🚨 Detection, Analysis & Response - CBRCOR Practice Questions

Learn SIEM tuning, correlation rules, playbook development, SOAR, orchestration, and automated response for security operations.

9 Questions Available
1 Exam Domain


CBRCOR Detection & Response Question Bank (9 Questions)

Browse all 9 practice questions covering Detection, Analysis & Response for the CBRCOR certification exam. Each question includes the full answer and a detailed explanation to help you understand the concepts.

  1. Question 1 (Automation)

    What does a SOAR (Security Orchestration, Automation, and Response) platform provide?

    A. Network device configuration
    B. Automated playbooks for incident response, case management, and orchestration of security tools
    C. Antivirus scanning only
    D. Physical access control

    Correct Answer: B
    Explanation:

    SOAR platforms automate repetitive SOC tasks through playbooks (automated workflows), orchestrate multiple security tools (SIEM, firewall, EDR), manage incidents/cases, and provide metrics — reducing response time and analyst workload.

  2. Question 2 (Automation)

    What is a SOAR (Security Orchestration, Automation, and Response) platform used for?

    A. Network monitoring
    B. Automating and orchestrating security workflows, playbooks, and incident response actions
    C. Database management
    D. Application development

    Correct Answer: B
    Explanation:

    SOAR platforms automate repetitive security tasks, orchestrate tool integrations, execute response playbooks, and streamline incident management, improving SOC efficiency and response speed.

  3. Question 3 (Automation)

    How can SOAR (Security Orchestration, Automation, and Response) improve incident response?

    A. Replace all analysts
    B. Automate repetitive tasks (enrichment, containment, notification), orchestrate tool integration, and standardize response workflows
    C. Only generate reports
    D. Monitor networks only

    Correct Answer: B
    Explanation:

    SOAR automates repetitive IR tasks (IP reputation lookups, blocking, ticket creation), orchestrates multiple security tools, and executes playbooks — reducing response time and analyst fatigue.

  4. Question 4 (Automation)

    What is SOAR (Security Orchestration, Automation, and Response)?

    A. A monitoring tool
    B. A platform that integrates security tools, automates repetitive tasks, and orchestrates incident response workflows
    C. A SIEM replacement
    D. A firewall management system

    Correct Answer: B
    Explanation:

    SOAR connects security tools (SIEM, EDR, firewall, ticketing), automates repetitive tasks (enrichment, blocking, notification), and orchestrates complex response workflows — reducing MTTR and analyst fatigue.

  5. Question 5 (Automation)

    What is a SIEM correlation rule?

    A. A firewall access control list
    B. A logic rule that identifies threats by correlating multiple events across sources based on defined conditions and thresholds
    C. An encryption algorithm
    D. A network routing rule

    Correct Answer: B
    Explanation:

    SIEM correlation rules trigger alerts when specific event patterns occur across multiple log sources (e.g., 5 failed logins followed by a success from the same IP within 10 minutes). They combine events that individually seem benign but together indicate a threat.

  6. Question 6 (Automation)

    What is a security automation playbook?

    A. A physical security manual
    B. A predefined, automated workflow that executes a series of response actions when triggered by specific security events
    C. A network diagram
    D. An employee training document

    Correct Answer: B
    Explanation:

    A security playbook is an automated workflow (in SOAR or scripting) triggered by specific events. It executes predefined steps: enrich alerts with threat intel, check reputation databases, isolate endpoints, create tickets, and notify analysts.

  7. Question 7 (Processes)

    What is the difference between a playbook and a runbook in incident response?

    A. They are identical
    B. A playbook provides strategic decision guidance for an incident type; a runbook provides detailed step-by-step technical procedures
    C. Playbooks are automated; runbooks are always manual
    D. Runbooks are for management; playbooks are for analysts

    Correct Answer: B
    Explanation:

    Playbooks provide strategic-level guidance for handling incident types (decisions, escalation criteria). Runbooks provide granular, step-by-step technical procedures (specific commands, tool usage, checklists) for executing playbook actions.

  8. Question 8 (Automation)

    What is the purpose of automated playbook execution in a SOAR platform?

    A. Manual documentation
    B. Execute predefined response actions automatically when specific triggers or conditions are met
    C. Hardware provisioning
    D. User onboarding

    Correct Answer: B
    Explanation:

    Automated playbooks execute predefined sequences of actions (block IP, isolate host, create ticket, notify team) when triggered by specific alerts or conditions, ensuring rapid, consistent response.

  9. Question 9 (Automation)

    Which API standard is commonly used by SIEM and SOAR platforms for sharing threat intelligence?

    A. SOAP
    B. STIX/TAXII
    C. GraphQL
    D. gRPC

    Correct Answer: B
    Explanation:

    STIX (Structured Threat Information Expression) and TAXII (Trusted Automated Exchange of Indicator Information) are the standard formats and protocols for sharing cyber threat intelligence between platforms.

Key Detection & Response Concepts for CBRCOR

SIEM, SOAR, correlation, playbook, orchestration, automation, response

CBRCOR Detection & Response Exam Tips

Detection, Analysis & Response questions in CBRCOR are typically scenario-based. Focus on service-level decision making aligned to the official exam objectives. Priority concepts: SIEM, SOAR, correlation, playbook, orchestration, automation.

What CBRCOR Expects

  • Anchor your answer in the most practical, secure, and scalable option for the stated scenario.
  • Detection & Response scenarios for CBRCOR are frequently mapped to Domain 3 (30%), so read the objective carefully before picking controls or architecture.
  • Expect multi-service scenarios where Detection & Response interacts with IAM, networking, storage, or observability patterns rather than appearing as an isolated service question.
  • When two options are both technically valid, prefer the choice that best aligns with the exam's operational scope (Professional) and managed-service best practices.

High-Value Detection & Response Concepts

  • Know the core Detection & Response building blocks cold: SIEM, SOAR, correlation, playbook.
  • Review the edge-case features and limits of orchestration and automation; these details are commonly used to differentiate answer choices.
  • Practice service-integration reasoning: how Detection & Response pairs with Threat Analysis, Forensics & IR in real deployment patterns.
  • For CBRCOR, explain why the chosen Detection & Response design meets reliability, security, and cost expectations better than the alternatives.

Common CBRCOR Traps

  • Watch for answers that partially solve the requirement but miss operational constraints.
  • Questions in Processes often include distractors that look correct for Detection & Response but violate least-privilege, durability, or availability requirements.
  • Avoid picking options purely by feature name; validate data path, failure handling, and governance impact before answering.
  • If the prompt hints at automation or repeatability, eliminate manual-only operational answers first.

Fast Review Checklist

  • Can you compare at least two Detection & Response implementation paths and justify which one best fits the scenario?
  • Can you map the chosen answer back to Processes (30%) outcomes for CBRCOR?
  • Can you explain security and access boundaries for Detection & Response without relying on default-open assumptions?
  • Can you describe how Detection & Response integrates with Threat Analysis and Forensics & IR during failure, scaling, and monitoring events?
