AP Cybersecurity Unit 3 Lesson 5 Quiz
Unit 3 • 3.5 • Quiz
Quiz — IDS, IPS & SIEM
10 questions — Covers detection types, inline vs. passive deployment, SIEM correlation, and alert fatigue
Score: 0 / 10Complete all 10 questions to see your result
Question 1 of 10
✎ Predict first: Think about what a network IDS does vs. what an IPS does.
A network administrator reviews the following security architecture note:
"Our perimeter IDS is configured to monitor all inbound traffic and will automatically drop packets matching known exploit signatures before they reach internal systems."
What is incorrect about this statement?
"Our perimeter IDS is configured to monitor all inbound traffic and will automatically drop packets matching known exploit signatures before they reach internal systems."
What is incorrect about this statement?
A.A network IDS is a passive monitoring device; it detects and alerts but cannot block or drop traffic on its own.
B.Packet inspection at the perimeter is ineffective because encrypted traffic cannot be analyzed.
C.Signature-based detection is not a valid method for identifying exploit attempts.
D.Monitoring inbound traffic is insufficient; IDS must also monitor outbound traffic to be effective.
Question 2 of 10
✎ Predict first: Anomaly detection compares to a baseline. What must that imply?
Which of the following are characteristics of anomaly-based IDS detection?
I. It can detect zero-day attacks that have no existing signature.
II. It has a lower false positive rate than signature-based detection.
III. It requires a baseline model of normal behavior to compare against.
I. It can detect zero-day attacks that have no existing signature.
II. It has a lower false positive rate than signature-based detection.
III. It requires a baseline model of normal behavior to compare against.
A.I only
B.II only
C.I and III only
D.I, II, and III
Question 3 of 10
✎ Predict first: If a device can block traffic, where must it physically sit in the network?
A security engineer is deploying an IPS to protect a web server farm. The engineer connects the IPS to a SPAN (mirror) port on the distribution switch and configures automatic block rules. After deployment, the IPS generates alerts for confirmed attacks, but traffic from those attacks still reaches the web servers.
What is the most likely cause of this behavior?
What is the most likely cause of this behavior?
A.An IPS connected via SPAN port receives only a copy of traffic and cannot block the original packets; the device must be deployed inline.
B.The block rules require manual confirmation before they take effect, which delays automated blocking.
C.SPAN ports only mirror outbound traffic, so inbound attacks are not visible to the IPS.
D.The web server farm requires a host-based IPS in addition to the network IPS for blocking to work.
Question 4 of 10
✎ Predict first: What is a SIEM uniquely able to do that individual tools cannot?
A SIEM receives the following events within a 10-minute window from three separate log sources:
- Firewall: 120 outbound connections to the same external IP
- Endpoint: New process
svch0st.exe(note: zero not letter O) created under SYSTEM context - DNS: Query for
beacon.malservices[.]ruresolved successfully
A.Log normalization — converting events from different formats into a common schema
B.Event correlation — combining events across multiple sources to detect patterns invisible to individual tools
C.Anomaly detection — identifying behavior that deviates from a learned baseline
D.Threat intelligence integration — matching events against known indicators of compromise
Question 5 of 10
✎ Predict first: False positives are alerts on benign traffic. Which rule behaviors produce this?
A SOC team is troubleshooting high false positive rates in their IDS. Which of the following configuration choices would most likely contribute to excessive false positives?
I. A threshold rule that fires on any single failed login attempt.
II. Using signature-based detection for a well-known, stable exploit (e.g., EternalBlue).
III. Setting an anomaly detection sensitivity so high that any 10% deviation from baseline triggers an alert.
I. A threshold rule that fires on any single failed login attempt.
II. Using signature-based detection for a well-known, stable exploit (e.g., EternalBlue).
III. Setting an anomaly detection sensitivity so high that any 10% deviation from baseline triggers an alert.
A.I only
B.II only
C.I and III only
D.I, II, and III
Question 6 of 10
✎ Predict first: Think about what a host-based IDS can see that a network device cannot.
An attacker on an internal network uses a fully encrypted, certificate-pinned application to exfiltrate data to an external server. The organization has a network-based IDS deployed at the perimeter inspecting all outbound traffic. The exfiltration is not detected by the network IDS.
Which of the following best explains why the network IDS failed, and which control would have been more effective?
Which of the following best explains why the network IDS failed, and which control would have been more effective?
A.The network IDS was not tuned to inspect outbound traffic; a properly configured IDS would have detected the exfiltration.
B.The network IDS relies only on anomaly detection; signature-based detection would have identified the encrypted exfiltration channel.
C.The network IDS cannot process traffic at the required throughput; a higher-capacity IDS would have detected the activity.
D.Encrypted traffic cannot be inspected by a network IDS without SSL/TLS interception; a host-based IDS on the source machine could detect the file access and process behavior before encryption.
Question 7 of 10
✎ Predict first: Which systems generate security-relevant logs worth feeding into a SIEM?
A security architect is determining which log sources to feed into a new SIEM deployment. Which of the following would provide the most security value as SIEM data sources?
I. Firewall and perimeter device logs (allow/deny decisions, connection metadata)
II. Application performance monitoring (APM) metrics (CPU, memory, response time)
III. Authentication and identity provider logs (login events, MFA results, privilege changes)
I. Firewall and perimeter device logs (allow/deny decisions, connection metadata)
II. Application performance monitoring (APM) metrics (CPU, memory, response time)
III. Authentication and identity provider logs (login events, MFA results, privilege changes)
A.I and III only
B.II and III only
C.I and II only
D.I, II, and III
Question 8 of 10
✎ Predict first: If an IDS has not been updated, what kinds of attacks can it NOT detect?
An organization’s network IDS has not received a signature update in 8 months. The security team believes it is still fully protective because it has not generated any critical alerts. A penetration tester uses a recently published exploit (released 3 months ago) against an internal web server and gains access without triggering any IDS alert.
Which of the following best identifies the configuration failure demonstrated here?
Which of the following best identifies the configuration failure demonstrated here?
A.The IDS is deployed on a SPAN port and cannot block traffic; it should be replaced with an IPS.
B.Signature-based IDS can only detect attacks with matching signatures; outdated signatures create a detection blind spot for newer exploits.
C.The absence of critical alerts indicates the IDS is functioning correctly; the penetration test used a technique designed to evade all IDS systems.
D.The web server’s traffic is encrypted, preventing the IDS from analyzing the exploit payload.
Question 9 of 10
✎ Predict first: An inline IPS sits in the traffic path. What are the risks of that placement?
Which of the following are valid concerns about deploying an IPS in inline mode?
I. If the IPS fails, it may become a single point of failure and take down the network segment it protects.
II. An IPS introduces latency because all traffic must be inspected before forwarding.
III. An IPS with poorly tuned rules may block legitimate business traffic, causing operational disruption.
I. If the IPS fails, it may become a single point of failure and take down the network segment it protects.
II. An IPS introduces latency because all traffic must be inspected before forwarding.
III. An IPS with poorly tuned rules may block legitimate business traffic, causing operational disruption.
A.I only
B.II only
C.I, II, and III
D.I and III only
Question 10 of 10
✎ Predict first: If analysts are overwhelmed with alerts, what happens to the serious ones?
A SIEM generates an average of 20,000 alerts per day. The SOC has 4 analysts who can each thoroughly investigate 15 alerts per shift. The SIEM’s correlation rules have not been reviewed or tuned in 14 months. An analyst discovers that a confirmed APT breach (which began 6 days ago) was detected by the SIEM on day 1 but was never investigated.
This scenario is best described as a consequence of which security problem?
This scenario is best described as a consequence of which security problem?
A.Signature drift — outdated detection rules that no longer match current attack techniques
B.Single point of failure — over-reliance on the SIEM as the sole detection mechanism
C.False negative rate — the SIEM failed to detect the attack in its initial stage
D.Alert fatigue — excessive alert volume causes analysts to miss or skip legitimate high-priority detections
0 / 10
IDS, IPS & SIEM Quiz Score
Complete all 10 questions to see your result.
AP Cybersecurity · Unit 3 · Lesson 3.5 · Quiz
Get in Touch
Whether you're a student, parent, or teacher — I'd love to hear from you.
Just want free AP CS resources?
Enter your email below and check the subscribe box — no message needed. Students get daily practice questions and study tips. Teachers get curriculum resources and teaching strategies.
Typically responds within 24 hours
✓
Message Sent!
Thanks for reaching out. I'll get back to you within 24 hours.
Prefer email? Reach me directly at [email protected]