Quick Answer
The correct answer is to initiate the organization’s incident response process for a potential data exfiltration event. This is the most appropriate action because the CASB log reveals two critical red flags: a massive deviation from the user’s baseline (500 GB versus 10 MB daily) and an impossible geographic origin, which together strongly suggest an account compromise and active data theft. On the Security+ SY0-701 exam, this scenario tests your understanding that incident response steps begin with detection and containment, not with immediate technical fixes like blocking the IP or disabling the account—those come later within the structured process. A common trap is to jump to a reactive measure, but the correct first step is always to follow the formal incident response plan to preserve evidence and coordinate safely. Memory tip: think “IR before IT”—always trigger the incident response process before taking any standalone technical action.
SY0-701 Security Operations Practice Question
This SY0-701 practice question tests your understanding of security operations. Compare every option against the stated constraints before choosing — the best answer satisfies all requirements, not just the most obvious one. After answering, compare your reasoning against the explanation and wrong-answer breakdown below. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.
A security analyst is monitoring logs from the cloud access security broker (CASB) and observes that a user account downloaded 500 GB of data from a highly sensitive SharePoint document library within a single hour. The user's historical baseline shows an average daily download of less than 10 MB. Additionally, the log shows the session originated from an IP address in a country where the company has no employees or business operations. Which of the following actions is the most appropriate for the analyst to take?
Answer choices
- A. Immediately block the user account and the source IP address at the CASB.
- B. Contact the user directly by phone to verify whether they initiated the download.
- C. Initiate the organization's incident response process for a potential data exfiltration event.
- D. Disable the SharePoint document library and remove all user permissions to prevent further data loss.
Correct answer & explanation
Initiate the organization's incident response process for a potential data exfiltration event.
Option C is correct because the combination of a massive data download (500 GB vs. a 10 MB baseline) and a session originating from a country with no business presence strongly indicates a potential data exfiltration event. Initiating the incident response process ensures that the organization follows a structured, documented procedure to contain, analyze, and remediate the threat, preserving forensic evidence and coordinating response actions. The CASB log provides the initial indicators, but the incident response plan is the appropriate framework for handling such high-risk anomalies.
Key principle: Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.
Answer analysis
Option-by-option breakdown
For each option: why learners choose it and why it is or isn't the right answer here.
- ✗ A. Immediately block the user account and the source IP address at the CASB.
  Why it's wrong here: This is too aggressive without confirmation that the activity is malicious. The account could be compromised, but a permanent block may alert an attacker and hinder forensic collection. Containment should be done as part of a coordinated incident response, not as a solo action.
- ✗ B. Contact the user directly by phone to verify whether they initiated the download.
  Why it's wrong here: While verification is useful, this should not be the first step. If the account is compromised, contacting the user may tip off the attacker. The incident response process should be initiated first to ensure proper evidence handling and coordination.
- ✓ C. Initiate the organization's incident response process for a potential data exfiltration event.
  Why this is correct: The combination of anomalous data volume and unusual geolocation strongly suggests a security incident. The analyst should follow the incident response plan, which typically includes preserving logs, engaging the incident response team, and escalating per policy.
  Related concept: Read the scenario before looking for a memorised answer.
- ✗ D. Disable the SharePoint document library and remove all user permissions to prevent further data loss.
  Why it's wrong here: Disabling the entire library would cause a denial of service to legitimate users and is excessive. The focus should be on the specific account and session, not on shutting down the resource for everyone.
Common exam traps
Common exam trap: answer the scenario, not the keyword
The trap here is that candidates may choose to immediately block or contact the user, failing to recognize that the incident response process is the systematic, first-step action for potential data exfiltration, as it balances containment with forensic preservation and legal considerations.
Detailed technical explanation
How to think about this question
Under the hood, CASBs use user and entity behavior analytics (UEBA) to establish baselines (e.g., average daily download volume) and trigger alerts when deviations exceed thresholds (e.g., 50,000x increase). The IP geolocation mismatch is often cross-referenced with corporate VPN and remote access logs to rule out legitimate proxies. In a real-world scenario, the analyst would preserve the CASB logs, capture network flows (NetFlow/IPFIX), and potentially isolate the endpoint via EDR before engaging the incident response team to determine if the data was encrypted or exfiltrated via HTTPS or SMB over QUIC.
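The two indicators the paragraph describes (volume far above a per-user baseline, and a source country with no business presence) can be checked mechanically before an analyst ever sees the alert. The following is an added example, not code from the page or from any CASB product: it assumes a simplified newline-delimited JSON event schema (`ts`, `user`, `bytes`, `src_country`, `action`), constructed baselines of 10 MiB per day, a constructed list of business countries, and a 100x volume-ratio threshold. It aggregates one hour of constructed download events per user and scores each user, treating the combination of both indicators as grounds to open an incident and a single indicator as grounds for triage first, which is the distinction the question turns on.

```python
"""Toy UEBA-style check over constructed CASB download events (added example).

Assumptions (not from the page or any vendor): a JSON-lines event schema with
fields ts, user, bytes, src_country, action; per-user daily byte baselines;
a set of countries where the company operates; a fixed volume-ratio threshold.
"""
import json
from collections import defaultdict

# Constructed sample: one hour of CASB download events for two users.
# "XX" is a placeholder country code standing in for a country with no business presence.
SAMPLE_EVENTS = """
{"ts": "2024-05-01T02:05:00Z", "user": "jdoe", "bytes": 4194304, "src_country": "US", "action": "download"}
{"ts": "2024-05-01T02:10:00Z", "user": "asmith", "bytes": 250000000000, "src_country": "XX", "action": "download"}
{"ts": "2024-05-01T02:40:00Z", "user": "asmith", "bytes": 250000000000, "src_country": "XX", "action": "download"}
{"ts": "2024-05-01T02:50:00Z", "user": "jdoe", "bytes": 2097152, "src_country": "US", "action": "download"}
"""

# Constructed baselines: average bytes downloaded per day, per user (10 MiB each).
BASELINES = {"jdoe": 10 * 1024 * 1024, "asmith": 10 * 1024 * 1024}

# Constructed set of countries where the organization has staff or operations.
BUSINESS_COUNTRIES = {"US", "GB", "DE"}

# Flag volume when the observed bytes exceed this multiple of the daily baseline.
VOLUME_RATIO_THRESHOLD = 100


def parse_events(text):
    """Parse JSON-lines CASB events, keeping only download actions."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        if event.get("action") == "download":
            events.append(event)
    return events


def aggregate_by_user(events):
    """Sum bytes and collect source countries per user for the window."""
    totals = defaultdict(lambda: {"bytes": 0, "countries": set()})
    for event in events:
        record = totals[event["user"]]
        record["bytes"] += int(event["bytes"])
        record["countries"].add(event["src_country"])
    return totals


def evaluate(events, baselines, business_countries, ratio_threshold=VOLUME_RATIO_THRESHOLD):
    """Return one alert per user with at least one indicator.

    Two independent indicators (volume anomaly plus geolocation mismatch) are
    rated high and mapped to opening the incident response process; a single
    indicator is rated medium and mapped to triage and verification first.
    """
    alerts = []
    for user, record in aggregate_by_user(events).items():
        reasons = []
        ratio = None
        baseline = baselines.get(user)
        # A user without a baseline cannot be scored on volume; geo check still applies.
        if baseline:
            ratio = record["bytes"] / baseline
            if ratio >= ratio_threshold:
                reasons.append("volume_anomaly")
        foreign = sorted(record["countries"] - business_countries)
        if foreign:
            reasons.append("geo_mismatch")
        if not reasons:
            continue
        severity = "high" if len(reasons) == 2 else "medium"
        alerts.append({
            "user": user,
            "bytes": record["bytes"],
            "ratio": ratio,
            "foreign_countries": foreign,
            "reasons": reasons,
            "severity": severity,
            "recommended_action": (
                "initiate_incident_response" if severity == "high" else "triage_and_verify"
            ),
        })
    return alerts


if __name__ == "__main__":
    for alert in evaluate(parse_events(SAMPLE_EVENTS), BASELINES, BUSINESS_COUNTRIES):
        print(json.dumps(alert, indent=2))
```

On the constructed input, `jdoe` downloads about 6 MiB from the US and produces no alert, while `asmith` moves 500 GB (roughly 47,000x the 10 MiB baseline) from a non-business country and is scored high with a recommendation to open the incident response process. The ratio threshold and the country list are the tuning knobs a SOC would set from its own baselines; the point of the example is that the decision to escalate rests on the combination of indicators, not on either alone.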
Key Concepts to Remember
- Read the scenario before looking for a memorised answer.
- Find the constraint that changes the correct option.
- Eliminate answers that are true in general but not in this case.
Exam Day Tips
- Watch for words such as best, first, most likely and least administrative effort.
- Review why wrong options are wrong, not only why the correct option is correct.
Key takeaway
Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.
Real-world example
How this comes up in practice
A SOC analyst notices unusual lateral movement in the network at 2 AM. The IR playbook dictates: identify and contain (isolate the affected machine), then eradicate (remove the malware), then recover (restore from backup), then document. Skipping containment before eradication risks the attacker regaining access. Questions like this test the sequence and rationale of incident response phases.
What to study next
Got this wrong? Here's your next step.
Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.
FAQ
Questions learners often ask
What does this SY0-701 question test?
This question tests Security Operations: read the scenario before looking for a memorised answer.
What is the correct answer to this question?
The correct answer is: Initiate the organization's incident response process for a potential data exfiltration event. — Option C is correct because the combination of a massive data download (500 GB vs. a 10 MB baseline) and a session originating from a country with no business presence strongly indicates a potential data exfiltration event. Initiating the incident response process ensures that the organization follows a structured, documented procedure to contain, analyze, and remediate the threat, preserving forensic evidence and coordinating response actions. The CASB log provides the initial indicators, but the incident response plan is the appropriate framework for handling such high-risk anomalies.
What should I do if I get this SY0-701 question wrong?
Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.
What is the key concept behind this question?
Read the scenario before looking for a memorised answer.
About these practice questions
Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content.
Same concept, more angles
8 more ways this is tested on SY0-701
These questions test the same concept from different angles. Work through them to make sure you can recognise it however the exam phrases it.
Variation 1. A security analyst receives an alert about a user account that has been attempting to authenticate from an unusual geographic location outside of business hours. The analyst reviews the event logs and sees that the authentication attempt was successful, but the user has not reported any suspicious activity. Which of the following actions should the analyst take NEXT?
Difficulty: medium
- A. Disable the user account immediately to prevent further access
- ✓ B. Contact the user to verify whether the authentication was legitimate
- C. Continuously monitor the account for additional suspicious activity
- D. Revoke all active sessions for the user account
Why B: The correct next step is to contact the user to verify whether the authentication was legitimate. Since the authentication was successful and the user has not reported suspicious activity, the analyst must first gather context from the user before taking any disruptive action. This aligns with the incident response process of validation and scoping before containment.
Variation 2. A SOC analyst receives an alert that a domain admin account authenticated to a file server at 02:14 from a jump host that is normally used only by the infrastructure team. The Windows logs also show a scheduled task launching a backup script at the same time, and the backup team says the task was created during yesterday's change window. What is the best next step to determine whether this is a false positive?
Difficulty: medium
- A. Disable the domain admin account immediately and wait for the backup team to respond.
- ✓ B. Correlate the authentication event with the change ticket and the scheduled task details.
- C. Escalate the alert as confirmed compromise because the login occurred after hours.
- D. Delete the scheduled task so it cannot be used again.
Why B: Option B is correct because the alert involves a domain admin authentication from a jump host at an unusual time, but the scheduled task was created during a change window. Correlating the authentication event with the change ticket and the scheduled task details allows the SOC analyst to verify if the activity was authorized, preventing unnecessary incident response. This step aligns with the incident response process of validating alerts before taking action.
Variation 3. A SIEM correlates three failed MFA prompts for a payroll admin account from one IP, a successful login two minutes later from the same IP, and a new mailbox forwarding rule to an external address. What is the best immediate action?
Difficulty: medium
- A. Reset the password and leave the account enabled so the user can keep working.
- ✓ B. Disable the account and revoke active sessions and tokens.
- C. Delete the forwarding rule and monitor the account for a few hours.
- D. Wait for the user to confirm the login before taking any action.
Why B: Option B is correct because the combination of failed MFA prompts followed by a successful login and immediate creation of an external mailbox forwarding rule is a classic indicator of account compromise (e.g., adversary-in-the-middle or token theft). Disabling the account and revoking active sessions and tokens stops the attacker from maintaining access and prevents further data exfiltration via the forwarding rule, which is the most urgent containment step in incident response.
Variation 4. A SIEM alert shows five failed logins to an administrator account, followed by a successful login from a new city three minutes later. The account owner says they did not sign in. What should the analyst do first?
Difficulty: easy
- A. Ignore the alert because the login eventually succeeded.
- ✓ B. Temporarily disable the account and open an incident for investigation.
- C. Reset the password only and close the alert.
- D. Reboot the user's laptop to clear any malicious activity.
Why B: Option B is correct because the alert shows a classic indicator of account compromise: multiple failed logins followed by a successful authentication from an unusual location. The account owner's denial of the login confirms unauthorized access, so the immediate priority is to contain the threat by disabling the account and opening an incident for formal investigation. This aligns with the NIST SP 800-61 incident response process, specifically the containment phase before eradication or recovery.
Variation 5. A SIEM alert shows a payroll administrator account signed in at 02:10 from a country the employee has never visited. The employee says they are on vacation at home and did not travel. What should the analyst do first?
Difficulty: easy
- A. Immediately disable the account and wait for the employee to return.
- ✓ B. Verify the login context with the user or manager and review recent authentication history.
- C. Close the alert as a false positive because the user is on vacation.
- D. Reimage the user's workstation before checking any logs.
Why B: Option B is correct because the first step in incident response is to verify the alert's validity and gather context before taking action. The analyst should review the SIEM logs for authentication details (e.g., source IP, geolocation, timestamp) and confirm with the user or manager whether the login was expected. This aligns with the NIST SP 800-61 incident response process, which emphasizes triage and validation before containment.
Variation 6. A privileged cloud administrator account shows two suspicious events: an API key was created from an unfamiliar IP address, and a mailbox forwarding rule was added five minutes later. The account is still active and may be in attacker control. Which two actions should the analyst take first to preserve evidence while limiting additional abuse? Select two.
Difficulty: hard
- ✓ A. Export the relevant identity and audit logs before making changes, so the original event trail is preserved.
- ✓ B. Revoke the suspicious API key or active session token, so the attacker loses immediate access.
- C. Delete the mailbox forwarding rule and empty the trash folder, so the attacker cannot read old messages.
- D. Reimage the admin workstation immediately, because the issue must have started on the endpoint.
- E. Disable all company email for every user until the account investigation is finished.
Why A: Option A is correct because exporting identity and audit logs before any changes preserves the original event trail, which is critical for forensic analysis and chain of custody. If logs are altered or rotated after the fact, evidence of the attacker's actions (e.g., API key creation from an unfamiliar IP) could be lost or overwritten, hindering the investigation.
Variation 7. After a phishing account compromise has been contained and the attacker’s mailbox forwarding rule was removed, what should the team do next?
Difficulty: easy
- A. Stop the investigation because the forwarding rule was deleted.
- ✓ B. Reset credentials and verify there are no other persistence methods before recovery.
- C. Close the ticket and tell the user to be more careful next time.
- D. Wait one week before taking any action so the attacker does not notice.
Why B: After removing a mailbox forwarding rule, the team must reset the compromised account's credentials and verify that no other persistence mechanisms (e.g., additional forwarding rules, OAuth app grants, or mailbox delegation) remain. This ensures the attacker cannot regain access using cached credentials or alternate backdoors, which is critical before returning the account to production.
Variation 8. Based on the exhibit, what should the team do next after the account has been contained?
Difficulty: medium
- A. Close the incident because the password reset removed the attacker from the environment.
- ✓ B. Remove mailbox persistence, revoke all tokens and app consent, then monitor for reentry.
- C. Reimage the user's laptop before reviewing mailbox settings.
- D. Restore the mailbox from backup to remove the forwarding rule and keep the user productive.
Why B: Option B is correct because after containing a compromised account (e.g., disabling it or resetting its password), the attacker may still have established persistence mechanisms such as mailbox forwarding rules, OAuth app consent grants, or session tokens that survive a password reset. Removing these artifacts and revoking all tokens and app consents ensures the attacker cannot regain access via delegated permissions or persistent mailbox rules. Monitoring for reentry is critical to detect any residual access or new compromise attempts.
Last reviewed: Jun 11, 2026
This SY0-701 practice question is part of Courseiva's free CompTIA certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the SY0-701 exam.