CompTIA CySA+ Practice Questions: Security Operations and Monitoring

32 free, exam-style CompTIA CySA+ (CS0-003) practice questions covering Security Operations and Monitoring. Each question is followed by a short explanation of the correct answer. Ready for the real thing? Take the full timed quiz.


Q1. What does a SIEM correlation rule detecting 'multiple failed logins followed by a successful login' MOST likely indicate?

Explanation: This pattern suggests an attacker successfully guessed credentials after multiple attempts.

Q2. What is the PRIMARY purpose of performing threat hunting in a SIEM?

Explanation: Threat hunting involves actively searching for indicators that may have evaded automated detection.

Q3. Which log source would be MOST valuable for investigating a suspected DNS exfiltration attempt?

Explanation: DNS query logs would show unusual domain lookups that might indicate data being encoded in DNS requests.

Q4. What does a sudden increase in NetFlow data to an external IP address MOST likely indicate?

Explanation: Large unexpected outbound transfers could indicate data being stolen from the network.

Q5. What is the PRIMARY benefit of implementing a deception technology solution?

Explanation: Deception technology lures attackers into interacting with fake assets, revealing their presence.

Q6. During log analysis, you notice multiple Event ID 4672 entries followed by PsExec execution. What does this MOST likely indicate?

Explanation: This sequence suggests privilege escalation followed by lateral movement using PsExec.

Q7. What does a SIEM alert showing 'unusual geolocation login' MOST likely indicate?

Explanation: Logins from unexpected locations may indicate credential theft or unauthorized access.

Q8. When reviewing IDS alerts, which pattern would MOST likely indicate a port scan?

Explanation: Port scans typically involve systematic connection attempts across port ranges.

Q9. What does a sudden spike in DNS queries for random subdomains MOST likely indicate?

Explanation: Malware often uses a domain generation algorithm (DGA) to establish C2 communications by generating random domains.

Q10. Which log would be MOST useful for investigating a potential brute force attack against a web application?

Explanation: Web server logs record authentication attempts and HTTP status codes.

Q11. What is the PRIMARY benefit of implementing canary tokens in a network?

Explanation: Canary tokens trigger alerts when accessed, revealing intrusion attempts.

Q12. What does a SIEM correlation rule detecting 'RDP connections followed by unusual process execution' MOST likely indicate?

Explanation: This pattern suggests an attacker moving through the network after initial access.

Q13. Which technique would be MOST effective for detecting credential dumping activity?

Explanation: Credential dumping often involves accessing the LSASS process memory space.

Q14. When analyzing packet captures, what would a large number of TCP SYN packets without corresponding ACKs MOST likely indicate?

Explanation: Half-open connections are characteristic of SYN flood DoS attacks.

Q15. Which Windows Event Log would contain information about account lockouts?

Explanation: The Security log records authentication events, including account lockouts.

Q16. What does the presence of unexpected PowerShell scripts in TEMP directories MOST likely indicate?

Explanation: Attackers often use PowerShell for fileless attacks, dropping scripts in temp folders.

Q17. Which technique would be MOST effective for detecting DNS tunneling?

Explanation: DNS tunneling often uses unusually long queries or high query volumes.

Q18. What does a sudden increase in GPO modifications MOST likely indicate?

Explanation: Attackers with domain admin privileges often modify GPOs to maintain persistence.

Q19. Which log source would be MOST valuable for investigating a suspected insider threat?

Explanation: DLP logs track attempts to access or transfer sensitive data.

Q20. What is the PRIMARY purpose of a threat intelligence feed in a SIEM?

Explanation: Threat intelligence enriches alerts with information about known malicious entities.

Q21. Which technique would be MOST effective for detecting beaconing malware?

Explanation: Beaconing creates regular callbacks to C2 servers at set intervals.

Q22. What does the presence of unexpected scheduled tasks with obfuscated commands MOST likely indicate?

Explanation: Attackers often use scheduled tasks for persistence, with the commands obfuscated to avoid scrutiny.

Q23. What is the PRIMARY benefit of network segmentation for incident response?

Explanation: Segmentation limits how far an attacker can spread through the network.

Q24. When reviewing proxy logs, what would a high volume of requests to pastebin.com MOST likely indicate?

Explanation: Attackers often use paste sites to exfiltrate small amounts of data.

Q25. What does a SIEM alert for 'unusual after-hours file access' MOST likely indicate?

Explanation: Access during unusual hours may indicate stolen credentials being used.

Q26. Which technique would be MOST effective for detecting process hollowing?

Explanation: Process hollowing can be detected by examining memory for mismatches between on-disk and in-memory PE structures.

Q27. When analyzing NetFlow data, what would a spike in traffic to TCP port 3389 MOST likely indicate?

Explanation: Port 3389 is used by RDP and is a common target for brute force attacks.

Q28. What does the presence of unexpected WMI event subscriptions MOST likely indicate?

Explanation: Attackers use WMI event subscriptions for persistence and execution.

Q29. Which technique would be MOST effective for detecting C2 traffic in encrypted channels?

Explanation: TLS fingerprinting can identify malicious C2 even without decryption.

Q30. When reviewing authentication logs, what would multiple failed NTLM logins followed by a successful Kerberos login MOST likely indicate?

Explanation: This pattern suggests an attacker found valid credentials through password spraying.

Q31. What does a SIEM alert for 'unusual PowerShell command-line length' MOST likely indicate?

Explanation: Attackers often use long, obfuscated PowerShell commands to evade detection.

Q32. Which technique would be MOST effective for detecting DLL side-loading?

Explanation: DLL side-loading can be detected by examining where DLLs are loaded from.
