Courseiva
Knowledge + Practice
Free IT certification practice questions with explained answers for CCNA, CompTIA, AWS, Azure, Google Cloud, and more.

Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.


Security Operations

Security Operations tests your ability to detect, respond to, and recover from real-world security incidents. On the SY0-701 exam it covers incident response (NIST SP 800-61), vulnerability management, SIEM log analysis, data protection, and change management. It is worth 28% of your score — the highest-weighted domain.

Exam weight: 28% of SY0-701
291 questions



Domain overview

About the Security Operations domain

Security Operations is the single largest domain on the SY0-701 exam at 28% — and the one most grounded in real-world analyst work.

This domain covers what a security team does every day: detecting threats through SIEM and IDS/IPS, running the incident response playbook, scanning and patching vulnerabilities, protecting data, and keeping change management locked down.

Exam questions are almost entirely scenario-based. You will be handed a situation — ransomware hits a file server, a SIEM alert fires at 2am, a critical CVE drops for a system you own — and asked what to do next, in what order, and with which tool.

The NIST SP 800-61 incident response lifecycle (Preparation → Detection and Analysis → Containment → Eradication and Recovery → Post-Incident Activity) appears on nearly every exam version. Treat it as required memorisation. Be aware that NIST SP 800-61 rev. 2 itself groups Containment, Eradication, and Recovery into a single phase, while the SY0-701 objectives break the process into seven steps (Preparation, Detection, Analysis, Containment, Eradication, Recovery, Lessons learned); the order is the same in both, and the order is what the exam tests.

Exam objectives

What Security Operations tests on SY0-701

1. Incident response lifecycle — Preparation, Detection & Analysis, Containment, Eradication & Recovery, Post-Incident Activity (NIST SP 800-61). Know the exact order cold.

2. Vulnerability management — scan types, CVSS severity scoring, patch prioritisation, and the critical difference between a vulnerability scan and a penetration test.

3. Security monitoring — SIEM log correlation, IDS vs IPS placement and behaviour, alert triage, and separating true positives from false positives.

4. Identity and access management operations — enforcing MFA, detecting privilege escalation, account lockout policies, and least-privilege principles.

5. Data protection — encryption at rest vs in transit, DLP tool placement, data classification schemes, and secure data disposal methods.

6. Disaster recovery and business continuity — RTO vs RPO definitions, full/incremental/differential backup strategies, and failover testing.
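The backup-strategy and RTO/RPO points in objective 6 are easiest to see with numbers. The example below is added here and is not Courseiva's code or anything from the SY0-701 objectives; the weekly schedule (full backup Sunday 01:00, then nightly backups), the Thursday 14:00 failure time, and the 30 minutes of restore time per backup set are all assumed values chosen to illustrate the trade-off. It computes which backup sets a restore needs under an incremental versus a differential strategy, the RPO actually achieved, and whether an estimated restore fits a given RTO.

```python
from datetime import datetime, timedelta

# Constructed schedule: full backup Sunday 01:00, then one backup every night
# at 01:00 using the chosen strategy. Times and strategy are assumptions.
DEMO_FAILURE = datetime(2024, 5, 9, 14, 0)   # Thursday 14:00, assumed failure time


def build_schedule(strategy, week_start=datetime(2024, 5, 5, 1, 0)):
    """Return [(run_time, kind), ...] for one week; kind is 'full',
    'incremental' or 'differential'."""
    if strategy not in ("incremental", "differential"):
        raise ValueError("strategy must be 'incremental' or 'differential'")
    return [(week_start, "full")] + [
        (week_start + timedelta(days=d), strategy) for d in range(1, 7)]


def restore_chain(schedule, failure_time):
    """Backup sets needed, in restore order, to recover to the last backup
    taken before failure_time."""
    usable = [b for b in sorted(schedule) if b[0] <= failure_time]
    fulls = [i for i, (_, kind) in enumerate(usable) if kind == "full"]
    if not fulls:
        raise ValueError("no full backup before the failure; nothing to restore from")
    chain = [usable[fulls[-1]]]
    later = usable[fulls[-1] + 1:]
    if not later:
        return chain
    if later[-1][1] == "incremental":
        chain.extend(later)        # every incremental since the full, in order
    else:
        chain.append(later[-1])    # one differential holds all changes since the full
    return chain


def achieved_rpo(schedule, failure_time):
    """Data actually lost: time between the newest restorable backup and the failure."""
    return failure_time - restore_chain(schedule, failure_time)[-1][0]


def check_objectives(schedule, failure_time, rto, rpo, minutes_per_set):
    """Compare the plan with the objectives. Restore time is modelled as a
    fixed cost per backup set (an assumption; measure it in a failover test)."""
    chain = restore_chain(schedule, failure_time)
    est_restore = timedelta(minutes=minutes_per_set * len(chain))
    lost = achieved_rpo(schedule, failure_time)
    return {"sets": len(chain), "achieved_rpo": lost, "estimated_restore": est_restore,
            "rpo_ok": lost <= rpo, "rto_ok": est_restore <= rto}


def demo(strategy):
    """Assumed objectives: RTO 2 hours, RPO 24 hours, 30 minutes per set."""
    return check_objectives(build_schedule(strategy), DEMO_FAILURE,
                            rto=timedelta(hours=2), rpo=timedelta(hours=24),
                            minutes_per_set=30)


if __name__ == "__main__":
    for strategy in ("incremental", "differential"):
        print(strategy, demo(strategy))
```

Both strategies lose the same 13 hours of data (the RPO depends only on how long ago the last usable backup ran), but the incremental plan needs five sets to restore where the differential plan needs two, so under the assumed 2-hour RTO only the differential plan passes. Nightly incrementals are smaller and faster to take; differentials are faster to restore. That is the trade-off the exam asks about.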

Watch out — common Security Operations traps

• Containment comes before Eradication in incident response — reversing these two phases is the most common mistake on this domain.

• A vulnerability scan identifies weaknesses; a penetration test actively exploits them. The exam expects you to know which is appropriate and when.

• RTO is how fast you restore service; RPO is how much data loss you can tolerate. Mixing these up costs marks on scenario questions.

• Not every SIEM alert is a real threat — the exam tests alert triage. Recognising false positives is a distinct skill from detecting real incidents.

• IDS alerts and logs; IPS blocks. Placement also differs — IDS can be passive/out-of-band, IPS must be inline. Confusing them is a guaranteed wrong answer.
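The SIEM correlation and false-positive points above (and the brute-force and password-spraying scenarios in the practice questions below) come down to what you group the failed-logon events by. The example below is added here and is not Courseiva's code; the Windows Security log lines it processes are constructed for the example, and the thresholds (10 failures per account, 5 accounts per source, 5-minute window) are assumed values. It shows why a rule keyed only on failures per account catches a brute-force attack but misses a password spray, and how a "few failures then a success from the same source" pattern can be flagged as a probable mistyped password instead of an alert.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (CSV: timestamp, event_id, account, source_ip).
# Event ID 4625 = failed logon, 4624 = successful logon, as in the Windows Security log.
SAMPLE_LOG = """\
2024-05-01T02:00:00Z,4625,svc_backup,203.0.113.50
2024-05-01T02:00:01Z,4625,svc_backup,203.0.113.50
2024-05-01T02:00:02Z,4625,svc_backup,203.0.113.50
2024-05-01T02:00:03Z,4625,svc_backup,203.0.113.50
2024-05-01T02:00:04Z,4625,svc_backup,203.0.113.50
2024-05-01T02:00:05Z,4625,svc_backup,203.0.113.50
2024-05-01T02:00:06Z,4625,svc_backup,203.0.113.50
2024-05-01T02:00:07Z,4625,svc_backup,203.0.113.50
2024-05-01T02:00:08Z,4625,svc_backup,203.0.113.50
2024-05-01T02:00:09Z,4625,svc_backup,203.0.113.50
2024-05-01T02:00:10Z,4625,svc_backup,203.0.113.50
2024-05-01T03:10:00Z,4625,alice,198.51.100.7
2024-05-01T03:10:05Z,4625,bob,198.51.100.7
2024-05-01T03:10:10Z,4625,carol,198.51.100.7
2024-05-01T03:10:15Z,4625,dave,198.51.100.7
2024-05-01T03:10:20Z,4625,erin,198.51.100.7
2024-05-01T03:10:25Z,4624,frank,198.51.100.7
2024-05-01T09:00:00Z,4625,jsmith,10.0.0.25
2024-05-01T09:00:08Z,4625,jsmith,10.0.0.25
2024-05-01T09:00:15Z,4624,jsmith,10.0.0.25
"""

WINDOW = timedelta(minutes=5)      # assumed correlation window
BRUTE_FORCE_FAILURES = 10          # failures against ONE account from one source
SPRAY_MIN_ACCOUNTS = 5             # distinct accounts tried from one source ...
SPRAY_MAX_PER_ACCOUNT = 3          # ... each with only a few attempts


def parse(log_text):
    events = []
    for line in log_text.strip().splitlines():
        ts, eid, account, ip = line.split(",")
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "event_id": int(eid), "account": account, "ip": ip})
    return sorted(events, key=lambda e: e["ts"])


def correlate(events):
    """Return {(rule, source_ip, subject): detail}; the dict key dedupes
    findings raised from overlapping windows."""
    findings = {}
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    for ip, evs in by_ip.items():
        for anchor in evs:                       # sliding window per source IP
            end = anchor["ts"] + WINDOW
            failures, successes = defaultdict(int), set()
            for e in evs:
                if anchor["ts"] <= e["ts"] < end:
                    if e["event_id"] == 4625:
                        failures[e["account"]] += 1
                    elif e["event_id"] == 4624:
                        successes.add(e["account"])
            # Rule 1: brute force = many failures against a single account.
            for acct, n in failures.items():
                if n >= BRUTE_FORCE_FAILURES:
                    findings[("brute_force", ip, acct)] = f"{n} failures in {WINDOW}"
            # Rule 2: password spray = a few failures each across many accounts.
            # A per-account threshold never fires on this; keying on the source
            # IP across accounts is what catches it.
            sprayed = [a for a, n in failures.items() if n <= SPRAY_MAX_PER_ACCOUNT]
            if len(sprayed) >= SPRAY_MIN_ACCOUNTS:
                detail = f"{len(sprayed)} accounts, <= {SPRAY_MAX_PER_ACCOUNT} tries each"
                if successes:
                    detail += f"; success for {sorted(successes)}"
                findings[("password_spray", ip, "*")] = detail
    return findings


def likely_mistypes(events, max_failures=3):
    """(source_ip, account) pairs with a few failures then a success from the
    same source inside the window: the usual false positive, worth suppressing."""
    out = []
    by_key = defaultdict(list)
    for e in events:
        by_key[(e["ip"], e["account"])].append(e)
    for (ip, acct), evs in by_key.items():
        fails = [e for e in evs if e["event_id"] == 4625]
        oks = [e for e in evs if e["event_id"] == 4624]
        if 0 < len(fails) <= max_failures and oks and oks[0]["ts"] - fails[0]["ts"] <= WINDOW:
            out.append((ip, acct))
    return out


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    for key, detail in correlate(evs).items():
        print(key, detail)
    print("probable mistypes (suppress):", likely_mistypes(evs))
```

Run against the sample, the brute-force rule fires once for svc_backup from 203.0.113.50, the spray rule fires once for 198.51.100.7 (five accounts, one attempt each, then a success for frank), and jsmith's two failures from an internal address followed by a success are reported as a probable mistype rather than an alert. The spray thresholds are the part that needs tuning in a real SIEM: an attacker who slows the spray below the window, or rotates source addresses, will slip under a per-IP count, which is why geolocation, ASN and "new source for this account" enrichment is usually layered on top.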

Practice Security Operations questions


All SY0-701 Security Operations questions (291)


1

A SOC analyst receives an alert from the EDR system indicating that the process 'C:\Program Files\Vendor\Updater.exe' attempted to modify the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run registry key on a user's workstation. The analyst checks the file hash and finds it matches a known legitimate software updater. Which of the following actions is most appropriate for the analyst to take?

2

A SOC analyst is reviewing logs from a Windows domain controller and notices a large number of failed logon attempts (Event ID 4625) from a single source IP address within a five-minute window. The account names used are random strings such as "a1b2c3", "x9y8z7", etc. The analyst then checks the source IP and finds it is a known external address from a foreign country. Which of the following is the most appropriate next step for the analyst to take?

3

A security operations analyst is tuning a SIEM correlation rule designed to detect brute-force password attacks against domain user accounts. The current rule generates an alert when a single user account has more than 10 failed logon attempts within a 5-minute window. The SOC team is overwhelmed by thousands of alerts each day, the vast majority of which are triggered by legitimate users who accidentally mistype their passwords. Which of the following modifications to the rule would most effectively reduce false positives while still detecting actual brute-force attacks?

4

A security analyst is responding to a potential ransomware incident on a Windows server that is still running. The analyst needs to preserve forensic evidence for analysis. Which of the following actions should the analyst perform first, based on the order of volatility?

5

A security analyst is monitoring logs from the cloud access security broker (CASB) and observes that a user account downloaded 500 GB of data from a highly sensitive SharePoint document library within a single hour. The user's historical baseline shows an average daily download of less than 10 MB. Additionally, the log shows the session originated from an IP address in a country where the company has no employees or business operations. Which of the following actions is the most appropriate for the analyst to take?

6

A security analyst in the SOC is investigating a potential DNS tunneling incident. The analyst has identified a workstation that is making thousands of DNS queries to an external domain with base64-encoded subdomains. The analyst suspects that sensitive files from the workstation are being exfiltrated by encoding their contents into the subdomains of the DNS queries. Which of the following log sources will provide the most definitive evidence to confirm that the contents of a specific sensitive file are being transmitted in the DNS queries?

7

A security analyst is reviewing network flow logs and notices a series of outbound connections from a single internal workstation to an external IP address on TCP port 443. The connections occur every 5 minutes, each lasting about 2 seconds, and the amount of data transferred per connection is consistently around 1 KB. The workstation's user reports no unusual activity. The analyst checks the host's EDR logs and sees no malicious processes or known indicators. Which type of activity is this pattern most consistent with?

8

A security analyst in the SOC is reviewing an alert from the corporate VPN server. The alert indicates that user 'jsmith' authenticated successfully from an IP address in Brazil at 14:30 UTC. The analyst contacts jsmith, who confirms he is physically in the company's headquarters in Chicago and has not remotely accessed the VPN today. The VPN authentication logs show that jsmith's session used a valid smart card certificate for authentication. The analyst checks the certificate revocation list and finds that jsmith's certificate has not been revoked. Which of the following is the most likely explanation for this event?

9

A security analyst is reviewing the perimeter firewall logs. The analyst observes repeated TCP SYN packets from a single external IP address (203.0.113.50) to multiple internal IP addresses on TCP port 3389. The packets are sent with a consistent 50-millisecond interval. There are no subsequent SYN-ACK or RST packets from the internal hosts in the logs. The analyst suspects this is a reconnaissance scan. Which of the following additional log sources would provide the most definitive evidence to confirm this suspicion?

10

A digital forensics analyst is investigating a suspected insider threat. The analyst has acquired a laptop used by the suspect. The analyst needs to obtain a forensic image of the hard drive without altering any data. The laptop is running and logged into the suspect's user account. Which of the following is the most appropriate first step for the analyst to take?

11

A security analyst receives an alert from the intrusion detection system indicating that a workstation in the finance department has established an outbound connection to a known malicious IP address using an encrypted protocol. The analyst verifies the alert and checks the user's activity logs, which show no legitimate business reason for the connection. According to the incident response process, what should the analyst do NEXT?

12

A security analyst at a financial firm detects an unusual spike in outbound network traffic from a database server that normally only communicates with internal web servers. The traffic is directed to numerous external IP addresses in various countries. According to established incident response procedures, what should be the analyst's immediate next step?

13

A security analyst receives an alert from the intrusion detection system (IDS) indicating a high volume of outbound traffic from a single internal workstation to an external IP address known to be associated with a command-and-control (C2) server. The workstation's user reports no unusual activity. Which of the following should the analyst do FIRST?

14

A security analyst notices repeated failed login attempts to a critical database server from a single external IP address over the past hour. The analyst reviews the authentication logs and sees that the account name used in each attempt is 'admin'. Which of the following security controls should the analyst recommend to mitigate this type of attack with minimal impact on legitimate users?

15

A security analyst receives multiple alerts indicating that several users in the finance department clicked a malicious link in an email. The analyst has confirmed the email subject line and sender address. Which of the following is the BEST first step to contain the incident?

16

A security analyst receives an automated alert indicating that a standard user account logged in from a geographic location that is unusual for the user, and the login occurred at 3:00 AM local time. The analyst has not yet verified whether this was a successful login or if any additional suspicious activity occurred. According to standard incident response procedures, what should the analyst do NEXT?

17

A security analyst detects unusual outbound traffic from a workstation that appears to be communicating with a known malicious IP address. The analyst immediately isolates the workstation from the network. Which of the following is the NEXT step in the incident response process according to NIST SP 800-61?

18

An organization's file server contains sensitive HR data. The security team discovers that permissions on a confidential folder have been altered. Which of the following security controls would MOST likely help determine the account responsible for this change?

19

A security analyst detects a high volume of failed authentication attempts from IP address 203.0.113.1 against a web application. The attempts use different usernames, such as 'admin', 'root', 'test', and several common names. Account lockout policies are configured to lock an account after five failed attempts. Despite this, the analyst sees the attempts continuing over several hours. Which of the following security controls is most likely missing or improperly configured?

20

A security analyst receives an alert about a user account that has been attempting to authenticate from an unusual geographic location outside of business hours. The analyst reviews the event logs and sees that the authentication attempt was successful, but the user has not reported any suspicious activity. Which of the following actions should the analyst take NEXT?

21

A help desk technician reports that a user's account was locked out three times overnight. The security team reviews the authentication logs and discovers that the lockouts resulted from failed login attempts originating from a single external IP address, each attempt using a slightly different variation of the user's password. Which of the following should the security analyst do FIRST?

22

A security analyst detects an encrypted outbound connection from a web server to an unknown IP address. The connection is persistent and occurs every 5 minutes. What is the MOST appropriate first step for the analyst to take?

23

A security analyst in the SOC observes a sudden spike in failed authentication attempts from a single external IP address targeting multiple user accounts over the last 30 minutes. After confirming the logs are accurate, which of the following actions should the analyst take FIRST according to standard incident response procedures?

24

A security analyst detects repeated outbound traffic from a single workstation to an IP address listed on a public threat intelligence feed as a known command-and-control server. The user reports that the workstation is behaving slowly and that antivirus software is up to date. According to incident response best practices, what should the analyst do FIRST?

25

A SOC analyst is investigating an alert triggered when a user clicked a link in an email. The email appeared to be from a trusted vendor and included a document attachment containing a macro, but the user did not run the macro. Upon reviewing the email headers, the analyst notices that the sender's domain is a common misspelling of the vendor's legitimate domain. Which of the following is the most direct indicator that this email is a phishing attempt?

26

A security analyst in a SOC receives an alert indicating that a large volume of data was transferred from a user's workstation to an external IP address at 2:00 AM. The analyst suspects a data exfiltration attack. According to incident response best practices, what should the analyst do FIRST?

27

A security analyst receives an alert that a user clicked a link in a phishing email and entered their corporate credentials on a fake login page. Which of the following should the analyst do FIRST to minimize further damage?

28

A security analyst notices a sudden increase in outbound traffic from a database server that normally only communicates with internal application servers. The server is running a standard OS with no recent changes. Which of the following actions should the analyst take FIRST to determine if the server is compromised?

29

A security analyst is reviewing authentication logs from a corporate web application. The logs show that over a span of two hours, a single external IP address attempted to log in with 500 different usernames, each using the same password 'Spring2024!'. Only a few of these attempts succeeded. Which type of attack is most likely being observed?

30

A security analyst is reviewing web server logs after a user reports that the company website displayed an error message containing raw database queries. The log shows repeated requests to the product search page with the following parameter: `?id=1 OR 1=1`. Which of the following should the analyst do FIRST to confirm the nature of the suspected attack?

31

A security analyst detects real-time data exfiltration from a critical production database that supports customer transactions. The exfiltration appears to be occurring via a compromised application service account. Which containment strategy should the analyst implement FIRST to minimize damage while preserving forensic data?

32

A security analyst receives an alert that a user's workstation is communicating with a known malicious IP address during off-hours. The analyst reviews the firewall logs and confirms the connection was established. Which of the following should the analyst perform NEXT to contain the threat?

33

A security analyst observes a pattern where an account exhibits multiple failed login attempts from an IP address in a foreign country, followed by a successful login from the same account but from a different IP address in another foreign country minutes later. The analyst wants to deploy a control that can automatically detect and alert on this type of anomalous user behavior, even if the individual login events are not blocked by existing rules. Which of the following security controls is BEST suited for this task?

34

A security analyst notices that a phishing campaign is targeting employees with emails that appear to be from the company's IT support team. The emails contain a link to a website that mimics the corporate password reset portal. Which of the following controls would be MOST effective in preventing users from reaching the malicious website, assuming the link uses HTTPS?

35

A security analyst notices repeated attempts to copy large amounts of data to USB drives from a user's workstation. The analyst suspects the user may be exfiltrating company proprietary data. The company wants to implement a technical control that can both detect and block such data exfiltration without completely disabling all USB ports, as some users require USB for authorized work. Which of the following would best meet this requirement?

36

A security analyst detects that multiple workstations in the finance department are displaying ransom notes and files are being encrypted. The analyst has disconnected the affected workstations from the network. Which of the following should the analyst do next according to the incident response procedure?

37

A security analyst observes a critical server generating unusually high outbound traffic to an external IP address that is listed on a threat intelligence feed as a known command-and-control server. The analyst suspects the server is compromised. According to standard incident response procedures, what should the analyst do NEXT?

38

A security analyst at a financial firm notices a significant increase in DNS queries from an internal server to a rarely visited external domain. The queries are for unusual subdomain names that contain encoded data. The server is not a DNS server and does not typically generate outbound traffic. Which of the following is the MOST appropriate immediate action for the analyst to take?

39

A security analyst is reviewing firewall logs and notices repeated connection attempts from a single external IP address to multiple internal IP addresses on TCP port 22 (SSH). Each attempt uses a different username but the same password: 'Spring2024!'. The attempts occur sporadically over a 12-hour period. Which type of attack is most likely being observed?

40

A SOC analyst detects that a user's workstation is sending large volumes of data to an unusual external IP address during non-business hours. The analyst has already isolated the workstation by disconnecting it from the network. What is the NEXT step in the incident response process?

41

A security analyst is reviewing authentication logs and observes multiple failed login attempts for a single user account occurring within a short timeframe, followed by a successful login from an IP address located in a country where the user has never traveled. The failed attempts originate from various IP addresses and use different passwords. Which type of attack has most likely occurred?

42

A security analyst notices unusual outbound traffic from a server that normally only communicates with internal clients. The traffic is encrypted and goes to an external IP address not on any blocklists. The analyst also finds a new scheduled task on the server that runs a PowerShell script. Which of the following best describes the analyst's immediate next step in the incident response process?

43

A security analyst at a manufacturing company notices multiple workstations generating high volumes of encrypted outbound traffic and displaying ransom notes. The analyst suspects a ransomware outbreak. According to the incident response process, which of the following should the analyst perform FIRST?

44

A security analyst detects unusual outbound traffic from a workstation to an external IP address known for command and control. The analyst has verified the alert and wants to contain the threat. According to the NIST SP 800-61 incident response process, which of the following steps should the analyst take FIRST?

45

During malware response on a finance workstation, the system is still powered on and connected. The manager asks whether you can just reboot it to stop the issue. What is the best next step?

46

A privileged account is used on a jump box at 02:15, and the SIEM shows multiple interactive logons from the same account to different servers within 10 minutes. The administrator says they used a password vault for the session. Which log source best confirms whether the access was authorized?

47

After confirming malicious activity on a workstation, the incident lead wants the system cleaned up quickly. The analyst has not yet collected any volatile data. What should the analyst do before remediation begins?

48

After restoring a virtualized file server from backup, users can log in but the accounting application returns database consistency errors. What should you do next?

49

A web application was updated at 10:00. At 10:05, the SIEM reports a sharp rise in HTTP 500 errors and WAF blocks from the same source range. The application owner says customers are seeing failures only on the new checkout page. What is the best next step?

50

EDR flags a word processor that launched encoded PowerShell and then made an outbound HTTPS connection to a rare domain. Which two actions should the analyst take first from the EDR console? Select two.

51

Security receives a company laptop used in an insider theft investigation. A manager wants the device moved to another office for review by legal staff. Which action best supports chain of custody?

52

After restoring a virtual file server from last night’s backup, users can browse shares, but finance reports that several spreadsheet edits from yesterday are missing. What should the administrator verify next before declaring the restore successful?

53

A firewall rule was changed in production to allow a new vendor IP range, and payroll users immediately lost access to an internal service. Which two change-management practices would have reduced the risk of this outage? Select two.

54

An investigator needs a copy of a suspect laptop drive for analysis without changing the original media. What should be used?

55

A SIEM alert shows five failed logins to a SaaS admin portal from one IP, followed by a successful login from a new city three minutes later. Which two actions are the best next steps for the analyst to validate the event before containment? Select two.

56

A workstation is suspected of malware infection, and it is still powered on and connected to the network. Which action best preserves volatile evidence before the system is shut down?

57

After restoring a virtual file server from backup, users can log in and browse shares, but finance says the last day's edits are missing. Which two steps should the administrator take before declaring recovery complete? Select two.

58

A firewall ACL must be modified in production to allow a vendor update server. The team wants to minimize the chance of accidentally blocking payroll traffic. Which change-management step is best before applying the rule?

59

A Windows server is still running after suspected compromise. Before it is powered down, which two volatile data sources should be collected first? Select two.

60

A company-owned laptop is being transferred from the incident site to the evidence locker for a theft investigation. Which two actions best support chain of custody during transport? Select two.

61

After restoring a virtual file server from backup, users can browse folders, but an accounting application reports missing recent transactions. What should the administrator do next?

62

A firewall rule was added directly in production to allow a new vendor IP range, and an internal service stopped responding because the new rule was placed above an existing deny rule. Which two change-management practices would have reduced the risk? Select two.

63

An investigator receives a suspect laptop drive that may be used in court. Which approach best supports a forensically sound image while protecting the original media?

64

An administrator pushed a firewall rule change to allow a new vendor IP range during business hours. Minutes later, payroll users lost access to an internal service. Which change management practice would have best reduced the impact?

65

A SIEM alert shows five failed logins to an administrator account, followed by a successful login from a new city three minutes later. The account owner says they did not sign in. What should the analyst do first?

66

A privileged cloud administrator account shows two suspicious events: an API key was created from an unfamiliar IP address, and a mailbox forwarding rule was added five minutes later. The account is still active and may be in attacker control. Which two actions should the analyst take first to preserve evidence while limiting additional abuse? Select two.

67

You are handed a company laptop suspected in an insider theft case. Legal says the evidence may be needed in court. Which action best preserves admissibility?

68

A virtual file server was restored from last night’s backup. The service is online, but some finance users report missing spreadsheet changes and a few files show a 'recovered copy' timestamp. Which two checks should be completed before the team accepts the restore as successful? Select two.

69

After a new MFA policy rollout, the SIEM generates an alert for five failed logins to a SaaS admin portal from one IP, followed by a successful login to the same account from an IP in another country. The account owner says they were in meetings all day. What should the analyst do first?

70

A firewall rule change was implemented directly in production to allow a new vendor IP range. Within minutes, several internal services became unreachable because the rule order changed unexpectedly. Which change-management practice would have most likely prevented this outage?

71

A finance laptop is powered on, the user is still logged in, and it remains connected to Wi-Fi after a malware alert. What should the responder do first to preserve volatile evidence?

72

A laptop is suspected of being used in a malware incident. It is still powered on and connected to Wi-Fi. What should the responder do before shutting it down?

73

A Linux server starts showing many failed SSH logins from one source IP address. Which log source should the analyst review first?

74

EDR alerts on a remote laptop show a suspicious process attempting to dump browser credentials and then contacting a rare domain. The user is in another time zone and still needs the laptop online for a presentation later today. What containment action is best?

75

A server is suspected of being used for lateral movement after the SOC notices dozens of failed SSH logons, then a successful login from a new source IP, followed by new outbound SMB connections to internal hosts. The system is still running. Which two items should be collected first before any reboot or remediation? Select two.

76

Security receives a company-owned laptop connected to an insider theft investigation. Before the device is transported to the evidence locker, what is the BEST action to support chain of custody?

77

An investigator receives a suspect laptop that may be needed in court. The goal is to create a forensic image without changing the original drive contents. Which three actions best support chain of custody and evidence integrity? Select three.

78

A SIEM correlation rule fires for a Microsoft 365 executive mailbox. At 02:14, the account signs in from a new country. At 02:17, the mailbox gets a forwarding rule that sends all mail to an external address. The user says they did not travel and did not create any rules. Which two log sources should the analyst review first to confirm whether this is account takeover or token abuse? Select two.

79

A finance workstation is suspected of running malware. It is still powered on, the user is logged in, and the network cable is connected. Which two actions best preserve volatile evidence before shutdown? Select two.

80

A vulnerability scan identifies a critical patch for a fleet of internet-facing servers. The operations lead wants to apply it immediately during peak business hours because the exploit is public. What is the BEST next step?

81

A SIEM alert shows a successful VPN login for an executive account from an unusual country, followed 3 minutes later by large downloads from a file share the user rarely accesses. Which log source should the analyst review next to determine whether the session came from the user's assigned laptop or an unmanaged device?

82

EDR detects encoded PowerShell launched from a word processor, a process attempt to read LSASS memory, and an outbound HTTPS connection to a rare domain. What should the analyst do first?

83

EDR on a finance workstation shows Outlook launching mshta.exe, followed by a scheduled task named UpdateSvc_91 and repeated HTTPS beacons to a newly registered domain. The user is still working and has not rebooted. Which two telemetry sources would best help the analyst confirm the initial execution path and determine whether the host has communicated with other suspicious infrastructure? Select two.

84

EDR flags a workstation after a word processor launches encoded PowerShell and the host begins contacting a rare domain over HTTPS. The user is still active. What is the best containment action from the EDR console?

85

An EDR alert shows suspicious PowerShell activity on a remote employee laptop, and the user is still logged in to cloud applications. Which two response actions are best if the device is believed to be actively compromised? Select two.

86

A SIEM correlates three failed MFA prompts for a payroll admin account from one IP, a successful login two minutes later from the same IP, and a new mailbox forwarding rule to an external address. What is the best immediate action?

87

An administrator wants to add a new vendor IP range to a firewall rule in production. What is the best change-management step to reduce risk?

88

During malware containment, an analyst needs to preserve transient information from a compromised Windows workstation that is still running. Which action is MOST appropriate before shutdown or imaging?

89

A SIEM alert shows a successful sign-in to a cloud admin portal from an unusual country, followed by mailbox forwarding-rule changes four minutes later. Which two log sources should the analyst review first to confirm whether the account was abused? Select two.

90

EDR reports that a workstation launched PowerShell from a word processor, created a scheduled task named WinUpdateSvc, and began making repeated HTTPS connections to a rare external domain. The user is still logged in to several cloud apps. Which two response actions are best to initiate from the EDR console? Select two.

91

An investigator needs to make a forensic image of a suspect laptop without changing the original drive contents. Which two practices should be used? Select two.

92

An employee reports a ransomware note on a file server. The server is still powered on, shares are still being accessed, and management wants service restored as quickly as possible. What should the incident response team do first?

93

A Windows laptop is believed to be involved in a credential-theft incident. It is still powered on, connected to Wi-Fi, and the user reports that the screen recently locked by itself. The SOC can reach the device remotely through EDR. Which two actions should be taken before the laptop is shut down? Select two.

94

Several Windows servers were built from the same image, and all of them use the same local Administrator password. What is the best operational hardening change?

95

EDR flags a workstation because a word processor launched an unusual script and then contacted a rare external domain. What is the best immediate action?

96

During a disaster recovery test, what is the most important thing to confirm about the backup?

97

A SIEM reports a successful sign-in to a SaaS admin portal from a new country, followed three minutes later by multiple configuration changes to mailbox forwarding rules. The account owner says they were in the office and did not approve any changes. What should the analyst check next?

98

A SIEM alert flags an interactive logon to a Windows file server from a service account that normally only runs scheduled tasks. The alert occurred at 01:12, but the maintenance window for that server is every Sunday at 02:00. The account also accessed a different server five minutes later. What should the analyst do first?

99

EDR flags encoded PowerShell launched by a spreadsheet application, followed by an attempt to access LSASS and outbound HTTPS traffic to a rare domain. What should the analyst do first from the EDR console?

100

A firewall rule must be changed to allow a vendor update server. Which step best reduces the chance of an unexpected outage?

101

A company-owned laptop is suspected in an insider theft case and legal says the evidence may be used in court. Which two actions best support evidence admissibility during transport to the evidence locker? Select two.

102

A new SIEM rule generates many alerts from a scheduled backup job that is known to be legitimate. What should the analyst do to improve alert quality?

103

A company laptop is collected as evidence in a suspected theft case. Which action best supports chain of custody?

104

EDR flags encoded PowerShell launched by a spreadsheet application and an outbound HTTPS connection to a rare domain. Which two response actions are best to take from the EDR console first? Select two.

105

After restoring a virtual file server from backup, users can open shares, but the accounting application shows the previous day's transactions are missing. Which two steps should the administrator take next? Select two.

106

After a file server is restored from backup, users can open the share, but the business wants to be sure the recovery was successful. What should the administrator verify next?

107

An employee reports a ransomware note on a finance laptop. The laptop is still powered on, connected to Wi-Fi, and the user says they were just working in a spreadsheet. Management wants the fastest safe response that also preserves evidence. What should the responder do first?

108

EDR shows encoded PowerShell launched by a word processor and an outbound connection to a rare domain. What is the best immediate containment action?

109

A new SIEM rule generates hundreds of alerts from a scheduled backup job that is known to be legitimate. Which two tuning changes are the best ways to reduce noise without losing visibility into real abuse? Select two.

110

A SIEM alert shows a payroll administrator account signed in at 02:10 from a country the employee has never visited. The employee says they are on vacation at home and did not travel. What should the analyst do first?

111

Based on the exhibit, which improvement best aligns the current backup design with the stated recovery targets?

112

Based on the exhibit, what is the most likely SOC conclusion and next action? A scheduled alert fired on a server that repeatedly connects to a vendor update site at fixed intervals. The security team wants to know whether the alert represents a real threat or a harmless operational pattern.

113

An ERP database is backed up nightly to a NAS that remains online and is managed with the same admin group as production servers. After a ransomware incident, management wants the most effective change to improve recovery assurance without redesigning the whole environment. What should be implemented?

114

An internal finance application has an RTO of 2 hours and an RPO of 30 minutes. Current backups restore in about 6 hours because the team must rebuild the server from scratch. Which change best aligns the recovery design to the business requirement?

115

During morning SIEM review, an analyst sees 37 failed SSH logins followed by a successful login to a Linux server from a jump host. The account belongs to a configuration-management service account, and the activity occurred inside the normal maintenance window. What should the analyst do next to determine whether the alert is a true positive or a false positive?

116

After isolating an infected endpoint and collecting volatile memory, the team identifies a malicious browser extension and a scheduled task used for persistence. Which two actions belong in the eradication phase before returning the system to service? Select two.

117

A monthly scan finds a critical remote-code-execution vulnerability on an internet-facing VPN appliance. The vendor has not released a patch for six weeks, but the service must stay online. Which short-term action is the best risk treatment?

118

A billing application has an RTO of 2 hours and an RPO of 30 minutes. The current recovery method requires rebuilding the VM from scratch and then restoring last night's backup, which takes over six hours. Which solution best meets the stated recovery objectives?

119

A weekly vulnerability scan returns five findings across different systems. Which three should be remediated first? Select three.

120

During a restore test, a technician brings back a file server successfully, but the application team discovers that the database is missing the last 12 hours of transactions. Management says the business can tolerate only one hour of data loss. What should be changed first?

121

A help desk ticket confirms that a user entered corporate credentials into a fake sign-in page. Minutes later, the security team finds a new mailbox forwarding rule and evidence that the attacker added backup MFA codes. After disabling the account, what should the team do next to support containment and recovery?

122

Based on the exhibit, which temporary control best reduces risk until the patch is released?

123

Based on the exhibit, which change best moves the ERP recovery design toward meeting both recovery targets?

124

The SOC has contained a mailbox compromise by resetting the password and revoking active sessions. Investigation shows the attacker created an automatic forwarding rule and added an OAuth consent grant. What should happen next to eradicate the threat?

125

Based on the exhibit, which change best helps the company meet its recovery objectives after a ransomware event?

126

Based on the exhibit, what is the most likely conclusion after correlating the logs? A configuration-management task ran from a jump host and generated repeated login alerts on target servers. The SOC wants to determine whether this is malicious activity or approved automation.

127

Based on the exhibit, what is the best immediate action for the SOC or IR team? A finance workstation shows evidence of a macro-launched script, followed by file renaming and lateral SMB traffic to two other hosts. The team has not yet determined the full scope of the incident.

128

Based on the exhibit, what is the best eradication decision for the server compromise?

129

A SOC analyst reviews email platform logs for a finance user account. At 08:12, the user successfully signs in from Denver. At 08:15, the same account signs in from a residential ISP in another state. At 08:16, the mailbox creates a new external forwarding rule and deletes the original alert message. The user says they did not set up forwarding. What is the best assessment?

130

A scan keeps reporting the same medium-severity TLS configuration issue on a public web server. The application owner says the vendor software cannot be changed until next quarter, but they can place the service behind a reverse proxy that enforces stronger cipher settings. How should the issue be handled in the vulnerability management process?

131

Based on the exhibit, what is the most likely explanation for the alert?

132

A SIEM rule flags a Linux server because it makes outbound HTTPS connections to the same cloud IP every 15 minutes. The server runs an approved patch agent that should check in on a regular schedule. Which two checks best validate whether the alert is a false positive? Select two.

133

A legacy application server has a critical vulnerability, but the vendor will not release a fix for 30 days. Which two compensating controls are the best short-term risk reduction steps? Select two.

134

An IDS raises an alert for a possible SQL injection attack against an internal reporting portal. The web server logs show the source IP belongs to the company's vulnerability scanner, and the requests match the scanner's normal test pattern. What is the most appropriate analyst action?

135

A SIEM alert shows a workstation connecting to the same unknown internet address every 15 minutes, even after business hours. The device belongs to an employee who is on vacation. What is the best next step for the analyst?

136

A ransomware incident encrypted a file share and the attached NAS backups because the NAS stayed mounted to production and was reachable over SMB. Which two design changes would have reduced the blast radius most effectively? Select two.

137

An EDR alert shows winword.exe launching powershell.exe with an encoded command after a user opened an invoice attachment. No new executable file was written to disk, and the host is still online. Which two actions should the SOC analyst take first to validate the alert and collect usable evidence? Select two.

138

At 10:15, a file server begins renaming documents and creating payment notes. The SOC confirms the server is also making SMB connections to other internal hosts, but users can still access shared folders. What should the incident handler do FIRST?

139

Based on the exhibit, which issue should be remediated first by the operations team? A small company has limited maintenance windows and can address only one of several findings this week.

140

A vulnerability dashboard shows four new findings. Which one should be remediated first by the operations team?
- A low-severity issue on an offline lab VM
- A medium-severity issue on a payroll server with no known exploit
- A critical issue on an internet-facing web server with an available exploit
- A high-severity issue on a test workstation that is not domain joined

141

Based on the exhibit, what is the best eradication decision after containment? A quarantined endpoint was found to have a malicious startup item and a scheduled task. The team has already isolated it from the network and preserved memory for analysis.

142

Based on the exhibit, which finding is the best candidate for immediate remediation or emergency mitigation?

143

A user reports that a shared department drive is rapidly renaming files and creating ransom notes on a Windows file server. The SOC confirms suspicious activity is still occurring on that server. What should the incident responder do first?

144

Based on the exhibit, what is the most important next IR action?

145

A SOC analyst receives an alert that a domain admin account authenticated to a file server at 02:14 from a jump host that is normally used only by the infrastructure team. The Windows logs also show a scheduled task launching a backup script at the same time, and the backup team says the task was created during yesterday's change window. What is the best next step to determine whether this is a false positive?

146

A branch office stores nightly backups on a NAS that is joined to the same Active Directory domain as the production servers. After a ransomware incident, management wants a backup design that is much harder for attackers to encrypt or delete. Which approach is the best improvement?

147

An IDS generates an alert for possible SQL injection against an internal reporting portal at 02:00. The web logs show the source IP belongs to the company's approved vulnerability scanner, the request path matches the scheduled test window, and the WAF blocked the request. What is the most appropriate analyst conclusion?

148

An engineering firm backs up its file server every night to a NAS that is always mounted to the production domain. After a ransomware event, management asks for the most effective improvement to reduce the chance that backups are encrypted along with production data. What should be recommended?

149

A monthly vulnerability scan identifies a critical vulnerability on a public-facing VPN appliance, but the vendor says no patch is available yet. The service must remain online for remote workers. What is the best compensating control to reduce risk right away?

150

After a phishing account compromise has been contained and the attacker’s mailbox forwarding rule was removed, what should the team do next?

151

A SOC analyst receives a SIEM alert for a possible brute-force attack against a remote access portal. The alert shows 240 failed logins from the same source IP over 4 minutes, followed by one successful login. Before escalating as an incident, what is the BEST evidence to check to determine whether the alert is a false positive caused by approved activity?

152

Based on the exhibit, which change best improves both recovery time and recovery point for the ERP database? A mid-sized company has a two-hour RTO and a 30-minute RPO, but its current backup design cannot meet either objective during restore testing.

153

A vulnerability scan finds a critical flaw on a public-facing server and a medium flaw on a lab system that is not connected to the production network. Which issue should be fixed first?

154

An EDR console reports possible beaconing from a workstation because it makes outbound HTTPS connections to the same cloud IP every 15 minutes. The workstation belongs to the patch-management team, and the destination resolves to a vendor update service. Which evidence best supports closing the alert as a false positive?

155

A technician restores a file server from backup, but the business wants confidence that the recovery process will work during an outage. What should the team do most often to validate the backups?

156

Based on the exhibit, what is the best-supported conclusion for the SOC analyst?

157

A file server in the accounting department begins renaming documents and dropping ransom notes. The SOC confirms encryption is still in progress, and the server hosts a share used by several finance teams. What should the incident response team do first?

158

An EDR alert flags suspicious PowerShell on a finance workstation. Windows logs show the script started immediately after a patch-management tool launched from the software distribution server. The script only queries installed software and writes results to a log file. What is the most likely conclusion?

159

A company wants to make sure it can recover quickly after ransomware, even if the production network is unavailable. Which backup approach is the best choice?

160

A SOC analyst sees 20 failed logins for one user account, followed by a successful login 30 seconds later from the same office subnet. The user confirms they mistyped the password several times. What is the best conclusion?

161

A SOC analyst confirms that an employee entered credentials into a phishing site and that the mailbox now shows a new forwarding rule sending messages to an external address. The account is still signed in on a laptop and a mobile phone. What is the best next action?

162

A legacy application cannot be patched for two weeks, but the security team still wants to reduce risk in the meantime. What is the best temporary measure?

163

A weekly scan reports three findings: a medium-severity missing patch on a lab VM with no network access, a high-severity default credential on a management interface reachable from the internet, and a low-severity outdated browser plug-in on a visitor kiosk. Which issue should be remediated first?

164

Based on the exhibit, which action should the incident response team take next to eradicate the threat?

165

Based on the exhibit, which change best improves recovery resilience against a repeat ransomware incident?

166

A monthly scan finds a critical remote-code-execution issue on an internet-facing VPN appliance. The vendor has released a fix, but the appliance can only be rebooted during the weekend maintenance window in five days. What is the BEST immediate action to lower risk until patching can occur?

167

A Linux host is patched, but the scanner still flags the package as vulnerable. The vendor advisory says the distribution backported the fix, so the package version did not change. What should the analyst do before closing the ticket?

168

A file server is actively renaming documents and generating ransom notes. The server hosts a shared drive used by finance, and users are still online. What is the best immediate action?

169

A SIEM alert shows a workstation making repeated outbound HTTPS connections every 15 minutes to the same cloud IP address. The host belongs to the patch-management group, and the security team suspects an approved agent may be responsible. Which two checks best validate whether this is a false positive? Select two.

170

A branch office uses a NAS for nightly backups, but the NAS is joined to the same domain as the production servers. After ransomware encrypted both production data and backups, management wants the most effective change to reduce the chance of backup tampering without a major redesign. Which control should be implemented?

171

After containment and eradication of malware on several laptops, the team restores the devices from known-good images and verifies that users can authenticate and access email. Which action should occur NEXT to complete the incident response lifecycle and reduce future impact?

172

A SOC analyst confirms that a user entered corporate credentials into a fake sign-in page. Mailbox logs now show a new forwarding rule sending messages to an external address, and the attacker may still have an active session. Which two actions should the analyst take first to contain the account compromise? Select two.

173

A critical vulnerability is discovered on an internet-facing VPN appliance that cannot be patched for six weeks because the vendor has not released a fix. The VPN service must remain available. What is the best operational response?

174

A systems administrator says the backup software reports success every night, but no one has restored a server from backup in over a year. The business wants confidence that a file server can be recovered within the agreed recovery window. What is the best next action?

175

A user reports that their laptop is suddenly encrypting files and showing a ransom note. What should the incident response team do first?

176

Based on the exhibit, what should the team do next after the account has been contained?

177

Management wants to ensure a file server backed up every night can actually be restored within a 4-hour recovery time objective after an incident. Which two actions best improve recovery confidence? Select two.

178

A Linux administrator must run a weekly maintenance script on 40 servers without giving technicians interactive root access. Which two practices best support secure administration? Select two.

179

After a suspicious laptop is imaged with a write blocker, the original drive is sealed and stored. Before a second analyst examines the image, what is the most important next step to preserve admissibility?

180

A server room is located next to a chilled-water pipe, and facilities staff want the earliest possible warning if moisture starts leaking under the raised floor. Which control is the best fit?

181

An email security team receives a macro-enabled spreadsheet from a known supplier. The file must be analyzed before users open it, and if it proves malicious, the organization wants to stop the same attachment from reaching other inboxes. Which two tools are the best fit? Select two.

182

Match each incident response activity to the phase of the incident response lifecycle it best represents. Use each option once.
1. A SOC analyst disables a compromised account, isolates the workstation from the network, and preserves volatile evidence.
2. The team images the infected system, removes the malicious persistence mechanism, and patches the exploited vulnerability.
3. After restoring services, the team reviews timeline gaps, detection delays, and control failures with management.
4. Before the attack occurs, the team verifies contact lists, playbooks, escalation paths, and backup credentials.
5. The team confirms suspicious authentication logs, endpoint alerts, and unusual outbound traffic indicate an active compromise.

183

A finance workstation begins encrypting local files, and the EDR console shows the process is also enumerating SMB shares on adjacent hosts. The user reports no suspicious email and is still logged in. Management wants the fastest containment step that minimizes spread and the best follow-up action to preserve useful evidence. Which two actions should the SOC take first? Select two.

184

A SIEM analyst reviews authentication logs and sees the following pattern over 15 minutes: 68 different user accounts each had one failed login attempt from the same source IP, followed by no lockouts, and then one of the accounts successfully authenticated from that same IP using a valid password. What is the most likely explanation?

185

After a ransomware incident, management learns the attacker's stolen domain admin credentials were used to delete recent online backups from the same backup network. Which backup strategy would have most reduced the chance of permanent backup loss?

186

The email security team receives a suspicious invoice attachment from a vendor. The attachment is not blocked by signature-based detection, but the team wants to observe its behavior in a safe environment before delivery to users. What tool best fits this requirement?

187

A nightly patch script restarts services on 40 Linux servers. Security does not want an administrator to log in interactively, and the script should only have the permissions needed to install approved patches and restart those services. What is the best design?

188

Based on the exhibit, which control should be installed or expanded to provide the earliest warning of this hazard?

189

An investigator must collect data from a suspected insider-threat laptop so the evidence can be used in an HR and legal review. Which action best preserves admissibility?

190

A SIEM alert shows 300 failed logins against the same VPN account from one source IP over 12 minutes, followed by a successful login from that same IP and a spike in mailbox access. The user says they did not initiate the session. What is the most likely cause?

191

Based on the exhibit, which change best improves secure administration for the scheduled task?

192

A SIEM correlates VPN authentication logs and sees 14 different user accounts receive one failed login attempt each from the same source IP during a 5-minute window. A few minutes later, one of those accounts successfully authenticates from that same IP. Which attack is most likely?

193

A security team receives a macro-enabled spreadsheet from a supplier. The file must be analyzed before any user opens it, and if the same payload later executes on an endpoint, the organization wants the ability to contain it automatically. Which two tools best fit those requirements? Select two.

194

A network analyst reviews packet captures from a subnet where users intermittently lose access to the gateway. Which two findings would most strongly indicate ARP spoofing? Select two.

195

A Linux operations team must run a nightly maintenance script on 70 servers to rotate logs and restart one service. Security will not allow interactive SSH logins, and the script should only have the permissions required for those two commands. Which two configuration choices best meet the requirement? Select two.

196

A system administrator must run a weekly maintenance script that stops and restarts two services on 50 Linux servers. Security says the job must not use an interactive login and should have only the permissions needed for that task. What is the best approach?

197

A public web application is seeing bursts of requests that contain SQL metacharacters, encoded script tags, and attempts to POST to administrative endpoints. The team wants a control that can inspect HTTP traffic and block the malicious requests before they reach the app. What should be deployed?

198

A help desk ticket reports that a user's Microsoft 365 mailbox sent hundreds of messages to external contacts, and the user says they are still receiving MFA prompts they did not start. The attacker may still have an active web session. What is the best first containment action?

199

An investigator has just created a bit-for-bit image of a suspect's SSD using a write blocker. Before the drive is returned to evidence storage, what action most directly validates the integrity of both the original media and the image?

200

After a ransomware incident, management sees that last night's backups completed successfully and wants proof they can actually be used before production is declared recovered. Which three actions best validate recoverability? Select three.

201

After seizing a suspect's laptop, a responder creates a bit-for-bit disk image using a write blocker. The legal team wants the next step that most directly supports evidence integrity for later review. What should the responder do?

202

A branch office's network closet has repeated unauthorized access issues after staff badge in and hold the door for others. Management wants a control that allows one person through after valid badge use and helps prevent tailgating. Which control is best?

203

A SIEM analyst reviews the following sequence from a VPN and email platform over 15 minutes: 47 failed logins against different accounts from one public IP, one successful VPN login from that same IP, a new inbox forwarding rule to an external address, and a mailbox sign-in from a device never seen before. Which three findings most strongly support a password-spraying-to-compromise scenario? Select three.

204

After a ransomware incident, management says backups are available but will not approve closure until the team proves the restore process works without risking production data. Which two actions best validate recoverability? Select two.

205

A data center has repeated tailgating incidents at the entry to the server room. Management wants a control that forces one person to pass after badge authentication and prevents two people from entering together. What should be installed?

206

A server room uses raised flooring and sits below a chilled-water pipe. Facilities wants the earliest warning if water starts accumulating under the floor tiles. Which control should be added?

207

After collecting a suspect laptop, the responder makes a bit-for-bit image of the drive. Which two actions best support chain of custody? Select two.

208

An analyst receives a disk image and the original hash from a response team member. Before any examination begins, the analyst must be able to show the image is unchanged and that the evidence handling process is defensible. Which two actions are most important? Select two.

209

A help desk technician receives an alert that an unmanaged laptop was plugged into a conference room network jack and was automatically placed into a restricted network segment until it passed a security check. Which control is responsible for that behavior?

210

A records room has repeated tailgating after hours and occasional door propping during deliveries. Management wants one control that prevents follow-on entry and another that immediately alerts security if the door is forced open or left ajar. Which two controls best meet the need? Select two.

211

A data center wants to reduce tailgating at a sensitive room entrance. Which two controls are most effective? Select two.

212

A responder has imaged a suspect laptop and needs to preserve the evidence for possible legal action. Which three actions best support chain of custody and admissibility? Select three.

213

A security team receives a suspicious email attachment and wants to inspect its behavior safely before any user opens it. They also want a tool that can isolate the same threat if it reaches an endpoint. Which two tools or capabilities best fit this need? Select two.

214

A system administrator must run a weekly patch-and-restart job on 80 Linux servers without logging in interactively. The job should be repeatable, auditable, and limited to only the required maintenance commands. What is the best approach?

215

A SOC analyst reviews an EDR alert showing powershell.exe launched with an encoded command, then immediately connected to an unfamiliar IP address and spawned rundll32.exe. The user is still logged in and the machine may still contain evidence needed for investigation. Which two actions should the analyst take first to contain the incident while preserving evidence? Select two.

216

Based on the exhibit, which tool should the security team use to safely observe the attachment's behavior before delivery to users?

217

Facilities sees occasional water droplets forming above the cable trays in a data room during humid afternoons. The team wants the earliest possible warning before equipment is damaged. Which control should be added?

218

A SIEM correlates the following: 17 failed logons against the same VPN account from one IP in 9 minutes, a successful login from that IP, creation of a new API token in the SaaS tenant, and a large export job started two minutes later. Which two interpretations are best supported? Select two.

219

A contractor connects a personal tablet to a lobby Ethernet jack. The network team wants the device blocked from internal resources until it passes posture checks and only guest access is allowed meanwhile. Which control best fits?

220

After a ransomware event, management wants proof that last night's backups can actually support business operations before they declare recovery complete. What is the best action?

221

A Linux operations team needs to run a nightly script that restarts one service and archives its logs on 60 servers. Security does not want an administrator to log in interactively, and the script should have only the permissions needed for that job. What is the best approach?

222

A SOC analyst confirms that a critical Linux virtual machine is making outbound connections to a known malicious IP address. The application owner says the VM hosts a revenue system that cannot be powered off without causing a major outage. What is the best containment action?

223

Based on the exhibit, which control would best reduce unauthorized follow-on entry into the records room?

224

A SIEM correlates VPN logs and sees the same public IP make one failed login attempt against 56 different user accounts over 25 minutes. The usernames vary, but the password value appears to be the same in each attempt. Ten minutes later, one of those accounts authenticates successfully from the same IP, and no password-reset events are recorded. Which attack pattern is most likely?

225

Help desk staff must restart one Windows service and read its event logs on 150 servers, but they should not have local administrator rights or interactive logon to the systems. Which approach best supports this requirement?

226

After seizing a suspected insider's laptop, a responder makes a bit-for-bit image of the drive. The legal team asks what step most directly proves the image was not altered after acquisition. What should be done?

227

A SOC analyst reviews one user account and sees several failed logins from a single IP, then a successful login from the same IP, followed by a new inbox forwarding rule to an external address. Which two findings most strongly suggest account compromise? Select two.

228

Based on the exhibit, what should the team do next to confirm the backups can actually be used during an outage?

229

A company is placing a customer-facing web application behind a new security control. The team wants to block malicious HTTP requests such as injection attempts before they reach the application server, with minimal code changes to the app itself. Which control is the best fit?

230

A SOC analyst receives an EDR alert showing a finance laptop creating encrypted archives and then attempting SMB connections to several internal file shares. The user is still logged in, and the business wants to stop possible spread without destroying volatile evidence. What should the analyst do first?

231

An email attachment from an external supplier is not blocked by signature-based AV, but the SOC wants to see whether it drops files, launches child processes, or contacts suspicious domains before delivery to users. Which control best fits?

232

Based on the exhibit, what should the analyst do before opening the forensic image for examination?

233

After hours, EDR alerts show a finance laptop encrypting local files and trying SMB connections to nearby workstations. The user is still logged in, and management wants the fastest step that limits spread while preserving evidence. What should the SOC do first?

234

Following a ransomware incident, management wants to verify that backups are usable and that a restored file server will meet recovery expectations before declaring the system trusted again. Which action is best?

235

A workstation is suspected of running malware and contacting an unknown host. Which two actions belong in the containment phase? Select two.

236

After a ransomware event, management wants proof that backups can actually be used before trusting them. Which two activities best validate recoverability? Select two.

237

A server room sits below a chilled-water line, and occasional condensation is forming on the pipe during humid afternoons. Facilities wants the earliest warning before water reaches equipment and a way to get an alert even if no one is onsite. Which two controls should be implemented? Select two.

238

A post-incident review shows the SOC detected malicious PowerShell activity six hours late because the existing detections did not correlate the encoded command, the unusual outbound connection, and the creation of a scheduled task. Leadership wants the two follow-up actions most likely to improve future response. Select two.

239

A SOC analyst confirms that a workstation is encrypting local files and attempting SMB connections to nearby hosts. The user is still logged in, and the business wants to limit spread without destroying evidence. What is the best immediate action?

240

A Linux operations team must run a nightly maintenance workflow on 60 servers to rotate logs and restart one service. Security does not allow interactive root logins, and every execution must be auditable. Which two practices best support secure administration? Select two.

241

After a ransomware event, the team restores a file server from backup, but management wants proof that the restore process will work before the backups are declared trusted. What should be done next?

242

A SIEM report shows this sequence over 25 minutes: the same public IP submitted one failed password attempt against 53 different accounts, then one account successfully authenticated, created an inbox forwarding rule, and downloaded hundreds of messages through the web portal. Which two conclusions are best supported? Select two.

243

Based on the exhibit, what should the analyst do next to limit the impact of the suspected compromise?

244

A web team is moving a customer portal behind a new inspection device. They need something that can examine HTTP requests, block malicious patterns like injection attempts, and still allow normal browsing. Which control is most appropriate?

245

An email gateway receives a macro-enabled spreadsheet from an external supplier. Signature-based scanning does not flag it, but the security team wants to observe whether it drops files, creates persistence, or contacts suspicious domains before delivery to the user. Which tool best meets this need?

246

Following a ransomware incident, management wants proof that the organization can actually recover from its backups before declaring the backups trustworthy. What should the security team do next?

247

The web team is placing a public customer portal behind a control that can inspect HTTP requests, block malicious payloads such as SQL injection and cross-site scripting, and still allow legitimate application traffic without rewriting the app. Which control should they deploy?

248

A Linux web server was compromised through an outdated package. The team isolated the host, captured evidence, removed a malicious cron job, patched the vulnerable package, and confirmed no persistence remains. Which incident response phase are they primarily in now?

249

A SIEM reviews VPN authentication logs and sees 36 different usernames each receive one failed login attempt from the same source IP over 20 minutes, followed by one successful login to an unrelated account. Which attack is most likely?

250

An office loses power several times each month, causing servers to shut down without warning. Which control best helps keep the systems running long enough for a safe shutdown?

251

A user reports a suspicious pop-up on a workstation and the SOC suspects malware. Which action should the responder take first to contain the threat?

252

Match each SOC alert artifact to the most useful investigation pivot. Each pivot should help determine whether the alert is a true incident, a false positive, or part of a broader campaign.

253

Employees in a server room often prop the door open while carrying equipment. What control best helps detect and prevent this behavior?

254

A SOC analyst notices that log timestamps from different servers do not line up during an investigation. What should be implemented to improve event correlation?

255

A branch office loses power briefly several times each month. Which control best helps keep network equipment running long enough for an orderly shutdown?

256

A SOC analyst sees 38 failed logins for a finance user account from one public IP address over 4 minutes, followed by one successful login. What should the analyst do first?

257

A SOC analyst wants to make sure logs from multiple servers can be compared accurately during an incident review. What should be configured on those systems?

258

A critical patch must be applied to a production server next week. What is the best way to reduce the risk of downtime if the patch causes a problem?

259

A help desk team needs to update desktops in a call center without interrupting callers during peak hours. What is the best operational approach?

260

A laptop is suspected of being compromised, and the responder wants to preserve useful evidence before shutting it down. What should be done first?

261

Before applying a critical patch to a production application server, which action best reduces the risk of extended downtime if the patch fails?

262

A user reports a ransomware note on one department file share, but other departments are still working normally. What is the best first containment action?

263

Match each security monitoring artifact from the SOC alert queue to the best investigation focus.

264

A critical patch must be applied to a retail point-of-sale server. What is the best way to reduce business disruption?

265

Match each change-management practice to the best description for reducing patching risk in production.

266

A server room is sometimes left open while technicians carry equipment in and out. Which control best helps detect and discourage unauthorized entry?

267

Match each incident response action to its primary purpose during a suspected endpoint compromise.

268

A SIEM alert shows 120 failed logins for one user account from three different countries within 10 minutes, followed by a successful login. What should the analyst do first?

269

After a phishing incident, the security team wants to preserve evidence for later review. Which action is most appropriate?

270

A SIEM correlation rule alerts when a single user account fails to authenticate 20 times in 5 minutes and then succeeds from the same source IP. What is the most likely reason the team should investigate this event?

271

Match each detection pattern to the most likely security issue. Each item has one best match.

272

An EDR alert shows a user workstation launching an unfamiliar executable from the Downloads folder and then making repeated outbound connections to an IP address in another country. What is the best first response by the security team?

273

An EDR console alerts that powershell.exe launched with an encoded command on a finance workstation, and a minute later the host begins making repeated outbound connections to an unfamiliar IP address. What is the best initial response?

274

A hardening script is pushed to a production web server and, within minutes, the application stops accepting secure connections. The team discovers the script disabled a required TLS setting that the legacy application still needs. What should have been in place to reduce the impact of this change?

275

An NDR tool shows a production web server sending small, periodic DNS queries to random-looking subdomains under a domain the company does not use. The pattern repeats every 60 seconds, even when normal web traffic is idle. What is the best interpretation and next step?

276

A file server begins encrypting documents, and the SOC confirms the activity is malicious. Which incident response step should happen first to limit further damage?

277

A SOC analyst receives an alert from the VPN appliance and identity platform. In the last 10 minutes, a user account had 14 failed VPN logons from one country, then one successful login from a different country. The user calls the help desk and says they have not used their account today. What should the analyst do first?

278

After a workstation hardening baseline is updated, the security team wants to confirm that finance laptops actually match the new settings. Which control is the best way to verify this?

279

A nightly backup job shows "Completed successfully" in the backup console, but a test restore fails with an authentication error after the backup service account password was rotated last week. What is the best next step?

280

A manager asks the security team to let Human Resources inspect the files on a laptop suspected of containing stolen customer data before IT touches it. What is the best response?

281

An organization is retiring a batch of laptops with SSDs. All of the systems used full-disk encryption and stored sensitive internal documents. What is the best action before the devices leave the company?

282

A vulnerability scan finds that an old print server still has SMBv1 enabled. The business says the vendor will not support a patch for at least two months, but the server must stay online. What is the best temporary mitigation?

283

A security scan finds a critical patch missing on a public-facing web server. The patch has already been tested in the lab and approved for deployment. What should the operations team do next?

284

A security analyst is reviewing incident response procedures. Which three of the following activities are typically performed during the 'Containment, Eradication, and Recovery' phase of the incident response process? (Choose three.)

285

An organization is implementing a new Security Information and Event Management (SIEM) system. Which three of the following are primary capabilities that a SIEM provides to support security operations? (Choose three.)

286

A company is implementing controls to protect against insider threats. Which three of the following controls are most effective for detecting and preventing data exfiltration by a malicious insider? (Choose three.)

287

A security operations center (SOC) analyst is investigating a potential malware outbreak. Which three of the following indicators of compromise (IOCs) would provide the strongest evidence of malicious activity? (Choose three.)

288

A security analyst is reviewing the organization's incident response procedures. According to the NIST SP 800-61 framework, which four of the following are recognized phases of the incident response lifecycle? (Choose four.)

289

An organization is implementing a Security Information and Event Management (SIEM) system to enhance its security monitoring capabilities. Which four of the following are primary functions of a SIEM? (Choose four.)

290

Drag and drop the steps for the RADIUS authentication process into the correct order.

291

Drag and drop the steps to implement a backup strategy following the 3-2-1 rule into the correct order.


Other SY0-701 exam domains: General Security Concepts; Threats, Vulnerabilities, and Mitigations; Security Architecture; Security Program Management and Oversight.

Frequently asked questions

What does the Security Operations domain cover on the SY0-701 exam?

Security Operations tests your ability to detect, respond to, and recover from real-world security incidents. On the SY0-701 exam it covers incident response (NIST SP 800-61), vulnerability management, SIEM log analysis, data protection, and change management. It is worth 28% of your score — the highest-weighted domain.

How many Security Operations questions are in the SY0-701 question bank?

The Courseiva SY0-701 question bank contains 291 questions in the Security Operations domain, covering the 28% of the exam attributed to this domain in the official CompTIA blueprint. Click any question to see the full explanation and answer breakdown.

What is the best way to practice Security Operations for SY0-701?

Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.

Can I practice only Security Operations questions for SY0-701?

Yes — the session launcher on this page draws questions exclusively from the Security Operations domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.
