Text preview & study summary
Server+ PBQ Lab: SOC Investigation and Incident Response War Room
A free sample of 1 question from this quiz, shown in full with answer choices and explanations. No interactivity — everything is visible on this page for study and review.
Want to test your knowledge? Launch the Interactive Exam Simulator
Question 1
In this Security+ PBQ lab, the learner steps into a SOC war-room investigation after several noisy alerts fire across endpoint, identity, email, firewall, and DLP systems. The challenge is to correlate evidence, identify the true compromise chain, preserve useful forensic data, contain the correct host and user session, and avoid broad or destructive response actions that make the incident harder to prove. This lab tests incident response, log correlation, threat hunting, endpoint evidence, identity containment, and scoped remediation under realistic alert noise.
Explanation
The correct answer is “Phishing-driven endpoint compromise with scoped incident response.”
This answer is correct because the evidence points to a complete incident chain, not a single isolated alert. The affected workstation, FIN-WS-014, receives or interacts with a suspicious mail attachment, then shows a suspicious parent-child process relationship: an Office or mail-related application launches scripting behavior, which then leads to a dropped payload, persistence, and outbound network activity. That sequence is a classic endpoint compromise pattern because the execution path begins with user-facing content and then transitions into command execution, persistence, and external communication.
The endpoint evidence matters because it identifies the actual compromised asset. The file server appears in the case because finance files were accessed or staged, but the file server is not the initial infected system. Treating the file server as the root cause would miss the workstation that launched the malicious process and maintained command-and-control activity. The correct response must isolate the compromised workstation, not randomly disrupt the system that merely contains the data being accessed.
The identity evidence also supports the correct answer. The attacker is not only running malware locally; the incident includes use of a valid user context or active session. That means endpoint isolation alone is incomplete. A clean response requires revoking the affected user’s active sessions or tokens, resetting credentials, and making sure the attacker can no longer reuse the same authenticated access path. This is why the correct answer includes both endpoint containment and identity containment.
The network and DLP evidence complete the story. Outbound HTTPS traffic, repeated suspicious destination activity, DNS/proxy/firewall events, and a high-volume transfer pattern indicate command-and-control or attempted exfiltration. The DLP/file-access events show that sensitive finance data was accessed or staged. However, those events only become meaningful when correlated with the endpoint and identity timeline. By themselves, they could look like normal user activity, normal HTTPS traffic, or a file-server issue. Together, they prove a phishing-led compromise with attempted data exposure.
The correct answer also emphasizes preserving evidence before destructive action. In a real incident response workflow, immediately wiping the endpoint may stop the symptom but destroys volatile evidence such as running processes, active connections, memory artifacts, and command history. A clean Security+ response should collect volatile evidence or an endpoint triage bundle before reimaging or wiping the host. That is why the best answer is not merely “remove malware” or “reimage the computer.” It follows the proper incident response order: investigate, preserve, contain, eradicate, recover, and validate.
The scoped response portion is equally important. The correct solution blocks the malicious indicators, purges the phishing message by message ID or attachment hash, isolates the affected workstation, and contains the affected user session. It avoids broad actions like blocking all outbound HTTPS, purging all mail from a vendor domain, disabling unrelated users, or isolating core infrastructure. Those broad actions may appear decisive, but they create unnecessary business impact and do not prove the root cause.
Why the other answers are wrong
An answer focused on isolating the file server and blocking all outbound HTTPS is wrong because it mistakes a downstream data access target for the compromised endpoint. The file server is involved because sensitive files were accessed or staged, but the process execution, persistence, and outbound C2 activity originate from the workstation. Blocking all outbound HTTPS is also too broad. It may suppress symptoms, but it breaks legitimate business traffic and does not represent a scoped, evidence-based containment action.
An answer that treats the case as an old IDS false positive is wrong because it ignores the correlated timeline. The lab includes noisy IDS activity, but the true incident has matching endpoint execution, suspicious identity activity, DNS/proxy/firewall evidence, and DLP/file-access events. A single old IDS signature without matching evidence should be deprioritized, but the larger event chain cannot be dismissed as a false positive.
An answer that focuses on the noisy failed-login account is wrong because those failed logins are not tied to the endpoint process tree, phishing message, file access, or outbound beaconing. They are included as realistic SOC noise. Security analysts must distinguish unrelated authentication noise from the identity activity connected to the compromised workstation and affected finance user.
An answer that says to kill the suspicious process only is wrong because process termination is not full containment. The persistence mechanism may relaunch the payload, the user session may remain valid, the phishing message may still exist in other mailboxes, and the external indicators may remain reachable. Killing a process can be part of eradication, but by itself it does not address persistence, identity abuse, mail exposure, or network containment.
An answer that recommends immediate wipe or reimage as the first action is wrong because it destroys volatile evidence before the incident is fully understood. Reimaging may eventually be appropriate during eradication or recovery, but doing it before collecting triage evidence weakens the investigation and makes it harder to prove root cause, scope, and impact.
An answer that recommends purging all mail from the sender domain is wrong because it is overbroad. The correct mail response should target the malicious message by message ID, attachment hash, or other precise indicator. Purging an entire sender domain could remove legitimate business correspondence and create avoidable operational impact.
An answer that recommends blocking an entire CDN, all HTTPS, or all external traffic is wrong for the same reason. It is not scoped to the confirmed malicious indicators. The clean action is to block the known malicious domain, IP, URL, or file hash based on the correlated evidence. Security+ expects containment that is effective but proportionate.
Phishing-driven endpoint compromise with scoped incident response wins because it is the only one that handles the incident as a full chain: phishing delivery, endpoint execution, persistence, suspicious network communication, identity/session abuse, data staging, scoped containment, evidence preservation, and validation.
