CAS-004 · topic practice

Security Operations practice questions

Use this page to practise Security Operations questions for this certification. Focus on how the exam tests security operations in scenario format — understanding the why behind each answer builds more durable knowledge than memorising options.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed by Johnson Ajibi · MSc IT Security
20 questions · Domain: Security Operations

What the exam tests

What to know about Security Operations

Security Operations questions on this certification test your ability to deploy and manage security operations concepts in scenario-based situations.

Core Security Operations concepts and how they apply in real-world cloud scenarios.

How to deploy security operations correctly and verify the outcome.

Troubleshooting security operations issues by interpreting error output and system state.

Cloud best practices and Security Operations design trade-offs tested by this certification.

Watch out for

Common Security Operations exam traps

  • Selecting the most expensive service when a simpler managed option meets the requirement.
  • Forgetting that cloud resources must be explicitly secured — defaults are rarely secure.
  • Choosing a global service fix when the issue is region-specific.
  • Overlooking cost implications of cross-region data transfer in architecture questions.

Practice set

Security Operations questions

20 questions · select your answer, then reveal the explanation

A security analyst receives an alert indicating an internal host is sending outbound traffic on TCP port 25 to multiple external IP addresses. Which action should the analyst take first to investigate potential data exfiltration?

A SOC analyst is reviewing a large volume of failed login attempts across multiple user accounts from a single external IP address. The attempts use common usernames and passwords over SSH (port 22). Which security control would be most effective at preventing this type of attack?

An organization deploys a new web application that stores sensitive data in a backend database. During a penetration test, the tester discovers that the application is vulnerable to SQL injection via a search field. Which of the following design changes would best mitigate this vulnerability without significantly impacting functionality?

A security engineer is configuring a SIEM and wants to reduce false positives while ensuring that real attacks are detected. Which of the following approaches would best achieve this balance?

During a security incident, a forensic investigator needs to capture the contents of volatile memory on a compromised server. Which of the following tools should the investigator use?

Which TWO of the following are best practices for securing a cloud-based identity and access management (IAM) system? (Select exactly 2.)

Which THREE of the following are effective techniques for detecting advanced persistent threats (APTs) within a network? (Select exactly 3.)

Exhibit

Refer to the exhibit.

```
Event: 4625 (An account failed to log on)
Account Name: Administrator
Source Network Address: 10.10.10.50
Logon Type: 3 (Network)
Status: 0xC000006D (bad username or password)

Event: 4624 (An account was successfully logged on)
Account Name: jsmith
Source Network Address: 10.10.10.50
Logon Type: 2 (Interactive)

Event: 4672 (Special privileges assigned to new logon)
Account Name: jsmith
Privileges: SeTcbPrivilege, SeDebugPrivilege

Event: 5140 (A network share object was accessed)
Account Name: jsmith$
Accesses: WriteData (or AddFile)
Share Name: \\*\C$
```

A security analyst reviews the above Windows security events from a domain controller. What is the most likely conclusion about the activity?

Exhibit

Refer to the exhibit.

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::bucket123/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "203.0.113.0/24"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::bucket123/*",
      "Principal": "*"
    }
  ]
}
```

A cloud security engineer reviews the above S3 bucket policy. Which of the following is the most significant security concern?

A security analyst notices repeated failed login attempts from a single IP address across multiple user accounts. Which of the following is the BEST immediate action to mitigate this attack?

A SOC analyst is reviewing an alert about a suspicious process execution on a critical server. The alert shows that cmd.exe spawned from Microsoft Word. Which of the following is the BEST next step for the analyst?


An organization wants to implement a solution that automatically detects and blocks malicious traffic based on known signatures and behavioral anomalies. Which of the following should be deployed?

A security engineer needs to design a solution to detect and respond to insider threats involving unauthorized data exfiltration via USB devices. Which of the following is the MOST effective approach?

A security analyst is investigating a potential data breach. The logs show that an attacker used a compromised service account to access sensitive files on a file server. Which TWO actions should the analyst take FIRST to contain the incident? (Choose TWO.)

A large enterprise has deployed a security information and event management (SIEM) system that ingests logs from all critical servers, network devices, and endpoints. The SIEM is configured to correlate events and generate alerts for suspicious activities. Recently, the SOC team has been overwhelmed by a high volume of false positive alerts, particularly from the web server farm. The false positives are mainly triggered by legitimate web crawling and scanning activities from partners and internal tools. The SOC manager wants to reduce false positives without missing real threats. As the security architect, you are asked to recommend a solution. Which of the following is the BEST course of action?


A small business runs its critical line-of-business application on a single Windows server located in a local data center. The server is accessed by employees remotely via RDP over a VPN. Recently, the server has been experiencing slow performance, and the administrator notices high CPU usage from a process named 'svchost.exe'. The administrator suspects malware but is not sure. The business has no security tools beyond Windows Defender. Management wants to minimize downtime and ensure the server is back to full operation as soon as possible. Which of the following is the BEST course of action for the administrator to take first?

Which TWO of the following are key components of a successful incident response plan according to NIST SP 800-61?

Exhibit

Refer to the exhibit.

```
Jul 15 10:23:45 server1 authpriv: sudo: pam_unix(sudo:auth): authentication failure; logname= uid=0 euid=0 tty=/dev/pts/2 ruser=root rhost=  user=admin
Jul 15 10:23:47 server1 authpriv: sudo: pam_unix(sudo:auth): authentication failure; logname= uid=0 euid=0 tty=/dev/pts/2 ruser=root rhost=  user=root
Jul 15 10:23:49 server1 authpriv: sudo: pam_unix(sudo:auth): authentication failure; logname= uid=0 euid=0 tty=/dev/pts/2 ruser=root rhost=  user=root
Jul 15 10:23:51 server1 authpriv: sudo: pam_unix(sudo:auth): authentication failure; logname= uid=0 euid=0 tty=/dev/pts/2 ruser=root rhost=  user=root
Jul 15 10:23:53 server1 authpriv: sudo: pam_unix(sudo:auth): authentication failure; logname= uid=0 euid=0 tty=/dev/pts/2 ruser=root rhost=  user=root
Jul 15 10:23:55 server1 authpriv: sudo: pam_unix(sudo:auth): authentication failure; logname= uid=0 euid=0 tty=/dev/pts/2 ruser=root rhost=  user=root
Jul 15 10:23:57 server1 authpriv: sudo: pam_unix(sudo:auth): authentication failure; logname= uid=0 euid=0 tty=/dev/pts/2 ruser=root rhost=  user=root
Jul 15 10:24:00 server1 authpriv: sudo: pam_unix(sudo:auth): authentication failure; logname= uid=0 euid=0 tty=/dev/pts/2 ruser=root rhost=  user=root
```

Based on the exhibit, which type of attack is most likely occurring?

A security analyst at a financial institution is investigating a potential data exfiltration incident. The organization uses a zero-trust network architecture with micro-segmentation. The analyst notices that a database server with sensitive customer financial data has been communicating with an external IP address (198.51.100.45) over port 443 during non-business hours. The database server is not supposed to initiate outbound connections; all outbound traffic is logged and blocked by default except for specific allowlisted IPs and ports. The analyst reviews the firewall logs and finds that the outbound connection to 198.51.100.45 was allowed because the source port was 443, which is an allowed port for inbound HTTPS traffic. The database server is not a web server and does not run any HTTPS services. Which of the following is the best course of action for the analyst to take first?

Drag and drop the steps to set up a SIEM alert for a failed login threshold into the correct order.




Frequently asked questions

What does the CAS-004 exam test about Security Operations?
Security Operations questions on this certification test your ability to deploy and manage security operations concepts in scenario-based situations.
How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.
Can I practise just Security Operations questions in a focused session?
Yes — the session launcher on this page draws every question from the Security Operations domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.
Where can I practise other CAS-004 topics?
Use the topic links above to move to related areas, or go back to the CAS-004 question bank to see all topics.
Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the CAS-004 exam covers. They are not copied from any real exam or dump site.