Domain 7: Security Operations Review — 50 of 84

Domain 7 – Section A Review: Investigations and Monitoring

CISSP Domain 7 — Security Operations, Section A: Investigations and Monitoring Review (10 Questions)

This section integrates:

  • Investigation Types, Evidence Handling, and Digital Forensics
  • Logging, Monitoring, SIEM Operations, and Anomaly Detection
  • Configuration Baselines, CMDB, Change Control, and Drift Detection
  • Foundational Operations Concepts (Least Privilege, Separation of Duties, PAM)
  • Media Sanitization, Resource Protection, and VM Sprawl Management
  • Incident Response Lifecycle and CSIRT Operations
  • IDS/IPS, EDR, Honeypots, SOAR, and Zero-Day Mitigation

Domain 7 questions connect operational processes to security outcomes. A detection tool that generates alerts nobody reads is not a control. An incident response plan that has never been tested is an assumption. A configuration baseline that is never enforced is just documentation.


1. Operations Is Where Policy Meets Reality

Security operations translates governance decisions into daily practice. Every module in this section deals with the same challenge: how do you design processes that work consistently under pressure, across teams, and over time?

When facing a Domain 7 Section A question, trace the scenario through three lenses:

  • Was the process defined? (Preparation, baselines, plans)
  • Was the process followed? (Execution, compliance, consistency)
  • Was the process validated? (Testing, auditing, lessons learned)

2. Evidence and Investigations Require Process Before Tools

The type of investigation determines the standard of evidence, which in turn dictates how evidence must be collected and handled. Criminal investigations require proof beyond a reasonable doubt; administrative actions require only a preponderance of the evidence. When in doubt about which standard applies, prepare to the higher standard.


3. Detection Without Response Is Just Observation

Monitoring, logging, and detection generate information. That information has value only when someone or something acts on it. SIEM tuning, alert prioritization, SOAR automation, and staffed response capabilities close the loop between detection and action.


Section A Decision Pattern

When facing a Domain 7 Section A question:

  1. Identify what went wrong — a detection failure, a process gap, an evidence handling error, or a response failure
  2. Trace it to the root cause — missing baseline, broken chain of custody, untested plan, insufficient monitoring, or uncontrolled change
  3. Select the answer that fixes the process, not just the symptom — governance and process improvement are preferred over purely technical fixes
  4. Remember the lifecycle — preparation enables detection, detection triggers response, response feeds lessons learned, lessons learned improve preparation

Section A – Practice Questions


Question 1

A forensic analyst arrives at a compromised workstation that is still powered on. Running processes show active connections to an external IP address. The analyst’s manager instructs them to immediately unplug the network cable and power off the system to prevent further data loss.

What is the PRIMARY concern with this instruction?

A. Unplugging the network cable will alert the attacker that they have been detected
B. Powering off the system will destroy volatile evidence in RAM, including the active connections, running processes, and memory-resident malware
C. The system should be left running indefinitely to monitor the attacker’s activities
D. Only law enforcement should make the decision to power off a compromised system

Answer & reasoning

Correct: B

Volatile evidence — RAM contents, running processes, active network connections, and memory-resident artifacts — is destroyed when the system is powered off. The forensic analyst should capture volatile evidence before any shutdown. Disconnecting the network is appropriate to stop ongoing exfiltration, but powering off should wait until volatile data has been captured. This is the order of volatility principle in practice.


Question 2

An organization’s SIEM generates 4,000 alerts per day. The SOC has staffing to investigate approximately 300. A post-breach analysis reveals that a genuine attack triggered an alert 21 days before discovery, but the alert was auto-closed because it fell below the priority threshold. The SIEM correlation rules have not been updated in 18 months.

What is the ROOT CAUSE of the detection failure?

A. Insufficient SOC staffing to investigate all alerts
B. The SIEM correlation rules were outdated and not tuned to reflect current threats, causing improper prioritization
C. The organization should have purchased a more advanced SIEM platform
D. Auto-closing alerts is inherently unsafe and should be disabled

Answer & reasoning

Correct: B

The SIEM detected the attack — it generated an alert. The failure was in prioritization: the alert was ranked below the investigation threshold because the correlation rules were outdated. Ongoing SIEM tuning is an operational responsibility that ensures detection accuracy keeps pace with the threat environment. More staff (A) does not fix poorly prioritized alerts. A new SIEM (C) will have the same problem without ongoing tuning. Auto-close is a legitimate workflow for low-confidence alerts, but the threshold determination must be regularly validated.


Question 3

A configuration audit reveals that 25 production servers have configurations that differ from the approved baseline. The differences include open ports not in the baseline, disabled security agents, and modified authentication settings. The operations team explains that changes were made during various incidents over the past year and were never reverted.

What is the MOST effective corrective action?

A. Immediately reimage all 25 servers from the current golden image
B. Accept the current configurations as the new baseline
C. Evaluate each deviation, remediate unauthorized changes, and implement automated drift detection to prevent recurrence
D. Restrict the operations team from making configuration changes during incidents

Answer & reasoning

Correct: C

Some emergency changes may have been necessary and should be formalized through the change process. Others may be genuine drift that needs remediation. Blindly reimaging (A) could disrupt services and may revert necessary changes. Accepting all deviations (B) legitimizes uncontrolled changes. Restricting operations changes during incidents (D) hampers incident response. The correct approach evaluates each deviation on its merits and implements automated detection to catch future drift.
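The evaluate-then-remediate approach in this answer, as an added example that is not part of the original module: each deviation from the baseline is matched against approved change records, so an emergency change that went through the change process is marked for formalization while everything else is marked for remediation. The baseline, the change records (hypothetical ticket id) and the observed host state are all constructed values.

```python
from dataclasses import dataclass

# Constructed approved baseline for a production server (example values).
BASELINE = {
    "open_ports": {22, 443},
    "security_agents": {"edr": "running", "av": "running"},
    "auth": {"password_auth": "no", "mfa_required": "yes"},
}
# Constructed change records (hypothetical ticket ids): deviations that went
# through the change process. Anything not listed here is unauthorized drift.
APPROVED_CHANGES = {("srv-07", "open_ports", "8443"): "CHG-0412"}

@dataclass
class Deviation:
    host: str
    area: str
    item: str
    expected: str
    actual: str
    action: str  # "formalize (<ticket>)" or "remediate"

def classify(host, area, item, expected, actual):
    ticket = APPROVED_CHANGES.get((host, area, item))
    action = f"formalize ({ticket})" if ticket else "remediate"
    return Deviation(host, area, item, expected, actual, action)

def detect_drift(host, current, baseline=BASELINE):
    """Compare one host's observed configuration to the approved baseline."""
    findings = []
    # Ports open on the host that the baseline does not allow.
    for port in sorted(current["open_ports"] - baseline["open_ports"]):
        findings.append(classify(host, "open_ports", str(port), "closed", "open"))
    # Security agents the baseline expects to be running.
    for agent, state in baseline["security_agents"].items():
        actual = current["security_agents"].get(agent, "missing")
        if actual != state:
            findings.append(classify(host, "security_agents", agent, state, actual))
    # Authentication settings that must match exactly.
    for key, value in baseline["auth"].items():
        actual = current["auth"].get(key, "unset")
        if actual != value:
            findings.append(classify(host, "auth", key, value, actual))
    return findings

# Constructed observation from a drifted host: two extra ports, EDR stopped,
# password authentication re-enabled during an incident and never reverted.
OBSERVED = {
    "open_ports": {22, 443, 8443, 3389},
    "security_agents": {"edr": "stopped", "av": "running"},
    "auth": {"password_auth": "yes", "mfa_required": "yes"},
}
```

Run `detect_drift("srv-07", OBSERVED)` on a schedule and feed unresolved "remediate" findings to the change board; the same comparison is what an automated drift detector repeats after every baseline update.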


Question 4

A financial analyst has been in the same role for eight years. She processes wire transfers, reconciles accounts, and generates the monthly audit report. She has never taken more than two consecutive days off. Her manager considers her indispensable and opposes any change to her responsibilities.

Which TWO controls are MOST important to implement?

A. Enhanced background screening and additional security training
B. Mandatory vacation and separation of duties for wire transfer processing and account reconciliation
C. Real-time transaction monitoring and physical access restrictions
D. Dual-factor authentication and encrypted communications for financial systems

Answer & reasoning

Correct: B

Two governance failures exist here. First, one person controls the entire process from transaction to reconciliation to reporting — a clear separation of duties violation. Second, the analyst has never taken a mandatory vacation, eliminating the detective control that would force a temporary handover. These are the two controls most directly aligned with the risk of undetected fraud in financial processing roles. Technical controls (C, D) add value but do not address the governance gap.


Question 5

An organization is decommissioning a cloud environment after migrating to a new provider. The cloud data includes customer PII encrypted with customer-managed keys. The security team’s disposal plan is to delete all cloud storage accounts and request a certificate of data destruction from the departing provider.

What step is MISSING from this disposal plan?

A. The security team should request the provider degauss all physical storage media
B. The encryption keys should be destroyed before the storage accounts are deleted, ensuring crypto-shredding of all encrypted data
C. The organization should wait 90 days after deletion to verify no data remnants exist
D. All data should be downloaded to on-premises storage before cloud account deletion

Answer & reasoning

Correct: B

Deleting cloud storage accounts removes logical access, but the organization has no control over whether the provider physically sanitizes the underlying media. By destroying the customer-managed encryption keys first, the organization ensures that any data remnants are cryptographically unrecoverable regardless of the provider’s physical media management. This is crypto-shredding — the primary data sanitization strategy for cloud environments. Degaussing (A) is not feasible in cloud environments. Waiting 90 days (C) provides no verification mechanism.


Question 6

During a ransomware incident, the CSIRT successfully contains the spread by isolating the affected network segment. The incident manager wants to immediately begin restoring systems from backups. The technical lead objects, stating that eradication has not been completed.

Why is the technical lead’s objection correct?

A. Restoring from backups before the incident is fully documented will compromise the lessons learned process
B. If the attacker’s persistence mechanisms and initial access vector are not identified and removed, restored systems may be reinfected
C. The backups may be encrypted by the ransomware and therefore unusable
D. Regulatory notification must be completed before systems are restored

Answer & reasoning

Correct: B

Eradication must happen before recovery. If the ransomware’s initial access vector (a vulnerable service, compromised credentials, a phishing implant) is still present, and if persistence mechanisms (scheduled tasks, backdoor accounts, modified startup scripts) remain in the environment, restored systems will be compromised again. Recovery without eradication is a cycle, not a resolution. While backup integrity (C) is a valid concern, it is a separate issue from the sequencing objection.


Question 7

An organization deploys a high-interaction honeypot on an internal network segment. Within 48 hours, the honeypot records multiple login attempts from an internal server using a service account. The service account is assigned to a legacy application that should not be communicating with the honeypot’s network segment.

What does this finding MOST likely indicate?

A. The honeypot is misconfigured and is interfering with the legacy application
B. The service account credentials have been compromised and an attacker is conducting lateral movement
C. The legacy application has a network misconfiguration that is routing traffic to the wrong segment
D. The honeypot should be moved to the DMZ to avoid false positives from internal systems

Answer & reasoning

Correct: B

A honeypot has no legitimate business function. Any system connecting to it is exhibiting suspicious behavior. A service account from a legacy application attempting to authenticate to a system it has no business reason to contact is a strong indicator of credential compromise and lateral movement. This is exactly the type of internal threat that honeypots are designed to detect. The finding warrants immediate investigation of the legacy application server and the service account’s recent activity across the environment.
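The detection logic this answer describes, as an added example that is not part of the original module: because a decoy has no legitimate clients, every authentication attempt against it becomes a finding, and the severity is raised when the account is a service account or the login succeeds. The decoy address, the service-account list, the log line format and the sample lines are all constructed.

```python
import re
from collections import defaultdict

# Constructed: the decoy's address and the accounts classified as service accounts.
HONEYPOT_HOSTS = {"10.20.30.40"}
SERVICE_ACCOUNTS = {"svc_legacyapp", "svc_backup"}

# Constructed log format: "<timestamp> auth <FAIL|OK> user=<name> src=<ip> dst=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>FAIL|OK) user=(?P<user>\S+) "
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+)$"
)

def parse(line):
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def triage(lines):
    """Group every authentication attempt against a decoy by (source, account)."""
    findings = defaultdict(lambda: {"attempts": 0, "first": None, "last": None,
                                    "severity": "medium"})
    for line in lines:
        ev = parse(line)
        if not ev or ev["dst"] not in HONEYPOT_HOSTS:
            continue  # ordinary traffic; a decoy has no legitimate clients
        f = findings[(ev["src"], ev["user"])]
        f["attempts"] += 1
        f["first"] = f["first"] or ev["ts"]
        f["last"] = ev["ts"]
        # A service account has no business reason to touch a decoy, so treat
        # it as probable credential compromise and lateral movement.
        if ev["user"] in SERVICE_ACCOUNTS and f["severity"] != "critical":
            f["severity"] = "high"
        if ev["result"] == "OK":
            f["severity"] = "critical"  # a successful login to the decoy
    return dict(findings)

# Constructed sample lines: a legacy-app service account probing the decoy, and
# an interactive user whose only decoy contact is a single failed attempt.
SAMPLE_LOG = [
    "2024-05-01T02:14:07Z auth FAIL user=svc_legacyapp src=10.20.5.17 dst=10.20.30.40",
    "2024-05-01T02:14:09Z auth FAIL user=svc_legacyapp src=10.20.5.17 dst=10.20.30.40",
    "2024-05-01T08:03:11Z auth OK user=jdoe src=10.20.5.22 dst=10.20.30.41",
    "2024-05-01T08:05:40Z auth FAIL user=jdoe src=10.20.5.22 dst=10.20.30.40",
]
```

Each finding is the starting point for the investigation the answer calls for: pivot on the source host and the account's recent activity across the rest of the environment.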


Question 8

A company’s incident response plan was last tested three years ago. Since then, the organization has migrated to cloud infrastructure, replaced its SIEM, hired a new CSIRT lead, and outsourced network monitoring to an MSSP. A tabletop exercise is scheduled for next month.

What is the MOST significant concern about the upcoming tabletop?

A. Three years is too long between exercises — the plan should have been tested after each major change
B. A tabletop exercise is insufficient — the organization needs a full red team simulation
C. The exercise should be postponed until the CSIRT lead has been in the role for at least one year
D. The MSSP should conduct the exercise since they handle monitoring

Answer & reasoning

Correct: A

The incident response plan should have been tested after each significant change: cloud migration, SIEM replacement, CSIRT leadership change, and MSSP onboarding. Each change introduces new roles, tools, and communication paths that need validation. An untested plan that references outdated infrastructure, a previous SIEM, and a different team lead is an unreliable plan. While the upcoming tabletop is better than nothing, the gap represents a sustained governance failure.


Question 9

An investigation into a suspected insider threat reveals that the suspect employee’s manager collected emails from the employee’s mailbox, copied files from their workstation to a USB drive, and stored everything in an unlocked desk drawer. The manager did not document any of these actions and handled the evidence alone.

What is the MOST critical problem with this evidence collection?

A. The manager should have used forensic imaging tools instead of file-level copying
B. The chain of custody is broken — undocumented collection, no integrity verification, and unsecured storage render the evidence unreliable for any legal proceeding
C. Only IT staff should handle digital evidence, not managers
D. The evidence should have been stored in a fireproof safe rather than a desk drawer

Answer & reasoning

Correct: B

Multiple chain of custody failures occurred: no documentation of what was collected, when, or by whom; no hash verification to prove the evidence was not altered; unsecured storage that anyone could access; and file-level copies instead of forensic images. Any single one of these failures could compromise the evidence’s admissibility. Together, they make the evidence unreliable for administrative action and completely unusable for criminal prosecution. This is why organizations need established evidence handling procedures that are known and followed before an incident occurs.
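What the missing procedure would have produced, as an added example that is not part of the original module: a custody record that hashes the item at collection, names every hand-off with the receiver's own hash, and can be reviewed for the gaps listed above (undocumented collection, a hash mismatch, uncontrolled storage). The accepted storage locations and the sample mailbox export are constructed values.

```python
import hashlib

# Constructed: storage locations the procedure accepts as controlled.
SECURE_STORAGE = {"evidence locker", "evidence safe"}

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def collect(evidence_id, data, collector, source, when):
    """First custody entry: who acquired what, from where, when, and its hash."""
    return {
        "evidence_id": evidence_id,
        "source": source,
        "sha256": sha256_hex(data),
        "size": len(data),
        "log": [{"event": "collected", "by": collector, "at": when}],
    }

def transfer(record, from_person, to_person, storage, data, when):
    """Record a hand-off; the receiver re-hashes the item so any change is caught."""
    digest = sha256_hex(data)
    record["log"].append({
        "event": "transferred", "from": from_person, "to": to_person,
        "storage": storage, "sha256_at_receipt": digest, "at": when,
    })
    return digest == record["sha256"]

def verify(record, data):
    """True if the item still hashes to the value recorded at collection."""
    return sha256_hex(data) == record["sha256"]

def custody_gaps(record):
    """Weaknesses an examiner would flag when reviewing the custody log."""
    gaps = []
    transfers = [e for e in record["log"] if e["event"] == "transferred"]
    if not record["log"] or record["log"][0]["event"] != "collected":
        gaps.append("no documented collection")
    if any(e["sha256_at_receipt"] != record["sha256"] for e in transfers):
        gaps.append("hash mismatch at hand-off")
    if any(e["storage"] not in SECURE_STORAGE for e in transfers):
        gaps.append("unsecured storage")
    return gaps

# Constructed sample: a mailbox export as collected, and a later altered copy.
MAILBOX_EXPORT = b"From: analyst@example.test\nSubject: Q3 report\n\nattached.\n"
ALTERED_COPY = MAILBOX_EXPORT.replace(b"Q3", b"Q4")
```

A forensic image, rather than a file-level copy, would be the object hashed here; the record itself is what lets a court or an HR panel see that nothing changed between collection and presentation.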


Question 10

A security architect is designing a detection strategy for an organization that processes payment card data. The architect proposes signature-based IDS, SIEM with correlation rules, and quarterly vulnerability scanning. The CISO asks what additional detection capability would address the gap in detecting previously unknown threats and attacker techniques that do not match existing signatures.

What should the architect recommend?

A. More frequent vulnerability scanning (weekly instead of quarterly)
B. A second signature-based IDS from a different vendor for redundancy
C. Behavioral analytics and EDR that detect anomalous activity regardless of whether it matches known attack patterns
D. Network packet capture on all segments for forensic analysis after incidents

Answer & reasoning

Correct: C

The identified gap is detection of unknown threats — attacks that do not have signatures. Behavioral analytics and EDR detect anomalous behavior rather than matching patterns, making them effective against novel attacks, zero-day exploits, and living-off-the-land techniques. A second signature-based IDS (B) shares the same fundamental limitation as the first — it cannot detect what it does not have a signature for. More frequent scanning (A) finds known vulnerabilities faster but does not detect active attacks. Packet capture (D) aids investigation after detection but does not generate alerts for unknown threats.
