SANS Advanced Incident Response, Threat Hunting, and Digital Forensics (FOR508) Practice Test 2026 - Free Practice Questions and Study Guide


What is an Indicator of Compromise (IOC) primarily used to describe?

Attacker tools and tradecraft, described in a precise language that both humans and security tools can understand, often including Boolean expressions to identify malware.

Indicators of Compromise are observable artifacts that suggest a system may have been breached. They are described in a precise, standardized way so that analysts and automated tools can act on them: attacker tools and tradecraft are expressed in a language both humans and security systems can read, and Boolean logic combines individual indicators so that a detection fires on a meaningful combination rather than on any one weak observable. Typical indicators include malware file hashes, IP addresses, domain names, file names, mutexes and registry changes; formats such as OpenIOC and YARA let these be combined into rules that are used to build detections and hunt for threats.

The other options don’t fit because they describe metrics or artifacts that aren’t indicators of compromise: network bandwidth statistics are general network metrics, a timeline is a sequence of events, and an incident report template is documentation.

Network bandwidth usage statistics during an attack

The timeline of an attack

A general incident report template
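To make the "precise language plus Boolean expressions" point concrete, here is an added example (not part of the practice test or of any SANS course material) of a minimal OpenIOC-style evaluator. The indicator type names follow OpenIOC conventions, but every value (the hash, the mutex name, the domain, the paths) and both host artifact sets are constructed for illustration. The point it demonstrates is why the Boolean structure matters: a common file name such as svchost.exe is not an indicator on its own, but combined with an unusual path it becomes one, while a unique hash fires by itself.

```python
"""Minimal IOC evaluator in the spirit of OpenIOC.

Atomic indicators (type, value) are combined with AND/OR nodes and matched
against the artifacts observed on a host. Example code added for illustration;
all indicator values and host data below are constructed, not real.
"""
from __future__ import annotations

# Constructed IOC: OpenIOC-style type names, invented values.
IOC_SAMPLE: dict = {
    "op": "or",
    "items": [
        # A unique hash is strong enough to fire on its own.
        {"type": "FileItem/Md5sum",
         "value": "0123456789abcdef0123456789abcdef"},          # placeholder hash
        # A common name only counts together with a non-standard location.
        {"op": "and", "items": [
            {"type": "FileItem/FileName", "value": "svchost.exe"},
            {"type": "FileItem/FilePath",
             "value": r"C:\Users\Public\svchost.exe"},          # not System32
        ]},
        # Malware runtime artifacts: a named mutex plus its C2 domain.
        {"op": "and", "items": [
            {"type": "ProcessItem/HandleList/Handle/Name",
             "value": r"Global\Example_Mutex_0001"},            # placeholder mutex
            {"type": "Network/DNS", "value": "updates.example-c2.invalid"},
        ]},
    ],
}

# Constructed host observations, keyed by artifact type.
HOST_CLEAN: dict[str, set[str]] = {
    "FileItem/FileName": {"svchost.exe", "explorer.exe"},
    "FileItem/FilePath": {r"C:\Windows\System32\svchost.exe", r"C:\Windows\explorer.exe"},
    "FileItem/Md5sum": {"ffffffffffffffffffffffffffffffff"},
    "ProcessItem/HandleList/Handle/Name": {r"Global\NormalMutex"},
    "Network/DNS": {"www.example.com"},
}

HOST_SUSPECT: dict[str, set[str]] = {
    "FileItem/FileName": {"svchost.exe", "explorer.exe"},
    "FileItem/FilePath": {r"C:\Windows\System32\svchost.exe", r"C:\Users\Public\svchost.exe"},
    "FileItem/Md5sum": {"ffffffffffffffffffffffffffffffff"},
    # Deliberately odd casing: Windows names and DNS labels are case-insensitive.
    "ProcessItem/HandleList/Handle/Name": {r"Global\NormalMutex", r"global\example_mutex_0001"},
    "Network/DNS": {"www.example.com", "UPDATES.EXAMPLE-C2.INVALID"},
}


def _norm(value: str) -> str:
    """Case-fold so hashes, Windows paths and DNS names compare predictably."""
    return value.strip().lower()


def evaluate(node: dict, host: dict[str, set[str]]) -> tuple[bool, list[tuple[str, str]]]:
    """Evaluate an IOC node against observed host artifacts.

    Returns (matched, hits); hits lists the atomic (type, value) pairs that
    actually contributed to the match, so the analyst can see what fired.
    """
    if "op" not in node:  # atomic indicator
        observed = {_norm(v) for v in host.get(node["type"], ())}
        hit = _norm(node["value"]) in observed
        return hit, ([(node["type"], node["value"])] if hit else [])

    results = [evaluate(child, host) for child in node["items"]]
    if node["op"] == "and":
        matched = all(m for m, _ in results)
        hits = [h for _, sub in results for h in sub] if matched else []
    elif node["op"] == "or":
        matched = any(m for m, _ in results)
        hits = [h for m, sub in results if m for h in sub]
    else:
        raise ValueError(f"unknown operator {node['op']!r}")
    return matched, hits


def ioc_to_text(node: dict) -> str:
    """Render the IOC as a human-readable Boolean expression."""
    if "op" not in node:
        return f'{node["type"]} is "{node["value"]}"'
    joiner = f" {node['op'].upper()} "
    return "(" + joiner.join(ioc_to_text(c) for c in node["items"]) + ")"


if __name__ == "__main__":
    print(ioc_to_text(IOC_SAMPLE))
    for name, host in (("clean", HOST_CLEAN), ("suspect", HOST_SUSPECT)):
        matched, hits = evaluate(IOC_SAMPLE, host)
        print(f"{name}: matched={matched} hits={hits}")
```

On the clean host the evaluator sees svchost.exe but, because the AND branch also requires the Public-folder path, nothing fires; on the suspect host both the path branch and the mutex-plus-domain branch match, and the returned hits tell the responder which artifacts to pivot on next. The same Boolean structure is what an OpenIOC document or a YARA condition encodes in a form that both a human and a scanner can read.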
