Practice CC Security Operations questions with full explanations on every answer.
1. Which tier in a Security Operations Center (SOC) is primarily responsible for triaging alerts and determining whether to escalate?
2. A security analyst notices repeated failed login attempts from an internal IP address to a domain controller, followed by a successful login. Which log type is most likely to provide detailed evidence of this activity?
3. An organization must comply with PCI DSS log retention requirements. What is the minimum retention period for logs, and how long must they be immediately available for analysis?
4. A security administrator is implementing measures to protect log integrity. Which of the following is the most effective method to prevent tampering with logs after they are generated?
5. A company discovers a critical vulnerability in a widely used software application. The vendor has released a patch, but the company's patch management policy requires testing before deployment. What is the best course of action?
6. Which of the following is an indicator of a phishing email?
7. What is the primary purpose of using security baselines derived from CIS Benchmarks?
8. A SOC analyst detects a pattern of outbound traffic from an internal server to a known malicious IP address. Which SOC tier should this alert be escalated to for a deeper investigation?
9. An organization has a legacy system that cannot be patched due to vendor end-of-life. Which compensating control is most effective at reducing the risk of exploitation via network-based attacks?
10. Which of the following is a key function of a Security Information and Event Management (SIEM) system?
11. An employee receives an email from the CEO asking for an urgent wire transfer to a new vendor. The email address is slightly misspelled. What type of attack is this?
12. A configuration management tool detects that a critical server's security settings have changed from the approved baseline. What is the first action the security team should take?
13. An organization is implementing a security awareness program. Which THREE topics should be included to address common social engineering attacks? (Select THREE)
14. A SOC analyst is investigating a potential data exfiltration incident. Which TWO log sources would be most useful for identifying outbound data transfers? (Select TWO)
15. A security engineer is designing a patch management process. Which TWO steps are part of the standard patch lifecycle? (Select TWO)
16. A Security Operations Center (SOC) Tier 1 analyst notices an alert for a failed login attempt from an unusual geographic location. What is the primary responsibility of a Tier 1 analyst in this scenario?
17. A company's SIEM solution aggregates logs from various sources and generates an alert when multiple failed logins occur within a short timeframe. Which log source is most likely to provide the data for this alert?
18. An organization needs to retain authentication logs for compliance with PCI DSS. What is the minimum retention period required, and how long must the logs be immediately available?
19. A security analyst needs to ensure that log data cannot be altered after it is written. Which of the following is the most effective method to protect log integrity?
20. During a patch management cycle, a new vulnerability is disclosed in a widely used web server software. What is the first step an organization should take in the patch lifecycle?
21. A critical zero-day vulnerability is actively being exploited in the wild, affecting an organization's internet-facing application. Which patching approach should be taken?
22. A legacy system cannot be patched due to vendor unavailability. Which compensating control would be most effective in reducing the risk of exploitation?
23. An employee receives an email from an unknown sender claiming to be from the IT department, asking for their password to perform an urgent system update. What type of social engineering attack is this?
24. Which of the following is the most effective way to prevent tailgating in a secured facility?
25. An organization wants to ensure that all workstations are configured according to a hardened baseline. Which process detects when a workstation deviates from this baseline?
26. A SOC analyst reviews a SIEM alert indicating a high volume of outbound traffic from a server to an external IP address known for command-and-control activity. The analyst has confirmed the alert is not a false positive. What is the most appropriate next step?
27. Which of the following is an indicator of a phishing email?
28. A security analyst is reviewing firewall logs and notices an unusually high number of blocked outbound connections to a single external IP address. Which TWO actions should the analyst take to investigate this potential security incident? (Choose two.)
29. An organization is implementing a security baseline for new servers. Which THREE components are typically included in a hardened baseline configuration? (Choose three.)
30. A security awareness trainer is developing material on USB drop attacks. Which TWO messages should be included in the training? (Choose two.)
31. A security analyst at a Security Operations Centre (SOC) receives an alert from the SIEM indicating multiple failed login attempts for a user account followed by a successful login from an unusual geographic location. According to SOC tier responsibilities, which tier should perform the initial triage of this alert?
32. An organization must retain authentication logs for compliance with PCI DSS. What is the minimum retention period and the requirement for immediate availability?
33. A critical vulnerability is discovered in a widely used VPN appliance that is actively being exploited in the wild. The vendor has released an emergency patch. However, the organization's patch management policy requires testing in a staging environment before production deployment. What should the security team do?
34. An employee receives an email that appears to be from the CEO requesting an urgent wire transfer to a new vendor. The email contains several grammatical errors and the sender's address is slightly misspelled. What type of security incident is this?
35. To protect the integrity of log files, which of the following is a best practice?
36. A SOC analyst notices a large spike in outbound traffic from a workstation that is not scheduled for any data transfers. Upon checking the SIEM, the analyst sees that the workstation's antivirus was disabled 30 minutes ago. What type of logs should the analyst examine first to understand the sequence of events?
37. An organization implements a security baseline using CIS Benchmarks for all new servers. After a routine scan, a server is found to have a configuration that deviates from the baseline. The deviation was introduced by a system administrator to resolve a performance issue. What is the best course of action?
38. Which type of log should be monitored to detect a user account that has been granted administrative privileges unexpectedly?
39. What is the primary purpose of a Security Information and Event Management (SIEM) system?
40. An organization has a legacy system that cannot be patched due to vendor end-of-life. The system is critical for operations. Which compensating control is most appropriate to reduce the risk of exploitation?
41. An organization is planning to implement a security awareness program. Which TWO topics should be included to address common social engineering attacks?
42. A SOC team is reviewing security controls for a new critical application. Which THREE of the following are essential components of a security operations capability?
43. After a security incident, an investigator needs to analyze logs to determine the timeline of events. Which TWO types of logs are most likely to provide evidence of lateral movement within the network?
44. Which TWO of the following are common indicators of a phishing email?
45. An organization is implementing a patch management policy. Which THREE steps are part of the standard patch lifecycle?
The Security Operations domain covers the key concepts tested in this area of the CC exam blueprint published by ISC2. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all CC domains — no account required.
The Courseiva CC question bank contains 45 questions in the Security Operations domain. Click any question to see the full explanation and answer breakdown.
Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.
Yes — the session launcher on this page draws questions exclusively from the Security Operations domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.