Courseiva
© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Objective 4.0 · 28% of exam

Security Operations

SY0-701 Practice Questions

Security Operations is the single largest domain on the SY0-701 exam at 28% — and the one most grounded in real-world analyst work. This domain covers what a security team does every day: detecting threats through SIEM and IDS/IPS, running the incident response playbook, scanning and patching vulnerabilities, protecting data, and keeping change management locked down. Exam questions are almost entirely scenario-based. You will be handed a situation — ransomware hits a file server, a SIEM alert fires at 2am, a critical CVE drops for a system you own — and asked what to do next, in what order, and with which tool. The NIST SP 800-61 incident response lifecycle (Preparation → Detection and Analysis → Containment → Eradication and Recovery → Post-Incident Activity) appears on nearly every exam version. Treat it as required memorisation.


What this objective tests

SY0-701 Security Operations — Key Topics

Security Operations tests your ability to detect, respond to, and recover from real-world security incidents. On the SY0-701 exam it covers incident response (NIST SP 800-61), vulnerability management, SIEM log analysis, data protection, and change management. It is worth 28% of your score — the highest-weighted domain.

  • Incident response lifecycle — Preparation, Detection & Analysis, Containment, Eradication & Recovery, Post-Incident Activity (NIST SP 800-61). Know the exact order cold.
  • Vulnerability management — scan types, CVSS severity scoring, patch prioritisation, and the critical difference between a vulnerability scan and a penetration test.
  • Security monitoring — SIEM log correlation, IDS vs IPS placement and behaviour, alert triage, and separating true positives from false positives.
  • Identity and access management operations — enforcing MFA, detecting privilege escalation, account lockout policies, and least-privilege principles.
  • Data protection — encryption at rest vs in transit, DLP tool placement, data classification schemes, and secure data disposal methods.
  • Disaster recovery and business continuity — RTO vs RPO definitions, full/incremental/differential backup strategies, and failover testing.

Common exam traps

Where candidates lose marks on Security Operations

  • ⚠ Containment comes before Eradication in incident response — reversing these two phases is the most common mistake on this domain.
  • ⚠ A vulnerability scan identifies weaknesses; a penetration test actively exploits them. The exam expects you to know which is appropriate and when.
  • ⚠ RTO is how fast you restore service; RPO is how much data loss you can tolerate. Mixing these up costs marks on scenario questions.
  • ⚠ Not every SIEM alert is a real threat — the exam tests alert triage. Recognising false positives is a distinct skill from detecting real incidents.
  • ⚠ IDS alerts and logs; IPS blocks. Placement also differs — IDS can be passive/out-of-band, IPS must be inline. Confusing them is a guaranteed wrong answer.

SY0-701 Security Operations — Practice Questions

30 questions from this objective · 28% of your SY0-701 exam

Question 2 · medium · multiple choice

A SOC analyst receives an alert from the EDR system indicating that the process 'C:\Program Files\Vendor\Updater.exe' attempted to modify the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run registry key on a user's workstation. The analyst checks the file hash and finds it matches a known legitimate software updater. Which of the following actions is most appropriate for the analyst to take?

Question 3 · medium · multiple choice

A SOC analyst is reviewing logs from a Windows domain controller and notices a large number of failed logon attempts (Event ID 4625) from a single source IP address within a five-minute window. The account names used are random strings such as "a1b2c3", "x9y8z7", etc. The analyst then checks the source IP and finds it is a known external address from a foreign country. Which of the following is the most appropriate next step for the analyst to take?

Question 4 · medium · multiple choice

A security operations analyst is tuning a SIEM correlation rule designed to detect brute-force password attacks against domain user accounts. The current rule generates an alert when a single user account has more than 10 failed logon attempts within a 5-minute window. The SOC team is overwhelmed by thousands of alerts each day, the vast majority of which are triggered by legitimate users who accidentally mistype their passwords. Which of the following modifications to the rule would most effectively reduce false positives while still detecting actual brute-force attacks?

Question 5 · medium · multiple choice

A security analyst is responding to a potential ransomware incident on a Windows server that is still running. The analyst needs to preserve forensic evidence for analysis. Which of the following actions should the analyst perform first, based on the order of volatility?

Question 6 · medium · multiple choice

A security analyst is monitoring logs from the cloud access security broker (CASB) and observes that a user account downloaded 500 GB of data from a highly sensitive SharePoint document library within a single hour. The user's historical baseline shows an average daily download of less than 10 MB. Additionally, the log shows the session originated from an IP address in a country where the company has no employees or business operations. Which of the following actions is the most appropriate for the analyst to take?

Question 7 · medium · multiple choice

A security analyst in the SOC is investigating a potential DNS tunneling incident. The analyst has identified a workstation that is making thousands of DNS queries to an external domain with base64-encoded subdomains. The analyst suspects that sensitive files from the workstation are being exfiltrated by encoding their contents into the subdomains of the DNS queries. Which of the following log sources will provide the most definitive evidence to confirm that the contents of a specific sensitive file are being transmitted in the DNS queries?

Question 8 · medium · multiple choice

A security analyst is reviewing network flow logs and notices a series of outbound connections from a single internal workstation to an external IP address on TCP port 443. The connections occur every 5 minutes, each lasting about 2 seconds, and the amount of data transferred per connection is consistently around 1 KB. The workstation's user reports no unusual activity. The analyst checks the host's EDR logs and sees no malicious processes or known indicators. Which type of activity is this pattern most consistent with?

Question 9 · medium · multiple choice

A security analyst in the SOC is reviewing an alert from the corporate VPN server. The alert indicates that user 'jsmith' authenticated successfully from an IP address in Brazil at 14:30 UTC. The analyst contacts jsmith, who confirms he is physically in the company's headquarters in Chicago and has not remotely accessed the VPN today. The VPN authentication logs show that jsmith's session used a valid smart card certificate for authentication. The analyst checks the certificate revocation list and finds that jsmith's certificate has not been revoked. Which of the following is the most likely explanation for this event?

Question 10 · medium · multiple choice

A security analyst is reviewing the perimeter firewall logs. The analyst observes repeated TCP SYN packets from a single external IP address (203.0.113.50) to multiple internal IP addresses on TCP port 3389. The packets are sent with a consistent 50-millisecond interval. There are no subsequent SYN-ACK or RST packets from the internal hosts in the logs. The analyst suspects this is a reconnaissance scan. Which of the following additional log sources would provide the most definitive evidence to confirm this suspicion?

Question 11 · medium · multiple choice

A digital forensics analyst is investigating a suspected insider threat. The analyst has acquired a laptop used by the suspect. The analyst needs to obtain a forensic image of the hard drive without altering any data. The laptop is running and logged into the suspect's user account. Which of the following is the most appropriate first step for the analyst to take?

Question 12 · medium · multiple choice

A security analyst receives an alert from the intrusion detection system indicating that a workstation in the finance department has established an outbound connection to a known malicious IP address using an encrypted protocol. The analyst verifies the alert and checks the user's activity logs, which show no legitimate business reason for the connection. According to the incident response process, what should the analyst do NEXT?

Question 13 · medium · multiple choice

A security analyst at a financial firm detects an unusual spike in outbound network traffic from a database server that normally only communicates with internal web servers. The traffic is directed to numerous external IP addresses in various countries. According to established incident response procedures, what should be the analyst's immediate next step?

Question 14 · medium · multiple choice

A security analyst receives an alert from the intrusion detection system (IDS) indicating a high volume of outbound traffic from a single internal workstation to an external IP address known to be associated with a command-and-control (C2) server. The workstation's user reports no unusual activity. Which of the following should the analyst do FIRST?

Question 15 · medium · multiple choice

A security analyst notices repeated failed login attempts to a critical database server from a single external IP address over the past hour. The analyst reviews the authentication logs and sees that the account name used in each attempt is 'admin'. Which of the following security controls should the analyst recommend to mitigate this type of attack with minimal impact on legitimate users?

Question 16 · medium · multiple choice

A security analyst receives multiple alerts indicating that several users in the finance department clicked a malicious link in an email. The analyst has confirmed the email subject line and sender address. Which of the following is the BEST first step to contain the incident?

Question 17 · medium · multiple choice

A security analyst receives an automated alert indicating that a standard user account logged in from a geographic location that is unusual for the user, and the login occurred at 3:00 AM local time. The analyst has not yet verified whether this was a successful login or if any additional suspicious activity occurred. According to standard incident response procedures, what should the analyst do NEXT?

Question 18 · medium · multiple choice

A security analyst detects unusual outbound traffic from a workstation that appears to be communicating with a known malicious IP address. The analyst immediately isolates the workstation from the network. Which of the following is the NEXT step in the incident response process according to NIST SP 800-61?

Question 19 · medium · multiple choice

An organization's file server contains sensitive HR data. The security team discovers that permissions on a confidential folder have been altered. Which of the following security controls would MOST likely help determine the account responsible for this change?

Question 20 · medium · multiple choice

A security analyst detects a high volume of failed authentication attempts from IP address 203.0.113.1 against a web application. The attempts use different usernames, such as 'admin', 'root', 'test', and several common names. Account lockout policies are configured to lock an account after five failed attempts. Despite this, the analyst sees the attempts continuing over several hours. Which of the following security controls is most likely missing or improperly configured?

Question 21 · medium · multiple choice

A security analyst receives an alert about a user account that has been attempting to authenticate from an unusual geographic location outside of business hours. The analyst reviews the event logs and sees that the authentication attempt was successful, but the user has not reported any suspicious activity. Which of the following actions should the analyst take NEXT?

Question 22 · medium · multiple choice

A help desk technician reports that a user's account was locked out three times overnight. The security team reviews the authentication logs and discovers that the lockouts resulted from failed login attempts originating from a single external IP address, each attempt using a slightly different variation of the user's password. Which of the following should the security analyst do FIRST?

Question 23 · medium · multiple choice

A security analyst detects an encrypted outbound connection from a web server to an unknown IP address. The connection is persistent and occurs every 5 minutes. What is the MOST appropriate first step for the analyst to take?

Question 24 · medium · multiple choice

A security analyst in the SOC observes a sudden spike in failed authentication attempts from a single external IP address targeting multiple user accounts over the last 30 minutes. After confirming the logs are accurate, which of the following actions should the analyst take FIRST according to standard incident response procedures?

Question 25 · medium · multiple choice

A security analyst detects repeated outbound traffic from a single workstation to an IP address listed on a public threat intelligence feed as a known command-and-control server. The user reports that the workstation is behaving slowly and that antivirus software is up to date. According to incident response best practices, what should the analyst do FIRST?

Question 26 · medium · multiple choice

A SOC analyst is investigating an alert triggered when a user clicked a link in an email. The email appeared to be from a trusted vendor and included a PDF attachment with a macro, but the user did not run the macro. Upon reviewing the email headers, the analyst notices that the sender's domain is a common misspelling of the vendor's legitimate domain. Which of the following is the most direct indicator that this email is a phishing attempt?

Question 27 · medium · multiple choice

A security analyst in a SOC receives an alert indicating that a large volume of data was transferred from a user's workstation to an external IP address at 2:00 AM. The analyst suspects a data exfiltration attack. According to incident response best practices, what should the analyst do FIRST?

Question 28 · medium · multiple choice

A security analyst receives an alert that a user clicked a link in a phishing email and entered their corporate credentials on a fake login page. Which of the following should the analyst do FIRST to minimize further damage?

Question 29 · medium · multiple choice

A security analyst notices a sudden increase in outbound traffic from a database server that normally only communicates with internal application servers. The server is running a standard OS with no recent changes. Which of the following actions should the analyst take FIRST to determine if the server is compromised?

Question 30 · medium · multiple choice

A security analyst is reviewing authentication logs from a corporate web application. The logs show that over a span of two hours, a single external IP address attempted to log in with 500 different usernames, each using the same password 'Spring2024!'. Only a few of these attempts succeeded. Which type of attack is most likely being observed?

Question 31 · medium · multiple choice

A security analyst is reviewing web server logs after a user reports that the company website displayed an error message containing raw database queries. The log shows repeated requests to the product search page with the following parameter: `?id=1 OR 1=1`. Which of the following should the analyst do FIRST to confirm the nature of the suspected attack?

More Security Operations questions available in the full practice test.


All SY0-701 Objectives

  • 1. General Security Concepts (12%)
  • 2. Threats, Vulnerabilities, and Mitigations (22%)
  • 3. Security Architecture (18%)
  • 4. Security Operations (28%)
  • 5. Security Program Management and Oversight