Refer to the exhibit.
A security analyst at a company performs a forensic analysis of an endpoint after the endpoint is marked as infected by an endpoint detection and response solution. After further investigation, the analyst discovers that a registry value was modified.
According to the MITRE ATT&CK framework, which technique did the malware use?
Answer : C
Refer to the exhibit.
A code analysis is performed by using the Semgrep tool. The tool reports that a security issue occurred during the connection to the database.
Which security vulnerability is flagged by the tool?
Answer : D
A security analyst suspects that the latest attack on one of the company's machines is memory-resident, given the telemetry observed so far.
Which step must the analyst take next to confirm this suspicion?
Answer : D
A security engineer notices a user locked out of an email account after multiple failed sign-ins. Upon further investigation, it appears other users experienced the same issue. The lockout was caused by using incorrect credentials during authentication.
What is the indicator of the attack?
Answer : D
Refer to the exhibit.
The SOC lead received the scope of a penetration test conducted against the company's assets within the last 4 hours. Documentation does not seem to contain any authorized IP address range and the testing company must perform only a surface-level scan and database probing. As the SOC analysts review server logs to determine whether recent activities indicate an authorized penetration test or a possible attack, a few suspicious entries are discovered by the team.
Which two log entries point to a possibly successful unauthorized attack? (Choose two.)
Answer : AB
A SOC team must prepare for a new phishing campaign that tricks users into clicking a malicious URL to download a file. When the file executes, it creates a Windows process that harvests user credentials. The team must configure the SIEM tool to receive an alert if a suspicious process is detected.
Which two rules must the team create in the SIEM tool? (Choose two.)
Answer : CD
Refer to the exhibit.
Which technique is used by the attacker?
Answer : A
A security team receives a notification about uncommon and blocked web traffic. The team begins to investigate the proxy logs and discovers traffic from infrequently used user agents to domains that are categorized as malware.
What are two additional proxy log threat indicators? (Choose two.)
Answer : CD
The security team detects an alert regarding a potentially malicious file named Financial_Data_123456789.pdf downloaded by a user. Upon reviewing SIEM logs and Cisco Secure Endpoint, the team confirms that the file was obtained from an untrusted website. The hash analysis of the file returns an unknown status.
Which action must be done next?
Answer : D
The SOC team receives threat intelligence about a new ransomware variant spreading across businesses. After validating existing use cases regarding suspicious emails, a new use case is created based on known indicators of compromise related to the specific ransomware variant. The emphasis is on flagging the ransomware attack during the execution phase.
What should be monitored?
Answer : C
Refer to the exhibit.
The cybersecurity team at a company detects an ongoing attack directed at the web server that hosts the company website. The team analyzes the logs of the web application firewall and discovers several HTTP requests encoded in Base64. The team decodes the payloads and retrieves the HTTP requests.
What did the attackers use to exploit the server?
Answer : D
Refer to the exhibit.
A security engineer notices that a Windows Batch script includes calls to suspicious APIs.
How will the script affect the system when it is executed?
Answer : D
Refer to the exhibit.
The security team examines a Windows host after receiving an alert that the host authenticated over the network to another host by using a local admin account. The team discovers a process creation event in the Sysmon logs of the host.
Which action did the host perform?
Answer : C
Refer to the exhibit.
A penetration test performed against a web application generates the error message.
Which two pieces of information are exposed? (Choose two.)
Answer : AD
Refer to the exhibit.
Which level of the Pyramid of Pain and phase of the Threat Hunting Maturity Model is being used?
Answer : C