Which of the following would be a Computed Indicator?

Study for the SANS Advanced Incident Response, Threat Hunting, and Digital Forensics (FOR508) Test. Prepare with comprehensive materials, flashcards, and multiple choice questions with hints and explanations. Ace your exam with confidence!

Multiple Choice

Which of the following would be a Computed Indicator?

Explanation:
A Computed Indicator is a value produced by applying a calculation to raw data, creating a fingerprint or derived attribute that helps identify artifacts across systems. The hash of a malicious file fits this idea perfectly because you generate it by computing a cryptographic hash over the file’s contents, yielding a fixed, reproducible string that uniquely represents that exact file. This fingerprint can be used to detect or block the same file on other systems, regardless of its name or location.

The other options aren’t computed indicators in the same sense. An IP address is an observed attribute seen in traffic—useful for correlation, but it’s a direct artifact rather than something produced by processing data. Email addresses are similar identifiers observed directly in logs. Decoded data in a custom C2 protocol is data obtained after extracting or decoding payload content; while it reveals the commands, it’s not a calculated fingerprint like a hash, and it can vary with the encoding/structure of the protocol.
