IBM A1000-132 Intermediate Practice Exam: Medium Difficulty 2025
Ready to level up? Our intermediate practice exam features medium-difficulty questions with scenario-based problems that test your ability to apply concepts in real-world situations. Perfect for bridging foundational knowledge to exam-ready proficiency.
What Makes Intermediate Questions Different?
Apply your knowledge in practical scenarios
Medium Difficulty: Questions that test application of concepts in real-world scenarios
Scenario-Based: Practical situations requiring multi-concept understanding
Exam-Similar: Question style mirrors what you'll encounter on the actual exam
Bridge to Advanced: Prepare yourself for the most challenging questions
Medium Difficulty Practice Questions
10 intermediate-level questions for IBM A1000-132
A security analyst notices multiple failed login attempts from various IP addresses targeting a single user account, followed by a successful login from an unfamiliar geographic location. The SIEM has generated alerts for both the failed attempts and the successful login. What should be the analyst's FIRST priority action?
During an incident investigation, a SOC analyst discovers that malware has been present on a system for 45 days before detection. The malware has been beaconing to an external command and control server. What phase of the incident response lifecycle should the analyst focus on to prevent similar delays in the future?
A security operations center receives threat intelligence indicating that a new ransomware variant is targeting organizations in their industry. The intelligence includes file hashes, known C2 domains, and TTPs. How should the SOC operationalize this intelligence most effectively?
While analyzing security logs, an analyst observes that a web server is generating a high volume of HTTP 200 responses to requests containing SQL keywords in the URL parameters. The web application firewall logs show these requests were allowed through. What is the MOST likely scenario?
An organization has contained a security incident involving compromised credentials. Before moving to the eradication phase, what critical step must the incident response team complete?
A SOC analyst is evaluating whether to escalate an alert generated by an endpoint detection tool. The alert shows a PowerShell process executing with encoded command parameters on a finance department workstation. What additional context would be MOST valuable for making an accurate escalation decision?
An organization receives STIX-formatted threat intelligence from multiple sources. The security team wants to automate the ingestion and application of this intelligence across their security tools. What approach would best accomplish this objective?
A security operations team is designing a process for handling security incidents. They want to ensure that incidents are prioritized appropriately based on business impact. Which factor combination should have the HIGHEST priority when determining incident severity?
A SOC uses a SIEM system that aggregates logs from multiple sources. The team notices that their SIEM is generating numerous false positive alerts for a specific detection rule. What systematic approach should they take to improve the rule's accuracy while maintaining security coverage?
An analyst is investigating an alert about potential lateral movement in the network. They observe SMB connections from a workstation to multiple other workstations, followed by remote execution of processes. What additional evidence would BEST confirm malicious lateral movement rather than legitimate administrative activity?
Mastered the intermediate level?
Challenge yourself with advanced questions when you score above 85%
IBM A1000-132 Intermediate Practice Exam FAQs
IBM A1000-132 is a professional certification from IBM that validates expertise in IBM A1000-132 technologies and concepts. The official exam code is A1000-132.
The IBM A1000-132 intermediate practice exam contains medium-difficulty questions that test your working knowledge of core concepts. These questions are similar to what you'll encounter on the actual exam.
Take the IBM A1000-132 intermediate practice exam after you've completed the beginner level and feel comfortable with basic concepts. This helps bridge the gap between foundational knowledge and exam-ready proficiency.
The IBM A1000-132 intermediate practice exam includes scenario-based questions and multi-concept problems similar to the A1000-132 exam, helping you apply knowledge in practical situations.