Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

CAS-004 Practice Questions: Objective 2.0, Security Operations

Use this page to practise Security Operations questions for this certification. Focus on how the exam tests security operations in scenario format — understanding the why behind each answer builds more durable knowledge than memorising options.


What this objective tests

CAS-004 Security Operations — Key Topics

Security Operations questions on this certification test your ability to deploy and manage security operations concepts in scenario-based situations.

  • Core Security Operations concepts and how they apply in real-world cloud scenarios.
  • How to deploy security operations correctly and verify the outcome.
  • Troubleshooting security operations issues by interpreting error output and system state.
  • Cloud best practices and Security Operations design trade-offs tested by this certification.

Common exam traps

Where candidates lose marks on Security Operations

  • Selecting the most expensive service when a simpler managed option meets the requirement.
  • Forgetting that cloud resources must be explicitly secured — defaults are rarely secure.
  • Choosing a global service fix when the issue is region-specific.
  • Overlooking cost implications of cross-region data transfer in architecture questions.

CAS-004 Security Operations — Practice Questions

30 questions from this objective

Question 2 (easy, multiple choice)

A security analyst receives an alert indicating an internal host is sending outbound traffic on TCP port 25 to multiple external IP addresses. Which action should the analyst take first to investigate potential data exfiltration?

Question 3 (medium, multiple choice)

A SOC analyst is reviewing a large volume of failed login attempts across multiple user accounts from a single external IP address. The attempts use common usernames and passwords over SSH (port 22). Which security control would be most effective at preventing this type of attack?

Question 4 (hard, multiple choice)

An organization deploys a new web application that stores sensitive data in a backend database. During a penetration test, the tester discovers that the application is vulnerable to SQL injection via a search field. Which of the following design changes would best mitigate this vulnerability without significantly impacting functionality?

Question 5 (medium, multiple choice)

A security engineer is configuring a SIEM and wants to reduce false positives while ensuring that real attacks are detected. Which of the following approaches would best achieve this balance?

Question 6 (easy, multiple choice)

During a security incident, a forensic investigator needs to capture the contents of volatile memory on a compromised server. Which of the following tools should the investigator use?

Question 7 (medium, multi select)

Which TWO of the following are best practices for securing a cloud-based identity and access management (IAM) system? (Select exactly 2.)

Question 8 (hard, multi select)

Which THREE of the following are effective techniques for detecting advanced persistent threats (APTs) within a network? (Select exactly 3.)

Question 9 (hard, multiple choice)

A security analyst reviews the Windows security events in the exhibit, collected from a domain controller. What is the most likely conclusion about the activity?

Exhibit:

```
Event: 4625 (An account failed to log on)
Account Name: Administrator
Source Network Address: 10.10.10.50
Logon Type: 3 (Network)
Status: 0xC000006D (bad username or password)

Event: 4624 (An account was successfully logged on)
Account Name: jsmith
Source Network Address: 10.10.10.50
Logon Type: 2 (Interactive)

Event: 4672 (Special privileges assigned to new logon)
Account Name: jsmith
Privileges: SeTcbPrivilege, SeDebugPrivilege

Event: 5140 (A network share object was accessed)
Account Name: jsmith$
Accesses: WriteData (or AddFile)
Share Name: \\*\C$
```

Question 10 (medium, multiple choice)

A cloud security engineer reviews the S3 bucket policy in the exhibit. Which of the following is the most significant security concern?

Exhibit:

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::bucket123/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "203.0.113.0/24"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::bucket123/*",
      "Principal": "*"
    }
  ]
}
```

Question 11 (medium, multiple choice)

A security analyst notices repeated failed login attempts from a single IP address across multiple user accounts. Which of the following is the BEST immediate action to mitigate this attack?

Question 12 (hard, multiple choice)

A SOC analyst is reviewing an alert about a suspicious process execution on a critical server. The alert shows that cmd.exe spawned from Microsoft Word. Which of the following is the BEST next step for the analyst?

Question 13 (easy, multiple choice)

An organization wants to implement a solution that automatically detects and blocks malicious traffic based on known signatures and behavioral anomalies. Which of the following should be deployed?

Question 14 (hard, multiple choice)

A security engineer needs to design a solution to detect and respond to insider threats involving unauthorized data exfiltration via USB devices. Which of the following is the MOST effective approach?

Question 15 (medium, multi select)

A security analyst is investigating a potential data breach. The logs show that an attacker used a compromised service account to access sensitive files on a file server. Which TWO actions should the analyst take FIRST to contain the incident? (Choose TWO.)

Question 16 (hard, multiple choice)

A large enterprise has deployed a security information and event management (SIEM) system that ingests logs from all critical servers, network devices, and endpoints. The SIEM is configured to correlate events and generate alerts for suspicious activities. Recently, the SOC team has been overwhelmed by a high volume of false positive alerts, particularly from the web server farm. The false positives are mainly triggered by legitimate web crawling and scanning activities from partners and internal tools. The SOC manager wants to reduce false positives without missing real threats. As the security architect, you are asked to recommend a solution. Which of the following is the BEST course of action?

Question 17 (medium, multiple choice)

A small business runs its critical line-of-business application on a single Windows server located in a local data center. The server is accessed by employees remotely via RDP over a VPN. Recently, the server has been experiencing slow performance, and the administrator notices high CPU usage from a process named 'svchost.exe'. The administrator suspects malware but is not sure. The business has no security tools beyond Windows Defender. Management wants to minimize downtime and ensure the server is back to full operation as soon as possible. Which of the following is the BEST course of action for the administrator to take first?

Question 18 (easy, multi select)

Which TWO of the following are key components of a successful incident response plan according to NIST SP 800-61?

Question 19 (hard, multiple choice)

Based on the exhibit, which type of attack is most likely occurring?

Exhibit:

```
Jul 15 10:23:45 server1 authpriv: sudo: pam_unix(sudo:auth): authentication failure; logname= uid=0 euid=0 tty=/dev/pts/2 ruser=root rhost=  user=admin
Jul 15 10:23:47 server1 authpriv: sudo: pam_unix(sudo:auth): authentication failure; logname= uid=0 euid=0 tty=/dev/pts/2 ruser=root rhost=  user=root
Jul 15 10:23:49 server1 authpriv: sudo: pam_unix(sudo:auth): authentication failure; logname= uid=0 euid=0 tty=/dev/pts/2 ruser=root rhost=  user=root
Jul 15 10:23:51 server1 authpriv: sudo: pam_unix(sudo:auth): authentication failure; logname= uid=0 euid=0 tty=/dev/pts/2 ruser=root rhost=  user=root
Jul 15 10:23:53 server1 authpriv: sudo: pam_unix(sudo:auth): authentication failure; logname= uid=0 euid=0 tty=/dev/pts/2 ruser=root rhost=  user=root
Jul 15 10:23:55 server1 authpriv: sudo: pam_unix(sudo:auth): authentication failure; logname= uid=0 euid=0 tty=/dev/pts/2 ruser=root rhost=  user=root
Jul 15 10:23:57 server1 authpriv: sudo: pam_unix(sudo:auth): authentication failure; logname= uid=0 euid=0 tty=/dev/pts/2 ruser=root rhost=  user=root
Jul 15 10:24:00 server1 authpriv: sudo: pam_unix(sudo:auth): authentication failure; logname= uid=0 euid=0 tty=/dev/pts/2 ruser=root rhost=  user=root
```

Question 20 (medium, multiple choice)

A security analyst at a financial institution is investigating a potential data exfiltration incident. The organization uses a zero-trust network architecture with micro-segmentation. The analyst notices that a database server with sensitive customer financial data has been communicating with an external IP address (198.51.100.45) over port 443 during non-business hours. The database server is not supposed to initiate outbound connections; all outbound traffic is logged and blocked by default except for specific allowlisted IPs and ports. The analyst reviews the firewall logs and finds that the outbound connection to 198.51.100.45 was allowed because the source port was 443, which is an allowed port for inbound HTTPS traffic. The database server is not a web server and does not run any HTTPS services. Which of the following is the best course of action for the analyst to take first?

Question 21 (medium, drag order)

Drag and drop the steps to set up a SIEM alert for a failed login threshold into the correct order.

Question 22 (medium, matching)

Match each security tier or model to its description.

Descriptions to match:

  • Highest privilege assets like domain controllers
  • Server and application administration
  • User workstations and devices
  • Separates admin accounts by sensitivity
  • Never trust, always verify

Question 23 (easy, multiple choice)

A security analyst observes anomalous outbound network traffic from a server that normally only performs internal functions. According to the incident response plan, what should the analyst do first?

Question 24 (medium, multiple choice)

A company wants to reduce the mean time to detect (MTTD) for security incidents. Which technology is most effective for this purpose?

Question 25 (hard, multiple choice)

During a ransomware incident, the organization discovers that all production backups have been encrypted by the attacker. What is the most effective recovery approach?

Question 26 (easy, multiple choice)

A forensic analyst needs to collect volatile data from a live Windows system. In which order should the analyst collect the following data? (Order of volatility)

Question 27 (medium, multiple choice)

A SOC manager is considering implementing a SOAR platform. Which is the primary benefit of SOAR in day-to-day operations?

Question 28 (hard, multiple choice)

After containing a confirmed security incident, the incident response team must plan for eradication. What must be done before eradication begins?

Question 29 (easy, multiple choice)

A SOC analyst is investigating a potential lateral movement within the network. Which log source is most critical for detecting lateral movement using pass-the-hash or pass-the-ticket attacks?

Question 30 (medium, multiple choice)

A threat hunter hypothesizes that a sophisticated attacker is using DNS tunneling for command and control. Which data source would most likely confirm this activity?

Question 31 (hard, multiple choice)

During a forensic investigation, the examiner discovers that the chain of custody documentation was not properly maintained for a critical hard drive. What is the most likely consequence?

More Security Operations questions available in the full practice test.
