Security Operations for CompTIA SecurityX

This page covers the Security Operations domain of the CompTIA SecurityX certification. Master Cybersecurity offers 26 practice questions in this domain, drawn from the same content we use across our timed exam simulations. Below are five sample questions with full answer explanations.

Sample Practice Questions

  1. Question 1

    A financial technology firm works collaboratively with business partners in the industry to share threat intelligence within a central platform. This collaboration gives partner organizations the ability to obtain and share data associated with emerging threats from a variety of adversaries. Which of the following should the organization most likely leverage to facilitate this activity? (Choose two.)
    A. CWPP
    B. YARA
    C. ATT&CK
    D. STIX
    E. TAXII
    F. JTAG
    Explanation

    The correct answers are: D. STIX, E. TAXII.

    Sharing emerging threat data across a partner community requires both a standard way to describe the intelligence and a standard way to move it, and that is exactly what STIX and TAXII provide. STIX, Structured Threat Information eXpression, gives a machine-readable schema for indicators, observables, campaigns, threat actors, and TTPs, and TAXII, Trusted Automated eXchange of Indicator Information, is the transport protocol that lets producers and consumers publish and pull those STIX objects between hubs and spokes. CWPP secures cloud workloads and is unrelated to intel exchange. YARA expresses rules for matching files or memory but is not a sharing protocol. ATT&CK is a knowledge base of adversary behavior, useful inside intelligence but not the wire format. JTAG is a hardware debug standard with no intel-sharing role, so STIX paired with TAXII is the canonical answer.
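    The producer and consumer sides of that exchange, as an added example that is not part of the original page or of any STIX/TAXII library: a STIX 2.1 Indicator is built and bundled for publication, and a consumer validates indicators out of a TAXII 2.1 envelope before pulling the domain observables from their patterns. The timestamp, names and the `.invalid` domain are constructed placeholders.

```python
import re
import uuid

FIXED_TS = "2024-01-15T10:00:00.000Z"  # constructed timestamp, keeps output deterministic
REQUIRED = ("type", "spec_version", "id", "created", "modified",
            "pattern", "pattern_type", "valid_from")


def stix_id(obj_type: str) -> str:
    """STIX 2.1 identifiers take the form '<type>--<UUIDv4>'."""
    return f"{obj_type}--{uuid.uuid4()}"


def make_indicator(name: str, pattern: str, ts: str = FIXED_TS) -> dict:
    """Producer side: a STIX 2.1 Indicator SDO written in STIX patterning."""
    return {
        "type": "indicator", "spec_version": "2.1", "id": stix_id("indicator"),
        "created": ts, "modified": ts, "name": name,
        "indicator_types": ["malicious-activity"],
        "pattern": pattern, "pattern_type": "stix", "valid_from": ts,
    }


def make_bundle(objects: list) -> dict:
    """A Bundle is the unit a producer pushes to a TAXII collection."""
    return {"type": "bundle", "id": stix_id("bundle"), "objects": objects}


def taxii_envelope(objects: list, more: bool = False) -> dict:
    """Body shape a TAXII 2.1 collection's objects endpoint returns to a consumer."""
    return {"more": more, "objects": objects}


def is_valid_indicator(obj: dict) -> bool:
    """Consumer side: refuse objects missing required properties, carrying the
    wrong spec version, or carrying a malformed id."""
    if any(k not in obj for k in REQUIRED) or obj["spec_version"] != "2.1":
        return False
    return re.fullmatch(r"indicator--[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}", obj["id"]) is not None


def ingest_domains(envelope: dict) -> list:
    """Pull domain-name observables out of the valid indicators in an envelope."""
    found = []
    for obj in envelope.get("objects", []):
        if obj.get("type") == "indicator" and is_valid_indicator(obj):
            found += re.findall(r"domain-name:value\s*=\s*'([^']+)'", obj["pattern"])
    return found


if __name__ == "__main__":
    ind = make_indicator("Constructed lure domain", "[domain-name:value = 'login-example-bank.invalid']")
    print(ingest_domains(taxii_envelope([ind])))
```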

  2. Question 2

    A security analyst is reviewing the following log: Which of the following possible events should the security analyst investigate further?
    A. A macro that was prevented from running
    B. A text file containing passwords that were leaked
    C. A malicious file that was run in this environment
    D. A PDF that exposed sensitive information improperly
    Explanation

    The correct answer is: C. A malicious file that was run in this environment.

    Among the possible log events, the one warranting deeper investigation is a malicious file that actually executed in the environment, because successful code execution is a confirmed compromise rather than a near miss and starts the clock on containment, eradication, and recovery work. A macro that was prevented from running is a blocked event that confirms control efficacy and is logged for trend awareness rather than escalation. A text file that contains passwords represents a hygiene problem to remediate but is not by itself an active intrusion event unless paired with evidence of access. A PDF that improperly exposed sensitive information is a disclosure or data classification issue and is handled through privacy and DLP channels, not as an active execution event. Malware that ran and persisted, by contrast, demands immediate forensic and incident response action under NIST SP 800-61r2.

  3. Question 3

    A security analyst wants to use lessons learned from a prior incident response to reduce dwell time in the future. The analyst is using the following data points: Which of the following would the analyst most likely recommend?
    A. Adjusting the SIEM to alert on attempts to visit phishing sites
    B. Allowing TRACE method traffic to enable better log correlation
    C. Enabling alerting on all suspicious administrator behavior
    D. Utilizing allow lists on the WAF for all users using GET methods
    Explanation

    The correct answer is: A. Adjusting the SIEM to alert on attempts to visit phishing sites.

    Dwell time is the interval between initial compromise and detection, so reducing it means catching the earliest links of the kill chain, which for most modern intrusions begins with a phishing-driven credential or payload delivery. Tuning the SIEM to alert when internal users visit known phishing destinations or newly registered look-alike domains pulls detection back to the reconnaissance and delivery phases of the Lockheed Martin Cyber Kill Chain, well before lateral movement or exfiltration. Allowing HTTP TRACE traffic does not improve correlation and instead reintroduces a deprecated method associated with cross-site tracing risk. Alerting on every suspicious administrator action is overly broad and floods the queue with false positives, raising rather than lowering mean time to detect because real signals drown in noise. WAF allow lists for GET methods constrain the application surface but do nothing to detect the initial phishing vector that drove the prior incident, so they cannot shorten dwell time for that attack pattern.
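    What the recommended SIEM rule looks like in practice, as an added example that is not part of the original page: a correlation rule run over proxy log lines that alerts when a user reaches a known phishing domain, a typo-squatted look-alike of a protected brand domain, or a domain that embeds the brand name. The log lines, the phishing list, the brand list and the `.invalid` domains are all constructed.

```python
import re
from typing import Optional

# Constructed data: a known phishing domain (as a STIX/TAXII feed might deliver it)
# and the brand domains whose look-alikes we want to catch.
KNOWN_PHISH = {"login-example-bank.invalid"}
PROTECTED = ("examplebank.com", "example-corp.com")

# Constructed proxy log lines: timestamp user action url
PROXY_LOG = """\
2024-01-15T10:01:02Z alice ALLOW https://examplebank.com/home
2024-01-15T10:02:14Z bob ALLOW https://login-example-bank.invalid/reset
2024-01-15T10:03:55Z carol ALLOW http://examp1ebank.com/signin
2024-01-15T10:05:41Z erin ALLOW https://examplebank.com.evil.invalid/login
"""
LINE = re.compile(r"^(\S+) (\S+) (\S+) [a-z]+://([^/:\s]+)")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot typo-squatted brand domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(host: str) -> Optional[str]:
    """Why a visited host is suspicious, or None if it is not."""
    if host in KNOWN_PHISH:
        return "known-phishing-domain"
    for brand in PROTECTED:
        if host == brand or host.endswith("." + brand):
            return None  # the genuine brand domain or one of its subdomains
        if edit_distance(host, brand) <= 2:
            return f"look-alike-of:{brand}"
        if brand in host:  # brand name used as a label under another domain
            return f"brand-embedded:{brand}"
    return None


def alerts(log: str) -> list:
    # Each hit becomes a SIEM-style alert record ready for the analyst queue.
    out = []
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            ts, user, _action, host = m.groups()
            reason = classify(host.lower())
            if reason:
                out.append({"ts": ts, "user": user, "host": host, "reason": reason})
    return out
```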

  4. Question 4

    During a recent audit, a company's systems were assessed. Given the following information: Which of the following is the best way to reduce the attack surface?
    A. Deploying an EDR solution to all impacted machines in manufacturing
    B. Segmenting the manufacturing network with a firewall and placing the rules in monitor mode
    C. Setting up an IDS inline to monitor and detect any threats to the software
    D. Implementing an application-aware firewall and writing strict rules for the application access
    Explanation

    The correct answer is: A. Deploying an EDR solution to all impacted machines in manufacturing.

    Reducing the attack surface on machines that already carry the risk of exploitation and lateral movement is best accomplished by deploying endpoint detection and response to those machines, because EDR adds visibility into process, file, network, and registry activity and lets responders kill processes, isolate hosts, and roll back changes, which directly shrinks how far an attacker can travel once on an endpoint. Segmenting the network with firewall rules in monitor mode logs traffic but does not enforce anything and so does not reduce surface. An inline IDS detects but does not block, leaving the same surface exposed. An application-aware firewall with strict rules is valuable for network policy but operates at the network edge rather than at the host, where the manufacturing endpoints are exposed, so an EDR rollout to those impacted hosts delivers the strongest surface reduction.

  5. Question 5

    A security engineer receives an alert from the SIEM platform indicating a possible malicious action on the internal network. The engineer generates a report that outputs the logs associated with the incident: Which of the following actions best enables the engineer to investigate further?
    A. Consulting logs from the enterprise password manager
    B. Searching dark web monitoring resources for exposure
    C. Reviewing audit logs from privileged actions
    D. Querying user behavior analytics data
    Explanation

    The correct answer is: D. Querying user behavior analytics data.

    Once a SIEM alert flags a possible malicious action that involves user activity, the most direct enrichment is to query user and entity behavior analytics so the engineer can see whether the flagged session is consistent with that identity's normal baseline or is an outlier in time, geography, host, or accessed resource. Password manager logs cover credential vault interactions and would not generally answer the broader question of whether the user's activity overall is anomalous. Dark web monitoring helps identify exposed credentials but is a slow, external check that does not validate the current alert. Reviewing privileged action audit logs is valuable when the user is privileged, but it is narrower than UEBA, which spans both privileged and standard identities and combines login, resource, and command telemetry into a behavioral picture suitable for fast triage.
