CompTIA Security+ SY0-701: Security Operations

Try 10 focused CompTIA Security+ SY0-701 questions on Security Operations, with explanations, then continue with IT Mastery.


Topic snapshot

Field | Detail
Exam route | CompTIA Security+ SY0-701
Topic area | Security Operations
Blueprint weight | 28%
Page purpose | Focused sample questions before returning to mixed practice

How to use this topic drill

Use this page to isolate Security Operations for CompTIA Security+ SY0-701. Work through the 10 questions first, then review the explanations and return to mixed practice in IT Mastery.

Pass | What to do | What to record
First attempt | Answer without checking the explanation first. | The fact, rule, calculation, or judgment point that controlled your answer.
Review | Read the explanation even when you were correct. | Why the best answer is stronger than the closest distractor.
Repair | Repeat only missed or uncertain items after a short break. | The pattern behind misses, not the answer letter.
Transfer | Return to mixed practice once the topic feels stable. | Whether the same skill holds up when the topic is no longer obvious.

Blueprint context: 28% of the practice outline. A focused topic score can overstate readiness if you recognize the pattern too quickly, so use it as repair work before timed mixed sets.

Sample questions

These questions are original IT Mastery practice items aligned to this topic area. They are designed for self-assessment and are not official exam questions.

Question 1

Topic: Security Operations

A security analyst is investigating suspicious remote logins to a Linux web server from unfamiliar IP addresses. The goal is to understand how accounts were accessed and whether the attacker moved laterally from this host. Which TWO data sources should the analyst prioritize collecting to support this investigation? (Select TWO.)

Options:

  • A. Daily configuration backups from core switches and routers

  • B. Historical CPU and memory utilization graphs from the server monitoring tool

  • C. Web server access logs that record client IP addresses, timestamps, and requested URLs

  • D. Operating system authentication logs that record SSH and local logon attempts and results

  • E. Results of the last quarterly external vulnerability scan against the web server

Correct answers: C and D

Explanation: This question focuses on which data sources to capture for a login-focused investigation, which is a core part of basic digital forensics and incident response in Security+ Domain 4.

When investigating suspicious logins, the primary need is event-level evidence that shows:

  • Who attempted to log in (usernames/accounts)
  • Whether the attempts succeeded or failed
  • Where they came from (source IPs/hosts)
  • When they occurred (timestamps)
  • What actions the account performed after authentication

Web server access logs provide visibility into incoming HTTP(S) requests, including client IPs, timestamps, URLs, and often user identity (for authenticated sessions). Operating system authentication logs provide a record of SSH and local login attempts and results, including usernames and source IP addresses.

Together, these two sources let an analyst reconstruct the authentication activity and correlate specific suspicious IPs or usernames with concrete events. By contrast, configuration backups, performance metrics, and old vulnerability scans may be useful for context but do not directly show who logged in and what they did, so they are not the priority evidence sources for this specific type of investigation.


Question 2

Topic: Security Operations

During an investigation of suspected data exfiltration by a terminated employee, the security team believes the affected workstation may need to be used as evidence in a potential lawsuit and regulatory inquiry. The team wants to ensure any evidence they collect remains admissible and defensible. Which of the following actions/controls will BEST meet these requirements? (Select TWO.)

Options:

  • A. Run anti-malware and disk cleanup utilities on the original workstation to quickly remove any malicious tools.

  • B. Allow only the system owner to access and review the evidence so they can explain technical details to investigators.

  • C. Maintain a detailed chain-of-custody log every time the workstation or evidence media changes hands.

  • D. Power off the workstation immediately by unplugging it to ensure that no additional changes occur in memory or on disk.

  • E. Create a forensic disk image using a write-blocker and record cryptographic hash values of both the original and the image.

Correct answers: C and E

Explanation: This scenario focuses on the goals of digital forensics when evidence may be used in legal cases or regulatory inquiries. Forensics is not just about finding out what happened; it is also about preserving and documenting evidence so that it can stand up to external scrutiny.

For admissibility and defensibility, investigators must show that the evidence is authentic, reliable, and unaltered. Two core practices support this:

  • Maintaining a complete chain of custody so every transfer of evidence is logged.
  • Preserving the original data and using forensic copies with hash verification for analysis.

Option review:

  • ✔ Maintain a detailed chain-of-custody log: Directly addresses the need to support legal and regulatory processes by proving who handled the evidence and when.
  • ✔ Create a forensic disk image with a write-blocker and record hash values: Protects the original evidence while enabling analysis, and hash values provide a way to prove the data was not changed.
  • ✖ Run anti-malware and disk cleanup on the original workstation: Destroys or alters evidence, making it less credible in any formal investigation.
  • ✖ Allow only the system owner to access and review the evidence: Ignores proper roles and procedures and does not, by itself, improve evidentiary quality or integrity.
  • ✖ Power off the workstation by unplugging it: Can destroy volatile data and is not a control focused on legal defensibility; proper collection and documentation are more important to support proceedings.

By focusing on evidence integrity and documented handling, the correct actions align with the core goals of digital forensics in supporting investigations, regulatory inquiries, and legal proceedings.
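The two selected controls in code form, as an added example that is not part of the original practice item: a block-by-block forensic copy hashed on the way in, an independent re-hash of both original and image, and a chain-of-custody entry recording who acquired it and the hash values. The "disk" is a constructed byte buffer and the write-blocker is simulated by never opening the original for writing.

```python
"""Added example (not from the page): forensic copy with hash verification
and a chain-of-custody record, the two controls Question 2 selects.
The 'evidence' is a constructed byte buffer standing in for a disk."""
import hashlib
import io
from datetime import datetime, timezone

# Constructed sample evidence: pretend this is the raw disk of the workstation.
ORIGINAL_DISK = (b"MBR\x00" * 64) + b"user files: quarterly-report.xlsx, customer-list.csv"

CHUNK = 4096  # read in fixed blocks, as an imaging tool would


def image_and_hash(source, dest):
    """Copy source -> dest block by block, hashing the source as it is read.
    Returns the SHA-256 hex digest of everything read from source."""
    h = hashlib.sha256()
    while True:
        block = source.read(CHUNK)
        if not block:
            break
        h.update(block)
        dest.write(block)
    return h.hexdigest()


def sha256_of(stream):
    """Independent re-read of a stream to hash it (run on original and image)."""
    h = hashlib.sha256()
    for block in iter(lambda: stream.read(CHUNK), b""):
        h.update(block)
    return h.hexdigest()


def acquire(original_bytes, custody_log, handler):
    """Image the evidence, verify image hash == original hash, record custody."""
    # Simulated write-blocker: the original is only ever read, never written.
    original = io.BytesIO(original_bytes)
    image = io.BytesIO()
    hash_during_copy = image_and_hash(original, image)
    original.seek(0)
    original_hash = sha256_of(original)
    image.seek(0)
    image_hash = sha256_of(image)
    verified = original_hash == image_hash == hash_during_copy
    custody_log.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "handler": handler,
        "action": "forensic image acquired",
        "original_sha256": original_hash,
        "image_sha256": image_hash,
        "verified": verified,
    })
    return image.getvalue(), verified


def verify_later(image_bytes, custody_log):
    """Re-hash the image before analysis and compare with the recorded value,
    so any alteration since acquisition is detected."""
    recorded = custody_log[-1]["image_sha256"]
    return hashlib.sha256(image_bytes).hexdigest() == recorded
```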


Question 3

Topic: Security Operations

A SOC analyst is tuning SIEM use cases to quickly flag possible data exfiltration from the company’s file servers to the internet. The security manager specifically wants alerts for unusually large outbound transfers and traffic to unexpected external destinations or protocols.

Which of the following actions/controls will BEST meet these requirements? (Select TWO.)

Options:

  • A. Create a correlation rule to alert when endpoints initiate new outbound connections using uncommon protocols (such as FTP or SSH) to foreign IP ranges not normally contacted by the organization.

  • B. Alert whenever antivirus detects and quarantines malware on a workstation.

  • C. Monitor and alert when a server’s CPU utilization exceeds 90% for more than 10 minutes.

  • D. Generate an alert when a user has more than five failed VPN login attempts within five minutes.

  • E. Configure a SIEM alert when a single internal host uploads more than 10GB of data to one external IP address within one hour.

Correct answers: A and E

Explanation: This scenario is about configuring monitoring to detect data exfiltration, which is the unauthorized transfer of data out of an organization’s environment. Common indicators of compromise (IOCs) for exfiltration include unusually large outbound data transfers, connections to unexpected or rare external destinations, and use of uncommon protocols (such as FTP or SSH) that are not part of normal business traffic.

A Security+‑level practitioner should be able to map these requirements to specific, concrete SIEM or firewall rules that watch for large outbound volumes and unusual destinations/protocols, rather than generic security events like failed logins or high CPU usage. The best answers are those that implement targeted network‑centric alerts tied to exfiltration behavior, not just general attack or performance symptoms.
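The two selected rules as detection logic over constructed flow records, as an added example that is not part of the original practice item. The thresholds follow the question text (more than 10 GB to one external IP within one hour; uncommon protocols such as FTP or SSH to destinations outside the normal baseline); the internal ranges, baseline destination list and sample flows are assumptions made for the example.

```python
"""Added example (not from the page): the two SIEM correlation rules Question 3
selects, run over constructed flow records."""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Constructed flow records: (timestamp, src host, dst ip, dst port, bytes out)
FLOWS = [
    ("2025-03-01T02:00:00", "fileserver-01", "203.0.113.50", 443, 6 * 10**9),
    ("2025-03-01T02:20:00", "fileserver-01", "203.0.113.50", 443, 5 * 10**9),
    ("2025-03-01T09:00:00", "fileserver-02", "198.51.100.10", 443, 2 * 10**8),
    ("2025-03-01T23:15:00", "fileserver-02", "192.0.2.77", 22, 3 * 10**7),
    ("2025-03-01T10:00:00", "fileserver-03", "198.51.100.10", 22, 1 * 10**6),
]

# Assumed internal address space and the external destinations normally contacted.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
KNOWN_EXTERNAL = [ipaddress.ip_network("198.51.100.0/24")]
UNCOMMON_PORTS = {21: "FTP", 22: "SSH"}  # protocols not part of normal business traffic
VOLUME_LIMIT = 10 * 10**9  # 10 GB
WINDOW = timedelta(hours=1)


def _is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)


def _in_baseline(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in KNOWN_EXTERNAL)


def large_upload_alerts(flows):
    """Rule E: one internal host sends more than VOLUME_LIMIT bytes to a single
    external IP within a sliding one-hour window."""
    by_pair = defaultdict(list)
    for ts, src, dst, _port, out in flows:
        if not _is_internal(dst):
            by_pair[(src, dst)].append((datetime.fromisoformat(ts), out))
    alerts = []
    for (src, dst), recs in by_pair.items():
        recs.sort()
        start, total = 0, 0
        for t, out in recs:
            total += out
            while t - recs[start][0] > WINDOW:  # slide the window start forward
                total -= recs[start][1]
                start += 1
            if total > VOLUME_LIMIT:
                alerts.append((src, dst, total))
                break
    return alerts


def uncommon_destination_alerts(flows):
    """Rule A: outbound connection on an uncommon protocol to an external
    destination that is not in the organisation's baseline."""
    alerts = []
    for _ts, src, dst, port, _out in flows:
        if _is_internal(dst) or port not in UNCOMMON_PORTS:
            continue
        if not _in_baseline(dst):
            alerts.append((src, dst, UNCOMMON_PORTS[port]))
    return alerts
```

The SSH flow from fileserver-03 is not flagged because its destination is in the baseline, which is the distinction between "uncommon protocol" alone and "uncommon protocol to an unexpected destination".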


Question 4

Topic: Security Operations

Which of the following statements about post-incident reviews and lessons-learned meetings is NOT correct?

Options:

  • A. They provide an opportunity to document what worked well so successful practices can be reused in future incidents.

  • B. They are primarily used to assign blame to individuals whose actions contributed to the incident.

  • C. They support continuous improvement by driving updates to playbooks, training, and configurations based on what was learned.

  • D. They help identify gaps and weaknesses in existing procedures, tools, and controls revealed during the incident.

Best answer: B

Explanation: Post-incident reviews and lessons-learned meetings occur after an incident has been contained and resolved. Their main purpose is continuous improvement of the incident response process and supporting controls. The focus is on understanding what happened, what went well, what did not, and what should change to reduce the likelihood or impact of similar incidents in the future.

Effective reviews are process-focused and forward-looking. They identify gaps in procedures, tools, and communication; capture successful actions; and result in specific follow-up items such as updating playbooks, tuning alerts, adjusting access controls, or providing additional training. Treating the review primarily as a blame session is counterproductive because it discourages honest discussion and hides useful information needed to improve defenses.

Within the Security+ Domain 4 (Security operations), these reviews are a critical part of the incident response lifecycle, closing the loop from detection and response back into preparation and readiness for the next event.


Question 5

Topic: Security Operations

Which of the following statements about security automation and orchestration use cases is NOT correct?

Options:

  • A. Automation tools can collect logs and memory snapshots from affected hosts to support forensic investigations.

  • B. Security automation can be used to automatically open and populate incident tickets based on SIEM alerts.

  • C. Automated workflows should always delete suspicious files immediately, without preserving copies for forensics, to minimize storage use.

  • D. Automated playbooks can temporarily disable user accounts when suspicious login patterns are detected.

Best answer: C

Explanation: This question focuses on common and appropriate use cases for security automation and orchestration in security operations. Modern environments often use SOAR platforms and scripts to respond quickly to alerts, reduce manual work, and standardize responses. Typical automated actions include blocking IP addresses, disabling or locking accounts, opening and enriching tickets, and collecting forensic artifacts.

The unsafe pattern is to destroy potential evidence, such as deleting suspicious files without preserving copies. Effective security operations must balance rapid containment with the need to retain artifacts for possible forensic analysis, root-cause investigation, and legal or compliance needs.


Question 6

Topic: Security Operations

A SOC manager is onboarding a new analyst and wants to demonstrate how the organization’s SOAR platform reduces manual effort. Review the SOAR playbook run log in the exhibit.

Which description BEST explains how the SOAR platform is helping in this scenario?

Playbook: Suspicious outbound connection

1. Triggered by SIEM alert ID 88421
2. Created incident ticket INC-2025 in ITSM system
3. Queried threat intel for IP 203.0.113.50 -> reputation: MALICIOUS
4. Appended IP reputation and WHOIS data to ticket
5. Sent API request to EDR to isolate host LAPTOP-22
6. Notified security analyst in Slack with summary and ticket link

Options:

  • A. It guarantees permanent blocking of all malicious IP addresses at the perimeter firewall without any analyst involvement.

  • B. It replaces the SIEM by generating correlation rules and collecting all raw logs directly from endpoints and network devices.

  • C. It performs in-depth malware reverse engineering on suspicious binaries before any alerts reach a human analyst.

  • D. It orchestrates multiple security tools to automatically create tickets, enrich alerts with threat intelligence, and initiate endpoint isolation based on predefined rules.

Best answer: D

Explanation: The exhibit shows a SOAR playbook being triggered by a SIEM alert and then automatically carrying out several response steps. After the SIEM generates alert ID 88421, the SOAR platform creates an incident ticket, enriches the alert by querying a threat intelligence source, updates the ticket with this context, sends an API request to isolate the affected endpoint via EDR, and finally notifies an analyst via chat.

This sequence illustrates key SOAR capabilities in security operations: automating ticket creation in an ITSM system, enriching alerts with external intelligence and context, and performing basic containment actions such as EDR-based host isolation. These automations reduce repetitive manual work, speed up the initial triage and containment, and allow analysts to focus on higher-level investigation and decision-making rather than clicking through multiple tools.

SOAR does not typically replace the SIEM, perform deep malware reverse engineering, or automatically guarantee permanent firewall blocking unless those actions are explicitly built into a playbook and shown in the workflow. The exhibit only supports conclusions about orchestration of ticketing, enrichment, and endpoint containment.


Question 7

Topic: Security Operations

A SOC analyst at a mid-sized company receives multiple EDR alerts indicating ransomware activity on a single on-premises file server. The server is still online, and logs show no signs of compromise on other systems. The organization’s incident response plan emphasizes: (1) stopping the spread of the ransomware, (2) preserving the infected server for forensic analysis, and (3) keeping other business services online. Which immediate containment action is the BEST choice?

Options:

  • A. Immediately power off the infected file server and begin restoring it from the most recent known-good backup.

  • B. Disable all user accounts in the domain until the investigation is complete, then selectively re-enable them.

  • C. Unplug all network uplinks from the data center to immediately cut off network connectivity for every server.

  • D. Use network controls (for example, switch or firewall rules or EDR network isolation) to isolate only the infected file server from the network while leaving it powered on.

Best answer: D

Explanation: This scenario focuses on the containment phase of the incident response lifecycle. The organization has a single identified infected file server exhibiting ransomware behavior, while other systems appear unaffected. The incident response plan sets three clear priorities: stop the spread of ransomware, preserve the affected system for forensic analysis, and keep other business services available.

In early containment, the goal is to limit the attacker’s reach and prevent additional damage while avoiding unnecessary impact on unaffected systems. The best approach is to isolate only the compromised host at the network level (for example, using switch port shutdowns, VLAN changes, firewall rules, or EDR network isolation) while leaving it powered on so that memory, disk, and log evidence remain intact for later forensic work. This targeted isolation balances confidentiality and integrity (by stopping further encryption and lateral movement) with availability (by keeping other systems online).

Other, more drastic actions like disconnecting an entire data center, shutting down the infected server immediately, or disabling all user accounts can severely harm business operations or destroy important evidence. Those steps may be considered later or in extreme situations, but they are not the best immediate containment choice given the stated priorities.


Question 8

Topic: Security Operations

Which of the following statements about selecting data sources for a digital forensics investigation is NOT correct?

Options:

  • A. For suspected account takeover in a cloud email service, IdP authentication logs, email access logs, and mailbox audit logs are relevant evidence sources.

  • B. For suspiciously large data transfers from a single workstation, host firewall logs, EDR telemetry, and network flow records are useful data sources.

  • C. For a suspected web server compromise, collecting web server access logs, error logs, and application logs from the relevant time window is important.

  • D. When investigating malware on a workstation, it is usually sufficient to rely only on an anti-malware scan report; capturing disk images or volatile memory is unnecessary in most cases.

Best answer: D

Explanation: Digital forensics relies on collecting the right data sources for the type of incident being investigated. For a web server compromise, logs from the web server and application reveal malicious requests and errors. For suspicious data transfers, endpoint and network telemetry identify which processes communicated and what traffic flowed. For account takeover, identity provider and application logs show authentication patterns and mailbox activity.

By contrast, relying only on an anti-malware scan report for a malware case is unsafe. A proper investigation often requires a forensic disk image and, when possible, a memory capture to preserve artifacts such as binaries, scripts, persistence mechanisms, and in-memory indicators, as well as to allow repeatable, defensible analysis later.


Question 9

Topic: Security Operations

A security analyst is reviewing a SIEM dashboard with thousands of events and needs to quickly view only the activity generated by a single suspicious workstation with IP address 10.1.5.23. Which action should the analyst take in the SIEM to focus on the relevant events?

Options:

  • A. Create a correlation rule that detects multiple users logging in from 10.1.5.23

  • B. Normalize all collected logs into a common schema before analysis

  • C. Aggregate events by event type to combine similar events into single entries

  • D. Apply a filter to show only events where the source IP is 10.1.5.23

Best answer: D

Explanation: This question targets how to use basic SIEM capabilities to focus on relevant log data during security monitoring. When an analyst needs to investigate a specific host, the most direct technique is to filter the event view by an attribute unique to that host, such as its IP address.

In a SIEM or log management tool, filtering is used to limit the displayed events based on selected fields and values (for example, a certain user, IP, hostname, or event type). This reduces noise and allows the analyst to concentrate on the subset of data that matters for the current investigation.

Techniques like correlation, aggregation, and normalization are also important, but they serve different purposes: correlation links related events into higher-level alerts, aggregation reduces duplicate or similar events, and normalization standardizes fields across different log sources. None of these directly fulfills the immediate need to see only events from one specific workstation as effectively as applying a filter on that workstation’s IP address.


Question 10

Topic: Security Operations

A security analyst is investigating a short VPN outage that occurred overnight. The SIEM displays the following log excerpt:

Time (UTC) | Event Type | Details
01:12:05 | Config backup | Firewall config backup completed
01:30:18 | Change | Firewall policy updated by user admin2 (no ticket)
01:33:42 | VPN error | Multiple VPN connection failures detected
01:40:11 | Incident ticket created | INC-1045 opened for VPN outage

Based on this exhibit, which issue most clearly shows that formal change management and approval processes are not being followed?

Options:

  • A. An incident ticket was opened for the VPN outage seven minutes after the first error.

  • B. The firewall configuration was modified without any associated change ticket identifier.

  • C. A firewall configuration backup was taken before the firewall policy update occurred.

  • D. Several VPN connection failures occurred shortly after the firewall policy update.

Best answer: B

Explanation: This scenario highlights why formal change management and approval processes are critical for secure operations. The log excerpt shows a firewall policy update at 01:30:18 performed by admin2 with the note “no ticket.” In a mature environment, any production firewall change should be tied to an approved change request with documented risk assessment, testing, approval, and implementation details.

Without a change ticket, there is no clear evidence that the modification was reviewed or approved, and it becomes harder to trace who requested the change, why it was made, and what was supposed to be modified. This directly impacts both risk reduction (unreviewed changes can cause outages or security gaps) and traceability (difficulty reconstructing events during incident investigations).

The other entries in the exhibit, such as the VPN errors, the incident ticket, and the configuration backup, may indicate impact or good practices, but they do not themselves prove that the change management process is being violated. The explicit mention of “no ticket” is the clearest sign that the formal approval and tracking process was bypassed.
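A small check over log entries in the shape of the exhibit, as an added example that is not part of the original practice item: it flags Change events that carry no change-ticket reference and lists errors logged shortly afterwards as possible impact. The ticket-id pattern (CHG-/RFC-), the 15-minute window and the extra constructed line with a ticketed change are assumptions.

```python
"""Added example (not from the page): flag configuration changes without a
change-ticket reference, modelled on the Question 10 exhibit."""
import re
from datetime import datetime, timedelta

# Constructed sample modelled on the exhibit (time UTC | event type | details),
# plus one ticketed change to show the contrast.
LOG = """\
01:12:05 | Config backup | Firewall config backup completed
01:30:18 | Change | Firewall policy updated by user admin2 (no ticket)
01:33:42 | VPN error | Multiple VPN connection failures detected
01:40:11 | Incident ticket created | INC-1045 opened for VPN outage
02:05:00 | Change | NAT rule added by user admin1 (CHG-0301)
"""

TICKET_RE = re.compile(r"\b(CHG|RFC)-\d+\b")  # assumed change-ticket id format
IMPACT_WINDOW = timedelta(minutes=15)


def parse_log(text):
    """Split each line into (time, event type, details)."""
    entries = []
    for line in text.splitlines():
        ts, etype, details = (p.strip() for p in line.split("|", 2))
        entries.append((datetime.strptime(ts, "%H:%M:%S"), etype, details))
    return entries


def change_without_ticket(entries):
    """Change events explicitly marked 'no ticket' or lacking a ticket id."""
    findings = []
    for t, etype, details in entries:
        if etype != "Change":
            continue
        if "no ticket" in details.lower() or not TICKET_RE.search(details):
            findings.append((t, details))
    return findings


def errors_after(entries, change_time, window=IMPACT_WINDOW):
    """Error events logged within `window` after the change: possible impact,
    which supports traceability during the incident review."""
    return [d for t, etype, d in entries
            if "error" in etype.lower() and change_time < t <= change_time + window]


def report(text):
    """Untracked changes with the errors that followed each one."""
    entries = parse_log(text)
    return [{"time": t.strftime("%H:%M:%S"),
             "change": details,
             "errors_within_window": errors_after(entries, t)}
            for t, details in change_without_ticket(entries)]
```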

Continue with full practice

Use the CompTIA Security+ SY0-701 Practice Test page for the full IT Mastery route, mixed-topic practice, timed mock exams, explanations, and web/mobile app access.


Free review resource

Read the CompTIA Security+ SY0-701 Cheat Sheet on Tech Exam Lexicon, then return to IT Mastery for timed practice.

Revised on Thursday, May 14, 2026