Chapter 87 · Quiz

Security Monitoring — Quiz

Six multiple-choice questions and four matching questions. Submit for instant scoring and explanations.

Question 1 of 6
A security analyst reviews authentication logs from the VPN gateway and notices 300 failed login attempts from 12 different IP addresses over 45 minutes, followed by a successful login. Each individual server's log shows fewer than 30 failed attempts from any single IP — below the per-source alert threshold. Which monitoring capability would have detected this as an attack?
Question 2 of 6
According to the IBM Security 2022 report cited in the Security+ curriculum, what is the average time for an organization to identify and contain a data breach, and what does this imply for log retention policy?
Question 3 of 6
A security team deploys a new SIEM with default alert rules and immediately begins receiving 3,000 alerts per day. Analysts start acknowledging alerts without investigation because volume is unmanageable. Two weeks later, a real attack indicator is dismissed as another probable false positive. What process should have been performed before activating high-volume alert rules?
Question 4 of 6
A database server that normally transfers 3–6 GB of data per day is detected transferring 85 GB to an external IP address in a 2-hour window on a Friday evening. The SIEM fires a High alert. What type of security event does this pattern most likely indicate, and what should be the immediate response?
Question 5 of 6
A security analyst needs to quickly determine how many systems in the environment are running a specific version of a web framework that was just disclosed as critically vulnerable. Which monitoring capability makes this query answerable within minutes?
Question 6 of 6
An organization retains security logs for 90 days. A breach is discovered in November and forensic investigation determines the attacker first gained access in February — nine months earlier. Investigators request the February through August logs to reconstruct lateral movement and identify the initial compromise vector. What is the likely outcome?

Matching

Match each description to the correct security monitoring concept.

1. Centralizes logs from firewalls, servers, VPN concentrators, and cloud services into one database for correlation and reporting
2. Isolates a compromised system from network communication to stop lateral spread while preserving the system for forensic analysis
3. The ongoing process of calibrating alert thresholds to reduce false positives and false negatives as the organization's baseline understanding improves
4. Retaining security log data over an extended period to support forensic investigation, compliance audits, and legal proceedings
A. SIEM
B. Quarantine
C. Alert tuning
D. Archiving