog creates a symbolic link so that any data intended to be written to the syslog log file will instead be written to /proc/1/fd/1 (the stdout of process ID 1).

25
Q

Which Windows event channel provides logs on privilege escalation?

Setup
System
Security
Application

A

Security
26
Q

What would help an analyst determine the direction of VPC flow log traffic?

Using a KQL query on the FlowDirection_s field
Using fields available in version 5
Sending the logs to Azure Log Analytics
Comparing Flow states to determine direction

A

**Version 5** of VPC Flow Logs includes additional fields to help understand the direction of the traffic. These fields include flow direction and traffic direction options. NSG Flow Logs can be sent to Azure Log Analytics, whereas VPC Flow Logs can be sent to either an S3 bucket or CloudWatch. Writing a KQL query for the field FlowDirection_s would allow for searching NSG Flow Logs for flow direction. Flow states help with NSG logs to show if the flow is beginning, continuing, or ending.
27
Q

Which Azure service supports full packet captures to and from a virtual machine?

Defender for Endpoint
Network Watcher
Firewall Manager
Event Bridge

A

Network Watcher
28
Q

Which of the following are diagnostic logging categories used by Azure App Services?

Success and Failure
HTTP and Console
Metrics and Access
Data and Insights

A

After enabling diagnostic logging in Azure App Services, categories of logs include **HTTP and Console**. Metrics and Web Access logs are collected by AWS Amplify.
29
Q

How do mathematical expression alarms differ from static threshold alarms?

Math expression alarms combine more than one metric
Math expression alarms require customer-defined queries for evaluation
Static threshold alarms require customer-defined queries for evaluation
Static threshold alarms combine more than one metric

A

Math expression alarms combine more than one metric
30
Q

Which OWASP security risk is being displayed in the string below?

http[:]//gizmoswifi[.]org/app/accountview?id=' or 1'='1

Injection attack
Insufficient logging
Server-Side request forgery
Cross-Site scripting

A

Injection attack
31
Q

Tactics represent which of the following in the MITRE ATT&CK framework?

The goals of an attacker
How an attack is performed
The mitigations of an attack
How an attacker is detected

A

ATT&CK, which stands for Adversary Tactics, Techniques, and Common Knowledge, attempts to bring order to the chaos of cataloging and describing how attackers operate in infrastructure. Framework Tactics are the **"goals" of the attacker**. For example, an attacker wants to gain "Initial Access" to an organization or seeks "Exfiltration" of an organization's data.
32
Q

What is the IP address 169.254.169.254 used for in cloud environments?

Metadata service in cloud compute instances
Publicly accessible DNS server
Reserved RFC 1918 private IP address
Blackhole network traffic routing

A

The correct answer is that IP address "169.254.169.254" is a loopback **metadata service that runs on cloud computing instances**. Both AWS and Azure use this IP address to provide metadata access to the hypervisor. The other choices are not relevant to this IP address.
33
Q

How can CloudWatch Logs Insights query application logs that use a delimited string format?

The Logs Insights tool will automatically discover fields and values in strings
The log strings must be escaped with backspace characters before sending to CloudWatch
The Logs Insights parse command must be used to identify fields in log strings
The log contents must be converted to CWL format by the application's CloudWatch agent

A

AWS provides the CloudWatch Logs Insights tool as part of CloudWatch, a user interface that makes it easier to query across logs. A handful of log types are pre-parsed and the specific fields in the message can be used. Or, if the log entry is JSON, Logs Insights can automatically discover the field/value pairs. However, the vast majority of third-party logs will have some file format that will be impossible for Logs Insights to discover and parse. Therefore, the **parse command** must be used. For example:
* Glob: parse @message "[*] *The error was: *" as level, config, exception
* Regex: parse @message The error was: (?

The CloudWatch Logs Insights query syntax is a stripped-down query language used to craft the queries.
34
Q

An engineer wants to run the following command for a specific Azure VM. Why is the following Azure Run command failing this objective?

az vm run-command invoke -g GCTD --command-id "RunShellScript" --scripts "cat /etc/passwd"

The resource group is not specified
The run-command syntax is incorrect
The script is improperly formatted
The name of the Azure VM is missing

A

The name of the Azure VM is missing
35
Q

Based on the following response, what configuration is set on the EC2 host?

Recognizing "destination_port" and "dst_port" from different event sources are the same field
41
Q

Which PowerShell module must be installed to use the Search-UnifiedAuditLog cmdlet for Microsoft 365 services?

Az.Monitor
SecMgmtInsightsConnector
ExchangeOnlineManagement
Microsoft.Graph

A

To programmatically access this data outside of the graphical user interface that is the Compliance admin center, a PowerShell cmdlet is available to retrieve and query the audit log called Search-UnifiedAuditLog. This cmdlet requires the use of another cmdlet called **Connect-ExchangeOnline (part of the ExchangeOnlineManagement module)** in order to query Microsoft 365 services.
42
Q

Which AWS service can respond to events and automatically make changes to compute resources?

Lambda
CloudTrail
Kinesis
EventBridge

A

Lambda
43
Q

What is the significance of the source identifier in the following GuardDuty finding?

"i-08b8c4d919cb23a57 is performing SSH brute force attacks against 100.26.147.241."

A previous GuardDuty incident recorded the same source
Traffic originated from AWS backbone infrastructure
A suppression filter is applied
An EC2 instance initiated the traffic

A

The GuardDuty finding's details show all the information about this finding that GuardDuty knows. The target, or potential actor, details anything known about the perpetrator or victim of the attack. It will usually be an "actor" and may include the IP address perpetrating the SSH brute force. However, in the above event, GuardDuty detects one of our EC2s attempting to do a brute-force attack, and uses the instance identifier. So in this case, it is showing who our **EC2 instance** is brute-force attacking.
44
Q

What is the process of adding context and specificity to individual log entries?

Data cleansing
Event correlation
Field normalization
Data enrichment

A

Data enrichment
45
Q

What can be determined from the output of the following command?

az provider operation list

Federation settings
Resource permissions
Unregistered extensions
Session history

A

Similar to AWS's actions, Azure provides users with resource provider operations. These **resource permissions** are used to determine which requests can be allowed or denied on a particular resource by a requestor. There are numerous operations available in Azure, and they can be retrieved a few different ways:
* Microsoft documentation: This outlines all possible operations and what they perform in Azure.
* Azure Portal: When attempting to create a custom role, there is an option to "Download all permissions". This download contains a CSV file with every available permission.
* Azure CLI: Run the az provider operation list command.
46
Q

What happens when the following command is run?

$ aws ec2 describe-instance-status --instance-id i-0gad34522c9b0058b

HTTP API calls are sent through a REST interface
REST API calls are sent to the service endpoint
Python commands are sent to the API gateway
The Python runtime sends a script to the instance

A

**Each command through the CLI creates a set of REST API calls to the AWS service endpoints.** The AWS CLI is a Python tool that makes it easier to interact with the AWS API without having to deal with REST interfaces. Each command roughly translates to an AWS call. The results are translated and displayed in JSON, text, YAML or in a table format. The AWS CLI version 2 is now considered the standard version, but version 1 of the CLI is still available and is still being updated. The AWS CLI commands follow a similar pattern:

$ aws ec2 create-key-pair --key-name "test"
47
Q

What is the AWS SDK for Python built on?

Botocore
.NET
Kotlin
C++

A

The Python SDK is probably the most used in AWS. **Botocore** is a low-level SDK that interacts directly with the AWS service nodes. Boto3 is another Python library that is built on Botocore and provides a higher-level abstraction. Boto3 makes it very simple to interact with AWS services without having to worry about the REST connections. Boto3 is typically what Python developers use.
48
Q

Which protocol is supported for accessing Azure file share storage?

HTTP
NFS
RDP
SSH

A

Azure Storage has several options to collect activity depending on which storage types are in use. For File Shares, data can be accessed over Server Message Block (SMB) or Network File System (NFS) connections.
49
Q

What can be determined from the provided CloudWatch agent configuration?

"agent": {
  "metrics_collection_interval": 15,
  "logfile": "",
  "debug": true
}

Metrics will be buffered in memory for 15 minutes
Region will default to US-EAST-1
Agent logs will be sent to stderr

A

Since the logfile field has an empty string, the agent logs will **go to stderr**. The region field is left out, so it will default to the region the EC2 instance is in. The metrics_collection_interval is set to 15, so metrics will be collected every 15 seconds.
50
Q

What does a customer need to create a custom compliance rule in AWS Config?

SecurityHub's rule wizard
An imported rule in JSON format that enables resource monitoring in the Config portal
A Lambda function to evaluate resources and return the results to AWS Config
A custom extension

A

AWS has a large number of standard rules already defined and available to be applied. The customer can also **create their own custom rules using AWS Config and Lambda**. A Lambda function performs the evaluation and returns the results in a standard format that AWS Config recognizes.
51
Q

While hunting for unusual files in the folder, what file would match the following regular expression criteria?

C:\\Windows\\System32\\[0-9a-zA-Z]{9}\.exe

abcdefghi.exe
9.exe
1 bQ9.exe
0123456789.exe

A

**abcdefghi.exe**

At a high level, C:\\Windows\\System32\\[0-9a-zA-Z]{9}\.exe is explained as:
* C:\\Windows\\System32\\: The literal directory path to be searched (notice the escaped \ characters).
* [0-9a-zA-Z]: Square brackets indicate an OR operator for the characters or character ranges inside of it. In this case, it is specifying any number or mixed-case letter.
* {9}: Curly braces with a number indicate how many of the preceding items to consider a match. In this case, exactly 9 letters or numbers in a row.
* \.exe: The literal extension (notice the escaped . character).
52
Q

What needs to be defined when making a call to CloudWatch's PutLogEvents API?

A log stream
A storage bucket
An EventBridge target
A Lambda function

A

A log stream
53
Q

Which network option is required when using Fargate?

bridge
awsvpc
host
overlay

A

awsvpc
54
Q

What access should be assigned to an IAM role used by internal forensic investigators?

Write access to network configurations
Write access to buckets with production data
Create snapshots of any system
Create and configure new VPCs

A

Create snapshots of any system
55
Q

What does the AWS GuardDuty Malware Protection process use to identify potential malware on an EC2 instance?

A host-based agent
API interception
A container
A snapshot

A

Malware Protection findings will take a **snapshot** of VMs and EKS containers to analyze the files. Any files deemed "suspicious" will create a "SuspiciousFile" finding type. Kicked off by some GuardDuty findings, a scan is made of the container or virtual machine, looking for a known malware file. If one is found, a Malware Protection finding is generated with information about the file and the finding itself. The Malware Protection process has the benefit of operating without the need for an agent. The detection process can be run anytime because the AWS API supports snapshots and systems analysis.
56
Q

Which service can be accessed using an authenticated HTTP request to query for any Microsoft 365 artifact?

Exchange Admin Center
Graph API
Azure Monitor
Sentinel

A

Graph API
57
Q

The following header value would be included in which type of request?

-H Metadata:true

Executing an extension with the Azure CLI
Finding an AWS customer's account ID
Obtaining an Azure managed identity token
Modifying the configuration of an AWS EC2 instance

A

Azure has its own metadata service that requires a custom header: -H Metadata:true. This creates a custom header and sends it as part of the HTTP GET request. The value of the header must be Metadata:true to signify in the request that yes, we know this is for metadata and nothing else. Without the header, the Azure metadata service will drop the query. When the cloud resource is in need of credentials, it can ask Azure, via the local metadata service, for a bearer token which has a default lifetime of twenty-four hours. An attacker could acquire this token, which will give them the same rights as the managed identity, ranging from very low-level to Owner permissions.
58
Q

Azure CLI extensions are written in which language?

PowerShell
Python
KQL
NodeJS

A

Azure's command line tool allows you to create an "extension". These extensions, written in Python, are called from a command line.
59
Q

What can be determined from the given log?

Event 4624, Microsoft Windows security auditing.
Subject:
  Security ID: SYSTEM
  Account Name:
  Account Domain: WORKGROUP
  Logon ID: 0x3E7
Logon Information:
  Logon Type: 5
  Restricted Admin Mode:
  Virtual Account: NO
  Elevated Token: YES
Impersonation Level: IMPERSONATION
New Logon:
  Security ID: SYSTEM
  Account Name: SYSTEM
  Account Domain: NT AUTHORITY
  Logon ID: 0x3E7
  Linked Logon ID: 0x0
Process Information:
  Process ID: 0x3ec
  Process Name: C:\Windows\System32\services.exe

A user failed an interactive log on
A remote desktop login failed
A scheduled task was run by the system account
A service successfully authenticated

A

An event ID of 4624 indicates a successful logon. The logon type of 5 shows that it was a service logon, along with the process being services.exe.
60
Q

What URI-encoded query is stored within the search parameter in the below URL?

https://future-search.search.windows.net/indexes/azureblob-index/docs?api-version=2020-06-30-Preview&search=%2F%5Cd%7B3%7D-%5Cd%7B2%7D-%5Cd%7B4%7D%2F&%24select=metadata_storage_name

JMESPath
Lucene
KQL
Boto3

A

Lucene
61
Q

What is required for AWS Inspector to assess an EC2 instance?

Container repository
CLI extension
Security Hub add-on
Systems Manager agent
Simple Notification Service

A

AWS Inspector can perform host assessments when an SSM (Systems Manager) agent is installed and activated.
62
Q

Which of the following allows a customer to collect logs from Azure Storage?

Querying Log Analytics through Graph
Using default Azure Storage settings
Configuring Diagnostic Settings
Enabling Sentinel integrations

A

Azure customers must navigate to the Diagnostic Settings of the Azure Storage account, enable the necessary logs and metrics they want to collect, and send that data to a location of their choosing. The options are another Azure Storage account, an Azure Log Analytics workspace, Azure Event Hub, or a partner solution. If sending the data to Azure Log Analytics, each of the four offerings from Azure Storage has its own associated table.
63
Q

Which Microsoft Admin Center contains the Content Search service for running keyword queries against all inbound email messages?

Intune
Compliance
Entra
Exchange

A

The various components of Microsoft 365 can be configured using a multitude of admin centers. The Compliance Admin Center is used primarily for meeting compliance needs, which includes maintaining a running list of all Microsoft 365 activity in a Unified Audit Log and providing capabilities to search for data of interest within documents stored in Sharepoint, email received or sent by users, or Teams/Skype messages. The **Exchange** Admin Center provides tools for monitoring and controlling mail flow, but does not have capabilities to review content unless an email is quarantined by the spam filters. Intune offers services to control managed endpoints. Entra is the cloud hosted identity service provided by Microsoft. While some of these Admin Centers may contain links to the Content Search service, the feature resides in the Compliance Admin Center.
64
Q

Consider the URL below. What OWASP category does the attempted attack belong to?

http://goodguys.org/loadImage?filename=../../../etc/passwd

Vulnerable and outdated components
Broken access control
Cryptographic failure

A

Broken access control
65
Q

In the MITRE ATT&CK Azure AD Matrix, which sub-technique falls under Initial Access, Persistence, Privilege Escalation, and Defense Evasion?

Unsecured Credentials
Account Manipulation
Valid Accounts
Brute Force

A

The MITRE ATT&CK Azure AD Matrix is focused on how Azure's main directory service is targeted by real-world adversaries. **Valid Accounts** is a sub-technique included under Initial Access, Persistence, Privilege Escalation, and Defense Evasion.
66
Q

Which log file would contain artifacts from a dictionary attack on an Ubuntu SSH connection?

/var/log/secure
/var/log/kern.log
/var/log/auth.log
/var/log/cron

A

Ubuntu is a Debian-based system; therefore, security-related logs including SSH logins are kept in the /var/log/auth.log log. RHEL-based systems use the log /var/log/secure. Information on scheduled tasks is kept in /var/log/cron, while kernel events are kept in /var/log/kern.log.
67
Q

What is the cause of the connection error shown in the screenshot?

aws configure
AWS Access Key ID AKIA4ZD7VDFJF7YUX40N
AWS Secret Access Key k0QM1jsYZ8dLNNDa5HBhavz9Vb4gp+HYbgQL
Default region name [us-west-1a]: us-east-3
Default output format [None]: glacs
aws ec2 create-key-pair --key-name "test"
Could not connect to the endpoint URL: "https://ec2.us-east-3.amazonaws.com/"

Unauthorized operation
The ec2 instance name must be specific
Incorrect region

A

Incorrect region
68
Q

What can be inferred from the following CloudFront access log record?

2022-10-01 DFW3 443 203.0.113.41 GET d280b1i8p0d4k.cloudfront.net /authicon.ico 401 - python-requests/2.23.0 - Error d280b1i8p0d4k.cloudfront.net http 301 0.065 - HTTP/1.1

The server error message is base64 encoded
The returned HTTP status code error is 301
The CloudFront server's IP address is 203.0.113.41
The requesting client received 443 bytes of data

A

Even if CloudFront is inline between an attacker and a web server, the web server's access logs may only contain data related to CloudFront and not the "real" attacker's system. CloudFront logging can fill in these gaps. These logs can contain a lot of information, including:
* [sc-bytes]: Number of bytes returned to the requesting client (for example: 443), which follows after the time and date
* [sc-status]: HTTP response code from CloudFront, which follows after the requested file path (for example: 401)
* [cs-bytes]: Number of bytes (i.e. 301) sent by the requestor, which follows after the layer 7 protocol such as HTTP or HTTPS
69
Q

Which HTTP method is required to retrieve a TOKEN value using the AWS IMDSv2 API?

PUT
GET
POST
CONNECT

A

In November 2019, AWS announced the Instance Metadata Service Version 2 (IMDSv2), which adds a layer of security to metadata service calls. A request must use an HTTP PUT command to /latest/api/token to return a TOKEN value. Applications that are vulnerable to SSRF usually perform a GET; the requirement for a PUT addresses this issue.
70
Q

Which of the following is the starting point of a threat hunting process?

Investigating an active incident
Eradicating network vulnerabilities
Matching a malware signature
Creating an attack hypothesis

A

Creating an attack hypothesis
71
Q

Which AWS solution pushes logs from a cloud platform into a corporate SIEM?

CloudWatch
Kinesis
Athena
Cloudtrail

A

Kinesis
72
Q

When stored in an Azure Storage container, what unique identifier is used to label and organize the parent folders containing Azure Network Security Group flow data?

Machine Hostname
MAC Address
IP Address
Correlation ID

A

The directory structure of the insights-logs-networksecuritygroupflowevent Azure Storage container is quite unusual. The structure begins with the folder resourceid= and has many subfolders until you arrive at the actual flow data: SUBSCRIPTIONS, the subscription ID of the Azure account, RESOURCEGROUPS, the resource group name which contains the NSG, PROVIDERS, MICROSOFT.NETWORK, NETWORKSECURITYGROUPS, the name of the NSG, a breakdown of the time of the flow record (year, month, day, hour, and minute), and then the MAC address of the cloud resource creating the flow data.
73
Q

What file format is Azure Network Security Group flow data stored in when output to Azure Storage?

PCAP
XML
GZIP
JSON

A

Azure's Network Watcher service provides the option to capture Network Security Group (NSG) flow data. This data can be output to two different locations: an Azure Storage container and/or an Azure Log Analytics workspace. The flow data stored in an Azure Storage container is saved in a container called insights-logs-networksecuritygroupflowevent. The directory structure of the insights-logs-networksecuritygroupflowevent Azure Storage container is quite unusual. The flow data is aggregated and stored in a JSON-formatted file containing one or more flow records for the given time. The data should be moved to a system or application which can be used to parse the data more adequately.
74
Q

An external IP address is blocked after an alert triggered for a brute force attack. What automation tool could have completed this action?

UEBA tool
System configuration manager
Network Access Control List
SOAR platform

A

SOAR platform
75
Q

What is the "Create metric filter" action shown in the image used to configure?

Edit retention setting(s)
Create metric filter
Create contributor insights rules
Create data protection policy
Subscription filters
Export data to Amazon S3
View all exports to Amazon S3

CloudWatch log group action
GuardDuty data source action
Azure Log Analytics operation
CloudTrail insights logging

A

CloudWatch log groups are a collection of log streams. Actions that can be applied to log groups include:
* Create metric filter: CloudWatch metrics will monitor events across CloudWatch logs. A metric filter is really a way to count activities in logs.