Eccouncil 312-39 practice test
Certified SOC Analyst Exam
Last exam update: Dec 02 ,2023
Question 1
Charline is working as an L2 SOC Analyst. One day, an L1 SOC Analyst escalated an incident to her for
further investigation and confirmation. Charline, after a thorough investigation, confirmed the
incident and assigned it with an initial priority.
What would be her next action according to the SOC workflow?
- A. She should immediately escalate this issue to the management
- B. She should immediately contact the network administrator to solve the problem
- C. She should communicate this incident to the media immediately
- D. She should formally raise a ticket and forward it to the IRT
Answer:
B
Question 2
Which of the following tool can be used to filter web requests associated with the SQL Injection
attack?
- A. Nmap
- B. UrlScan
- C. ZAP proxy
- D. Hydra
Answer:
B
Reference:
https://aip.scitation.org/doi/pdf/10.1063/1.4982570
Question 3
Which of the following process refers to the discarding of the packets at the routing level without
informing the source that the data did not reach its intended recipient?
- A. Load Balancing
- B. Rate Limiting
- C. Black Hole Filtering
- D. Drop Requests
Answer:
C
Reference:
https://en.wikipedia.org/wiki/Black_hole_(networking)#:~:text=In%20networking%2C%20black%
20holes%20refer,not%20reach%20its%20intended%20recipient.
Question 4
John as a SOC analyst is worried about the amount of Tor traffic hitting the network. He wants to
prepare a dashboard in the SIEM to get a graph to identify the locations from where the TOR traffic is
coming.
Which of the following data source will he use to prepare the dashboard?
- A. DHCP/Logs capable of maintaining IP addresses or hostnames with IPtoName resolution.
- B. IIS/Web Server logs with IP addresses and user agent IPtouseragent resolution.
- C. DNS/ Web Server logs with IP addresses.
- D. Apache/ Web Server logs with IP addresses and Host Name.
Answer:
D
Question 5
Which of the following contains the performance measures, and proper project and time
management details?
- A. Incident Response Policy
- B. Incident Response Tactics
- C. Incident Response Process
- D. Incident Response Procedures
Answer:
D
Question 6
Which
of the following technique protects from flooding attacks originated from the valid prefixes (IP
addresses) so that they can be traced to its true source?
- A. Rate Limiting
- B. Egress Filtering
- C. Ingress Filtering
- D. Throttling
Answer:
C
Reference:
http://www.mecs-press.org/ijcnis/ijcnis-v5-n5/IJCNIS-V5-N5-6.pdf
(3)
Question 7
Which of the following data source will a SOC Analyst use to monitor connections to the insecure
ports?
- A. Netstat Data
- B. DNS Data
- C. IIS Data
- D. DHCP Data
Answer:
A
Question 8
Which
of the following steps of incident handling and response process focus on limiting the scope and
extent of an incident?
- A. Containment
- B. Data Collection
- C. Eradication
- D. Identification
Answer:
A
Question 9
Which of the following stage executed after identifying the required event sources?
- A. Identifying the monitoring Requirements
- B. Defining Rule for the Use Case
- C. Implementing and Testing the Use Case
- D. Validating the event source against monitoring requirement
Answer:
D
Question 10
Which of the following attack can be eradicated by disabling of "allow_url_fopen and
allow_url_include" in the php.ini file?
- A. File Injection Attacks
- B. URL Injection Attacks
- C. LDAP Injection Attacks
- D. Command Injection Attacks
Answer:
B
Question 11
In which log collection mechanism, the system or application sends log records either on the local
disk or over the network.
- A. rule-based
- B. pull-based
- C. push-based
- D. signature-based
Answer:
A
Question 12
Identify the attack in which the attacker exploits a target system through publicly known but still
unpatched vulnerabilities.
- A. Slow DoS Attack
- B. DHCP Starvation
- C. Zero-Day Attack
- D. DNS Poisoning Attack
Answer:
C
Reference:
https://www.bullguard.com/bullguard-security-center/pc-security/computer-
threats/what-are-zero
- day-attacks.aspx
Question 13
Peter, a SOC analyst with Spade Systems, is monitoring and analyzing the router logs of the company
and wanted to check the logs that are generated by access control list numbered 210.
What filter should Peter add to the 'show logging' command to get the required output?
- A. show logging | access 210
- B. show logging | forward 210
- C. show logging | include 210
- D. show logging | route 210
Answer:
C
Question 14
Rinni, SOC analyst, while monitoring IDS logs detected events shown in the figure below.
What does this event log indicate?
- A. Directory Traversal Attack
- B. XSS Attack
- C. SQL Injection Attack
- D. Parameter Tampering Attack
Answer:
D
Reference:
https://infosecwriteups.com/what-is-parameter-tampering-5b1beb12c5ba
Question 15
Which of the following is a correct flow of the stages in an incident handling and response (IH&R)
process?
- A. Containment –> Incident Recording –> Incident Triage –> Preparation –> Recovery –> Eradication –> Post-Incident Activities
- B. Preparation –> Incident Recording –> Incident Triage –> Containment –> Eradication –> Recovery –> Post-Incident Activities
- C. Incident Triage –> Eradication –> Containment –> Incident Recording –> Preparation –> Recovery –> Post-Incident Activities
- D. Incident Recording –> Preparation –> Containment –> Incident Triage –> Recovery –> Eradication –> Post-Incident Activities
Answer:
B
Reference:
https://blog.elearnsecurity.com/the-4-steps-of-incident-handling-response.html