1. What is a 'false positive' in incident detection?
False positives waste analyst time by alerting on non-malicious actions. Reducing them requires tuning detection rules and improving contextual analysis.
Incident Response · Question Set
Classification & Detection interview questions for placements and exams.
Questions: 14 · Subject: Incident Response · Difficulty: Mixed
Go through each question and its explanation. Use this set as a focused practice pack for Incident Response.
An IOC represents evidence that a system may be compromised. Examples include suspicious IPs, unusual file hashes, or outbound traffic to malicious domains.
An IDS observes and alerts on suspicious traffic, while an IPS takes active measures to block or drop that traffic in real time. An IPS therefore helps automate containment.
A security incident occurs when confidentiality, integrity, or availability of data is compromised. Unauthorized access directly violates confidentiality and requires immediate investigation.
Incidents are classified using factors like severity (how serious it is), impact (what systems are affected), and priority (how urgently it must be addressed). This ensures consistent triage and escalation.
Alert sources usually include SIEM tools, IDS/IPS systems, antivirus software, and firewalls. Payroll software does not generate security alerts unless it’s being monitored through integrated security layers.
A SIEM (Security Information and Event Management) platform centralizes logs from servers, applications, and firewalls. It helps analysts spot suspicious patterns faster using correlation rules.
Any incident that disrupts business operations or compromises sensitive data is considered high or critical. It demands immediate containment and management attention.
Analysts often use pattern matching, filters, and correlation queries inside SIEM tools to spot suspicious login attempts or network anomalies. This helps detect attacks early.
Classification helps teams understand the seriousness and potential impact of an incident. It determines escalation paths, response priorities, and resource allocation, preventing overreaction to minor issues or underreaction to major ones.
A standard scale includes:
• Informational – harmless alerts.
• Low – small impact, no data loss.
• Medium – localized impact or potential risk.
• High – significant disruption.
• Critical – large-scale incident or data breach.
This helps standardize triage and communication.
Triage involves verifying the alert, gathering context, checking scope, and assessing severity. Analysts validate whether it’s a false positive or real threat, then escalate or close accordingly.
Common techniques include log correlation, anomaly detection, signature-based detection, and behavior-based analysis. Combining these improves accuracy and reduces false negatives.
Manual detection relies on human review of alerts and logs, which allows deep analysis but is slow. Automated detection uses SIEM and AI tools to catch threats faster but may require tuning to reduce false positives.