1. A security analyst notices that employees are using BitTorrent over port 443 to bypass firewall rules that block the standard BitTorrent port. Which firewall capability would detect and block this traffic, and what does it examine that traditional firewalls do not?
2. An analyst investigating a phishing incident examines email metadata and finds that the message display name shows "CEO@company.com" but the email headers show the message was relayed through a server in a foreign country with a failed DMARC check. What does this metadata reveal?
3. A SIEM correlation rule fires an alert: "Account logged in successfully from the US at 14:00 UTC and from China at 14:08 UTC." No VPN or shared account is involved. What is this type of detection called, and what does it indicate?
4. A security operations center needs to review failed VPN authentication attempts over the past 90 days for a forensic investigation. Which tool provides this historical analysis capability, and why are dashboards insufficient for this task?
5. During an incident investigation, an analyst needs to determine the exact protocol used by malware to communicate with its command-and-control server, including the complete content of each packet. Which log source provides this level of detail?
6. An IPS alert fires for a buffer overflow exploit attempt targeting a specific vulnerability (CVE-XXXX) on a web server. The vulnerability scanner data in the SIEM shows that the targeted server was patched for CVE-XXXX last week. How does this correlation affect incident priority?
Matching: Log Sources and Their Primary Value
Match each log source (1–4) to its primary security value (A–D).
1VPN concentrator logs
2File metadata
3OS security logs
4Wireless access point logs
AReveals author name, creation/modification dates, and revision history that may persist in documents even after sanitization attempts
BProvides detailed authentication events, account lockouts, privilege escalation, and audit log clearing events; extremely verbose and requires filtering before SIEM forwarding
CRecords user authentication, tunnel establishment/teardown, source IP addresses, and per-session data volumes; useful for detecting credential stuffing and large data transfers over VPN
DCaptures client associations, authentication events, and channel changes; used to detect rogue clients, de-authentication attacks, and evil twin access points