CompTIA · Free Practice Questions · Last reviewed May 2026
24 exam-style questions organised by domain, each with the correct answer highlighted and a plain-English explanation of why it's right, and why the others are wrong.
A SIEM correlation rule for impossible travel is creating noise from VPN users. Which refinements should improve fidelity? (Choose two.)
Disable all identity alerts
Require a second signal such as new device, failed MFA, or mailbox rule creation
Requiring a corroborating identity anomaly before the rule fires cuts the false positives that a single noisy signal produces on its own.
Add trusted VPN egress ranges as named/known locations
Known corporate VPN egress can explain apparent travel.
Treat every VPN login as malicious
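The two refinements above, worked as detection logic: corporate VPN egress ranges are treated as a known location and skipped, and an impossible speed only becomes an alert when a second identity signal is present. This is an added example and not code from Courseiva or CompTIA; the sign-in events, the IP ranges (documentation prefixes), the coordinates and the 900 km/h threshold are all constructed assumptions.

```python
"""Impossible-travel correlation with VPN egress as a known location and a
second-signal requirement. Events, ranges and thresholds are constructed."""
import ipaddress
import math
from datetime import datetime

# Constructed: corporate VPN egress blocks. A sign-in from one of these is a
# known location and is never used as a leg of the travel calculation.
VPN_EGRESS = [ipaddress.ip_network("198.51.100.0/24"),
              ipaddress.ip_network("203.0.113.64/27")]

MAX_SPEED_KMH = 900  # assumption: faster than an airliner is "impossible"

# Constructed sign-in events; lat/lon is the geolocation the SIEM attached.
EVENTS = [
    # alice: London, then VPN egress geolocated to New York 20 minutes later
    {"user": "alice", "ts": "2026-05-01T09:00:00", "ip": "192.0.2.10", "lat": 51.50, "lon": -0.13,
     "new_device": False, "mfa_failed": False, "mailbox_rule": False},
    {"user": "alice", "ts": "2026-05-01T09:20:00", "ip": "198.51.100.7", "lat": 40.71, "lon": -74.01,
     "new_device": False, "mfa_failed": False, "mailbox_rule": False},
    # bob: Paris, then Tokyo 30 minutes later from a never-seen device
    {"user": "bob", "ts": "2026-05-01T10:00:00", "ip": "192.0.2.55", "lat": 48.86, "lon": 2.35,
     "new_device": False, "mfa_failed": False, "mailbox_rule": False},
    {"user": "bob", "ts": "2026-05-01T10:30:00", "ip": "192.0.2.99", "lat": 35.68, "lon": 139.69,
     "new_device": True, "mfa_failed": False, "mailbox_rule": False},
    # carol: the same impossible hop, but no corroborating signal
    {"user": "carol", "ts": "2026-05-01T11:00:00", "ip": "192.0.2.77", "lat": 48.86, "lon": 2.35,
     "new_device": False, "mfa_failed": False, "mailbox_rule": False},
    {"user": "carol", "ts": "2026-05-01T11:30:00", "ip": "192.0.2.78", "lat": 35.68, "lon": 139.69,
     "new_device": False, "mfa_failed": False, "mailbox_rule": False},
]


def is_known_location(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in VPN_EGRESS)


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def second_signals(ev):
    return [name for name in ("new_device", "mfa_failed", "mailbox_rule") if ev[name]]


def impossible_travel_alerts(events):
    """One alert per user whose consecutive sign-ins imply an impossible speed
    AND carry a second signal. Legs touching a known location are skipped."""
    alerts = []
    last_seen = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        prev = last_seen.get(ev["user"])
        last_seen[ev["user"]] = ev
        if prev is None or is_known_location(ev["ip"]) or is_known_location(prev["ip"]):
            continue
        hours = (datetime.fromisoformat(ev["ts"]) - datetime.fromisoformat(prev["ts"])).total_seconds() / 3600
        km = haversine_km(prev["lat"], prev["lon"], ev["lat"], ev["lon"])
        speed = math.inf if hours <= 0 else km / hours
        if speed <= MAX_SPEED_KMH:
            continue
        signals = second_signals(ev)
        if signals:  # without corroboration this stays a low-priority anomaly, not an alert
            alerts.append({"user": ev["user"], "speed_kmh": round(speed), "signals": signals})
    return alerts


if __name__ == "__main__":
    for alert in impossible_travel_alerts(EVENTS):
        print(alert)
```

Only bob produces an alert: alice's second leg comes from VPN egress and is excluded, and carol's hop is just as impossible but has nothing corroborating it, so it would be recorded as an anomaly for hunting rather than paged.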
A SOC is onboarding endpoint logs into a SIEM. Which fields are most important for process-chain investigations? (Choose three.)
Parent process name and command line
Parent context shows how execution began.
Monitor refresh rate
User and host identifiers
Identity and asset context support scoping and response.
Child process command line
Command line arguments reveal suspicious execution behaviour.
A threat hunter suspects data exfiltration over HTTPS from a database server. Which data sources are most useful? (Choose two.)
Database audit logs showing queried objects and accounts
Database logs reveal whether sensitive data was accessed before transfer.
Printer toner status
Building temperature logs
NetFlow or proxy logs showing destination, volume, and timing
Flow/proxy data establishes transfer pattern and destination.
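What "destination, volume, and timing" looks like when it is actually computed: the added example below aggregates constructed NetFlow-style records from the database server by destination, then flags external HTTPS destinations whose outbound volume dwarfs the host's usual per-destination volume. It is not Courseiva's code; the flows, addresses, internal ranges and the 10x ratio are constructed assumptions, and the flagged window is what you would then take to the database audit log.

```python
"""Per-destination outbound aggregation for one source host, with an
external-HTTPS volume outlier check. Flows and thresholds are constructed."""
import ipaddress
import statistics
from collections import defaultdict
from datetime import datetime

DB_SERVER = "10.0.5.20"

# Constructed: the organisation's internal address space.
INTERNAL = [ipaddress.ip_network("10.0.0.0/8"),
            ipaddress.ip_network("172.16.0.0/12"),
            ipaddress.ip_network("192.168.0.0/16")]

# Constructed flow records: (timestamp, src, dst, dst_port, bytes_out)
FLOWS = [
    ("2026-05-01T02:00:00", "10.0.5.20", "10.0.1.15", 5432, 22_000),        # app tier queries
    ("2026-05-01T02:05:00", "10.0.5.20", "10.0.1.15", 5432, 19_500),
    ("2026-05-01T02:10:00", "10.0.5.20", "10.0.1.15", 5432, 24_000),
    ("2026-05-01T03:00:00", "10.0.5.20", "10.0.9.9", 443, 2_000_000),       # internal patch mirror
    ("2026-05-01T02:14:00", "10.0.5.20", "203.0.113.50", 443, 150_000_000),  # five large pushes
    ("2026-05-01T02:19:00", "10.0.5.20", "203.0.113.50", 443, 150_000_000),
    ("2026-05-01T02:24:00", "10.0.5.20", "203.0.113.50", 443, 150_000_000),
    ("2026-05-01T02:29:00", "10.0.5.20", "203.0.113.50", 443, 150_000_000),
    ("2026-05-01T02:34:00", "10.0.5.20", "203.0.113.50", 443, 150_000_000),
    ("2026-05-01T02:40:00", "10.0.4.8", "203.0.113.50", 443, 900_000_000),   # another host; ignored
]


def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL)


def outbound_by_destination(flows, src):
    """Per (dst, port) totals for one source: bytes, flow count, first/last seen."""
    totals = defaultdict(lambda: {"bytes": 0, "flows": 0, "first": None, "last": None})
    for ts, s, dst, port, nbytes in flows:
        if s != src:
            continue
        t = datetime.fromisoformat(ts)
        d = totals[(dst, port)]
        d["bytes"] += nbytes
        d["flows"] += 1
        d["first"] = t if d["first"] is None or t < d["first"] else d["first"]
        d["last"] = t if d["last"] is None or t > d["last"] else d["last"]
    return totals


def exfil_candidates(flows, src, ratio=10.0):
    """External destinations on 443 receiving more than `ratio` times this host's
    median per-destination volume, with the window the transfer spanned."""
    totals = outbound_by_destination(flows, src)
    if not totals:
        return []
    median = statistics.median(d["bytes"] for d in totals.values())
    out = []
    for (dst, port), d in totals.items():
        if port == 443 and is_external(dst) and d["bytes"] > ratio * median:
            out.append({"dst": dst, "bytes": d["bytes"], "flows": d["flows"],
                        "window_minutes": int((d["last"] - d["first"]).total_seconds() // 60),
                        "first_seen": d["first"].isoformat(), "median_bytes": median})
    return sorted(out, key=lambda c: -c["bytes"])


if __name__ == "__main__":
    for c in exfil_candidates(FLOWS, DB_SERVER):
        print(c)
```

The result is a destination, a byte count and a 20-minute window starting 02:14, which is exactly the question to put to the database audit log: which account queried which objects during that window.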
A SOC wants to reduce alert fatigue without missing confirmed malicious activity. Which actions are appropriate? (Choose two.)
Suppress alerts only with documented criteria and expiry
Time-bound suppression preserves governance.
Delete noisy detections permanently without review
Route every alert directly to executives
Add enrichment such as asset criticality and threat-intel context
Enrichment helps analysts prioritize real risk.
Which signals strengthen an alert for Kerberoasting activity? (Choose two.)
Unusual volume of TGS requests for many service principals
Kerberoasting requests service tickets (Windows event ID 4769) for many service principals in a short window, classically with RC4 encryption (type 0x17) because those hashes crack fastest; a normal user touches only a handful of services.
Requests from a workstation that does not normally administer services
Abnormal source context increases suspicion.
A user changing their desktop wallpaper
Successful DHCP lease renewal
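The two signals above as scoring logic over constructed Windows 4769 events: many distinct SPNs requested by one account from one source within a short window, with severity raised when the source is not a known administrative host. This is an added example, not Courseiva's or Microsoft's code; the events, the admin-host list, the thresholds and the RC4 filter are constructed assumptions (an attacker can also request AES tickets, in which case only the volume signal remains).

```python
"""Kerberoasting candidate scoring over constructed 4769 events."""
from collections import defaultdict
from datetime import datetime

RC4_HMAC = "0x17"  # TicketEncryptionType attackers prefer; see the caveat in the lead-in

# Constructed: jump hosts whose admins legitimately touch many services.
ADMIN_HOSTS = {"10.0.0.50"}

# Constructed 4769 events; field names follow the Windows event XML.
EVENTS = [
    *[{"ts": f"2026-05-01T14:00:{s:02d}", "TargetUserName": "jdoe@CORP.LOCAL",
       "ServiceName": svc, "IpAddress": "10.0.12.34", "TicketEncryptionType": RC4_HMAC}
      for s, svc in enumerate(["MSSQLSvc/db01", "MSSQLSvc/db02", "HTTP/intranet",
                               "HTTP/reports", "svc_backup", "svc_sccm"])],
    *[{"ts": f"2026-05-01T14:05:{s:02d}", "TargetUserName": "admin.bob@CORP.LOCAL",
       "ServiceName": svc, "IpAddress": "10.0.0.50", "TicketEncryptionType": RC4_HMAC}
      for s, svc in enumerate(["MSSQLSvc/db01", "HTTP/intranet", "HTTP/reports",
                               "svc_backup", "svc_sccm", "WS-042$", "WS-043$"])],
    {"ts": "2026-05-01T14:10:00", "TargetUserName": "alice@CORP.LOCAL",
     "ServiceName": "HTTP/intranet", "IpAddress": "10.0.12.35", "TicketEncryptionType": RC4_HMAC},
]


def is_user_spn(service_name):
    """Kerberoasting targets user accounts with SPNs; computer accounts (name$)
    and krbtgt have long random passwords and are excluded from the count."""
    return not service_name.endswith("$") and service_name.lower() != "krbtgt"


def kerberoast_candidates(events, min_spns=5, window_minutes=10):
    by_source = defaultdict(list)
    for ev in events:
        if ev["TicketEncryptionType"] == RC4_HMAC and is_user_spn(ev["ServiceName"]):
            by_source[(ev["TargetUserName"], ev["IpAddress"])].append(ev)
    out = []
    for (user, ip), evs in by_source.items():
        spns = {e["ServiceName"] for e in evs}
        times = sorted(datetime.fromisoformat(e["ts"]) for e in evs)
        span_min = (times[-1] - times[0]).total_seconds() / 60
        if len(spns) >= min_spns and span_min <= window_minutes:
            # abnormal source context raises the severity; a known admin host lowers it
            severity = "medium" if ip in ADMIN_HOSTS else "high"
            out.append({"user": user, "ip": ip, "distinct_spns": len(spns),
                        "span_minutes": round(span_min, 2), "severity": severity})
    return sorted(out, key=lambda c: (c["severity"] != "high", c["user"]))


if __name__ == "__main__":
    for c in kerberoast_candidates(EVENTS):
        print(c)
```

jdoe's six RC4 requests from an ordinary workstation rank high; admin.bob's five user SPNs from a jump host are still worth a look but rank medium, and the two computer-account tickets are not counted at all.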
A detection engineer is writing a Sigma rule for suspicious rundll32 usage. Which fields should be included? (Choose two.)
Command line containing unusual DLL path or URL pattern
Command-line arguments distinguish abuse from normal use.
Desk phone extension
Laptop battery health
Image or process name matching rundll32.exe
The executed binary is central to the behaviour.
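The rundll32 rule and the process-chain fields from the endpoint-onboarding question above, worked together: a detection written in the shape of a Sigma detection block (Image and CommandLine) is evaluated against constructed Sysmon-style process-creation events, and each hit is enriched with user, host and the parent chain. This is an added example and not Courseiva's code or a published Sigma rule; the rule values, the events and the tiny matcher are constructed, and the matcher implements only the two Sigma modifiers this rule uses (endswith, contains) with an AND-only condition.

```python
"""Sigma-shaped rundll32 detection plus parent-chain reconstruction over
constructed Sysmon Event ID 1 records."""

# Mirrors the YAML a Sigma rule would carry; kept as a dict so it runs without PyYAML.
RULE = {
    "title": "Suspicious rundll32 command line",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {"Image|endswith": "\\rundll32.exe"},
        "suspicious": {"CommandLine|contains": ["http://", "https://", "\\AppData\\",
                                                "\\Temp\\", "javascript:"]},
        "condition": "selection and suspicious",
    },
}

# Constructed events; fields follow Sysmon Event ID 1 naming.
EVENTS = [
    {"ProcessId": 100, "ParentProcessId": 1, "Image": "C:\\Windows\\explorer.exe",
     "CommandLine": "explorer.exe", "User": "CORP\\alice", "Computer": "WS-042"},
    {"ProcessId": 200, "ParentProcessId": 100,
     "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "CommandLine": "\"WINWORD.EXE\" /n invoice.docx", "User": "CORP\\alice", "Computer": "WS-042"},
    {"ProcessId": 300, "ParentProcessId": 200, "Image": "C:\\Windows\\System32\\rundll32.exe",
     "CommandLine": "rundll32.exe C:\\Users\\alice\\AppData\\Local\\Temp\\upd.dll,Start",
     "User": "CORP\\alice", "Computer": "WS-042"},
    {"ProcessId": 500, "ParentProcessId": 1, "Image": "C:\\Windows\\System32\\svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs", "User": "NT AUTHORITY\\SYSTEM", "Computer": "WS-042"},
    {"ProcessId": 400, "ParentProcessId": 500, "Image": "C:\\Windows\\System32\\rundll32.exe",
     "CommandLine": "rundll32.exe shell32.dll,Control_RunDLL", "User": "CORP\\alice", "Computer": "WS-042"},
]


def field_matches(event, key, values):
    """One 'Field|modifier: value(s)' entry: a list of values is OR, matching is case-insensitive."""
    field, _, modifier = key.partition("|")
    actual = str(event.get(field, "")).lower()
    for v in (values if isinstance(values, list) else [values]):
        v = str(v).lower()
        if modifier == "endswith" and actual.endswith(v):
            return True
        if modifier == "contains" and v in actual:
            return True
        if modifier == "" and actual == v:
            return True
    return False


def selection_matches(event, selection):
    return all(field_matches(event, k, v) for k, v in selection.items())  # fields are AND


def rule_matches(event, rule):
    det = rule["detection"]
    names = [n for n in det if n != "condition"]
    if det["condition"] != " and ".join(names):
        raise NotImplementedError("this matcher handles AND-only conditions")
    return all(selection_matches(event, det[n]) for n in names)


def process_chain(events, pid):
    """Root-to-leaf list of image basenames, following ParentProcessId."""
    by_pid = {e["ProcessId"]: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid]["Image"].rsplit("\\", 1)[-1])
        pid = by_pid[pid]["ParentProcessId"]
    return list(reversed(chain))


def investigate(events, rule=RULE):
    """Rule hits enriched with the identity, asset and chain context an analyst scopes with."""
    return [{"pid": e["ProcessId"], "user": e["User"], "host": e["Computer"],
             "command_line": e["CommandLine"], "chain": process_chain(events, e["ProcessId"])}
            for e in events if rule_matches(e, rule)]


if __name__ == "__main__":
    for hit in investigate(EVENTS):
        print(hit)
```

The only hit is the rundll32 loading a DLL out of a Temp folder, and the chain explorer.exe > WINWORD.EXE > rundll32.exe tells the analyst it began with a document; the Control Panel launch from svchost matches the Image selection but not the command line and is correctly ignored.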
A vulnerability manager is prioritizing remediation. Which factors should influence risk-based priority? (Choose three.)
Internet exposure of the affected asset
External reachability increases likelihood of attack.
Alphabetical order of the CVE identifier
Known exploitation in the wild
Active exploitation increases urgency.
Business criticality of the affected service
Impact depends on the service supported by the asset.
Which conditions should push a vulnerability higher in the remediation queue? (Choose three.)
The asset supports a critical business process
Business impact increases priority.
The affected asset is internet-facing
External exposure increases attack opportunity.
Exploitation is observed in the wild
Active exploitation increases likelihood.
The CVE number is easy to remember
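The factors named in the two questions above, turned into an ordering: CVSS base score scaled by business criticality, plus bonuses for known exploitation in the wild and internet exposure, with the CVE string deliberately not an input. This is an added example and not Courseiva's code or a standard; the weights, tier cut-offs and findings are constructed assumptions that a real programme would calibrate against its own SLAs.

```python
"""Risk-based remediation ordering over constructed findings."""

# Assumed multipliers for the criticality of the business service the asset supports.
CRITICALITY_WEIGHT = {"low": 0.6, "medium": 1.0, "high": 1.3, "critical": 1.6}
KEV_BONUS = 3.0       # known exploitation in the wild (e.g. a CISA KEV listing)
EXPOSURE_BONUS = 2.0  # asset reachable from the internet

# Constructed findings; the cve field is a placeholder and never read by the scorer.
FINDINGS = [
    {"id": "A", "cve": "CVE-XXXX-0001", "cvss": 9.8, "internet_facing": False,
     "known_exploited": False, "criticality": "low"},       # isolated dev box
    {"id": "B", "cve": "CVE-XXXX-0002", "cvss": 7.5, "internet_facing": True,
     "known_exploited": True, "criticality": "critical"},   # customer-facing, exploited
    {"id": "C", "cve": "CVE-XXXX-0003", "cvss": 8.1, "internet_facing": False,
     "known_exploited": True, "criticality": "high"},
    {"id": "D", "cve": "CVE-XXXX-0004", "cvss": 5.3, "internet_facing": True,
     "known_exploited": False, "criticality": "medium"},
]


def priority_score(f):
    score = f["cvss"] * CRITICALITY_WEIGHT[f["criticality"]]
    if f["known_exploited"]:
        score += KEV_BONUS
    if f["internet_facing"]:
        score += EXPOSURE_BONUS
    return round(score, 2)


def tier(score):
    """Assumed SLA tiers: P1 fix within days, P4 next maintenance cycle."""
    if score >= 15:
        return "P1"
    if score >= 10:
        return "P2"
    if score >= 7:
        return "P3"
    return "P4"


def prioritize(findings):
    ranked = sorted(findings, key=lambda f: (-priority_score(f), f["id"]))
    return [{**f, "score": priority_score(f), "tier": tier(priority_score(f))} for f in ranked]


if __name__ == "__main__":
    for f in prioritize(FINDINGS):
        print(f["id"], f["score"], f["tier"])
```

The CVSS 9.8 on the isolated, low-criticality host ends up last; the 7.5 that is exposed, exploited and on a critical service goes first. That inversion is the point of risk-based prioritisation.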
A scanner reports a critical issue on a network device. Which steps help validate the finding before closure? (Choose two.)
Suppress all network-device findings permanently
Close it because the device is expensive
Confirm the firmware or software version on the device
Version evidence verifies whether the vulnerable build is present.
Check vendor advisory applicability and configuration requirements
Some findings depend on enabled features or specific configurations.
Which items belong in a vulnerability exception request? (Choose three.)
Business justification for delayed remediation
Justification explains why normal remediation cannot occur.
A request to remove the asset from inventory
Expiration or review date
Time limits prevent exceptions becoming permanent by default.
Compensating controls
Controls reduce risk while the vulnerability remains.
A web application DAST scan reports stored XSS. Which evidence helps confirm exploitability? (Choose two.)
Payload persists and executes when another user views the affected page
Stored execution against another user validates impact.
The vulnerable parameter and output encoding context are identified
Knowing the injection point and the HTML context the value lands in (text node, attribute, script) shows why the payload executes and which encoding would have stopped it.
The server has a large disk
The application uses HTTPS
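A simulation of the two pieces of evidence above: a comment is stored as the attacker and rendered for a second user, and the response is inspected for the payload surviving in an executable position. Two sinks with different HTML contexts show why the encoding context matters: an encoder that escapes only `<`, `>` and `&` neutralises the text-node payload but not an attribute breakout. This is an added example and not Courseiva's code; the mini application is constructed, and the string checks stand in for what a tester really does, which is to load the page in a browser as the second user and watch the payload execute.

```python
"""Stored-XSS confirmation in a constructed two-sink comment renderer."""
import html


def weak_encode(s):
    """Common legacy mistake: escapes < > & but leaves quotes alone."""
    return html.escape(s, quote=False)


def strong_encode(s):
    """Escapes quotes too, which is what a double-quoted attribute context needs."""
    return html.escape(s, quote=True)


def render_comments(comments, encode):
    """Author lands in a double-quoted attribute; body lands in a text node."""
    return "\n".join(
        f'<div class="comment" title="{encode(c["author"])}">{encode(c["body"])}</div>'
        for c in comments)


TEXT_PAYLOAD = "<script>alert(document.cookie)</script>"   # needs angle brackets
ATTR_PAYLOAD = '" onmouseover="alert(document.cookie)'     # needs only a double quote


def probe_stored_xss(encode):
    store = []  # stands in for the database the DAST finding says the payload persists in
    # 1. the attacker submits a comment carrying a payload in each field
    store.append({"author": ATTR_PAYLOAD, "body": TEXT_PAYLOAD, "by": "attacker"})
    # 2. a different user later fetches the page
    store.append({"author": "victim", "body": "hello", "by": "victim"})
    page = render_comments(store, encode)
    # 3. evidence: did the stored payload come back in an executable position?
    return {
        "persisted": any(c["by"] == "attacker" for c in store),
        "text_sink_executable": TEXT_PAYLOAD in page,        # raw <script> inside a text node
        "attr_sink_executable": '" onmouseover="' in page,   # title attribute closed, handler added
    }


if __name__ == "__main__":
    print("no encoding  ", probe_stored_xss(lambda s: s))
    print("weak encoding", probe_stored_xss(weak_encode))
    print("full encoding", probe_stored_xss(strong_encode))
```

With the weak encoder the DAST finding is still real, just not in the sink the scanner's `<script>` payload hit; recording the vulnerable parameter (author) and its context (attribute) is what makes the report actionable.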
Which pipeline controls help prevent vulnerable dependencies reaching production? (Choose two.)
SBOM generation and review for released builds
SBOMs support dependency tracking and downstream risk review.
Manual badge checks at the office door
Software composition analysis with policy gates
SCA identifies dependency CVEs before deployment.
DNS MX record rotation
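The SCA policy gate and SBOM review above as one pipeline step: a constructed CycloneDX-style SBOM is read, each component is looked up in a constructed vulnerability feed, and the build fails on any unremediated finding at or above the policy severity. Documented exceptions carry an expiry date and a compensating control, the same fields the exception-request question earlier asks for, and are honoured only while unexpired. This is an added example and not Courseiva's code or a real tool; the SBOM, the feed, the package names and the VULN-nnnn labels are all placeholders.

```python
"""SBOM-driven dependency policy gate with time-bound exceptions."""
import json
from datetime import date

# Constructed CycloneDX-like SBOM (real SBOMs carry far more metadata).
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "example-http", "version": "2.4.1", "purl": "pkg:npm/example-http@2.4.1"},
        {"type": "library", "name": "example-yaml", "version": "1.0.3", "purl": "pkg:npm/example-yaml@1.0.3"},
        {"type": "library", "name": "example-utils", "version": "5.2.0", "purl": "pkg:npm/example-utils@5.2.0"},
        {"type": "library", "name": "example-logger", "version": "3.1.0", "purl": "pkg:npm/example-logger@3.1.0"},
    ],
})

# Constructed vulnerability feed keyed by purl; the ids are placeholders, not CVEs.
FEED = {
    "pkg:npm/example-http@2.4.1":  [{"id": "VULN-0001", "severity": "critical", "fixed_in": "2.4.2"}],
    "pkg:npm/example-yaml@1.0.3":  [{"id": "VULN-0002", "severity": "high", "fixed_in": "1.1.0"}],
    "pkg:npm/example-utils@5.2.0": [{"id": "VULN-0003", "severity": "medium", "fixed_in": "5.3.0"}],
}

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

POLICY = {
    "block_at_or_above": "high",
    "exceptions": [  # documented, time-bound, with a compensating control
        {"id": "VULN-0002", "expires": "2026-12-31",
         "justification": "vulnerable parser not reachable from user input",
         "compensating_control": "schema validation in front of the parser"},
        {"id": "VULN-0001", "expires": "2026-01-31",
         "justification": "vendor fix pending",
         "compensating_control": "egress filtering"},
    ],
}


def active_exceptions(policy, today_iso):
    """Exceptions whose expiry has not passed; an expired one silently stops applying."""
    today = date.fromisoformat(today_iso)
    return {e["id"]: e for e in policy["exceptions"] if date.fromisoformat(e["expires"]) >= today}


def evaluate_sbom(sbom_json, feed, policy, today_iso):
    sbom = json.loads(sbom_json)
    threshold = SEVERITY_RANK[policy["block_at_or_above"]]
    exceptions = active_exceptions(policy, today_iso)
    blocking, excepted, advisory = [], [], []
    for comp in sbom["components"]:
        for vuln in feed.get(comp["purl"], []):
            rec = {"component": comp["purl"], **vuln}
            if SEVERITY_RANK[vuln["severity"]] < threshold:
                advisory.append(rec)             # reported, does not fail the build
            elif vuln["id"] in exceptions:
                excepted.append({**rec, "expires": exceptions[vuln["id"]]["expires"]})
            else:
                blocking.append(rec)
    return {"passed": not blocking, "blocking": blocking, "excepted": excepted, "advisory": advisory}


if __name__ == "__main__":
    print(json.dumps(evaluate_sbom(SBOM_JSON, FEED, POLICY, "2026-05-01"), indent=2))
```

Run on 1 May 2026 the gate fails: the critical finding's exception expired in January, so it is blocking again, while the high finding is still covered until December and the medium is advisory only. Run in mid-January the same build passes, which is exactly the "expiry prevents exceptions becoming permanent" behaviour.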
A host is suspected of running fileless malware. Which artefacts should be collected quickly? (Choose two.)
Memory image or live response data
Fileless activity may exist mainly in memory.
Active network connections and running processes
Live state helps reconstruct behaviour.
A list of cafeteria purchases
A printed office map
A phishing incident led to credential theft. Which containment actions are appropriate? (Choose two.)
Reset affected credentials and revoke active sessions
This cuts off stolen-session and password access.
Delete all user mailboxes
Disable DNS for the entire company indefinitely
Search for mailbox rules or OAuth grants created after compromise
Attackers often create persistence in mailbox or app permissions.
Which actions belong in eradication after a confirmed web-shell compromise? (Choose two.)
Remove the web shell and close the exploited vulnerability
Both malicious artefact and entry path must be addressed.
Reconnect the server before checking persistence
Rotate credentials exposed to the compromised web server
Server compromise may expose application or service credentials.
Only block the analyst's IP address
What should be included in incident scoping for ransomware? (Choose three.)
Initial infected host and user context
The starting point helps identify root cause.
The brand of office chairs near the server room
Backup integrity and last known clean restore point
Recovery depends on clean backups.
Shares or systems touched by the compromised account
The compromised account's access path shows how far the intrusion spread.
A legal hold is issued during an investigation. Which actions support it? (Choose two.)
Preserve relevant logs, mailboxes, images, and tickets
Potential evidence must be retained.
Let each team decide informally what to delete
Purge audit logs to save storage
Suspend routine deletion for in-scope evidence
Retention controls prevent accidental loss.
A tabletop exercise reveals that no one knows who can approve public statements. What should be updated? (Choose two.)
The office seating plan only
Contact list and escalation matrix
Responders need current contacts and escalation paths.
The malware signature database only
Incident communication plan with named approval roles
Communication authority must be explicit.
A CISO wants a concise incident update during active containment. Which elements should be included? (Choose three.)
Every raw log line collected so far
Containment actions completed and pending
Status shows risk reduction progress.
Known decisions or approvals needed
Escalation points help leadership act.
Current impact and affected services
Leadership needs business impact.
A vulnerability dashboard for executives should avoid raw technical overload. Which views are useful? (Choose two.)
A list of scanner process IDs
Unfiltered plugin-output text
Critical exposure trend by business service
Trends show whether risk is moving.
SLA compliance and overdue remediation by owner
This supports accountability.
When briefing legal and privacy teams after a suspected data exposure, which details matter? (Choose two.)
Data types and jurisdictions potentially affected
Notification duties depend on data and jurisdiction.
A complete list of unrelated server patches
Speculation about attacker identity without evidence
Timeline of discovery, containment, and known access
Timing and scope affect legal obligations.
A remediation report shows repeated SLA breaches by one business unit. Which recommendations are appropriate? (Choose two.)
Automatically accept all future risk permanently
Review ownership, resourcing, and change-window constraints
Persistent breaches often reflect operational blockers.
Hide the business unit from future reports
Create an agreed corrective action plan with dates
Action plans turn reporting into improvement.
Which items help make a post-incident report useful for technical teams? (Choose two.)
Generic motivational slogans
Unrelated financial forecasts
Root cause and exploited control gaps
Technical teams need to know what failed.
Specific remediation tasks with owners and validation steps
Actionable tasks enable closure.
A third-party supplier needs incident information to fix an integration. What should be shared? (Choose two.)
Internal blame discussions
Credentials for unrelated systems
Required remediation outcome and deadline
Clear expectations support accountability.
Relevant timeline and technical evidence tied to the integration
The supplier needs facts that support troubleshooting.
The CS0-003 exam has up to 85 questions and must be completed in 165 minutes. The passing score is 750 on CompTIA's 100 to 900 scale.
The CS0-003 exam uses multiple-choice, multiple-select, drag-and-drop, and exhibit-based questions. Exhibit questions show CLI output, network diagrams, or routing tables and ask you to interpret them — exactly the format Courseiva uses.
The exam covers 4 domains: Security Operations (33%), Vulnerability Management (30%), Incident Response and Management (20%), and Reporting and Communication (17%). Questions are weighted by domain, so the higher-weight domains make up more of your actual exam.
These are original exam-style practice questions written against the official CompTIA CS0-003 exam objectives, not copies of real exam items. Courseiva focuses on genuine understanding, not memorisation of braindumps.
Courseiva tracks your accuracy per domain and routes you toward weak areas automatically. Free, no account required.