CCNA Security Operations Questions

75 of 162 questions · Page 2/3 · Security Operations · Answers revealed

76
Drag & Dropmedium

Arrange the steps for conducting a security incident response in the correct order.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

Incident response follows the NIST framework: Prepare, Detect & Analyze, Contain/Eradicate/Recover, Post-Incident, and Report.

77
MCQmedium

A security operations center (SOC) analyst is investigating an alert from the endpoint detection and response (EDR) system indicating that a process named "svchost.exe" spawned from a parent process "cmd.exe" on a user workstation. The user is a software developer who frequently uses command-line tools. The analyst checks the command line arguments: "cmd.exe /c powershell -EncodedCommand ...". The encoded command decodes to a script that downloads a payload from a remote server and executes it. The analyst also sees that the workstation has established an outbound connection to the same server on port 443. Which of the following is the BEST immediate action?

A.Isolate the workstation from the network.
B.Disable the user account.
C.Kill the svchost.exe process.
D.Block the remote server IP at the firewall.
AnswerA

Immediately contains the threat by preventing further communication and lateral movement.

Why this answer

Isolating the workstation is the best immediate action because the EDR alert confirms active compromise: a malicious encoded PowerShell command executed via cmd.exe spawned svchost.exe (a process commonly abused for masquerading), and an outbound connection to the same C2 server on port 443 (HTTPS) indicates ongoing data exfiltration or further payload delivery. Network isolation stops all communication with the attacker while preserving forensic evidence on the endpoint, which is critical for containment in a SOC response.

Exam trap

CompTIA often tests the misconception that blocking the remote IP or killing the process is sufficient, but the trap here is that the active outbound connection and running payload require immediate network containment to prevent data exfiltration and lateral movement, not just reactive blocking or process termination.

How to eliminate wrong answers

Option B is wrong because disabling the user account does not stop the already-running malicious process or its outbound C2 connection; the threat persists on the endpoint regardless of authentication status. Option C is wrong because killing svchost.exe may disrupt the malware but does not block the outbound connection already established, and the process could be a legitimate svchost.exe instance that has been injected or hollowed, making termination risky without analysis. Option D is wrong because blocking the remote server IP at the firewall only prevents future connections from that IP but does not stop the current active session or the malware already executing on the workstation, and the attacker can easily switch to a different IP or domain.

78
MCQmedium

A WAF generates repeated SQL injection alerts against a login endpoint. The application team says the requests returned HTTP 200. What should the analyst do before declaring compromise? In the containment trade-off phase, Which response balances containment with evidence preservation?

A.Review application logs for query errors, authentication events, and abnormal database access
B.Disable the WAF rule because it may be noisy
C.Treat every HTTP 200 as proof of exploitation
D.Ask users to change passwords without checking logs
AnswerA

HTTP 200 can occur for blocked, handled, or successful requests; application and database context determine impact.

Why this answer

Option A is correct because HTTP 200 responses from a WAF-protected endpoint do not rule out successful SQL injection; the application may have processed the malicious input without triggering an HTTP error. Reviewing application logs for query errors, authentication anomalies, and abnormal database access provides direct evidence of whether the injection actually succeeded, which is essential before declaring compromise. This approach balances containment by not disrupting legitimate traffic while preserving forensic evidence for analysis.

Exam trap

Cisco often tests the misconception that an HTTP 200 status code definitively indicates no exploitation occurred, when in reality it only reflects the web server's response, not the success or failure of the injected SQL.

How to eliminate wrong answers

Option B is wrong because disabling the WAF rule without investigation removes a critical detection layer, potentially allowing ongoing exploitation and destroying evidence of the attack. Option C is wrong because an HTTP 200 status code only indicates the web server responded normally; it does not confirm that the SQL injection payload executed successfully, as many injections fail silently or are caught by parameterized queries.

79
MCQhard

A hospital's IT department has been receiving reports from nursing staff that the electronic medical record (EMR) system is responding slowly during peak hours. The network team has verified that the local area network is operating normally and there is no bandwidth congestion. The security analyst reviews the firewall logs and observes repeated outbound connections from the EMR server to an external IP address 198.51.100.23 on TCP port 443 at regular 5-minute intervals. Each connection transfers a small amount of data. The analyst also notes that the EMR server's antivirus software is up to date and no malware has been detected. The hospital's security policy requires that all outbound connections from critical servers be explicitly approved. Further investigation reveals that 198.51.100.23 is associated with a hosting provider in a foreign country. The analyst suspects a data exfiltration. Which of the following actions should the analyst take FIRST?

A.Install a network-based intrusion detection system to monitor the server.
B.Capture and analyze the network traffic between the EMR server and the external IP.
C.Isolate the EMR server from the network and run a full forensic analysis.
D.Block all outbound traffic from the EMR server to the internet immediately.
AnswerB

Capturing and analyzing the traffic provides insight into whether data exfiltration is occurring and what data is being sent, allowing for an informed response.

Why this answer

Option B is correct because the analyst must first confirm whether the outbound connections are actually exfiltrating data or are legitimate (e.g., software updates, license checks). Capturing and analyzing the network traffic (e.g., using tcpdump or Wireshark) allows the analyst to inspect the payload and determine the nature of the data being sent, which is a standard step in incident response before taking more disruptive actions.

Exam trap

CompTIA often tests the principle of 'least disruption first' in incident response, where candidates mistakenly choose an aggressive containment action (like isolation or blocking) before gathering sufficient evidence to confirm the threat.

How to eliminate wrong answers

Option A is wrong because installing a network-based intrusion detection system (NIDS) is a long-term monitoring solution, not an immediate first step to investigate a suspected active exfiltration; it would not provide the specific payload analysis needed now. Option C is wrong because isolating the EMR server and running a full forensic analysis is too disruptive and premature without first confirming that the traffic is malicious; it could halt critical hospital operations unnecessarily. Option D is wrong because immediately blocking all outbound traffic from the EMR server could disrupt legitimate services (e.g., updates, cloud backups) and would destroy evidence of the ongoing communication before it can be analyzed.

80
MCQmedium

A security analyst is configuring a SIEM correlation rule to detect multiple failed login attempts followed by a successful login from the same source IP within a short time window. This pattern suggests a successful brute-force attack. Which of the following correlation types should the analyst use?

A.Thresholding
B.Sequential correlation
C.Aggregation
D.Time-based correlation
AnswerB

Sequential correlation detects events in a specific order, ideal for detecting a pattern of failures followed by success.

Why this answer

Sequential correlation is the correct choice because it detects a specific ordered sequence of events: multiple failed logins followed by a successful login from the same source IP within a defined time window. This pattern is characteristic of a brute-force attack, where an attacker attempts many passwords before succeeding. SIEM tools like Splunk or QRadar use sequential correlation to match event chains where the order matters, not just the count or aggregation of events.

Exam trap

Cisco often tests the distinction between sequential correlation and aggregation, where candidates mistakenly choose aggregation because they focus on the 'multiple failed logins' count rather than the required ordered sequence of failures followed by a success.

How to eliminate wrong answers

Option A is wrong because thresholding triggers on a count of events exceeding a threshold (e.g., 10 failed logins) but does not require a subsequent successful login, missing the key pattern of a successful brute-force. Option C is wrong because aggregation groups events by a common attribute (e.g., source IP) but does not enforce an ordered sequence; it would flag any set of failed logins followed by a success even if the success occurred before the failures. Option D is wrong because time-based correlation simply matches events within a time window without requiring a specific order or sequence, so it could match a successful login followed by failed attempts, which is not the brute-force pattern.

81
MCQmedium

During incident reconstruction, firewall events appear five minutes earlier than endpoint events for the same connection. What should the analyst check first? In the alert triage phase, Which action gives the analyst the clearest next triage step?

A.Prioritize only the source with the highest EPS
B.Time synchronization and timezone normalization across log sources
C.Assume the firewall logs are falsified
D.Delete one source from the timeline
AnswerB

Clock drift and timezone parsing commonly distort event order in SIEM timelines.

Why this answer

Time synchronization and timezone normalization across log sources is the correct first check because a consistent five-minute offset between firewall and endpoint events for the same connection strongly indicates a clock drift or timezone misconfiguration rather than a security anomaly. In incident reconstruction, analysts must ensure all timestamps are aligned to a common reference (e.g., UTC) and that NTP is properly configured on all devices; otherwise, the timeline is unreliable. This step directly addresses the root cause before any triage or prioritization can occur.

Exam trap

Cisco often tests the misconception that a timestamp discrepancy automatically indicates log tampering or that high EPS should drive triage priority, when in fact the immediate technical root cause is almost always a time synchronization issue.

How to eliminate wrong answers

Option A is wrong because prioritizing only the source with the highest EPS (Events Per Second) ignores the fundamental time discrepancy and could lead to focusing on a noisy but irrelevant log source while the actual timing issue remains unresolved. Option C is wrong because assuming the firewall logs are falsified without first verifying time synchronization introduces bias and wastes investigative effort; log falsification is a serious claim that requires evidence, not a default assumption when a simple clock skew is the most likely explanation.

82
Multi-Selecteasy

A security analyst is reviewing alerts from an IDS. Which TWO indicators are most likely to suggest a successful command and control (C2) communication? (Choose two.)

Select 2 answers
A.An inbound connection from a known malicious IP to the mail server
B.A high volume of outbound traffic to an unusual destination IP on port 443
C.A single large file upload to a cloud storage service
D.An internal host performing a DNS query for a known malicious domain
E.Regular beaconing activity to an external IP with consistent payload sizes
AnswersB, E

High volume outbound traffic to an unusual IP on 443 could be data exfiltration or C2 traffic masquerading as HTTPS.

Why this answer

B is correct because a high volume of outbound traffic to an unusual destination IP on port 443 (HTTPS) is a classic indicator of data exfiltration or C2 communication, as attackers often use encrypted channels to blend in with legitimate web traffic. The combination of high volume and an unusual destination IP suggests the host is sending data to an external server controlled by the attacker, which is a key sign of an active C2 session.

Exam trap

Cisco often tests the distinction between attempted and successful C2 communication, where candidates mistakenly choose indicators like DNS queries or inbound connections as proof of success, but only outbound beaconing or sustained data transfer on unusual ports confirms an established C2 channel.

83
Multi-Selectmedium

Which evidence helps distinguish a true brute-force attack from a misconfigured service account? (Choose two.)

Select 2 answers
A.The number of monitors used by the administrator
B.Source distribution and timing of failed logons
C.Whether one service account repeatedly fails after a password change
D.The brand of the office router only
AnswersB, C

Distributed or patterned failures suggest attack activity.

Why this answer

Option B is correct because a true brute-force attack typically originates from multiple source IP addresses or a single source with a high frequency of failed logons over a short time window, whereas a misconfigured service account usually fails from a consistent source at regular intervals. Analyzing the source distribution and timing of failed logons helps distinguish automated attack patterns from predictable service account behavior, such as retry intervals defined in application configuration.

Exam trap

Cisco often tests the misconception that any repeated failed logon after a password change is evidence of an attack, when in fact it is a classic symptom of a misconfigured service account that has not been updated with the new credentials.

84
MCQmedium

A security analyst receives an alert from the HIDS indicating that a critical configuration file was modified unexpectedly. What is the best immediate action?

A.Ignore the alert as HIDS false positives are common
B.Immediately revert the file and block any similar changes
C.Check the change management system to see if the change was approved
D.Restore the file from a known good backup
AnswerC

Determines if modification is legitimate.

Why this answer

Option C is correct because the best immediate action when a HIDS alerts on a critical configuration file change is to first verify whether the change was authorized through the change management system. This aligns with the incident response process of validation before remediation; reverting or restoring without checking could disrupt approved maintenance or patch deployments. HIDS monitors file integrity via checksums (e.g., SHA-256), but it cannot distinguish approved changes from malicious ones without external context.

Exam trap

Cisco often tests the principle that immediate remediation (reverting or restoring) is not the best first step; candidates mistakenly jump to containment actions without validating whether the change was authorized, confusing incident response speed with due diligence.

How to eliminate wrong answers

Option A is wrong because ignoring HIDS alerts on critical configuration files is negligent; while false positives can occur, dismissing them without investigation violates security operations best practices and could allow a breach to go undetected. Option B is wrong because immediately reverting the file and blocking changes is premature and could undo an authorized change (e.g., a scheduled security patch or configuration update), potentially causing service disruption or compliance issues. Option D is wrong because restoring from a known good backup is a remediation step that should only be taken after confirming the change was unauthorized; doing so without checking change management could overwrite legitimate modifications and lose audit trail data.

85
MCQhard

During a threat hunting exercise, an analyst formulates a hypothesis that an attacker may be using DNS tunneling to exfiltrate data. Which data source would provide the best evidence to confirm or deny this hypothesis?

A.Firewall logs showing allowed outbound connections
B.NetFlow records from the border router
C.EndPoint detection and response (EDR) logs showing DNS client activity
D.Deep packet inspection (DPI) of DNS traffic
AnswerD

DPI reveals content of DNS packets which can indicate tunneling.

Why this answer

Deep packet inspection (DPI) of DNS traffic is the best evidence because DNS tunneling works by encoding data within DNS queries and responses, often using non-standard record types (e.g., TXT, NULL) or unusually long domain names. DPI can decode the payload within DNS packets to reveal hidden data, whereas other methods only see metadata or connection summaries. This allows the analyst to directly inspect the content of DNS messages for signs of exfiltration, such as base64-encoded data or anomalous query patterns.

Exam trap

Cisco often tests the misconception that NetFlow or firewall logs are sufficient for detecting data exfiltration, when in reality only deep packet inspection can reveal the payload content necessary to confirm DNS tunneling.

How to eliminate wrong answers

Option A is wrong because firewall logs showing allowed outbound connections only indicate that traffic passed through the firewall, not the content or structure of DNS packets; they cannot reveal whether data is being tunneled within DNS. Option B is wrong because NetFlow records from the border router provide metadata such as source/destination IPs, ports, and byte counts, but they lack the payload-level detail needed to detect encoded data inside DNS queries or responses. Option C is wrong because EDR logs showing DNS client activity typically record process-level events (e.g., which process made a DNS query) but do not capture the full DNS packet payload, making them insufficient to identify tunneling without additional deep inspection.

86
Multi-Selecthard

Which signals strengthen an alert for Kerberoasting activity? (Choose two.)

Select 2 answers
A.Unusual volume of TGS requests for many service principals
B.Requests from a workstation that does not normally administer services
C.A user changing their desktop wallpaper
D.Successful DHCP lease renewal
AnswersA, B

Kerberoasting often generates broad service-ticket requests.

Why this answer

Kerberoasting involves requesting Ticket-Granting Service (TGS) tickets for service principals (SPNs) to crack their passwords offline. An unusual volume of TGS requests for many SPNs is a strong indicator because attackers typically enumerate SPNs and request tickets in bulk, which deviates from normal user behavior.

Exam trap

Cisco often tests the distinction between benign user actions (like wallpaper changes) and actual Kerberos-related attack indicators, trapping candidates who confuse general system changes with authentication-specific anomalies.

87
MCQmedium

A vendor shares indicators marked TLP:AMBER+STRICT. How should the SOC handle them? In the evidence source phase, Which evidence source best supports or refutes the detection?

A.Publish the indicators on a public GitHub repository
B.Send the indicators to all customers
C.Ignore the indicators because TLP markings are optional
D.Use them internally with only people who need to know and avoid wider redistribution
AnswerD

TLP:AMBER+STRICT restricts sharing to the recipient organisation on a need-to-know basis.

Why this answer

Option D is correct because TLP:AMBER+STRICT restricts sharing to individuals within the organization who have a specific need to know, and explicitly prohibits redistribution beyond that group. The SOC must honor this marking to protect the confidentiality of the indicators and avoid violating the trust model established by the Traffic Light Protocol (TLP), as defined by FIRST.

Exam trap

CompTIA often tests the distinction between TLP:AMBER and TLP:AMBER+STRICT, where candidates mistakenly assume 'AMBER' allows sharing within the entire organization, but the '+STRICT' suffix explicitly narrows that to only those with a direct need to know.

How to eliminate wrong answers

Option A is wrong because publishing TLP:AMBER+STRICT indicators on a public GitHub repository violates the core TLP restriction against any external sharing, potentially exposing sensitive threat intelligence to adversaries. Option B is wrong because sending the indicators to all customers, even if they are internal, exceeds the 'need to know' principle of TLP:AMBER+STRICT, which limits distribution to only those individuals directly involved in the response. Option C is wrong because TLP markings are mandatory, not optional; ignoring them would break the trust framework and could lead to mishandling of sensitive intelligence.

88
MCQmedium

An analyst has several malware samples from the same campaign and wants to detect related files based on unique strings and byte patterns. Which method is MOST appropriate? In the containment trade-off phase, Which response balances containment with evidence preservation?

A.Tune DHCP lease duration
B.Use only a firewall deny rule for port 443
C.Create a CVE entry
D.Create and test a YARA rule against known-good and known-bad samples
AnswerD

YARA rules are suitable for identifying malware families using file strings, byte sequences, and conditions.

Why this answer

YARA rules are specifically designed to identify and classify malware samples based on textual or binary patterns, including unique strings and byte sequences. By testing the rule against known-good and known-bad samples, the analyst can validate its accuracy and reduce false positives, making it the most appropriate method for detecting related files from the same campaign.

Exam trap

CompTIA often tests the distinction between detection methods (YARA) and containment or remediation actions (firewall rules, DHCP changes), leading candidates to confuse operational security controls with forensic analysis techniques.

How to eliminate wrong answers

Option A is wrong because tuning DHCP lease duration affects network address allocation and does not help in detecting malware based on strings or byte patterns. Option B is wrong because using only a firewall deny rule for port 443 blocks HTTPS traffic indiscriminately, which would not identify related malware files and could disrupt legitimate business operations. Option C is wrong because creating a CVE entry is a process for documenting a vulnerability, not a method for detecting or classifying malware samples based on unique patterns.

89
MCQhard

A threat hunter wants a portable detection for suspicious rundll32 execution that can be converted for multiple SIEM platforms. Which artefact format best fits this goal? In the detection engineering phase, Which detection or tuning approach would reduce noise without losing the signal?

A.CVSS vector string
B.Sigma rule
C.OpenIOC package only
D.YARA rule
AnswerB

Sigma is designed as a generic detection-rule format that can be translated into SIEM-specific queries.

Why this answer

Sigma rules are the correct choice because they are a vendor-agnostic, YAML-based format designed specifically for writing detection logic that can be converted into multiple SIEM query languages (e.g., Splunk SPL, Elastic EQL, QRadar AQL). This portability directly meets the threat hunter's goal of creating a single detection for suspicious rundll32 execution that works across different SIEM platforms.

Exam trap

Cisco often tests the distinction between artifact formats (like OpenIOC) and detection rule formats (like Sigma), trapping candidates who confuse forensic artifact sharing with portable detection engineering.

How to eliminate wrong answers

Option A is wrong because CVSS vector strings describe vulnerability severity (e.g., CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and are not used for detection logic or SIEM queries. Option C is wrong because OpenIOC packages are XML-based and primarily used for forensic artifact sharing in tools like Mandiant IOC Editor, but they are not as easily convertible across multiple SIEM platforms as Sigma rules, and they lack the standardized mapping to SIEM query languages that Sigma provides.

90
MCQhard

A SIEM alert shows one workstation requesting a high number of Kerberos service tickets for many SPNs, followed by no corresponding service access. Which attack should be suspected?

A.Kerberoasting reconnaissance or ticket harvesting
B.DNS cache poisoning
C.Pass-the-hash using NTLM only
D.ARP spoofing
AnswerA

Unusual TGS-REQ volume across service principals can indicate Kerberoasting activity.

Why this answer

A high volume of Kerberos service ticket requests for many SPNs, followed by no actual service access, is characteristic of Kerberoasting reconnaissance. In this attack, an adversary with valid domain credentials requests TGS tickets for service accounts to extract the NTLM hash embedded in the ticket, which can then be cracked offline. The lack of subsequent service access confirms the tickets were obtained solely for offline brute-force cracking, not legitimate use.

Exam trap

Cisco often tests the distinction between reconnaissance (ticket harvesting without access) and actual exploitation; the trap here is confusing Kerberoasting with pass-the-ticket or golden ticket attacks, which involve ticket reuse or forgery rather than offline hash cracking.

How to eliminate wrong answers

Option B is wrong because DNS cache poisoning involves corrupting DNS resolver caches to redirect traffic to malicious IPs, which does not generate Kerberos TGS requests or SPN enumeration. Option C is wrong because pass-the-hash using NTLM only exploits NTLM authentication by reusing captured NTLM hashes to authenticate, not by requesting Kerberos service tickets; the described behavior specifically involves Kerberos AS-REQ/TGS-REQ traffic, not NTLM.

91
MCQhard

A cloud tenant shows an unusual spike in IAM policy changes, access key creation, and failed console logons from a new country. Which telemetry set gives the strongest evidence for control-plane compromise? In the alert triage phase, Which action gives the analyst the clearest next triage step?

A.Endpoint antivirus quarantine reports only
B.Packet captures from user laptops only
C.Cloud audit logs for identity, policy, and key-management API calls
D.Web server access logs from the public website
AnswerC

Control-plane attacks are best investigated through authoritative audit events that record who changed identity and access configuration.

Why this answer

Option C is correct because cloud audit logs (e.g., AWS CloudTrail, Azure Activity Log) capture control-plane API calls such as IAM policy changes, key creation, and authentication failures. These logs directly record the identity and resource management actions that indicate a compromise of the cloud management plane, whereas endpoint or network telemetry only reflects data-plane activity and cannot see API-level administrative actions.

Exam trap

The trap here is that candidates often confuse data-plane telemetry (endpoint AV, packet captures) with control-plane telemetry, failing to recognize that only cloud audit logs can capture administrative API calls like IAM policy changes and key creation.

How to eliminate wrong answers

Option A is wrong because endpoint antivirus quarantine reports only detect malware or file-based threats on individual devices; they cannot capture cloud control-plane API calls like IAM policy changes or access key creation. Option B is wrong because packet captures from user laptops only show network traffic at the data plane (e.g., HTTP, SSH sessions) and cannot log cloud management API requests that occur between the client and the cloud provider's control-plane endpoints.

92
MCQeasy

A user opens an invoice document and shortly afterward the endpoint runs wscript.exe from the user's profile. Which detection logic is most relevant? In the detection engineering phase, Which detection or tuning approach would reduce noise without losing the signal?

A.Office document spawning a script interpreter from a user context
B.Successful DHCP renewal
C.High CPU usage on the print server
D.A password expiry warning
AnswerA

Office-to-script process chains are common initial execution patterns for phishing payloads.

Why this answer

The correct detection logic is 'Office document spawning a script interpreter from a user context' because the scenario describes a classic malware execution chain: a user opens an invoice document (likely a malicious Office file with embedded macros or exploits), which then launches wscript.exe (a Windows Script Host interpreter) from the user's profile. This behavior is a strong indicator of a script-based attack, such as a macro virus or a downloader, and is directly relevant to detection engineering for endpoint security.

Exam trap

Cisco often tests the distinction between process-level behavioral detection (e.g., script interpreter spawned by Office) and unrelated system or network metrics, so candidates may mistakenly choose a generic performance or network event instead of recognizing the specific attack chain.

How to eliminate wrong answers

Option B is wrong because successful DHCP renewal is a routine network event that does not involve script execution or user-initiated document processing, and it would not generate noise relevant to the described attack chain. Option C is wrong because high CPU usage on the print server is a performance metric unrelated to endpoint script execution from an Office document, and it would not help detect or tune for the specific threat of wscript.exe being spawned from a user context.

93
MCQhard

An organization uses a SIEM with a rule that triggers when a user fails to authenticate five times within 10 minutes. Last night, the rule fired for a service account from an internal IP. What should be the first triage step?

A.Disable the service account immediately
B.Block the internal IP address at the firewall
C.Review the account's recent activity and correlate with system logs
D.Reset the service account password
AnswerC

Determines if failures are legitimate or malicious.

Why this answer

Option B is correct. The analyst should check the account's normal behavior; service accounts may have automated login attempts. Disabling could cause outages.

Blocking IP may be premature. Resetting password might lock out legitimate use.

94
MCQmedium

A network sensor must detect exploit traffic using packet payload signatures and generate alerts without blocking traffic. Which deployment is BEST? In the root-cause analysis phase, Which finding would most directly explain the activity?

A.A vulnerability scanner run once per quarter
B.Host-based file integrity monitoring only
C.Suricata or Snort in IDS mode on a monitored network tap or SPAN port
D.Inline IPS mode with drop rules for all signatures
AnswerC

IDS mode observes traffic and alerts on signatures while avoiding inline blocking impact.

Why this answer

Suricata or Snort in IDS mode on a monitored network tap or SPAN port is the correct deployment because it passively inspects packet payloads against exploit signatures without blocking traffic, generating alerts only. This matches the requirement for detection without inline blocking, as IDS mode operates out-of-band on a copy of the traffic.

Exam trap

Cisco often tests the distinction between IDS and IPS modes, where candidates mistakenly choose an inline IPS deployment (e.g., with iptables rules) because they assume detection requires blocking, but the question explicitly requires no blocking.

How to eliminate wrong answers

Option A is wrong because a vulnerability scanner run once per quarter is a periodic assessment tool that identifies system weaknesses, not a real-time network sensor that detects exploit traffic via packet payload signatures; it cannot generate alerts on live traffic. Option B is wrong because host-based file integrity monitoring only detects changes to files on a host, not network-level exploit payloads in packets; it lacks the ability to inspect network traffic payloads.

95
MCQhard

What is the net effect of the policy shown in the exhibit on requests from an IP address in the 10.0.0.0/8 range?

A.Allows all S3 actions from the 10.0.0.0/8 range and denies from other IPs.
B.Denies all S3 actions from all IP addresses.
C.Denies all S3 actions except GetObject from the 10.0.0.0/8 range.
D.Allows GetObject requests from the 10.0.0.0/8 range and denies all other S3 actions.
AnswerB

The Deny statement applies to all resources and does not have a condition, so it denies all actions on the bucket. The Allow is effectively overridden.

Why this answer

The exhibit shows an AWS S3 bucket policy with a Deny effect for all S3 actions (s3:*) from any IP address (the condition block uses a NotIpAddress condition with the value 10.0.0.0/8, meaning the deny applies to all IPs that are NOT in that range). However, because the policy explicitly denies all actions for all IPs not in 10.0.0.0/8, and there is no corresponding Allow statement for the 10.0.0.0/8 range, the net effect is that all S3 actions are denied from all IP addresses, including those in 10.0.0.0/8. This is because AWS IAM policies default to implicit deny, and an explicit deny overrides any allow, so without an explicit allow for the 10.0.0.0/8 range, the deny applies universally.

Exam trap

CompTIA often tests the misconception that a Deny statement with a NotIpAddress condition effectively allows traffic from the specified IP range, when in reality it only denies traffic from outside that range, and without an explicit Allow, all traffic is denied.

How to eliminate wrong answers

Option A is wrong because the policy does not contain an Allow statement for the 10.0.0.0/8 range; it only has a Deny statement that denies all S3 actions from IPs not in 10.0.0.0/8, which does not implicitly allow actions from that range. Option C is wrong because the policy denies all S3 actions (s3:*) without exception for GetObject, and there is no condition that would allow GetObject from any IP range. Option D is wrong because the policy does not allow GetObject from 10.0.0.0/8; it denies all S3 actions from IPs outside that range, but without an explicit allow, requests from 10.0.0.0/8 are also denied by default.

96
MCQhard

A SOC analyst notices a spike in outbound traffic from a server that normally only serves web pages. The signature-based IDS did not alert. What should the analyst do next?

A.Query threat intelligence for the destination IPs
B.Disable the server immediately
C.Check for zero-day vulnerabilities
D.Increase the IDS sensitivity threshold
AnswerA

Helps determine if traffic is malicious.

Why this answer

Querying threat intelligence for the destination IPs is the correct next step because the spike in outbound traffic from a web server suggests a potential data exfiltration attempt or command-and-control (C2) communication. Since the signature-based IDS did not alert, the traffic may be using non-standard ports or encrypted channels that evade known signatures. Threat intelligence can reveal if the destination IPs are associated with known malicious actors, botnets, or recent threat campaigns, providing context to determine if the traffic is benign or malicious.

Exam trap

CompTIA often tests the misconception that a signature-based IDS failing to alert means the traffic is safe, leading candidates to incorrectly choose increasing IDS sensitivity or checking for zero-days, rather than recognizing that the analyst must pivot to threat intelligence to identify unknown or evasive threats.

How to eliminate wrong answers

Option B is wrong because immediately disabling the server is a drastic, reactive measure that could disrupt legitimate services without first confirming malicious activity; a SOC analyst should investigate and contain, not blindly shut down. Option C is wrong because checking for zero-day vulnerabilities is premature and unrelated to the immediate symptom of outbound traffic spikes; zero-day checks are part of vulnerability management, not real-time traffic analysis. Option D is wrong because increasing the IDS sensitivity threshold would likely generate more false positives and does not address the root cause—the IDS missed the traffic because it was not signature-based, not because of sensitivity settings.

97
MCQhard

A container workload unexpectedly starts a shell, mounts the host filesystem, and attempts outbound connections to an unknown IP. Which telemetry is MOST useful? In the evidence source phase, Which evidence source best supports or refutes the detection?

A.Only monthly vulnerability scan summaries
B.Only user password age reports
C.Only physical datacenter access logs
D.Container runtime events, Kubernetes audit logs, and network flow from the pod
AnswerD

Runtime, orchestration, and network telemetry together show process execution, privilege context, and external communication.

Why this answer

Container runtime events (e.g., from containerd or CRI-O) capture process spawns like an unexpected shell, Kubernetes audit logs record API calls that could indicate a compromised pod mounting the host filesystem, and network flow logs from the pod (e.g., via eBPF or Calico) reveal outbound connections to an unknown IP. Together, these three telemetry sources provide direct, real-time evidence of the three suspicious behaviors described, making them the most useful for detection and investigation.

Exam trap

CompTIA often tests the distinction between passive, periodic compliance artifacts (vulnerability scans, password reports) and active, real-time telemetry (runtime events, audit logs, network flows) that directly capture the sequence of malicious actions in a containerized environment.

How to eliminate wrong answers

Option A is wrong because monthly vulnerability scan summaries are point-in-time snapshots of known CVEs and cannot detect real-time anomalous behavior like a shell spawn, filesystem mount, or outbound connection. Option B is wrong because user password age reports are identity and access management artifacts unrelated to runtime container activity or network flows. Option C is wrong because physical datacenter access logs track human entry to facilities, not container-level process or network events, and cannot refute or support a workload compromise.

98
MCQmedium

A deception credential placed in a file share is used to authenticate to a server. No legitimate user should know the credential. What does this most likely indicate? In the containment trade-off phase, Which response balances containment with evidence preservation?

A.A scheduled password rotation completed successfully
B.The file share requires more storage capacity
C.Credential access or lateral movement activity that warrants high-priority investigation
D.The SIEM parser is always broken
AnswerC

Use of a honey credential is a high-fidelity signal because legitimate workflows should not touch it.

Why this answer

The presence of a deception credential in a file share that is used to authenticate to a server, with no legitimate user knowing it, strongly indicates that an attacker has discovered and used the credential to gain unauthorized access. This is a classic sign of credential access (stealing credentials) followed by lateral movement (using them to authenticate to another system). Such activity is a high-priority incident because it suggests the attacker has moved beyond initial compromise and is actively expanding their foothold, which requires immediate containment and investigation.

Exam trap

Cisco often tests the distinction between benign administrative actions (like password rotation) and malicious credential abuse; the trap here is that candidates may dismiss the credential usage as a routine operation rather than recognizing it as a high-priority indicator of compromise.

How to eliminate wrong answers

Option A is wrong because a scheduled password rotation completing successfully would not involve a credential that no legitimate user should know; password rotations are planned events that update credentials for authorized use, not create unknown credentials used for authentication. Option B is wrong because the file share requiring more storage capacity is a capacity planning issue unrelated to security events; it does not explain why a credential unknown to legitimate users is being used to authenticate to a server.

99
MCQeasy

A user opens an invoice document and shortly afterward the endpoint runs wscript.exe from the user's profile. Which detection logic is most relevant? In the root-cause analysis phase, Which finding would most directly explain the activity?

A.Office document spawning a script interpreter from a user context
B.High CPU usage on the print server
C.A password expiry warning
D.Successful DHCP renewal
AnswerA

Office-to-script process chains are common initial execution patterns for phishing payloads.

Why this answer

Option A is correct because the scenario describes a classic phishing attack where a malicious macro or embedded script in an Office document (the invoice) executes wscript.exe from the user's profile. This behavior matches the detection logic of 'Office document spawning a script interpreter from a user context,' which is a key indicator of script-based malware execution. The root-cause analysis would identify the malicious document as the initial vector, directly explaining the subsequent process execution.

Exam trap

Cisco often tests the distinction between a security detection logic (process ancestry) and unrelated operational metrics (CPU usage, password expiry) to see if candidates can focus on the direct cause of a security incident rather than being distracted by noise.

How to eliminate wrong answers

Option B is wrong because high CPU usage on the print server is unrelated to the endpoint execution of wscript.exe from a user profile; it describes a performance issue, not a security event involving script execution. Option C is wrong because a password expiry warning is an administrative notification that does not explain the execution of a script interpreter from a user context; it is a separate operational concern, not a root cause for malicious process spawning.

100
MCQmedium

A user receives repeated MFA prompts and eventually approves one they did not initiate. Which behaviour should the analyst classify this as? In the detection engineering phase, Which detection or tuning approach would reduce noise without losing the signal?

A.DNS tunnelling
B.SSL certificate expiry
C.MFA fatigue or push-bombing attack
D.Password spraying only
AnswerC

Repeated unsolicited prompts that lead to approval are characteristic of MFA fatigue attacks.

Why this answer

The scenario describes MFA fatigue (also called push-bombing), where an attacker repeatedly sends MFA push notifications to a user until the user, annoyed or confused, approves one. This is a social engineering technique that exploits human behavior, not a technical vulnerability. Option C correctly identifies this attack pattern, which is a known tactic in credential-stuffing and account-takeover campaigns.

Exam trap

Cisco often tests the distinction between technical exploits (like DNS tunnelling) and human-factor attacks (like MFA fatigue), so candidates may mistakenly choose a technical-sounding option when the question describes user behavior rather than a protocol-level attack.

How to eliminate wrong answers

Option A is wrong because DNS tunnelling encodes data in DNS queries/responses to exfiltrate data or establish C2 channels; it does not involve repeated MFA prompts or user approval. Option B is wrong because SSL certificate expiry causes browser warnings or connection failures, not repeated MFA push notifications; it is a certificate lifecycle issue, not an authentication attack.

101
MCQmedium

A deception credential placed in a file share is used to authenticate to a server. No legitimate user should know the credential. What does this most likely indicate? In the alert triage phase, Which action gives the analyst the clearest next triage step?

A.The SIEM parser is always broken
B.A scheduled password rotation completed successfully
C.Credential access or lateral movement activity that warrants high-priority investigation
D.The file share requires more storage capacity
AnswerC

Use of a honey credential is a high-fidelity signal because legitimate workflows should not touch it.

Why this answer

A deception credential that no legitimate user should know being used to authenticate to a server is a classic indicator of credential theft and lateral movement. In the alert triage phase, this finding warrants high-priority investigation because it suggests an attacker has successfully extracted the credential from the file share and is using it to move laterally within the network, which is a critical security incident.

Exam trap

Cisco often tests the concept that deception credentials are specifically designed to detect credential theft and lateral movement, and candidates may mistakenly think this indicates a benign process like password rotation or a SIEM misconfiguration.

How to eliminate wrong answers

Option A is wrong because a broken SIEM parser would typically cause missing or malformed logs, not the generation of a specific, actionable alert about a deception credential being used for authentication. Option B is wrong because a scheduled password rotation would update the credential on the server, not trigger an authentication event using the old deception credential; password rotation does not involve authentication attempts with the credential being rotated.

102
MCQmedium

A WAF generates repeated SQL injection alerts against a login endpoint. The application team says the requests returned HTTP 200. What should the analyst do before declaring compromise? In the root-cause analysis phase, Which finding would most directly explain the activity?

A.Review application logs for query errors, authentication events, and abnormal database access
B.Disable the WAF rule because it may be noisy
C.Ask users to change passwords without checking logs
D.Treat every HTTP 200 as proof of exploitation
AnswerA

HTTP 200 can occur for blocked, handled, or successful requests; application and database context determine impact.

Why this answer

Option A is correct because the WAF alerts indicate potential SQL injection attempts, but HTTP 200 responses do not rule out successful exploitation. The analyst must review application logs for actual query errors, authentication anomalies, or unauthorized database access to confirm whether the injection succeeded. Without log correlation, the analyst cannot determine if the WAF blocked the attack or if the payload bypassed it and executed on the backend.

Exam trap

Cisco often tests the misconception that HTTP 200 means no compromise occurred, when in fact SQL injection can succeed while returning a normal status code, especially with blind injection or when the application catches errors gracefully.

How to eliminate wrong answers

Option B is wrong because disabling the WAF rule without investigation removes a critical security control and ignores the possibility that the alerts represent real attacks that bypassed detection or were partially blocked. Option C is wrong because forcing password changes without verifying logs fails to address the root cause and may cause unnecessary user disruption; it assumes compromise without evidence, which violates the principle of validate-before-remediate.

103
MCQmedium

A SOC analyst reviews DNS telemetry and sees a workstation resolving hundreds of algorithmically generated domains at fixed intervals, with most responses returning NXDOMAIN. What evidence should the analyst prioritize to validate command-and-control beaconing? In the containment trade-off phase, Which response balances containment with evidence preservation?

A.Correlate DNS query logs with endpoint process and network connection telemetry
B.Search only for successful HTTP 200 responses
C.Block all DNS traffic from the subnet
D.Delete the host from the SIEM asset inventory
AnswerA

The pattern is suspicious, but process and connection context shows whether a host process is repeatedly attempting outbound C2 communication.

Why this answer

Option A is correct because correlating DNS query logs with endpoint process and network connection telemetry directly validates command-and-control (C2) beaconing. The algorithmically generated domains (AGDs) and NXDOMAIN responses are classic indicators of a domain generation algorithm (DGA) attempting to resolve a C2 server that may be offline or blocked. By linking the DNS queries to specific processes and network connections on the endpoint, the analyst can confirm whether the workstation is executing malicious code that generates these queries, rather than benign software or a false positive.

Exam trap

Cisco often tests the misconception that NXDOMAIN responses are irrelevant or that blocking all traffic is a safe containment step, when in reality the key is to correlate multiple data sources to confirm malicious activity without prematurely destroying evidence.

How to eliminate wrong answers

Option B is wrong because searching only for successful HTTP 200 responses would miss the majority of DGA-based C2 traffic, which often results in NXDOMAIN responses when the C2 server is not yet active or has been sinkholed; C2 beaconing frequently relies on failed DNS resolutions as part of its algorithm. Option C is wrong because blocking all DNS traffic from the subnet would immediately disrupt network operations for all hosts, potentially alerting the adversary and destroying volatile evidence such as active network connections and process memory, violating the containment trade-off principle of preserving forensic data before taking disruptive action.

104
MCQhard

A cloud tenant shows an unusual spike in IAM policy changes, access key creation, and failed console logons from a new country. Which telemetry set gives the strongest evidence for control-plane compromise? In the root-cause analysis phase, Which finding would most directly explain the activity?

A.Web server access logs from the public website
B.Endpoint antivirus quarantine reports only
C.Cloud audit logs for identity, policy, and key-management API calls
D.Packet captures from user laptops only
AnswerC

Control-plane attacks are best investigated through authoritative audit events that record who changed identity and access configuration.

Why this answer

Option C is correct because cloud audit logs (e.g., AWS CloudTrail, Azure Monitor, GCP Cloud Audit Logs) capture control-plane API calls such as IAM policy changes, access key creation, and failed console logons. These logs directly record identity and access management operations, providing the strongest evidence of control-plane compromise by showing who made the changes, from which source IP, and at what time.

Exam trap

Cisco often tests the distinction between data-plane logs (e.g., web server logs) and control-plane logs (e.g., cloud audit logs), tricking candidates into choosing web logs because they seem more familiar, even though they cannot capture IAM or key management events.

How to eliminate wrong answers

Option A is wrong because web server access logs from a public website only record HTTP requests to the application layer (e.g., GET/POST to a web app), not IAM policy changes or key creation, which are control-plane operations. Option B is wrong because endpoint antivirus quarantine reports only detect malware on individual hosts, not cloud-level identity or policy changes; they are irrelevant to control-plane API calls.

105
MCQhard

During a penetration test, a tester successfully exploits a vulnerability in a web application and gains a shell on the backend server. The tester then attempts to pivot to other hosts. Which of the following security controls would be most effective in limiting lateral movement in this scenario?

A.Host-based intrusion prevention system (HIPS)
B.Full disk encryption
C.Network segmentation with strict firewall rules
D.Application whitelisting
AnswerC

Segmentation limits the ability to connect to other hosts, hindering lateral movement.

Why this answer

Network segmentation with strict firewall rules (C) is the most effective control because it directly restricts the ability of an attacker who has compromised one host to initiate connections to other hosts. By enforcing least-privilege network access between segments (e.g., using VLANs and ACLs), lateral movement techniques such as port scanning, SMB relay, or RDP brute force are blocked at the network layer, regardless of the attacker's shell access.

Exam trap

CompTIA often tests the misconception that endpoint controls like HIPS or application whitelisting are sufficient to stop lateral movement, but the trap here is that once an attacker has a shell, they can often bypass or disable host-based controls, whereas network segmentation is a preventive control that operates independently of the compromised host's state.

How to eliminate wrong answers

Option A is wrong because a host-based intrusion prevention system (HIPS) monitors and blocks malicious behavior on the compromised host itself, but once the attacker has a shell, they can often disable or evade HIPS before pivoting; HIPS does not prevent network-level lateral movement to other hosts. Option B is wrong because full disk encryption protects data at rest on the compromised host's storage, but it does nothing to prevent the attacker from using the host as a pivot point to reach other systems over the network. Option D is wrong because application whitelisting controls which executables can run on the compromised host, but the attacker already has a shell and can use built-in OS tools (e.g., PowerShell, netcat) or living-off-the-land binaries to pivot; whitelisting does not block network connections to other hosts.

106
MCQeasy

A company uses a cloud-based identity provider (IdP) for single sign-on (SSO) to all applications. The SOC receives an alert that a user's account logged in from an IP address associated with a country where the company has no offices. The user is currently on a planned vacation and is not in that country. The analyst reviews the authentication logs and sees the login used a valid token and correct multi-factor authentication (MFA) method. Which of the following is the BEST initial step to handle this alert?

A.Review the user's recent activity for other anomalies.
B.Add the IP address to the block list.
C.Contact the user to verify if they logged in.
D.Disable the user account immediately.
AnswerC

Quickest way to confirm if it was the user or a compromise.

Why this answer

Option D is correct because quickly contacting the user can confirm whether the login was authorized (e.g., using a VPN or traveling). Disabling the account or blocking the IP without verification could impact productivity. Option C is a good follow-up but not the first step.

107
MCQhard

A new cloud log source is onboarded, but analytics fail because source IP, user, and action fields are mapped inconsistently. What should the engineer fix? In the evidence source phase, Which evidence source best supports or refutes the detection?

A.Increase the dashboard refresh interval
B.Move logs to cold storage immediately
C.Log normalization and field mapping in the parser
D.Disable all enrichment lookups
AnswerC

Detection rules depend on consistent normalized fields across sources.

Why this answer

Option C is correct because inconsistent field mapping (source IP, user, action) prevents the SIEM from correlating events correctly. Log normalization via a parser ensures that fields from the new cloud log source are transformed into a consistent schema (e.g., ECS or CIM), enabling analytics to function. Without fixing the parser, the data remains unusable regardless of other configuration changes.

Exam trap

Cisco often tests the misconception that performance tuning (e.g., refresh intervals) or storage management (e.g., cold storage) can fix data quality issues, when the real problem is a misconfigured parser or normalization step in the ingestion pipeline.

How to eliminate wrong answers

Option A is wrong because increasing the dashboard refresh interval does not address the root cause of inconsistent field mapping; it only changes how often the dashboard updates, which would still show incomplete or misaligned data. Option B is wrong because moving logs to cold storage immediately would archive the data without resolving the parsing issue, making the logs inaccessible for real-time analytics and failing to fix the mapping inconsistency.

108
Matchingmedium

Match each regulatory framework to its focus.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Data privacy in EU

Payment card security

Healthcare data protection

Financial reporting controls

Federal information security

Why these pairings

Compliance frameworks are essential for governance.

109
MCQmedium

A user receives repeated MFA prompts and eventually approves one they did not initiate. Which behaviour should the analyst classify this as?

A.Password spraying only
B.MFA fatigue or push-bombing attack
C.DNS tunnelling
D.SSL certificate expiry
AnswerB

Repeated unsolicited prompts that lead to approval are characteristic of MFA fatigue attacks.

Why this answer

Repeated MFA prompts that the user eventually approves out of frustration or habit is the hallmark of MFA fatigue (also called push-bombing). The attacker sends a flood of push notifications to the user's device, hoping the user will mistakenly approve one to stop the annoyance. This bypasses the MFA control without needing to compromise the second factor.

Exam trap

Cisco often tests the distinction between 'MFA fatigue' and 'password spraying' — candidates mistakenly choose password spraying because they focus on the repeated attempts, but the key is that the attacker already has the password and is abusing the MFA approval process, not guessing passwords.

How to eliminate wrong answers

Option A is wrong because password spraying involves trying a few common passwords against many accounts, not targeting a single user with repeated MFA prompts. Option C is wrong because DNS tunnelling encodes data in DNS queries/responses to exfiltrate data or establish C2, not to overwhelm a user with MFA approval requests.

110
Multi-Selecthard

A SIEM correlation rule for impossible travel is creating noise from VPN users. Which refinements should improve fidelity? (Choose two.)

Select 2 answers
A.Disable all identity alerts
B.Require a second signal such as new device, failed MFA, or mailbox rule creation
C.Add trusted VPN egress ranges as named/known locations
D.Treat every VPN login as malicious
AnswersB, C

Combining identity anomalies reduces false positives.

Why this answer

Option B is correct because requiring a second signal—such as a new device, failed MFA, or mailbox rule creation—adds an additional layer of verification that helps confirm the user's identity and intent. This reduces false positives from VPN users whose IP addresses may change rapidly, as the SIEM can now correlate the impossible travel event with other suspicious activities that indicate a genuine compromise rather than a legitimate VPN connection.

Exam trap

Cisco often tests the misconception that disabling identity alerts is a valid refinement, but this would eliminate all identity-based detection, whereas the correct approach is to add context (trusted ranges and secondary signals) to reduce noise without losing detection capability.

111
MCQmedium

Network flow records show one database server sending large encrypted outbound transfers to an unfamiliar autonomous system during off-hours. Which next step gives the BEST triage value? In the root-cause analysis phase, Which finding would most directly explain the activity?

A.Delete historical flow records to reduce SIEM cost
B.Assume encryption means the transfer is safe
C.Correlate flow volume with database audit logs and the destination reputation
D.Disable all outbound internet access for the organisation
AnswerC

Flow data identifies suspicious transfer volume; database audit logs and destination context help determine whether sensitive data may have left.

Why this answer

Option C is correct because correlating the flow volume with database audit logs allows you to identify which specific records or queries were accessed during the anomalous transfers, while checking the destination reputation helps determine if the unfamiliar AS is known for data exfiltration or is a legitimate service. This combination directly addresses the suspicious behavior—large encrypted outbound transfers during off-hours—by linking network evidence to host-based logs, which is essential for triaging a potential data breach. Without this correlation, you cannot distinguish between a legitimate backup or replication job and malicious exfiltration.

Exam trap

Cisco often tests the misconception that encryption implies trustworthiness, but the trap here is that encrypted traffic can still be malicious, and the correct triage step is to correlate network flows with host-based logs and external reputation data rather than assuming safety or destroying evidence.

How to eliminate wrong answers

Option A is wrong because deleting historical flow records destroys forensic evidence and violates data retention policies (e.g., PCI DSS, GDPR), and it does not address the triage need to investigate the suspicious activity. Option B is wrong because encryption does not guarantee safety; attackers commonly use TLS/SSL to exfiltrate data covertly, and the encryption itself is a red flag when combined with off-hours transfers to an unfamiliar AS.

112
MCQmedium

Network flow records show one database server sending large encrypted outbound transfers to an unfamiliar autonomous system during off-hours. Which next step gives the BEST triage value? In the alert triage phase, Which action gives the analyst the clearest next triage step?

A.Assume encryption means the transfer is safe
B.Delete historical flow records to reduce SIEM cost
C.Disable all outbound internet access for the organisation
D.Correlate flow volume with database audit logs and the destination reputation
AnswerD

Flow data identifies suspicious transfer volume; database audit logs and destination context help determine whether sensitive data may have left.

Why this answer

Option D is correct because correlating the flow volume with database audit logs allows the analyst to verify if the outbound transfers correspond to legitimate database queries or exports, while checking the destination reputation helps determine if the autonomous system is known for malicious activity. This combination provides the clearest triage value by directly linking the network anomaly to potential data exfiltration or a compromised database server, without prematurely disrupting operations or ignoring the encryption indicator.

Exam trap

The trap here is that candidates assume encryption (option A) guarantees safety, but Cisco tests the understanding that encryption can be used to conceal malicious activity, and the correct triage step is to correlate with other logs and threat intelligence rather than making assumptions based on encryption alone.

How to eliminate wrong answers

Option A is wrong because encryption does not imply safety; in fact, encrypted outbound transfers during off-hours to an unfamiliar AS are a classic indicator of data exfiltration (e.g., using TLS to hide stolen data). Option B is wrong because deleting historical flow records destroys forensic evidence and violates retention policies (e.g., PCI DSS, GDPR), and it does not help triage the current alert. Option C is wrong because disabling all outbound internet access is an overly drastic response that would disrupt legitimate business operations and is not a triage step; it should only be considered after analysis confirms a threat.

113
MCQmedium

A host alert shows certutil.exe downloading a file from an external URL, followed by execution from a user-writable directory. What should the analyst focus on? In the root-cause analysis phase, Which finding would most directly explain the activity?

A.Reinstall the browser used by the user
B.Living-off-the-land binary misuse and the downloaded file's hash, origin, and child process
C.Ignore it because certutil is signed by Microsoft
D.Only check whether antivirus signatures are current
AnswerB

Certutil can be abused to download payloads; file and process context establishes whether execution is malicious.

Why this answer

Option B is correct because certutil.exe is a known living-off-the-land binary (LOLBin) that attackers abuse to download payloads from external URLs, bypassing application whitelisting. The root-cause analysis must focus on the downloaded file's hash (to identify malware), its origin (the external URL), and any child processes spawned (to trace execution chain), as these directly explain the malicious activity.

Exam trap

Cisco often tests the misconception that signed Microsoft binaries are inherently safe, tricking candidates into ignoring LOLBin abuse, when the real focus should be on the downloaded file's hash, origin, and execution chain.

How to eliminate wrong answers

Option A is wrong because reinstalling the browser does not address the root cause; the attack used certutil.exe, not the browser, so the browser is irrelevant to the download or execution. Option C is wrong because ignoring the alert due to certutil being signed by Microsoft is a dangerous misconception; attackers exploit legitimate signed binaries (LOLBins) to evade detection, and the activity is clearly anomalous and requires investigation.

114
MCQmedium

A UEBA rule flags a user authenticating from London and Singapore within 12 minutes, followed by a mailbox forwarding rule creation. What should the analyst investigate first? In the containment trade-off phase, Which response balances containment with evidence preservation?

A.Sign-in logs, MFA result, device details, and mailbox audit events
B.The organisation's public DNS zone file
C.Only the user's browser cache
D.Only DHCP logs from the London office
AnswerA

Impossible travel plus forwarding rule creation is a strong account-compromise pattern; identity and mailbox audit data confirm whether the activity is malicious.

Why this answer

Option A is correct because the UEBA rule indicates a possible account compromise (impossible travel followed by mailbox rule creation). The analyst must first verify the sign-in logs for authentication source IPs, MFA result to check if the attacker bypassed MFA, device details to identify if a known device was used, and mailbox audit events to confirm the forwarding rule. These four data sources provide the minimum evidence needed to assess the scope of compromise before containment.

Exam trap

Cisco often tests the candidate's ability to prioritize server-side logs (sign-in, MFA, audit) over client-side artifacts (browser cache) or unrelated infrastructure (DNS zone file) when investigating a UEBA alert for account compromise.

How to eliminate wrong answers

Option B is wrong because the organisation's public DNS zone file is irrelevant to a user-level authentication and mailbox rule anomaly; DNS records do not contain user sign-in or mailbox audit data. Option C is wrong because the user's browser cache is a client-side artifact that may be overwritten or inaccessible, and it does not provide server-side evidence of authentication events or mailbox rule creation, which are critical for forensic analysis.

115
MCQhard

A container workload unexpectedly starts a shell, mounts the host filesystem, and attempts outbound connections to an unknown IP. Which telemetry is MOST useful? In the detection engineering phase, Which detection or tuning approach would reduce noise without losing the signal?

A.Only physical datacenter access logs
B.Only user password age reports
C.Container runtime events, Kubernetes audit logs, and network flow from the pod
D.Only monthly vulnerability scan summaries
AnswerC

Runtime, orchestration, and network telemetry together show process execution, privilege context, and external communication.

Why this answer

Container runtime events (e.g., from containerd or CRI-O) capture process spawns like a shell inside the container, Kubernetes audit logs record API calls that mount host paths (e.g., `hostPath` volumes), and network flow logs (e.g., from CNI plugins or eBPF) show outbound connections to unknown IPs. Together, these three telemetry sources provide the full kill chain—execution, privilege escalation, and exfiltration—making option C the most useful for detection engineering.

Exam trap

Cisco often tests the misconception that host-level logs (like datacenter access or password reports) are sufficient for container security, when in fact container-specific telemetry is required to detect runtime anomalies like shell execution and unauthorized mounts.

How to eliminate wrong answers

Option A is wrong because physical datacenter access logs track who entered the facility, not container-level activities like shell execution or network flows; they are irrelevant to a workload compromise. Option B is wrong because user password age reports indicate password policy compliance, not real-time runtime behavior; they cannot detect a shell spawning or outbound connections from a container.

116
Multi-Selectmedium

A SOC wants to reduce alert fatigue without missing confirmed malicious activity. Which actions are appropriate? (Choose two.)

Select 2 answers
A.Suppress alerts only with documented criteria and expiry
B.Delete noisy detections permanently without review
C.Route every alert directly to executives
D.Add enrichment such as asset criticality and threat-intel context
AnswersA, D

Time-bound suppression preserves governance.

Why this answer

Option A is correct because suppressing alerts based on documented criteria (e.g., known false-positive signatures, scheduled maintenance windows) with an expiry date ensures that the suppression is temporary and reviewed periodically. This reduces alert fatigue while maintaining visibility into potential threats, as expired suppressions automatically re-enable alerting. Without an expiry, a suppression could inadvertently hide malicious activity that later matches the same criteria.

Exam trap

Cisco often tests the misconception that permanently deleting noisy detections is acceptable, but the trap is that this violates the principle of defense in depth by removing the ability to detect future variations of the same threat.

117
MCQmedium

A network sensor must detect exploit traffic using packet payload signatures and generate alerts without blocking traffic. Which deployment is BEST? In the alert triage phase, Which action gives the analyst the clearest next triage step?

A.Suricata or Snort in IDS mode on a monitored network tap or SPAN port
B.A vulnerability scanner run once per quarter
C.Host-based file integrity monitoring only
D.Inline IPS mode with drop rules for all signatures
AnswerA

IDS mode observes traffic and alerts on signatures while avoiding inline blocking impact.

Why this answer

Suricata or Snort in IDS mode on a monitored network tap or SPAN port is correct because it passively inspects packet payloads against signatures without affecting traffic flow, meeting the requirement to detect exploit traffic and generate alerts without blocking. IDS mode ensures no inline packet drops, while a tap or SPAN port provides full packet visibility for signature matching.

Exam trap

Cisco often tests the distinction between IDS and IPS modes, where candidates mistakenly choose inline IPS (Option D) because they think blocking is required for security, but the question explicitly states 'without blocking traffic,' making passive IDS the correct choice.

How to eliminate wrong answers

Option B is wrong because a vulnerability scanner run once per quarter is a proactive assessment tool that does not provide real-time packet payload inspection or alert generation for exploit traffic. Option C is wrong because host-based file integrity monitoring only detects changes to files on a host, not network-based exploit traffic in packet payloads. Option D is wrong because inline IPS mode with drop rules for all signatures actively blocks traffic, which violates the requirement to generate alerts without blocking traffic.

118
MCQmedium

A host alert shows certutil.exe downloading a file from an external URL, followed by execution from a user-writable directory. What should the analyst focus on? In the containment trade-off phase, Which response balances containment with evidence preservation?

A.Ignore it because certutil is signed by Microsoft
B.Reinstall the browser used by the user
C.Living-off-the-land binary misuse and the downloaded file's hash, origin, and child process
D.Only check whether antivirus signatures are current
AnswerC

Certutil can be abused to download payloads; file and process context establishes whether execution is malicious.

Why this answer

Option C is correct because certutil.exe is a known living-off-the-land binary (LOLB) that attackers abuse to download payloads, bypassing application whitelisting. The analyst must focus on the downloaded file's hash (for threat intelligence), its origin URL (to assess the C2 infrastructure), and any child processes spawned (to trace the execution chain). In the containment trade-off phase, preserving these artifacts is critical for forensic analysis while isolating the host.

Exam trap

Cisco often tests the misconception that signed Microsoft binaries are inherently safe, but the trap here is that certutil.exe is a dual-use tool—legitimate for administrators but weaponized by attackers for LOLB attacks.

How to eliminate wrong answers

Option A is wrong because certutil being signed by Microsoft does not make it safe; attackers abuse its legitimate functionality (e.g., -urlcache -split -f) to download malicious files, a classic LOLB technique. Option B is wrong because reinstalling the browser does not address the root cause—the misuse of a system binary—and destroys evidence of the download and execution chain. Option D is wrong because antivirus signatures are reactive and may miss fileless or obfuscated payloads; the analyst must investigate the downloaded file's hash and behavior, not just signature currency.

119
MCQmedium

An analyst has several malware samples from the same campaign and wants to detect related files based on unique strings and byte patterns. Which method is MOST appropriate? In the alert triage phase, Which action gives the analyst the clearest next triage step?

A.Tune DHCP lease duration
B.Use only a firewall deny rule for port 443
C.Create and test a YARA rule against known-good and known-bad samples
D.Create a CVE entry
AnswerC

YARA rules are suitable for identifying malware families using file strings, byte sequences, and conditions.

Why this answer

YARA rules are specifically designed to identify and classify malware samples based on textual or binary patterns, including unique strings and byte sequences. By testing a YARA rule against known-good and known-bad samples, the analyst can validate its accuracy and ensure it reliably detects related files from the same campaign while minimizing false positives.

Exam trap

Cisco often tests the distinction between detection methods (YARA) and network-level controls (DHCP, firewall) or vulnerability management (CVE), leading candidates to choose a familiar but irrelevant option like a firewall rule.

How to eliminate wrong answers

Option A is wrong because tuning DHCP lease duration affects network address assignment and renewal timing, not malware detection or file analysis. Option B is wrong because using only a firewall deny rule for port 443 would block HTTPS traffic but does not help identify or correlate malware samples based on strings or byte patterns. Option D is wrong because creating a CVE entry is a formal process for documenting a vulnerability, not a method for detecting related malware files based on unique strings or byte patterns.

120
MCQmedium

Network flow records show one database server sending large encrypted outbound transfers to an unfamiliar autonomous system during off-hours. Which next step gives the BEST triage value? In the detection engineering phase, Which detection or tuning approach would reduce noise without losing the signal?

A.Assume encryption means the transfer is safe
B.Disable all outbound internet access for the organisation
C.Delete historical flow records to reduce SIEM cost
D.Correlate flow volume with database audit logs and the destination reputation
AnswerD

Flow data identifies suspicious transfer volume; database audit logs and destination context help determine whether sensitive data may have left.

Why this answer

Option D is correct because correlating flow volume with database audit logs and destination reputation provides direct evidence of whether the encrypted outbound transfer is legitimate database replication or exfiltration. This approach leverages existing security controls (flow records, audit logs, threat intelligence) to validate the activity without assuming encryption implies safety or disrupting operations.

Exam trap

Cisco often tests the misconception that encryption guarantees safety (Option A) or that immediate blocking (Option B) is the best triage step, when in fact correlation with multiple data sources (Option D) is the proper detection engineering approach to reduce false positives while preserving signal.

How to eliminate wrong answers

Option A is wrong because encryption does not imply safety; attackers commonly use encryption to hide exfiltration, and assuming otherwise ignores the suspicious timing (off-hours) and unfamiliar ASN. Option B is wrong because disabling all outbound internet access is a drastic, disruptive response that would block legitimate business operations and is not a triage step; it violates the principle of least disruption during investigation. Option C is wrong because deleting historical flow records destroys forensic evidence needed for root cause analysis and compliance, and does not address the immediate triage need.

121
MCQhard

A new cloud log source is onboarded, but analytics fail because source IP, user, and action fields are mapped inconsistently. What should the engineer fix?

A.Log normalization and field mapping in the parser
B.Disable all enrichment lookups
C.Increase the dashboard refresh interval
D.Move logs to cold storage immediately
AnswerA

Detection rules depend on consistent normalized fields across sources.

Why this answer

Log normalization and field mapping in the parser ensure that source IP, user, and action fields from the new cloud log source are consistently transformed into the schema expected by the SIEM or analytics platform. Without this, the analytics engine cannot correlate or alert on the data because the fields are not recognized or are mapped to incorrect attributes, leading to failed analytics.

Exam trap

Cisco often tests the misconception that analytics failures are due to display or enrichment issues, when the real problem is almost always a parsing or normalization mismatch at the ingestion layer.

How to eliminate wrong answers

Option B is wrong because disabling all enrichment lookups would remove valuable context (e.g., geo-IP, threat intelligence) but does not fix the root cause of inconsistent field mapping; the logs would still be parsed incorrectly. Option C is wrong because increasing the dashboard refresh interval only changes how often the dashboard updates its display; it has no effect on how the raw log data is parsed or normalized, so the analytics would still fail.

122
Drag & Dropmedium

Arrange the steps for a typical digital forensics investigation process.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

Digital forensics follows identification, preservation, collection, examination, and presentation.

123
Multi-Selectmedium

Which TWO of the following are essential steps in the incident response phase of 'Containment, Eradication, and Recovery'? (Choose two.)

Select 2 answers
A.Reimage all systems in the environment
B.Disconnect the organization from the internet
C.Remove malicious files and artifacts from affected systems
D.Collect and preserve forensic evidence
E.Isolate affected systems from the network
AnswersC, E

Eradication removes the threat.

Why this answer

Option C is correct because removing malicious files and artifacts from affected systems is a core step in the eradication phase, ensuring that the root cause of the incident is eliminated and the system can be safely restored to normal operations. This step directly addresses the removal of malware, persistence mechanisms, and unauthorized changes that were identified during analysis.

Exam trap

CompTIA often tests the distinction between 'containment' actions (like isolation) and 'eradication' actions (like removal of artifacts), and the trap here is that candidates confuse 'collecting forensic evidence' (which belongs to the identification phase) with a step in the containment/eradication process.

124
MCQmedium

A deception credential placed in a file share is used to authenticate to a server. No legitimate user should know the credential. What does this most likely indicate? In the evidence source phase, Which evidence source best supports or refutes the detection?

A.The SIEM parser is always broken
B.A scheduled password rotation completed successfully
C.Credential access or lateral movement activity that warrants high-priority investigation
D.The file share requires more storage capacity
AnswerC

Use of a honey credential is a high-fidelity signal because legitimate workflows should not touch it.

Why this answer

The deception credential is a honeytoken—a fake credential placed in a file share to detect unauthorized use. Since no legitimate user should know it, any authentication attempt using it indicates an attacker has accessed the file share (credential access) and is attempting to move laterally (lateral movement). This warrants high-priority investigation because it directly signals a breach in progress.

Exam trap

Cisco often tests the distinction between a detection artifact (like a honeytoken) and a configuration issue (like a broken parser), so candidates mistakenly attribute the alert to a technical failure rather than recognizing it as a deliberate security control triggering on malicious activity.

How to eliminate wrong answers

Option A is wrong because a broken SIEM parser would cause missing or malformed logs, not the generation of an authentication event using a deception credential; the detection itself is valid. Option B is wrong because a scheduled password rotation would change the credential's password, but the deception credential is a static honeytoken not subject to rotation, and its use would still be malicious regardless of rotation status.

125
MCQeasy

An analyst needs to identify which process on a Windows system is making outbound connections to the internet. Which tool should be used?

A.netstat -an
B.Task Manager
C.Resource Monitor
D.Performance Monitor
AnswerC

Displays network activity per process.

Why this answer

Resource Monitor (resmon.exe) provides a real-time view of network activity, including which processes are making outbound TCP and UDP connections, along with the remote addresses and ports. Unlike netstat, it directly associates network connections with specific process names and allows filtering by process, making it the most efficient tool for identifying the exact process responsible for outbound internet traffic.

Exam trap

CompTIA often tests the distinction between tools that show aggregate network usage (Task Manager) versus those that show per-connection process mapping (Resource Monitor), leading candidates to choose Task Manager because they associate it with network activity without realizing it lacks connection-level detail.

How to eliminate wrong answers

Option A is wrong because netstat -an shows all active connections and listening ports but does not display the process name or PID by default; without the -b or -o flags, it cannot identify which process owns a connection. Option B is wrong because Task Manager's default view shows CPU, memory, disk, and network utilization per process, but it does not list individual outbound connections or remote addresses, only aggregate network usage. Option D is wrong because Performance Monitor is designed for long-term performance logging and analysis of system counters, not for real-time identification of specific process-to-remote-address connections.

126
MCQhard

A container workload unexpectedly starts a shell, mounts the host filesystem, and attempts outbound connections to an unknown IP. Which telemetry is MOST useful? In the root-cause analysis phase, Which finding would most directly explain the activity?

A.Only user password age reports
B.Only physical datacenter access logs
C.Container runtime events, Kubernetes audit logs, and network flow from the pod
D.Only monthly vulnerability scan summaries
AnswerC

Runtime, orchestration, and network telemetry together show process execution, privilege context, and external communication.

Why this answer

Container runtime events (e.g., `docker events` or CRI-O logs) capture the unexpected shell execution and host filesystem mount. Kubernetes audit logs record the API calls that initiated the pod, revealing the attacker's initial access vector. Network flow logs from the pod (e.g., via Calico or Cilium) show the outbound connections to the unknown IP, linking the lateral movement to the compromised container.

Together, these three telemetry sources provide the complete chain of events needed for root-cause analysis.

Exam trap

Cisco often tests the misconception that a single log source (e.g., only network flows) is sufficient for root-cause analysis, when in reality a combination of container runtime, Kubernetes audit, and network telemetry is required to reconstruct the full attack chain.

How to eliminate wrong answers

Option A is wrong because user password age reports are irrelevant to container workload activity; they track local user account password expiration policies and cannot capture runtime events, mounts, or network flows inside a pod. Option B is wrong because physical datacenter access logs record who entered the facility, not what happens inside a container; they provide no visibility into shell execution, filesystem mounts, or outbound connections from a workload.

127
Multi-Selecteasy

Which TWO of the following are best practices for secure log management? (Choose TWO)

Select 2 answers
A.Enable log encryption in transit and at rest
B.Implement log aggregation from multiple sources
C.Disable logging on non-critical systems to save space
D.Store logs on the same server for easy access
E.Use a common log format for all sources
AnswersA, B

Encryption protects log integrity and confidentiality.

Why this answer

Option A is correct because encrypting logs in transit (e.g., using TLS/SSL for syslog over TCP 6514) and at rest (e.g., AES-256 encryption on the storage volume) ensures confidentiality and integrity, preventing unauthorized access or tampering. This aligns with security frameworks like NIST SP 800-92 and PCI DSS requirements for protecting log data.

Exam trap

CompTIA often tests the misconception that 'common log format' is a security best practice, but it is actually an operational convenience; the trap is confusing operational efficiency with security controls.

128
MCQhard

A security analyst is reviewing SIEM alerts and sees multiple failed logon events from a single external IP address across several user accounts within two minutes. The source IP is from a known malicious geolocation. What type of attack is most likely occurring?

A.Password spraying attack
B.Distributed denial-of-service (DDoS) attack
C.Brute-force attack
D.Pass-the-hash attack
AnswerC

Multiple failed logon attempts from one IP across accounts indicates a brute-force attack.

Why this answer

The scenario describes multiple failed logon attempts from a single external IP against several user accounts within a short time window. This pattern is characteristic of a brute-force attack, where an attacker systematically tries common or guessed passwords across multiple accounts to gain unauthorized access. The single source IP and rapid sequence of failures distinguish it from a password spraying attack, which spreads attempts across many accounts slowly to avoid lockout thresholds.

Exam trap

The trap here is confusing a brute-force attack with a password spraying attack; CompTIA often tests this by emphasizing the speed and source IP concentration versus the slow, distributed nature of password spraying.

How to eliminate wrong answers

Option A is wrong because a password spraying attack uses a small number of common passwords against many accounts over an extended period to evade account lockout, not rapid attempts from one IP against multiple accounts. Option B is wrong because a DDoS attack aims to overwhelm a service with traffic to cause denial of service, not to authenticate via logon events. Option D is wrong because a pass-the-hash attack involves capturing and reusing NTLM or Kerberos hashes to authenticate without knowing the plaintext password, which does not generate failed logon events from a single external IP.

129
MCQmedium

A UEBA rule flags a user authenticating from London and Singapore within 12 minutes, followed by a mailbox forwarding rule creation. What should the analyst investigate first? In the detection engineering phase, Which detection or tuning approach would reduce noise without losing the signal?

A.Only DHCP logs from the London office
B.The organisation's public DNS zone file
C.Only the user's browser cache
D.Sign-in logs, MFA result, device details, and mailbox audit events
AnswerD

Impossible travel plus forwarding rule creation is a strong account-compromise pattern; identity and mailbox audit data confirm whether the activity is malicious.

Why this answer

Option D is correct because the scenario describes a potential account takeover or lateral movement, where an impossible travel event (logins from London and Singapore within 12 minutes) is followed by a suspicious mailbox forwarding rule. The analyst must first verify the sign-in logs for authentication details, MFA results to check if the MFA was bypassed or prompted, device details to identify if a known or managed device was used, and mailbox audit events to confirm the forwarding rule creation and its origin. These combined data sources provide the most direct evidence to determine if the activity is malicious or a false positive.

Exam trap

CompTIA often tests the misconception that network-level logs (like DHCP or DNS) are sufficient for investigating user account anomalies, but the correct approach requires focusing on authentication and audit logs that directly capture user identity and actions.

How to eliminate wrong answers

Option A is wrong because DHCP logs only show IP address assignments and cannot provide authentication context, MFA results, or mailbox audit events needed to investigate the impossible travel and forwarding rule. Option B is wrong because the organization's public DNS zone file contains domain name mappings and is irrelevant to user authentication events or mailbox rule changes; it would not help trace the user's activity. Option C is wrong because the user's browser cache is a client-side artifact that may show browsing history but cannot reveal server-side authentication logs, MFA challenges, or mailbox audit events, and it is not a reliable source for enterprise security investigations.

130
Multi-Selecthard

A threat hunter suspects data exfiltration over HTTPS from a database server. Which data sources are most useful? (Choose two.)

Select 2 answers
A.Database audit logs showing queried objects and accounts
B.Printer toner status
C.Building temperature logs
D.NetFlow or proxy logs showing destination, volume, and timing
AnswersA, D

Database logs reveal whether sensitive data was accessed before transfer.

Why this answer

Database audit logs record which objects (tables, columns) were queried and by which accounts, directly revealing unauthorized access or unusual data retrieval patterns that could indicate exfiltration. NetFlow or proxy logs capture destination IP addresses, data volumes, and timing of HTTPS sessions, allowing the hunter to spot large or anomalous outbound transfers to suspicious hosts, even though the payload is encrypted.

Exam trap

Cisco often tests the misconception that encrypted traffic (HTTPS) is completely opaque, leading candidates to overlook metadata sources like NetFlow or proxy logs that can reveal exfiltration patterns without decryption.

131
Multi-Selectmedium

A Security Operations Center (SOC) analyst is tuning a SIEM rule to reduce false positives. Which three of the following are valid approaches to improve the signal-to-noise ratio of a detection rule? (Choose three.)

Select 3 answers
.Adding a whitelist for known benign source IP addresses or user accounts.
.Increasing the severity level of the alert to ensure faster response.
.Adjusting the time window for event correlation to reduce overlapping alerts.
.Removing the rule entirely to eliminate all associated noise.
.Refining the event frequency threshold to require a higher number of occurrences.
.Adding additional event sources to broaden the scope of detection.

Why this answer

Adding a whitelist for known benign source IP addresses or user accounts is a valid approach because it directly reduces false positives by excluding traffic that is known to be safe from triggering the rule. This improves the signal-to-noise ratio by ensuring that only truly suspicious activity generates alerts, without altering the detection logic itself.

Exam trap

CompTIA often tests the misconception that increasing severity or adding more data sources improves detection quality, when in fact these actions can degrade the signal-to-noise ratio by amplifying noise or misdirecting analyst attention.

132
MCQmedium

A deception credential placed in a file share is used to authenticate to a server. No legitimate user should know the credential. What does this most likely indicate? In the detection engineering phase, Which detection or tuning approach would reduce noise without losing the signal?

A.Credential access or lateral movement activity that warrants high-priority investigation
B.The file share requires more storage capacity
C.A scheduled password rotation completed successfully
D.The SIEM parser is always broken
AnswerA

Use of a honey credential is a high-fidelity signal because legitimate workflows should not touch it.

Why this answer

A deception credential is a deliberately planted fake credential (e.g., a honey token) that no legitimate user should ever use. When it is used to authenticate to a server, it indicates that an attacker has discovered the credential and is attempting to use it for lateral movement or credential access. This is a high-fidelity alert that warrants immediate investigation because it directly signals unauthorized activity.

Exam trap

Cisco often tests the concept that deception credentials are not used by legitimate users or automated processes, so any authentication with them is malicious; the trap is confusing this with routine administrative actions like password rotation or storage issues.

How to eliminate wrong answers

Option B is wrong because the file share requiring more storage capacity is a capacity management issue, not a security detection concern; it would not generate an authentication event. Option C is wrong because a scheduled password rotation would use legitimate, known credentials and would not involve a deception credential that no legitimate user should know; password rotation tools do not authenticate with honey tokens.

133
MCQmedium

An EDR alert shows powershell.exe launched by winword.exe with an encoded command line and outbound HTTPS shortly after a user opened an email attachment. What is the BEST first analytic pivot? In the root-cause analysis phase, Which finding would most directly explain the activity?

A.Disable the SIEM parser for PowerShell events
B.Reimage every workstation in the department
C.Close the alert because HTTPS is expected traffic
D.Decode the command and inspect the process tree, parent document, and network destination
AnswerD

Encoded PowerShell launched by Office is a high-signal chain; decoding and process-tree review confirms intent and scope.

Why this answer

Option D is correct because the encoded PowerShell command is the primary indicator of malicious intent; decoding it reveals the attacker's instructions. Inspecting the process tree (winword.exe spawning powershell.exe) confirms the infection vector (phishing attachment), and analyzing the parent document and network destination identifies the payload and C2 server. This sequence directly addresses root-cause analysis by tracing the attack from initial access to execution.

Exam trap

CompTIA often tests the misconception that encoded commands or HTTPS traffic are inherently benign, tempting candidates to dismiss the alert or take premature remediation steps instead of performing forensic analysis.

How to eliminate wrong answers

Option A is wrong because disabling the SIEM parser for PowerShell events would blind the security team to future attacks, not investigate the current alert. Option B is wrong because reimaging every workstation is a drastic remediation step that should only occur after confirming the scope of compromise through forensic analysis, not as a first analytic pivot. Option C is wrong because HTTPS is commonly used by malware to blend in with legitimate traffic; assuming it is benign ignores the context of an encoded PowerShell launch from a document reader.

134
MCQeasy

During an incident response, the team identifies that a workstation was compromised via a phishing email. Which of the following should be performed immediately after containment?

A.Notify law enforcement about the phishing campaign.
B.Collect forensic evidence from the workstation.
C.Conduct a root cause analysis of the phishing email.
D.Eradicate the malware from the workstation.
AnswerD

Eradication follows containment to remove the threat.

Why this answer

Option D is correct because, immediately after containment, the priority is to eradicate the malware from the workstation to prevent reinfection or lateral movement. Containment isolates the system, but eradication removes the malicious artifacts (e.g., registry keys, scheduled tasks, or malicious binaries) to ensure the system is clean before recovery. This step aligns with the NIST SP 800-61 incident response lifecycle, where eradication follows containment to eliminate the threat's foothold.

Exam trap

CompTIA often tests the order of the incident response phases (containment, eradication, recovery, lessons learned) and the trap here is that candidates mistakenly choose 'Collect forensic evidence' (Option B) because they confuse the need for evidence with the immediate priority of removing the active threat after containment.

How to eliminate wrong answers

Option A is wrong because notifying law enforcement is a post-incident activity that occurs after eradication and recovery, not immediately after containment; premature notification can delay technical response and may not be required for every phishing incident. Option B is wrong because collecting forensic evidence should occur before containment (or during containment with proper imaging), not after containment, as containment actions (e.g., disconnecting the network) can alter volatile data if evidence collection is delayed. Option C is wrong because conducting a root cause analysis is part of the lessons-learned phase, which happens after eradication and recovery; performing it immediately after containment wastes time that should be spent removing the active threat.

135
MCQmedium

Based on the exhibit, which type of issue is most likely affecting the server's network performance?

A.Faulty network cable or interface
B.Duplex mismatch between the server and switch
C.Incorrect TCP/IP configuration
D.Outdated network driver
AnswerA

High CRC and frame errors suggest physical layer problems.

Why this answer

The exhibit shows excessive CRC errors and runts on the server's network interface, which are classic symptoms of a faulty physical layer component such as a damaged cable or failing NIC. These errors indicate that frames are being corrupted during transmission, and the interface is discarding them, leading to retransmissions and degraded performance. A faulty cable or interface directly causes these physical-layer issues, unlike configuration or driver problems.

Exam trap

CompTIA often tests the distinction between physical-layer errors (CRC, runts) and data-link layer issues (duplex mismatch, collisions), leading candidates to mistakenly choose duplex mismatch when the exhibit shows CRC errors instead of late collisions.

How to eliminate wrong answers

Option B is wrong because a duplex mismatch typically causes late collisions and FCS errors, not CRC errors and runts; the interface counters would show alignment errors and excessive collisions. Option C is wrong because incorrect TCP/IP configuration (e.g., wrong subnet mask, gateway, or DNS) would cause connectivity failures or routing issues, not physical-layer CRC errors. Option D is wrong because an outdated network driver might cause performance issues or interface resets, but it would not generate CRC errors or runts at the hardware level; those are physical-layer phenomena.

136
MCQeasy

A user opens an invoice document and shortly afterward the endpoint runs wscript.exe from the user's profile. Which detection logic is most relevant? In the alert triage phase, Which action gives the analyst the clearest next triage step?

A.Successful DHCP renewal
B.A password expiry warning
C.High CPU usage on the print server
D.Office document spawning a script interpreter from a user context
AnswerD

Office-to-script process chains are common initial execution patterns for phishing payloads.

Why this answer

Option D is correct because the scenario describes a classic technique where a malicious macro or script embedded in an Office document executes wscript.exe (Windows Script Host) from the user's profile. This detection logic directly identifies the suspicious parent-child process relationship of an Office application spawning a script interpreter, which is a strong indicator of a script-based attack, such as a macro virus or initial access payload.

Exam trap

CompTIA often tests the concept of process lineage and anomalous parent-child relationships, where candidates may mistakenly focus on system-level performance or network events instead of recognizing that the key indicator is the Office document spawning a script interpreter from the user's profile.

How to eliminate wrong answers

Option A is wrong because a successful DHCP renewal is a routine network operation that does not involve process execution anomalies or user-initiated scripts, making it irrelevant to detecting a malicious script spawned from an Office document. Option B is wrong because a password expiry warning is an authentication event unrelated to process creation or script execution, and it does not indicate any compromise or suspicious activity on the endpoint. Option C is wrong because high CPU usage on the print server is a performance metric for a different system component and has no direct correlation with a user endpoint running wscript.exe from a script interpreter invoked by an Office document.

137
MCQmedium

A security analyst notices that an IDS is generating a high number of false positives for legitimate encrypted traffic. Which tuning method should the analyst use to reduce false positives without reducing detection capability?

A.Whitelist the source IP addresses of known, trusted servers.
B.Disable the signatures that trigger for encrypted traffic.
C.Increase the sensitivity threshold for the encrypted traffic signatures.
D.Enable full packet capture and analyze the encrypted traffic manually.
AnswerA

Whitelisting reduces false positives by exempting known benign traffic.

Why this answer

Whitelisting the source IP addresses of known, trusted servers reduces false positives by instructing the IDS to ignore alerts for encrypted traffic from those specific hosts. This approach preserves detection capability because the IDS continues to apply all signatures to traffic from other, potentially malicious sources. It is a targeted tuning method that does not disable detection mechanisms or alter sensitivity thresholds, which could otherwise miss real threats.

Exam trap

CompTIA often tests the misconception that disabling signatures or increasing thresholds is an acceptable tuning method, but the trap here is that those actions reduce detection capability, whereas whitelisting trusted sources is the only option that maintains full detection for untrusted traffic.

How to eliminate wrong answers

Option B is wrong because disabling signatures that trigger for encrypted traffic would eliminate detection of any malicious activity hidden within that encrypted stream, such as command-and-control traffic or data exfiltration, thus reducing detection capability. Option C is wrong because increasing the sensitivity threshold for encrypted traffic signatures would actually make the IDS less likely to trigger on any encrypted traffic, potentially missing real attacks while still generating false positives for legitimate traffic that exceeds the new threshold. Option D is wrong because enabling full packet capture and manually analyzing encrypted traffic is not a tuning method; it is a resource-intensive forensic approach that does not reduce false positives in real-time and does not scale for ongoing operations.

138
MCQmedium

A vendor shares indicators marked TLP:AMBER+STRICT. How should the SOC handle them? In the root-cause analysis phase, Which finding would most directly explain the activity?

A.Publish the indicators on a public GitHub repository
B.Send the indicators to all customers
C.Ignore the indicators because TLP markings are optional
D.Use them internally with only people who need to know and avoid wider redistribution
AnswerD

TLP:AMBER+STRICT restricts sharing to the recipient organisation on a need-to-know basis.

Why this answer

TLP:AMBER+STRICT restricts sharing to recipients within the organization who need to know, prohibiting further redistribution outside the organization. The SOC must use these indicators internally only with personnel who require them for detection and response, avoiding any external sharing. This ensures compliance with the Traffic Light Protocol (TLP) standard defined by FIRST.org.

Exam trap

CompTIA often tests the misconception that TLP markings are optional or advisory, when in fact they are binding protocols that dictate strict handling and redistribution rules, especially with the 'STRICT' qualifier.

How to eliminate wrong answers

Option A is wrong because publishing indicators on a public GitHub repository violates the TLP:AMBER+STRICT restriction, which explicitly forbids sharing outside the organization. Option B is wrong because sending indicators to all customers would constitute unauthorized redistribution beyond the intended recipients, breaching the 'strict' constraint. Option C is wrong because TLP markings are mandatory for handling sensitive information; ignoring them could lead to data leaks and non-compliance with security policies.

139
Multi-Selectmedium

Which THREE of the following are essential tools and technologies used in a Security Operations Center (SOC) for monitoring and detection?

Select 3 answers
A.Firewall
B.Endpoint Detection and Response (EDR)
C.Intrusion Detection/Prevention System (IDS/IPS)
D.Security Information and Event Management (SIEM) system
E.Vulnerability scanner
AnswersB, C, D

Host-level monitoring and detection.

Why this answer

Endpoint Detection and Response (EDR) is essential in a SOC because it provides continuous monitoring and analysis of endpoint activities, enabling detection of advanced threats such as fileless malware and ransomware. EDR tools collect telemetry data from endpoints, correlate it with threat intelligence, and allow for automated response actions, which are critical for real-time incident detection and investigation.

Exam trap

CompTIA often tests the distinction between tools that provide continuous monitoring and detection (SIEM, EDR, IDS/IPS) versus tools that are preventive or periodic (firewall, vulnerability scanner), leading candidates to incorrectly include the latter as essential SOC monitoring technologies.

140
MCQhard

During a forensic investigation, an analyst finds a suspicious registry key that runs a program at startup. What is the best way to determine if the program is malicious?

A.Search the startup folder for the file
B.Compute the hash of the executable and query threat intelligence
C.Execute the program in a sandbox and observe behavior
D.Check the file's last modified timestamp
AnswerB

Hash check indicates known malicious status.

Why this answer

Computing the hash of the executable and querying threat intelligence (e.g., VirusTotal, AlienVault OTX) provides a definitive, objective indicator of known maliciousness by comparing the file's cryptographic fingerprint against global threat databases. This is the fastest and most reliable method to determine if the program is malicious without risking execution or relying on circumstantial evidence.

Exam trap

Cisco often tests the distinction between 'best first step' and 'thorough analysis'—candidates mistakenly choose sandbox execution (Option C) because it seems more comprehensive, but the exam prioritizes speed and safety via hash-based threat intelligence queries.

How to eliminate wrong answers

Option A is wrong because searching the startup folder only confirms the file's location, not its maliciousness; legitimate programs also reside there. Option C is wrong because executing the program in a sandbox, while useful for behavioral analysis, is time-consuming and could still expose the system to risk if the sandbox is misconfigured; it is not the 'best' first step. Option D is wrong because the last modified timestamp is metadata that can be easily altered (timestomping) and provides no indication of malicious intent.

141
MCQhard

A container workload unexpectedly starts a shell, mounts the host filesystem, and attempts outbound connections to an unknown IP. Which telemetry is MOST useful? In the containment trade-off phase, Which response balances containment with evidence preservation?

A.Only physical datacenter access logs
B.Container runtime events, Kubernetes audit logs, and network flow from the pod
C.Only monthly vulnerability scan summaries
D.Only user password age reports
AnswerB

Runtime, orchestration, and network telemetry together show process execution, privilege context, and external communication.

Why this answer

Option B is correct because container runtime events (e.g., Docker/containerd exec logs) capture the unexpected shell launch, Kubernetes audit logs record the pod creation and mount operations, and network flow logs (e.g., NetFlow, eBPF-based tools) reveal the outbound connection to the unknown IP. Together, these provide the granular, real-time telemetry needed to detect and investigate the compromise, unlike static or coarse-grained logs.

Exam trap

Cisco often tests the misconception that any single log source (e.g., only network flows or only audit logs) is sufficient, when in reality container compromises require correlating runtime, orchestration, and network telemetry to fully understand the attack chain.

How to eliminate wrong answers

Option A is wrong because physical datacenter access logs only track physical entry and have no visibility into container-level activities like shell execution, filesystem mounts, or outbound network flows. Option C is wrong because monthly vulnerability scan summaries are point-in-time snapshots of known CVEs and cannot capture dynamic runtime events such as a shell spawning or live network connections. Option D is wrong because user password age reports are identity management artifacts unrelated to runtime container behavior or network telemetry.

142
Multi-Selecthard

An organization has identified a ransomware outbreak on several workstations. Which TWO actions should the incident response team take immediately?

Select 2 answers
A.Pay the ransom to recover data quickly.
B.Disconnect all network shares to prevent encryption.
C.Contact law enforcement for guidance.
D.Reimage all affected systems immediately.
E.Isolate the affected workstations from the network.
AnswersB, E

Prevents ransomware from encrypting shared data.

Why this answer

Isolating affected systems prevents further spread, and disconnecting network shares stops lateral movement. Contacting law enforcement can be done later; paying ransom is not recommended; reimaging may destroy evidence before investigation.

143
Multi-Selecthard

A SOC team is tuning a SIEM to reduce false positives. Which THREE of the following metrics should the team consider when evaluating detection effectiveness? (Choose THREE)

Select 3 answers
A.False Positive Rate
B.Number of detected events
C.Precision
D.Mean Time to Detect (MTTD)
E.True Positive Rate (Recall)
AnswersA, C, E

Measures the proportion of negatives incorrectly flagged as positive.

Why this answer

A is correct because False Positive Rate (FPR) measures the proportion of benign events incorrectly flagged as malicious, directly indicating how much noise the SIEM generates. Reducing FPR is a primary goal when tuning detection rules to minimize analyst fatigue and improve alert fidelity.

Exam trap

CompTIA often tests the distinction between metrics that measure detection accuracy (FPR, Precision, Recall) versus metrics that measure operational efficiency (MTTD, event volume), leading candidates to mistakenly include MTTD or raw event counts as effectiveness metrics.

144
MCQmedium

A UEBA rule flags a user authenticating from London and Singapore within 12 minutes, followed by a mailbox forwarding rule creation. What should the analyst investigate first? In the alert triage phase, Which action gives the analyst the clearest next triage step?

A.Only the user's browser cache
B.The organisation's public DNS zone file
C.Sign-in logs, MFA result, device details, and mailbox audit events
D.Only DHCP logs from the London office
AnswerC

Impossible travel plus forwarding rule creation is a strong account-compromise pattern; identity and mailbox audit data confirm whether the activity is malicious.

Why this answer

Option C is correct because the alert indicates a potential account compromise (impossible travel from London to Singapore in 12 minutes) followed by a suspicious mailbox rule creation. The clearest next triage step is to examine sign-in logs for authentication source IPs and timestamps, MFA result to verify if the second factor was passed, device details to check for known or managed devices, and mailbox audit events to confirm who created the forwarding rule and when. This combination directly validates whether the user's credentials were used from two geographically impossible locations and whether the mailbox rule was created by the legitimate user or an attacker.

Exam trap

Cisco often tests the concept that during alert triage, the analyst must correlate multiple log sources (authentication, MFA, device, and mailbox audit) rather than focusing on a single, irrelevant log type like DHCP or DNS, which do not provide the necessary evidence for impossible travel and mailbox rule investigations.

How to eliminate wrong answers

Option A is wrong because browser cache only stores local web data (cookies, history) and cannot provide evidence of authentication source IPs, MFA status, or mailbox rule creation events; it is irrelevant for investigating impossible travel and mailbox forwarding. Option B is wrong because the organization's public DNS zone file contains DNS records (A, MX, CNAME) for external resolution and has no relation to user authentication logs, MFA results, or mailbox audit events; it cannot help triage the alert. Option D is wrong because DHCP logs from the London office only record IP address assignments within that subnet and do not include authentication details, MFA results, or mailbox audit events; they cannot confirm the user's identity or the mailbox rule creation.

145
Multi-Selectmedium

A security analyst is reviewing alerts from multiple security tools. Which three of the following are key indicators of a potential credential-based attack in the environment? (Choose three.)

Select 3 answers
.Multiple failed logon attempts followed by a single successful logon from the same source IP address.
.A single user account logging in from two geographically distant locations within a short time window.
.An account that has been inactive for 90 days suddenly authenticating to a critical server.
.A spike in outbound DNS traffic from a workstation during business hours.
.An increase in the number of TCP SYN packets sent to a single external IP address.
.A system event log showing a successful logon after a scheduled patch reboot.

Why this answer

Multiple failed logon attempts followed by a single successful logon from the same source IP address is a classic indicator of a password spraying or brute-force attack. The attacker tries many usernames or passwords, and when one succeeds, the pattern shifts from failures to a success. This sequence is a key sign of credential compromise.

Exam trap

CompTIA often tests the distinction between credential-based attacks (e.g., brute-force, password spraying) and other attack types like reconnaissance (SYN scan) or data exfiltration (DNS tunneling), so candidates must focus on the authentication sequence rather than traffic volume or protocol anomalies.

146
Drag & Dropmedium

Arrange the steps for configuring a firewall rule set in the correct order.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

Firewall rule configuration involves identifying traffic, creating rules, applying to interface, testing, and monitoring.

147
MCQhard

A threat hunter wants a portable detection for suspicious rundll32 execution that can be converted for multiple SIEM platforms. Which artefact format best fits this goal? In the alert triage phase, Which action gives the analyst the clearest next triage step?

A.CVSS vector string
B.Sigma rule
C.YARA rule
D.OpenIOC package only
AnswerB

Sigma is designed as a generic detection-rule format that can be translated into SIEM-specific queries.

Why this answer

Sigma rules are the correct choice because they are designed as a generic, open-source signature format for log events, making them portable across multiple SIEM platforms (e.g., Splunk, Elastic, QRadar) without vendor lock-in. For suspicious rundll32 execution, a Sigma rule can describe the specific event log patterns (e.g., Event ID 4688 with CommandLine containing 'rundll32.exe') that can be converted into each SIEM's native query language. This portability directly meets the threat hunter's goal of creating a detection that can be reused across different environments.

Exam trap

Cisco often tests the distinction between detection artefacts (Sigma, YARA) and vulnerability scoring (CVSS), and the trap here is that candidates may confuse YARA's file-scanning capability with log-based SIEM detection, forgetting that YARA rules cannot be directly converted to SIEM queries without significant rework.

How to eliminate wrong answers

Option A is wrong because a CVSS vector string is a standardized score for vulnerability severity (e.g., CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), not a detection artefact for identifying suspicious process execution like rundll32; it describes risk, not a pattern to match in logs. Option C is wrong because YARA rules are primarily designed for file-based pattern matching (e.g., identifying malware binaries by byte sequences or strings), not for parsing Windows Event Logs or SIEM log streams; while YARA can be used for memory analysis, it is not natively portable to SIEM platforms for log-based detection.

148
MCQhard

Refer to the exhibit. The snippet is from a Windows Security log showing event ID 4688 (Process Creation). Which of the following actions should the analyst take first?

A.Kill the process with PID 0x1234
B.Investigate the creator process
C.Quarantine the file C:\Users\admin\AppData\Local\Temp\svchost.exe
D.Disable rundll32.exe on the system
AnswerB

The creator process is running from a non-standard location (Temp folder), indicating compromise.

Why this answer

The analyst should first investigate the creator process (parent process) because the suspicious svchost.exe spawned from rundll32.exe in a temp directory indicates a classic LOLBins (Living Off the Land Binaries) attack. Event ID 4688 logs the parent process PID (0x1234) and the child process; tracing the parent reveals the initial compromise vector, such as a malicious script or document that invoked rundll32.exe to execute the payload.

Exam trap

CompTIA often tests the misconception that the immediate child process (svchost.exe) is the primary threat, but the trap is that the parent process (rundll32.exe) holds the key to understanding the attack chain and should be investigated first.

How to eliminate wrong answers

Option A is wrong because killing the process with PID 0x1234 (the parent rundll32.exe) would remove the immediate threat but destroy forensic evidence needed to trace the attack chain; the analyst must first investigate to understand the full scope. Option C is wrong because quarantining the file C:\Users\admin\AppData\Local\Temp\svchost.exe is premature without confirming it is malicious via hash analysis or sandboxing, and it ignores the parent process that may have additional indicators. Option D is wrong because disabling rundll32.exe system-wide is an extreme, disruptive action that breaks legitimate Windows functionality (e.g., DLL execution for system utilities) and should only be considered after thorough investigation confirms persistent abuse.

149
MCQeasy

A user opens an invoice document and shortly afterward the endpoint runs wscript.exe from the user's profile. Which detection logic is most relevant? In the containment trade-off phase, Which response balances containment with evidence preservation?

A.High CPU usage on the print server
B.A password expiry warning
C.Successful DHCP renewal
D.Office document spawning a script interpreter from a user context
AnswerD

Office-to-script process chains are common initial execution patterns for phishing payloads.

Why this answer

Option D is correct because the scenario describes a classic phishing attack where a malicious macro or embedded script in an Office document (the invoice) executes wscript.exe, a Windows Script Host interpreter, from the user's profile. This detection logic directly correlates the initial vector (Office document) with the suspicious process execution (script interpreter) in the user context, which is a key indicator of malware or unauthorized script activity.

Exam trap

The trap here is that candidates may focus on the process name (wscript.exe) alone and overlook the critical context of the Office document spawning it, leading them to choose a generic detection like high CPU usage or ignore the attack chain entirely.

How to eliminate wrong answers

Option A is wrong because high CPU usage on a print server is unrelated to endpoint script execution from an Office document; it indicates a performance or resource issue, not a security detection logic for script-based attacks. Option B is wrong because a password expiry warning is an administrative notification about credential aging, not a detection logic for malicious script execution or process spawning. Option C is wrong because successful DHCP renewal is a normal network configuration event that does not indicate malicious activity or script execution from an Office document.

150
MCQhard

A SOC wants a SOAR playbook for suspected phishing that reduces analyst workload but avoids destructive action before confirmation. Which actions are appropriate for the first automated phase? In the alert triage phase, Which action gives the analyst the clearest next triage step?

A.Disable the reporting user's account immediately
B.Enrich URLs, detonate attachments in a sandbox, and collect mailbox search counts
C.Close all similar alerts as duplicates
D.Automatically delete all messages from the sender across all mailboxes
AnswerB

Early automation should gather context and evidence while keeping analysts in control of disruptive actions.

Why this answer

Option B is correct because it describes non-destructive, automated enrichment actions that gather evidence (URL reputation, sandbox analysis, mailbox search counts) without altering systems. This aligns with SOAR best practices for the initial triage phase, where the goal is to reduce analyst workload by providing contextual data while avoiding destructive actions until confirmation of a true positive.

Exam trap

Cisco often tests the distinction between automated enrichment (safe, reversible) and automated response (potentially destructive), tricking candidates into choosing immediate containment actions like account disablement before confirmation.

How to eliminate wrong answers

Option A is wrong because disabling the reporting user's account is a destructive action that could disrupt legitimate operations and violates the requirement to avoid destructive actions before confirmation. Option C is wrong because closing all similar alerts as duplicates prematurely assumes they are false positives or duplicates without evidence, which risks missing a real threat and bypasses proper triage analysis.

← PreviousPage 2 of 3 · 162 questions totalNext →

Ready to test yourself?

Try a timed practice session using only Security Operations questions.