Security Operations practice questions

Use this page to practise Security Operations questions for this certification. Focus on how the exam tests security operations in scenario format — understanding the why behind each answer builds more durable knowledge than memorising options.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed by Johnson Ajibi · MSc IT Security
20 questions · Domain: Security Operations

What the exam tests

What to know about Security Operations

Security Operations questions on this certification test your ability to deploy and manage security operations concepts in scenario-based situations.

Core Security Operations concepts and how they apply in real-world cloud scenarios.

How to deploy security operations correctly and verify the outcome.

Troubleshooting security operations issues by interpreting error output and system state.

Cloud best practices and Security Operations design trade-offs tested by this certification.

Watch out for

Common Security Operations exam traps

  • Selecting the most expensive service when a simpler managed option meets the requirement.
  • Forgetting that cloud resources must be explicitly secured — defaults are rarely secure.
  • Choosing a global service fix when the issue is region-specific.
  • Overlooking cost implications of cross-region data transfer in architecture questions.

Practice set

Security Operations questions

20 questions · select your answer, then reveal the explanation

A security analyst discovers that a user's account has been used to access sensitive data outside of normal business hours from an unfamiliar IP address. The user claims they were not logged in at that time. Which security operations process should be initiated first?

A SOC analyst reviews an alert indicating a high number of failed login attempts from a single external IP address targeting multiple user accounts. Which security control is most effective at preventing this type of attack?

An organization's security policy requires that all network traffic logs be retained for at least one year. The SIEM system is running low on storage, and the administrator must decide which data to archive first. Which data set is the least critical for ongoing security monitoring and can be archived earliest?

During a routine security audit, an analyst finds that several critical servers have misconfigured firewall rules allowing inbound SSH access from the entire internet. Which immediate action should the analyst take?

A security operations center receives an alert that a workstation has been infected with ransomware. The infection is isolated to one machine. What is the first step in the containment phase of incident response?

An organization uses a SIEM to correlate logs from multiple sources. A rule triggers when a user logs in from two geographically distant locations within a short time. What type of attack does this rule primarily detect?

A company's security policy requires that all incident response activities be logged and that evidence be preserved for potential legal action. During an incident, a responder mistakenly uses a personal USB drive to copy log files. Which principle of forensic evidence handling has been violated?

A SOC analyst notices that a large volume of outbound traffic is occurring from a single workstation to an external IP address known to be associated with a command-and-control server. What is the most likely conclusion?

An organization has implemented a SIEM solution. The security team wants to detect when a user attempts to access a file they do not have permission to read. Which log source is most important for this detection?

Which TWO of the following are common indicators of a phishing email? (Select TWO.)

Which THREE of the following are best practices for securing a network firewall? (Select THREE.)

Which TWO of the following are types of security controls used in defense in depth? (Select TWO.)

Which THREE of the following are essential components of an incident response plan? (Select THREE.)

Refer to the exhibit. The IDS alert indicates a possible SpyEye botnet check-in from an internal host. What immediate action should the analyst take?

Exhibit

```
[IDS Alert] Signature: ET TROJAN Win32/SpyEye Checkin
Source IP: 10.10.10.5 -> Destination IP: 203.0.113.50
Time: 2023-03-15 14:32:45
Alert: Priority 1
```

Refer to the exhibit. A security analyst reviews this log entry. What type of attack is most likely occurring?

Exhibit

```
[Windows Security Log]
Event ID 4625: An account failed to log on.
Account Name: jdoe
Source Network Address: 192.168.1.100
Failure Reason: Unknown user name or bad password.
Count: 15 occurrences in 5 minutes.
```
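The exhibit above, and the earlier question about many failed logins from one external IP against many accounts, are both threshold patterns a SIEM rule can classify. The following is an added example, not from this page: the records are constructed in a one-line form rather than the exhibit's multi-line layout, the 15-in-5-minutes threshold is the exhibit's, and the 5-account spray threshold is an assumption.

```python
"""Sliding-window detection over Windows Event ID 4625 (failed logon) records.
Added example, not from the practice page: records are constructed in a one-line
form; the 15-in-5-minutes threshold is the exhibit's, the spray threshold is assumed."""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)
BRUTE_THRESHOLD = 15   # failures against one account from one source (exhibit)
SPRAY_THRESHOLD = 5    # distinct accounts tried from one source (assumed)

BASE = datetime(2023, 3, 15, 14, 30)
SAMPLE_LINES = (
    # constructed: 15 failures against jdoe from one source, 18 s apart
    [f"{(BASE + timedelta(seconds=18 * i)).isoformat()} 4625 account=jdoe src=192.168.1.100"
     for i in range(15)]
    # constructed: one failure each against six accounts from another source
    + [f"{(BASE + timedelta(seconds=20 * i)).isoformat()} 4625 account=user{i} src=203.0.113.9"
       for i in range(6)]
    # constructed: a single typo, then a successful logon (4624) that is ignored
    + [f"{BASE.isoformat()} 4625 account=asmith src=10.0.0.7",
       f"{BASE.isoformat()} 4624 account=asmith src=10.0.0.7"]
)

def parse_event(line):
    """Return (timestamp, account, source) for a 4625 record, else None."""
    ts, event_id, account, src = line.split()
    if event_id != "4625":
        return None
    return (datetime.fromisoformat(ts), account.split("=", 1)[1], src.split("=", 1)[1])

def detect(lines):
    """Map each source to 'brute force' or 'password spray' when a WINDOW crosses a threshold."""
    by_src = defaultdict(list)
    for ev in filter(None, map(parse_event, lines)):
        by_src[ev[2]].append(ev[:2])          # (timestamp, account) per source
    findings = {}
    for src, evs in by_src.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > WINDOW:
                start += 1                    # drop events that fell out of the window
            window = evs[start:end + 1]
            accounts = {acct for _, acct in window}
            if len(accounts) >= SPRAY_THRESHOLD:
                findings[src] = "password spray"
                break
            if len(window) >= BRUTE_THRESHOLD and len(accounts) == 1:
                findings[src] = "brute force"
                break
    return findings
```

The distinction matters for response: a spray from one source is stopped by blocking or rate-limiting the source, while a single-account burst also calls for checking whether that account was eventually compromised.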

Refer to the exhibit. A security engineer reviews this firewall ACL. Which of the following best describes the security posture?

Exhibit

```
[Firewall Config]
access-list 100 permit tcp any host 10.0.1.10 eq 443
access-list 100 deny tcp any any eq 22
access-list 100 permit ip any any
```
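The posture question above turns on first-match evaluation and the implicit deny at the end of an ACL. The following is an added example, not from this page: the ACL text is the exhibit's, while the parser, the sample flows and the default_allow check are constructed for this example and only understand the any/host address forms the exhibit uses.

```python
"""First-match evaluation of the exhibit's Cisco-style ACL.
Added example, not from the practice page: the ACL text is the exhibit's, the
sample flows and the posture check are constructed for this example."""
import ipaddress

ACL_TEXT = """
access-list 100 permit tcp any host 10.0.1.10 eq 443
access-list 100 deny tcp any any eq 22
access-list 100 permit ip any any
"""

def _take_addr(tok):
    """Consume one address spec ('any' or 'host <ip>') and return it as a network."""
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1] + "/32"), tok[2:]
    raise ValueError(f"unsupported address form: {tok[0]}")

def parse_acl(text):
    """Parse 'access-list <n> <action> <proto> <src> <dst> [eq <port>]' lines
    into (action, proto, src_net, dst_net, dport_or_None) tuples, in order."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        action, proto, rest = tok[2], tok[3], tok[4:]
        src, rest = _take_addr(rest)
        dst, rest = _take_addr(rest)
        port = int(rest[1]) if rest[:1] == ["eq"] else None
        rules.append((action, proto, src, dst, port))
    return rules

def evaluate(rules, proto, src, dst, dport):
    """Action of the first matching rule; an ACL ends with an implicit deny."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, rproto, rsrc, rdst, rport in rules:
        if rproto != "ip" and rproto != proto:   # 'ip' matches every protocol
            continue
        if src not in rsrc or dst not in rdst:
            continue
        if rport is not None and rport != dport:
            continue
        return action
    return "deny"

def default_allow(rules):
    """True when the last rule is a catch-all permit, so the implicit deny is
    never reached and only the explicit deny lines block anything."""
    action, proto, src, dst, port = rules[-1]
    return (action, proto, port) == ("permit", "ip", None) and src.prefixlen == 0 and dst.prefixlen == 0
```

Running the constructed flows shows that with the exhibit's ACL only SSH is blocked and every other port and protocol is permitted; dropping the final line makes the implicit deny take effect.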

A medium-sized e-commerce company operates a web application on three virtual servers behind a load balancer. The application handles credit card payments and stores customer data in a database server. The company has a security operations team that monitors logs from firewalls, IDS, and servers. One morning, the IDS generates a critical alert indicating a SQL injection attempt from an external IP to the web application. The alert shows that the injection string was ' OR '1'='1' -- . The web server logs confirm that the request returned a 200 OK status and a large response size. The database logs show a query that returned multiple rows. The security analyst needs to determine the best immediate course of action. The company has a documented incident response plan that includes containment, eradication, and recovery phases. Which action should the analyst take first?

A financial institution has a security operations center that monitors network traffic using a SIEM. The SIEM receives logs from all network devices, servers, and endpoints. One analyst notices an anomaly: a user account, 'jsmith', which is normally used during business hours (9 AM to 5 PM), has been logging in from a remote IP address at 2 AM every day for the past week. The logins are successful, and the user is accessing internal file shares. The user jsmith works in the accounting department and has access to sensitive financial reports. The analyst checks the user's workstation logs and finds that the workstation is powered off at the time of the remote logins. The company uses two-factor authentication, but the log entries show that only the password was used. Which of the following is the most likely explanation and the best immediate action?

A company's security operations center (SOC) receives an alert about suspicious outbound traffic from a server in the DMZ to an external IP address known for command-and-control activity. The SOC analyst reviews the logs and sees that the source port is 443 and the destination port is 8080. Which of the following actions should the analyst take FIRST?

A SOC analyst is investigating a potential data exfiltration incident. The logs show that an internal user transferred a large volume of data to a cloud storage service using HTTPS. The analyst finds that the user's workstation has BitLocker Drive Encryption enabled, and the user has administrative privileges. Which of the following best describes the PRIMARY challenge in investigating this incident?

Frequently asked questions

What does the CC exam test about Security Operations?
Security Operations questions on this certification test your ability to deploy and manage security operations concepts in scenario-based situations.

How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.

Can I practise just Security Operations questions in a focused session?
Yes — the session launcher on this page draws every question from the Security Operations domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.

Where can I practise other CC topics?
Use the topic links above to move to related areas, or go back to the CC question bank to see all topics.

Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the CC exam covers. They are not copied from any real exam or dump site.