Question 55 of 1,152
Security Operations · hard · Multiple Choice · Objective-mapped

Quick Answer

The correct answer is to classify the alert as a likely false positive, verify it against the maintenance record, and tune the rule. The fixed 15-minute cadence is not the discriminator on its own: real command-and-control beacons are periodic too, which is exactly why the SIEM rule exists. What tips the balance is the context around the cadence. The destination is the vendor's documented update host, resolved by the server itself to the same address both times; the connecting process carries an approved vendor signature according to EDR; the CMDB lists the asset as a patch management server; and both connections fall inside its daily 10:00-10:30 maintenance window. On the Security+ SY0-701 exam this scenario tests whether you can separate benign scheduled activity from a real threat by correlating an alert's timing, destination and process with operational baselines instead of reacting to the alert text alone. "Likely" matters: the analyst still confirms the pattern against the change or maintenance record before closing the alert, because attackers do abuse legitimate update domains and signed binaries, and the tuning should be scoped to this host, process, domain and window rather than silencing the beaconing rule outright. Remember the mnemonic "PATTERN" for false-positive analysis: Pattern matches the baseline, Asset role explains it, Time fits the window, Trusted signed process, Evaluate the rule, Record the finding, Narrow the exception.

SY0-701 Security Operations Practice Question

This SY0-701 practice question tests your understanding of security operations. Read the scenario carefully and evaluate each option against the stated constraints before committing to an answer. Once you have made your selection, compare your reasoning against the full explanation and the wrong-answer breakdown below to reinforce the concept and understand why each distractor is designed to mislead on exam day.

Exhibit

10:00:02 patch-srv-12  service 'AcmePatchAgent' started by NT AUTHORITY\SYSTEM
10:00:05 patch-srv-12  DNS query: updates.acmecorp.com -> 198.51.100.44
10:00:05 patch-srv-12  outbound TLS connection to 198.51.100.44:443
10:00:07 SIEM rule 'possible beaconing every 15 minutes' triggered
10:15:03 patch-srv-12  DNS query: updates.acmecorp.com -> 198.51.100.44
10:15:03 patch-srv-12  outbound TLS connection to 198.51.100.44:443
10:15:04 EDR metadata: process hash matches approved vendor signature
CMDB: Asset group = Patch Management Server; maintenance window = daily 10:00-10:30

Based on the exhibit, what is the most likely SOC conclusion and next action?

A beaconing-detection rule fired on a server that repeatedly connects to a vendor update site at fixed intervals. The security team wants to know whether the alert represents a real threat or a harmless operational pattern.

Clue words in this question

Noticing these words before you look at the options changes how you read each choice.

  • Clue: "most likely"

    Why it matters: Probability qualifier — the question wants the most probable cause or outcome, not a guaranteed one. Eliminate low-probability options.

Answer choices

  A. Treat the activity as confirmed command-and-control traffic and isolate the server immediately.
  B. Classify the alert as a likely false positive, verify it against the maintenance record, and tune the rule.
  C. Assume DNS poisoning is occurring and immediately flush the DNS cache on every endpoint.
  D. Open a credential theft incident and reset all administrator passwords across the environment.

Why each option matters

Answer the question above first, then reveal the full breakdown to understand why each option is right or wrong.

Correct answer & explanation

Classify the alert as a likely false positive, verify it against the maintenance record, and tune the rule.

The alert fired because the connections recur at a fixed interval, but the destination is the vendor's documented update host, the process is signed and approved, and the traffic sits inside the asset's maintenance window; together these point to a legitimate update or heartbeat mechanism rather than malicious C2 traffic. Option B correctly directs the analyst to verify against the maintenance and change records (confirming the pattern is expected) and then tune the rule so the same known-good behaviour stops firing, which is the standard SOC workflow for benign scheduled activity.

Key principle: Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Answer analysis

Option-by-option breakdown

For each option: why learners choose it and why it is or isn't the right answer here.

  • Treat the activity as confirmed command-and-control traffic and isolate the server immediately.

    Why it's wrong here

    Isolation would be appropriate if the destination or process were unrecognised or tampered with, or if the connections fell outside the documented maintenance window. Nothing in the exhibit shows that, and isolating a patch management server on an unverified alert carries its own operational cost.

  • Classify the alert as a likely false positive, verify it against the maintenance record, and tune the rule.

    Why this is correct

    The logs show a signed, approved patch agent on a server explicitly assigned to patch management, connecting to the vendor update host on a predictable schedule inside its maintenance window. That pattern matches normal operations rather than covert beaconing. The best SOC action is to validate the asset and change context, document the finding, and tune the detection with an exception scoped to this host, process, domain and window rather than allowlisting the destination IP or disabling the rule.

    Clue confirmation

    The clue word "most likely" in the question points toward this answer.

    Related concept

    Read the scenario before looking for a memorised answer.

  • Assume DNS poisoning is occurring and immediately flush the DNS cache on every endpoint.

    Why it's wrong here

    DNS poisoning would need evidence of wrong or inconsistent name resolution, for example updates.acmecorp.com resolving to an unexpected address or changing between queries. Here both queries return 198.51.100.44, which is also the address the signed agent connects to.

  • Open a credential theft incident and reset all administrator passwords across the environment.

    Why it's wrong here

    Nothing in the exhibit indicates account misuse, token theft, or suspicious authentication behavior from this host.

Common exam traps

Common exam trap: answer the scenario, not the keyword

The trap here is that candidates see 'fixed intervals' and immediately think of C2 beaconing. Periodicity by itself is ambiguous: update agents, heartbeats and real beacons all produce it. The differentiators are the context fields, a documented vendor destination, a signed and approved process, a patch management asset role and a matching maintenance window, which together point to a false positive rather than a threat.

Detailed technical explanation

How to think about this question

Under the hood, scheduled update checks typically issue HTTPS requests to a fixed vendor URL (here updates.acmecorp.com) on a predictable timer, 15 minutes in the exhibit, though daily or longer intervals are also common. Security teams verify such an alert by checking the resolved address against threat intelligence and the vendor's published ranges, confirming that the connecting process is the expected signed binary, and correlating the timing with the CMDB maintenance window and change management records. Inspecting the User-Agent string (e.g., 'VendorUpdateAgent/1.0') is only possible where TLS inspection is in place; without it, the server name in the TLS handshake and the certificate presented by the destination are the usable network-side clues. Tuning the rule means adding a narrow exception keyed on the source host, destination domain, approved process and maintenance window, not suppressing the beaconing rule or allowlisting the IP address on its own, so that the same host beaconing to a different destination, or a different process reaching the same one, still alerts.
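The triage logic described in the Quick Answer, the correct-option analysis and the paragraph above, written out as an added example (not code from the page, from Courseiva or from any SIEM vendor): the untuned periodicity rule run over the exhibit's log lines, the context checks an analyst runs before calling it a false positive, and the scoped exception that results. The CMDB, EDR and allowlist lookups are plain dicts standing in for real integrations, and web-srv-03 with its 203.0.113.7 destination is a constructed second host added to show the tuned rule still firing when the context is absent.

```python
import re
from collections import defaultdict
from datetime import datetime, time

# Constructed sample log: the exhibit's DNS and connection lines plus a hypothetical
# second host (web-srv-03) beaconing on the same 15-minute cadence with no context.
LOG = """\
10:00:05 patch-srv-12  DNS query: updates.acmecorp.com -> 198.51.100.44
10:00:05 patch-srv-12  outbound TLS connection to 198.51.100.44:443
10:15:03 patch-srv-12  DNS query: updates.acmecorp.com -> 198.51.100.44
10:15:03 patch-srv-12  outbound TLS connection to 198.51.100.44:443
11:00:00 web-srv-03  outbound TLS connection to 203.0.113.7:443
11:15:01 web-srv-03  outbound TLS connection to 203.0.113.7:443
11:30:00 web-srv-03  outbound TLS connection to 203.0.113.7:443
"""
# Constructed stand-ins for the CMDB and EDR lookups (dicts, not real APIs).
CMDB = {"patch-srv-12": {"asset_group": "Patch Management Server",
                         "window": (time(10, 0), time(10, 30))},
        "web-srv-03": {"asset_group": "Web Server", "window": None}}
EDR = {"patch-srv-12": {"process": "AcmePatchAgent", "approved_signature": True},
       "web-srv-03": {"process": "svchost.exe", "approved_signature": False}}
# Update domains documented as expected for each asset role.
EXPECTED_DOMAINS = {"Patch Management Server": {"updates.acmecorp.com"}}

DNS_RE = re.compile(r"^(\S+) (\S+)\s+DNS query: (\S+) -> (\S+)$")
CONN_RE = re.compile(r"^(\S+) (\S+)\s+outbound TLS connection to ([\d.]+):(\d+)$")

def secs(t):
    return t.hour * 3600 + t.minute * 60 + t.second

def parse(log):
    """Return (connections, dns): connections as (host, seconds, ip, port);
    dns maps (host, ip) -> the names that host itself resolved to that ip."""
    conns, dns = [], defaultdict(set)
    for line in log.splitlines():
        if m := CONN_RE.match(line):
            ts, host, ip, port = m.groups()
            conns.append((host, secs(datetime.strptime(ts, "%H:%M:%S").time()), ip, int(port)))
        elif m := DNS_RE.match(line):
            _, host, name, ip = m.groups()
            dns[(host, ip)].add(name)
    return conns, dns

def detect_beacons(conns, min_hits=2, jitter_s=30):
    """Untuned SIEM rule: flag (host, dst, port) whose connections recur at a
    near-constant interval. Periodicity alone decides here, as in the exhibit."""
    by_pair = defaultdict(list)
    for host, t, ip, port in conns:
        by_pair[(host, ip, port)].append(t)
    alerts = []
    for (host, ip, port), times in by_pair.items():
        times.sort()
        if len(times) < min_hits:
            continue
        gaps = [b - a for a, b in zip(times, times[1:])]
        period = sum(gaps) / len(gaps)
        if max(abs(g - period) for g in gaps) <= jitter_s:
            alerts.append({"host": host, "dst_ip": ip, "port": port, "period_s": round(period),
                           "hits": len(times), "first": times[0], "last": times[-1]})
    return alerts

def in_window(window, alert):
    return bool(window) and all(secs(window[0]) <= t <= secs(window[1])
                                for t in (alert["first"], alert["last"]))

def triage(alert, dns, cmdb, edr):
    """Context checks behind 'likely false positive'. All must pass; the failed
    list is what goes in the ticket when they do not."""
    host, ip = alert["host"], alert["dst_ip"]
    asset, proc = cmdb.get(host, {}), edr.get(host, {})
    names = dns.get((host, ip), set())
    expected = EXPECTED_DOMAINS.get(asset.get("asset_group"), set())
    checks = {  # destination: the host resolved a vendor name documented for its role
        "destination_is_documented_vendor": bool(names & expected),
        "process_signature_approved": bool(proc.get("approved_signature")),
        "inside_maintenance_window": in_window(asset.get("window"), alert)}
    failed = [k for k, ok in checks.items() if not ok]
    if failed:
        return {"verdict": "investigate", "failed_checks": failed}
    return {"verdict": "likely false positive",
            "exception": {"host": host, "domain": min(names & expected),
                          "process": proc["process"], "window": asset["window"]}}

def is_suppressed(alert, dns, edr, exceptions):
    """Tuned rule: suppress only when host, vendor domain, approved process and
    window all match a documented exception; never on the IP or cadence alone."""
    names = dns.get((alert["host"], alert["dst_ip"]), set())
    proc = edr.get(alert["host"], {})
    return any(ex["host"] == alert["host"] and ex["domain"] in names
               and ex["process"] == proc.get("process") and proc.get("approved_signature")
               and in_window(ex["window"], alert) for ex in exceptions)

def run(log=LOG):
    """Fire the raw rule, triage each alert, then re-run with the exceptions
    triage produced. Returns (verdict per host, hosts still firing)."""
    conns, dns = parse(log)
    alerts = detect_beacons(conns)
    verdicts = {a["host"]: triage(a, dns, CMDB, EDR) for a in alerts}
    exceptions = [v["exception"] for v in verdicts.values() if "exception" in v]
    still_firing = sorted(a["host"] for a in alerts if not is_suppressed(a, dns, EDR, exceptions))
    return verdicts, still_firing

if __name__ == "__main__":
    print(run())
```

The raw rule fires on both hosts because both are periodic. Triage clears patch-srv-12 only after every context check passes and hands back an exception bound to that host, domain, process and window; the exception is added only once the change or maintenance record confirms the job. web-srv-03 fails every check and keeps alerting after tuning, which is the behaviour a scoped exception must preserve.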

Key Concepts to Remember

  • Read the scenario before looking for a memorised answer.
  • Find the constraint that changes the correct option.
  • Eliminate answers that are true in general but not in this case.

Exam Day Tips

  • Watch for words such as best, first, most likely and least administrative effort.
  • Review why wrong options are wrong, not only why the correct option is correct.

Key takeaway

Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Real-world example

How this comes up in practice

A SOC analyst receives a 'possible beaconing' alert for a server calling out every 15 minutes. Before escalating, they pull the CMDB entry (asset role and maintenance window), the EDR verdict on the connecting process and the DNS record the host used, then check the change calendar for a matching update job. If every piece lines up, the finding is documented as a false positive and a scoped exception is added to the rule; if any piece is missing, for instance the process is unsigned or the destination is not on the vendor list, the alert is worked as a potential C2 case and the host is contained. Questions like this test whether you verify an alert against operational context before choosing containment.

What to study next

Got this wrong? Here's your next step.

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.

Related practice questions

Related SY0-701 practice-question pages

Use these pages to review the topic behind this question. This is how one missed question becomes focused revision.

Practice this exam

Start a free SY0-701 practice session

Short sessions build daily habit. Longer sessions build exam-day stamina. Try a timed session to simulate real conditions.

FAQ

Questions learners often ask

What does this SY0-701 question test?

Security Operations. This question tests whether you read the scenario before looking for a memorised answer.

What is the correct answer to this question?

The correct answer is: Classify the alert as a likely false positive, verify it against the maintenance record, and tune the rule. The alert fired because the connections recur at a fixed interval, but the destination is the vendor's documented update host, the process is signed and approved, and the traffic sits inside the asset's maintenance window, which together point to a legitimate update or heartbeat mechanism rather than malicious C2 traffic. Option B correctly directs the analyst to verify against the maintenance and change records (confirming the pattern is expected) and then tune the rule so the same known-good behaviour stops firing, which is the standard SOC workflow for benign scheduled activity.

What should I do if I get this SY0-701 question wrong?

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.

Are there clue words in this question I should notice?

Yes — watch for: "most likely". Probability qualifier — the question wants the most probable cause or outcome, not a guaranteed one. Eliminate low-probability options.

What is the key concept behind this question?

Read the scenario before looking for a memorised answer.

About these practice questions

Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content. Learn why practice questions differ from exam dumps →

How Courseiva writes practice questions · Editorial policy

Last reviewed: Jun 11, 2026


This SY0-701 practice question is part of Courseiva's free CompTIA certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the SY0-701 exam.