IBM A1000-132 Practice Exam: Test Your Knowledge 2025
Prepare for the A1000-132 exam with our comprehensive practice test. Our exam simulator mirrors the actual test format to help you pass on your first attempt.
Exam Simulator
- Matches official exam format
- Updated for 2025 exam version
- Detailed answer explanations
- Performance analytics dashboard
- Unlimited practice attempts
Why Our Practice Exam Works
Proven methods to help you succeed on exam day
Realistic Questions
60 questions matching the actual exam format
Timed Exam Mode
90-minute timer to simulate real exam conditions
Detailed Analytics
Track your progress and identify weak areas
Unlimited Retakes
Practice as many times as you need to pass
Answer Explanations
Comprehensive explanations for every question
Instant Results
Get your score immediately after completion
Practice Options
Choose the practice mode that suits your needs
Full Practice Exam
Complete 60 question exam simulation
Quick Quiz (25 Questions)
Fast assessment of your knowledge
Domain-Specific Practice
Focus on specific exam topics
Free Practice Questions
Try these IBM A1000-132 sample questions for free - no signup required
A security analyst is reviewing firewall logs and notices multiple connection attempts from a single IP address to various ports on a web server within a 30-second window. What type of activity is MOST likely being observed?
During incident response, what is the PRIMARY purpose of maintaining a proper chain of custody for digital evidence?
Which of the following is an example of an Indicator of Compromise (IoC)?
What is the primary function of a Security Information and Event Management (SIEM) system?
An organization wants to establish a baseline for normal network behavior. What metric would be LEAST useful for this purpose?
A security analyst observes that a workstation is communicating with a known command and control (C2) server based on threat intelligence feeds. According to the incident response lifecycle, what phase should be initiated FIRST?
When analyzing security logs, an analyst notices repeated successful logins to a privileged account from different geographic locations within impossible timeframes (e.g., USA and China within 10 minutes). What attack vector is MOST likely occurring?
During a security incident investigation, which of the following data sources would provide the MOST comprehensive timeline of user activities on a Windows workstation?
A security team receives threat intelligence about a new ransomware variant targeting their industry. What is the MOST effective immediate action to take with this information?
What is the primary benefit of implementing a Security Orchestration, Automation, and Response (SOAR) platform in a security operations center?
An analyst is reviewing alerts and notices multiple false positives from a particular detection rule. What is the BEST approach to handle this situation?
During incident containment, a compromised server needs to remain accessible for forensic analysis but must be isolated from the production network. What is the BEST containment strategy?
What is the PRIMARY difference between tactical and strategic threat intelligence?
In a security operations center, what is the primary purpose of implementing a tiered escalation model?
An organization experiences a ransomware attack that encrypts critical files. During the recovery phase, what should be verified BEFORE restoring from backups?
A security analyst is investigating an alert for potential data exfiltration. The analysis shows large volumes of encrypted traffic to an external IP during non-business hours from a database server. What additional data source would be MOST valuable to correlate and validate this alert?
During a post-incident review, the team discovers that the attacker maintained persistence for three months before detection. The attacker used legitimate administrative tools and stayed within normal usage patterns. What type of detection strategy would have been MOST effective in identifying this threat earlier?
An incident response team is analyzing a sophisticated attack where the adversary used multiple techniques including credential dumping, lateral movement, and data staging. According to the MITRE ATT&CK framework, what is the PRIMARY value of mapping the observed TTPs to this framework?
A security operations center is implementing a new detection use case. The team needs to balance detection sensitivity to minimize both false positives and false negatives. In a high-security environment protecting critical infrastructure, what should be the PRIMARY consideration?
An analyst is investigating unusual network traffic patterns and suspects DNS tunneling is being used for command and control communications. Which combination of indicators would MOST strongly suggest DNS tunneling activity?
Want more practice questions?
Full practice exam coming soon!
Topics Covered
Our practice exam covers all official IBM A1000-132 exam domains
IBM A1000-132 Practice Exam Guide
Our IBM A1000-132 practice exam is designed to help you prepare for the A1000-132 exam with confidence. With 60 realistic practice questions that mirror the actual exam format, you will be ready to pass on your first attempt.
What to Expect on the A1000-132 Exam
How to Use This Practice Exam
1. Start with the free sample questions above to assess your current knowledge level
2. Review the study guide to fill knowledge gaps
3. Practice with the sample questions while we prepare the full exam
4. Review incorrect answers and study the explanations
5. Repeat until you consistently score above the passing threshold