What are common indicators of compromise (IOCs) you might look for in logs?

Multiple Choice

Explanation:
Indicators of compromise in logs come from looking for signs attackers leave behind across authentication events, system changes, and network activity. When you review logs, you want to spot a mix of unusual or unauthorized actions that don’t fit normal behavior.

Unusual user logins can signal account compromise, especially logins at odd times or from unexpected locations or devices. New or modified services or executables point to potential installation of malware or tampering with the system to maintain access. Anomalous outbound connections—connections to unfamiliar destinations, unusual ports, or after-hours traffic—can indicate data exfiltration or command-and-control activity. Privilege escalations show attempts to move from limited access to higher levels, which is a classic sign of attackers trying to deepen control. Unexpected process creations can reveal malicious programs starting up, sometimes covertly, that shouldn’t be running. Suspicious IPs, especially those associated with known bad actors or unusual geographies, help flag connections that warrant investigation.

These indicators are valuable because they represent different facets of an intrusion: who authenticated, what changed on the system, how the system is communicating, and who the attacker is trying to become. Other options tend to be too narrow or unrelated to typical log-based IOC detection; focusing only on failed logins misses broader compromise patterns, hardware temperature spikes aren’t log-based security signals, and the number of emails sent is context-dependent and not a broad IOC across logs.
