Exercise 1: Predict-First Detection MCQs
Predict-First Detection MCQs
Eight questions on detection fundamentals from Lesson 5.6. For each question, predict your answer before looking at the options — that habit is what turns multiple-choice AP questions from gambles into scoring opportunities. After you answer, read the feedback on every option, not just the correct one: knowing why the distractors are wrong is half the point.
A developer adds the following logging line to an authentication endpoint so the SOC can investigate failed logins. Assume the logger ships to a centralized SIEM that is read by multiple teams, including contractors.logger.info("auth_failure: user=%s submitted=%s from=%s", user_email, submitted_password, source_ip)
The code is reviewed before merge. Which single change is the primary fix?
An incident response team is evaluating its detection program. Consider the following three claims about MTTD (mean time to detect) and MTTR (mean time to respond):
I. A program with low MTTD and high MTTR can still produce long dwell times.
II. Reducing MTTR requires a written playbook more than it requires new tooling.
III. False positive rate does not affect MTTD as long as analysts triage every alert.
Which of the statements is/are correct?
A SIEM engineer is onboarding a new application. The application emits logs in free-form syslog like this:<134>1 2026-04-18T14:23:09Z web-01 app 2847 - - User alice.nguyen logged in successfully from 198.51.100.42 after 2 MFA attempts
Version 2 of the application is about to ship. The vendor offers to change the log output to either (a) the same free-form text with slightly reworded messages, or (b) structured JSON with named fields for user, source_ip, outcome, and mfa_attempt_count. Which recommendation is correct?
A forensic investigator reviewing a breach sees the following sequence in correlated SIEM data. Clocks on each host are local-timezone and NOT synchronized via NTP:web-01 (US-East, local): 14:03:12 privilege_escalation user=alice
auth-srv (UTC): 18:01:47 auth_success user=alice source=new-device
auth-srv (UTC): 18:03:12 mfa_bypass_detected user=alice
Which statement about this evidence is correct?
A SIEM engineer writes the following correlation rule to detect brute-force login attempts:SELECT source_ip, COUNT(*) AS attempts
FROM auth_events
WHERE timestamp > NOW() - INTERVAL '5 minutes'
GROUP BY source_ip
HAVING COUNT(*) >= 10;
Three weeks later, the SOC reports that a credential-stuffing campaign was missed despite producing over 8,000 failed logins in 30 minutes. The rule was functioning correctly. Which single change would have caught this campaign?
A SOC is choosing which threat-intelligence signals to invest engineering time in. Consider these three detection investments:
I. Block a list of 50,000 known-bad IP addresses updated nightly from a threat feed.
II. Match file hashes against a database of malware samples from the last 180 days.
III. Alert whenever Microsoft Word spawns PowerShell with an encoded command argument.
Ranked from least to most painful for a determined attacker to evade, the correct order is:
An attacker phishes an administrator's session cookie via info-stealer malware, replays the stolen cookie, and authenticates to the admin console from a VPS in another country. MFA is configured on the account but the cookie skips the MFA challenge because the session is "already authenticated." The SIEM has correct data flowing from the identity provider, the web application, and the cloud provider.
Which detection would have caught this scenario while the attacker still had the session active?
The SOC is building detections for log-integrity attacks — cases where an attacker who gained root on a host attempts to cover their tracks by deleting or modifying local logs. Each of the following controls helps defend against post-breach log tampering EXCEPT:
Get in Touch
Whether you're a student, parent, or teacher — I'd love to hear from you.
Just want free AP CS resources?
Enter your email below and check the subscribe box — no message needed. Students get daily practice questions and study tips. Teachers get curriculum resources and teaching strategies.
Message Sent!
Thanks for reaching out. I'll get back to you within 24 hours.
Prefer email? Reach me directly at [email protected]