SecurityX CAS-005 · Domain 3 of 4

Security Operations

The third domain (22% of the exam) covers SIEM/SOAR configuration, vulnerability management, incident response phases, digital forensics, and threat hunting with MITRE ATT&CK.

Exam weight: 22%
Concept areas: 4
Flashcards: 12
Quiz questions: 8

What Domain 3 Covers

At 22%, Security Operations tests your ability to detect, investigate, and respond to threats. This includes building detection rules in SIEM, prioritizing vulnerability remediation, executing incident response procedures, and proactively hunting threats using adversary behavior frameworks.

Objective A: Configure & Tune SIEM/SOAR
Build detection rules, tune baselines, automate response playbooks.

Objective B: Manage Vulnerability Programs
Prioritize with CVSS/EPSS, integrate SCA and SBoM.

Objective C: Conduct IR & Threat Hunting
Execute PICERL phases, collect forensic evidence, hunt with MITRE ATT&CK.

Key terms: SIEM, SOAR, PICERL, MITRE ATT&CK, IoC / IoA, CVSS / EPSS, Memory Forensics, STIX / TAXII

💡 Exam focus: PICERL order is a guaranteed question. Know volatile vs non-volatile evidence collection order. Understand the IoC vs IoA distinction — reactive artifact vs proactive behavior pattern.

Key Concept Areas

Four areas cover the full Domain 3 objective set.

1. SIEM Configuration & Monitoring
Log Ingestion & Processing
  • Log sources — Windows Event Logs, Syslog, NetFlow, cloud audit logs, EDR telemetry.
  • Normalization — converting logs to a common schema for correlation across diverse sources.
  • Correlation rules — detecting patterns across multiple sources (e.g., failed logins + success from new IP = credential stuffing).
  • Baseline building — establishing normal behavior per user, device, and network segment.
  • Alert tuning — reducing false positives by refining thresholds and adding contextual enrichment.
SOAR Automation
  • SOAR — automates playbooks triggered by SIEM alerts; integrates ticketing, threat intel, and response actions.
💡 Study tip: Know the SIEM use case flow: log ingestion → normalization → correlation → alerting → SOAR playbook → ticket.
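The correlation rule described above (failed logins followed by a success from an IP the account has never used), written out as a minimal detection over normalized auth events. This is an added example, not FlashGenius code or any SIEM vendor's rule syntax; the event schema, the three-failure threshold, the five-minute window and the log lines themselves are constructed for the illustration.

```python
"""Constructed example: a SIEM-style correlation rule for the
"N failed logins, then success from a new source IP" pattern.
Schema, thresholds and sample events are assumptions for the example."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed auth events, already normalized to one schema:
# (timestamp, user, source_ip, outcome)
EVENTS = [
    ("2024-05-01T09:00:00", "alice", "10.0.0.5",    "success"),  # baseline IP
    ("2024-05-01T09:30:00", "alice", "10.0.0.5",    "success"),
    ("2024-05-01T10:00:00", "bob",   "10.0.0.7",    "success"),
    ("2024-05-01T11:00:00", "alice", "203.0.113.9", "failure"),
    ("2024-05-01T11:00:05", "alice", "203.0.113.9", "failure"),
    ("2024-05-01T11:00:10", "alice", "203.0.113.9", "failure"),
    ("2024-05-01T11:00:20", "alice", "203.0.113.9", "success"),  # never-seen IP
    ("2024-05-01T11:05:00", "bob",   "10.0.0.7",    "failure"),
    ("2024-05-01T11:05:03", "bob",   "10.0.0.7",    "success"),  # known IP, 1 failure
]

FAIL_THRESHOLD = 3              # assumed tuning value
WINDOW = timedelta(minutes=5)   # assumed correlation window


def correlate(events, fail_threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return alerts as (user, ip, failures_in_window) tuples.

    Fires only when BOTH conditions hold on a successful login:
      * at least `fail_threshold` failures for that user inside `window`, and
      * the success comes from an IP not seen on any earlier success
        (the per-user baseline).
    """
    events = sorted(events, key=lambda e: e[0])   # ISO-8601 strings sort correctly
    recent_failures = defaultdict(deque)           # user -> timestamps of failures
    known_ips = defaultdict(set)                   # user -> IPs seen on prior successes
    alerts = []
    for ts_str, user, ip, outcome in events:
        ts = datetime.fromisoformat(ts_str)
        fails = recent_failures[user]
        while fails and ts - fails[0] > window:    # drop failures outside the window
            fails.popleft()
        if outcome == "failure":
            fails.append(ts)
            continue
        if len(fails) >= fail_threshold and ip not in known_ips[user]:
            alerts.append((user, ip, len(fails)))
        known_ips[user].add(ip)                    # successes extend the baseline
        fails.clear()                              # a success closes the sequence
    return alerts


if __name__ == "__main__":
    for user, ip, n in correlate(EVENTS):
        print(f"ALERT credential-stuffing pattern: user={user} ip={ip} failures={n}")
```

Bob's single failure from a known IP does not fire, which is the tuning point from the notes: the threshold and the baseline enrichment together keep the rule from alerting on an ordinary mistyped password.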
2. Vulnerability Management
Scoring & Prioritization
  • CVSS — 0-10 score measuring base, temporal, and environmental factors of a vulnerability.
  • EPSS — probability a CVE will be exploited within 30 days. Use alongside CVSS for risk-based prioritization.
  • SCA in VM — identifying vulnerable third-party dependencies, tied to SBoM.
  • SBoM in VM — using bill of materials to track where vulnerable components are deployed across the environment.
  • Patch priority — internet-facing systems, critical assets, CISA Known Exploited Vulnerabilities (KEV) catalog first.
💡 Study tip: CVSS measures severity; EPSS measures exploitation probability. High CVSS + high EPSS on internet-facing system = highest priority.
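The prioritization rule from the notes (KEV first, then high CVSS plus high EPSS on internet-facing systems, then critical assets) as a small ranking function. This is an added example and not CompTIA, CISA or FlashGenius material; the finding IDs are placeholders rather than real CVEs, and the tier policy and the 7.0 / 0.10 thresholds are assumptions chosen to illustrate the ordering.

```python
"""Constructed example: risk-based patch prioritization combining CVSS,
EPSS, exposure and CISA KEV membership. Tiering policy, thresholds and
findings are assumptions; IDs are placeholders, not real CVEs."""

# Constructed scanner findings after enrichment with asset context.
FINDINGS = [
    {"id": "VULN-A", "asset": "web-proxy", "cvss": 9.8, "epss": 0.920,
     "internet_facing": True,  "critical_asset": False, "in_kev": False},
    {"id": "VULN-B", "asset": "hr-db",     "cvss": 8.1, "epss": 0.030,
     "internet_facing": False, "critical_asset": True,  "in_kev": False},
    {"id": "VULN-C", "asset": "kiosk-12",  "cvss": 6.5, "epss": 0.010,
     "internet_facing": False, "critical_asset": False, "in_kev": True},
    {"id": "VULN-D", "asset": "dev-vm",    "cvss": 5.3, "epss": 0.005,
     "internet_facing": False, "critical_asset": False, "in_kev": False},
    {"id": "VULN-E", "asset": "vpn-gw",    "cvss": 7.5, "epss": 0.400,
     "internet_facing": True,  "critical_asset": False, "in_kev": False},
]

HIGH_CVSS = 7.0   # assumed: lower bound of CVSS "High"
HIGH_EPSS = 0.10  # assumed: 10% 30-day exploitation probability


def tier(f):
    """Remediation tier, 1 = patch first. The policy is an assumption that
    mirrors the study notes: KEV, then reachable + severe + likely exploited,
    then severe on critical assets, then anything severe or likely exploited."""
    if f["in_kev"]:
        return 1
    if f["internet_facing"] and f["cvss"] >= HIGH_CVSS and f["epss"] >= HIGH_EPSS:
        return 1
    if f["critical_asset"] and f["cvss"] >= HIGH_CVSS:
        return 2
    if f["cvss"] >= HIGH_CVSS or f["epss"] >= HIGH_EPSS:
        return 3
    return 4


def prioritize(findings):
    """Finding IDs ordered by tier, then by CVSS x EPSS (severity weighted
    by likelihood) descending within a tier."""
    ranked = sorted(findings, key=lambda f: (tier(f), -f["cvss"] * f["epss"]))
    return [f["id"] for f in ranked]


def cvss_only(findings):
    """Severity-only ordering, kept for comparison with the risk-based one."""
    return [f["id"] for f in sorted(findings, key=lambda f: -f["cvss"])]


if __name__ == "__main__":
    print("risk-based:", prioritize(FINDINGS))
    print("cvss-only: ", cvss_only(FINDINGS))
```

The comparison is the teaching point: a CVSS-only queue puts the KEV-listed kiosk finding (6.5) fourth, while the risk-based queue moves it into the first tier because it is known to be exploited, and it drops the HR database finding below the VPN gateway despite its higher base score, because the gateway is internet-facing with a much higher EPSS.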
3. Incident Response & Digital Forensics
PICERL Phases
  • Preparation → Identification → Containment → Eradication → Recovery → Lessons Learned
  • Containment must always precede eradication.
Digital Forensics
  • Evidence collection order — volatile first (memory, running processes, network connections) before powering down.
  • Chain of custody — documented evidence handling ensuring admissibility and integrity.
  • Memory forensics — capturing RAM to analyze running processes, injected code, network connections, decrypted secrets (Volatility, WinPmem).
  • Disk forensics — image with write blockers; never work on originals.
  • Malware analysis — static (strings, PE headers, YARA) vs dynamic (sandbox, behavioral).
💡 Study tip: PICERL order is always tested. Containment must precede eradication. Volatile data collection must precede shutdown.
4. Threat Intelligence & Threat Hunting
Intelligence Types
  • IoC — artifact evidence an attack occurred (file hashes, malicious IPs, domain names). Reactive.
  • IoA — behavioral evidence an attack is in progress (unusual process execution, lateral movement). Proactive.
  • MITRE ATT&CK — knowledge base of adversary TTPs. Used for detection rule development, gap analysis, hunting hypotheses.
  • CTI levels — Strategic (exec trends), Operational (campaign details), Tactical (specific IoCs/TTPs).
Threat Hunting
  • Threat hunting — proactive search without specific trigger. Hypothesis-driven (TTP-based) or IoC-driven (artifact-based).
  • STIX — standard format for threat intel; TAXII — transport protocol for sharing STIX data.
💡 Study tip: IoC = artifact/evidence (reactive). IoA = behavior/pattern (proactive). MITRE ATT&CK maps attacker behavior — learn to read it.

Flashcards

12 terms covering Domain 3's operations, forensics, and threat intelligence concepts.
