Welcome to today’s CompTIA Security+ practice test!

Today’s practice test is based on subdomain 4.9 (Given a scenario, use data sources to support an investigation) from the CompTIA Security+ SY0-701 objectives.

This beginner-level practice test is inspired by the CompTIA Security+ (SY0-701) exam and is designed to help you reinforce key cybersecurity concepts on a daily basis.

These questions are not official exam questions, but they reflect topics and scenarios relevant to the Security+ certification. Use them to test your knowledge, identify areas for improvement, and build daily cybersecurity habits.

Click the button below to start today’s practice exam. To view answers and explanations for today’s questions, expand the Answers accordion.

#1. A SOC analyst is reviewing firewall logs during an investigation of suspected unauthorized access. The logs show repeated outbound connections to an unfamiliar IP address on TCP port 443. Which data source should the analyst consult next to confirm whether the traffic is malicious?

#2. During an incident, an analyst notices multiple failed logins from one internal host. What log source best helps determine if this is a brute-force attack?

#3. A web server reports multiple HTTP 500 errors. Which logs are most relevant for identifying if this is an attack?

#4. An attacker exploited a zero-day vulnerability in a custom application. Which data source is LEAST likely to reveal the initial compromise?

#5. A SOC analyst needs to determine whether an unusual spike in DNS traffic is malicious or due to a new legitimate application. What tool or data source is MOST helpful?

#6. After responding to a malware outbreak, an analyst needs to identify lateral movement within the network. Which log data source is BEST to analyze?

#7. Which log type BEST helps verify if a malicious file downloaded by an endpoint executed?

#8. A SOC team is using chain of custody documentation during log review. Why is this step important?

#9. If an IDS alert is generated for suspicious outbound traffic, which additional log source would BEST confirm if data exfiltration occurred?

#10. What investigation source is MOST helpful in confirming if a specific vulnerability has been remediated after patching?

Note: CompTIA and Security+ are registered trademarks of CompTIA. This content is not affiliated with or endorsed by CompTIA.

Answers

1. Answer: A

A SOC analyst is reviewing firewall logs during an investigation of suspected unauthorized access. The logs show repeated outbound connections to an unfamiliar IP address on TCP port 443. Which data source should the analyst consult next to confirm whether the traffic is malicious?

A. Packet capture (PCAP) data (Correct): To confirm whether network traffic is malicious, a packet capture (PCAP) provides the most granular and definitive data. It contains the raw packets, so the analyst can inspect the source, destination and protocol headers and, if the session can be decrypted (for example through a TLS-inspecting proxy that holds the keys), the payload itself. Even when the payload stays encrypted, the capture still exposes the TLS handshake (server name, certificate, offered cipher suites) and the timing and size of each connection, which is often enough to recognize beaconing to a command-and-control server. This is the best source for a deep-dive analysis of suspicious network activity.

B. Application logs (Incorrect): Application logs would show which application initiated the connection. While useful, they would not provide the network-level detail needed to confirm whether the content of the traffic is malicious, especially since port 443 traffic is normally TLS-encrypted.

C. Vulnerability scan reports (Incorrect): Vulnerability scan reports are used to identify potential weaknesses in a system. They are a proactive security tool and do not provide data about live, real-time traffic to an unfamiliar IP address.

D. System performance dashboard (Incorrect): A system performance dashboard shows metrics like CPU, memory, and network usage. It can indicate that a process is active, but it lacks the packet-level detail necessary to confirm whether the outbound traffic itself is malicious.
2. Answer: C

During an incident, an analyst notices multiple failed logins from one internal host. What log source best helps determine if this is a brute-force attack?

A. Network firewall logs (Incorrect): Network firewall logs monitor traffic between network segments but typically do not contain the granular details of authentication attempts. They would show a connection being established but not the failed login itself.

B. Endpoint antivirus logs (Incorrect): Endpoint antivirus logs are used to detect and respond to malicious software. They do not record authentication events or failed logins.

C. Authentication/OS security logs (Correct): The most direct and definitive source for identifying multiple failed login attempts is the system’s own authentication or OS security logs (e.g., the Windows Security Event Log, where event ID 4625 records a failed logon, or a Linux /var/log/auth.log on Debian-based systems and /var/log/secure on Red Hat-based systems). These logs are purpose-built to record every login attempt, including the user, source host, time, and whether it succeeded. A burst of failures from one source against one or many accounts, especially one followed by a success, is precisely the pattern that confirms a brute-force attack.

D. Packet capture (Incorrect): While a packet capture could potentially contain the authentication traffic, it is a resource-intensive and impractical method compared to simply consulting the system’s own, purpose-built authentication logs, which already contain the required information in an organized format.
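The pattern described in the explanation for answer C (many failures from one source in a short window, then a success) is easy to check mechanically. The script below is an added example written for this page, not code from the quiz author or from CompTIA; it parses constructed sshd entries in Debian/Ubuntu /var/log/auth.log format (the hosts, usernames and IP addresses are fictional) and reports each source IP whose failed logins exceed a threshold inside a sliding time window. The year is an assumption supplied by the caller because syslog timestamps do not carry one.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample sshd entries in the syslog format of /var/log/auth.log.
# These lines are made up for the example; hosts, users and IPs are fictional.
SAMPLE_AUTH_LOG = """\
Jan 14 09:12:01 host1 sshd[2041]: Failed password for invalid user admin from 10.0.5.23 port 51122 ssh2
Jan 14 09:12:02 host1 sshd[2043]: Failed password for invalid user admin from 10.0.5.23 port 51124 ssh2
Jan 14 09:12:03 host1 sshd[2045]: Failed password for root from 10.0.5.23 port 51126 ssh2
Jan 14 09:12:04 host1 sshd[2047]: Failed password for root from 10.0.5.23 port 51128 ssh2
Jan 14 09:12:05 host1 sshd[2049]: Failed password for invalid user oracle from 10.0.5.23 port 51130 ssh2
Jan 14 09:12:06 host1 sshd[2051]: Failed password for root from 10.0.5.23 port 51132 ssh2
Jan 14 09:12:07 host1 sshd[2053]: Accepted password for root from 10.0.5.23 port 51134 ssh2
Jan 14 09:30:10 host1 sshd[2100]: Failed password for alice from 10.0.7.8 port 40001 ssh2
Jan 14 09:45:12 host1 sshd[2110]: Accepted publickey for alice from 10.0.7.8 port 40002 ssh2
"""

# One sshd authentication event: syslog timestamp, outcome, target user, source IP.
LINE_RE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(Failed|Accepted) (?:password|publickey) for (?:invalid user )?(\S+) "
    r"from (\S+) port \d+"
)


def parse_auth_log(text, year):
    """Return (timestamp, outcome, user, src_ip) tuples for every sshd auth line.

    Syslog timestamps carry no year, so the caller supplies it (an assumption)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # sudo, cron and other daemons are not login attempts
        ts, outcome, user, src = m.groups()
        when = datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")
        events.append((when, outcome, user, src))
    return events


def detect_bruteforce(text, year=2025, threshold=5, window_seconds=60):
    """Flag source IPs with >= threshold failed logins inside any window_seconds span.

    For each flagged source also report which usernames were tried and whether a
    successful login followed the failures (a likely successful guess)."""
    by_src = defaultdict(list)
    for ev in parse_auth_log(text, year):
        by_src[ev[3]].append(ev)

    findings = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e[0])
        fails = [e for e in evs if e[1] == "Failed"]
        # Sliding window over the sorted failure times: the largest number of
        # failures that fit inside window_seconds is the burst size.
        peak, lo = 0, 0
        for hi in range(len(fails)):
            while (fails[hi][0] - fails[lo][0]).total_seconds() > window_seconds:
                lo += 1
            peak = max(peak, hi - lo + 1)
        if not fails or peak < threshold:
            continue
        last_fail = fails[-1][0]
        success_after = any(e[1] == "Accepted" and e[0] >= last_fail for e in evs)
        findings[src] = {
            "peak_failures_in_window": peak,
            "usernames": sorted({e[2] for e in fails}),
            "success_after_failures": success_after,
        }
    return findings


if __name__ == "__main__":
    for src, info in detect_bruteforce(SAMPLE_AUTH_LOG).items():
        print(src, info)
```

On the constructed sample the script flags 10.0.5.23 (six failures in five seconds across admin, oracle and root, followed by an accepted root password) and ignores 10.0.7.8, whose single failure is normal user behaviour. The same logic applies to Windows by substituting event IDs 4625 and 4624 for the Failed and Accepted lines.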
3. Answer: B

A web server reports multiple HTTP 500 errors. Which logs are most relevant for identifying if this is an attack?

A. Firewall logs (Incorrect): Firewall logs monitor and filter network traffic but do not have visibility into the HTTP status codes generated by a web server. They would only show that a connection was made, not the result of the request.

B. Application logs (Correct): HTTP 500 errors are “Internal Server Errors” that originate from the web application itself. The most relevant logs for investigating the cause are the application logs (e.g., web server logs like Apache or Nginx access/error logs, or logs from the application framework). These logs will contain the specific details of the request that triggered the error, including the URL, parameters, and the server-side exception or crash information, which is critical for identifying a potential attack.

C. Network flow records (Incorrect): Network flow records (e.g., NetFlow) provide metadata about traffic volume and connections. They do not contain the application-level details like HTTP status codes.

D. IDS signature logs (Incorrect): An IDS might detect a signature that indicates an attack, but it doesn’t always correlate to a specific application error. The application logs are the primary source for confirming the server-side impact and cause of the 500 error.
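The explanation for answer B says the web server's own logs carry the request that triggered each 500. The script below is an added example for this page, not code from the quiz author, and it shows the kind of triage an analyst would run over those logs: it parses constructed Apache/Nginx combined-format access log lines (fictional IPs and requests), keeps only the 500 responses, groups them by client, and counts how many of each client's failing requests carry injection or traversal indicators after URL-decoding. The indicator regex is a deliberately simple assumption for the example, not a production detection rule.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed combined-format access log lines; fictional clients and requests.
SAMPLE_ACCESS_LOG = """\
10.0.9.4 - - [14/Jan/2025:10:01:12 +0000] "GET /search?q=laptop HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.77 - - [14/Jan/2025:10:01:15 +0000] "GET /search?q=laptop' HTTP/1.1" 500 312 "-" "sqlmap/1.7"
203.0.113.77 - - [14/Jan/2025:10:01:16 +0000] "GET /search?q=laptop'%20OR%201=1-- HTTP/1.1" 500 312 "-" "sqlmap/1.7"
203.0.113.77 - - [14/Jan/2025:10:01:17 +0000] "GET /search?q=1%20UNION%20SELECT%20NULL,NULL-- HTTP/1.1" 500 312 "-" "sqlmap/1.7"
203.0.113.77 - - [14/Jan/2025:10:01:18 +0000] "GET /search?q=1%20UNION%20SELECT%20NULL,NULL,NULL-- HTTP/1.1" 500 312 "-" "sqlmap/1.7"
10.0.9.12 - - [14/Jan/2025:10:05:40 +0000] "POST /api/report HTTP/1.1" 500 88 "-" "Mozilla/5.0"
10.0.9.12 - - [14/Jan/2025:10:05:41 +0000] "POST /api/report HTTP/1.1" 500 88 "-" "Mozilla/5.0"
"""

# client, timestamp, method, request target, status, user agent
LINE_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"'
)

# Crude indicators of SQL injection, traversal or script injection in the decoded
# request target. Assumption for the example; real rules are far more extensive.
ATTACK_RE = re.compile(r"(?i)(\bunion\b.*\bselect\b|'\s*or\s+\d+=\d+|\.\./|<script)")


def triage_500s(text):
    """Group HTTP 500 responses by client and count those that look hostile.

    Returns {client_ip: {"errors", "suspicious_requests", "targets", "user_agents"}}."""
    per_client = defaultdict(
        lambda: {"errors": 0, "suspicious_requests": 0, "targets": set(), "user_agents": set()}
    )
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        client, _ts, _method, target, status, ua = m.groups()
        if status != "500":
            continue
        decoded = unquote(target)  # attackers URL-encode payloads; inspect the decoded form
        entry = per_client[client]
        entry["errors"] += 1
        entry["targets"].add(decoded)
        entry["user_agents"].add(ua)
        if ATTACK_RE.search(decoded):
            entry["suspicious_requests"] += 1
    # Sets become sorted lists so the output is stable and easy to diff.
    return {
        c: {
            "errors": e["errors"],
            "suspicious_requests": e["suspicious_requests"],
            "targets": sorted(e["targets"]),
            "user_agents": sorted(e["user_agents"]),
        }
        for c, e in per_client.items()
    }


if __name__ == "__main__":
    for client, info in triage_500s(SAMPLE_ACCESS_LOG).items():
        print(client, info)
```

On the sample, 203.0.113.77 produces four 500s of which three carry SQL-injection indicators (and a scanner user agent), which is the attack case, while 10.0.9.12's two 500s on /api/report with an ordinary browser agent point to a server-side bug rather than an attacker. In practice the analyst then reads the matching entries in the server's error log for the stack trace or database error behind each request.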
4. Answer: D

An attacker exploited a zero-day vulnerability in a custom application. Which data source is LEAST likely to reveal the initial compromise?

A. Endpoint detection logs (Incorrect): Endpoint Detection and Response (EDR) systems are designed to detect suspicious behavior, even if the attack method is new. An EDR might spot unusual process execution or file changes caused by the zero-day exploit, making its logs a likely source of information.

B. Application logs (Incorrect): An exploit targeting a custom application would likely cause it to behave abnormally. These anomalies, such as crashes or unusual error messages, would often be logged in the application logs, which could provide clues about the initial compromise.

C. Network packet captures (Incorrect): The initial exploit would almost always arrive over a network connection. A packet capture (PCAP) contains the actual bytes of the attack, making it a likely and granular source for a forensic investigation of the initial compromise. Even if the session is encrypted, the capture still shows when the attacker’s host first connected to the application and how much data was exchanged, which is enough to anchor the timeline.

D. Scheduled vulnerability scans (Correct): A zero-day vulnerability is, by definition, an unknown flaw for which no patch or public signature exists. Vulnerability scanners rely on databases of known vulnerabilities. Therefore, a scheduled vulnerability scan would be least likely to detect a zero-day vulnerability or its exploitation, as it would not be in the scanner’s knowledge base.
5. Answer: A

A SOC analyst needs to determine whether an unusual spike in DNS traffic is malicious or due to a new legitimate application. What tool or data source is MOST helpful?

A. SIEM dashboard trending DNS queries (Correct): A SIEM (Security Information and Event Management) system is specifically designed to collect, aggregate, and analyze logs from multiple sources, including DNS servers. A dashboard that trends DNS queries would provide an analyst with a comprehensive, real-time view of the DNS traffic spike, showing the specific domains being queried, the frequency, and the source hosts. This data is the most direct and helpful for determining if the traffic is malicious (e.g., to a command-and-control server) or benign (e.g., to a new software vendor’s domain).

B. HR employee roster (Incorrect): An HR roster contains employee information. This data is completely irrelevant for analyzing network traffic patterns or identifying malicious activity on the network.

C. Endpoint antivirus logs (Incorrect): Endpoint antivirus logs are used to detect and respond to malicious files on a single host. While a malicious application could be the cause, antivirus logs do not provide a network-wide view of DNS traffic spikes or the specific domain names being queried.

D. Firewall ACL configuration (Incorrect): A firewall’s ACL configuration defines the rules for traffic, but it does not provide the logs or real-time data needed to investigate an active traffic spike. The configuration is a static document, not an analysis tool.
6. Answer: B

After responding to a malware outbreak, an analyst needs to identify lateral movement within the network. Which log data source is BEST to analyze?

A. DHCP logs (Incorrect): DHCP logs record IP address assignments to hosts. While useful for host identification, they do not provide information about the network traffic or connections between hosts, which is what is needed to track lateral movement.

B. NetFlow or network flow logs (Correct): NetFlow or network flow logs are the best data source for identifying lateral movement. These logs provide metadata about network conversations, including the source and destination IP addresses, ports, and timestamps. By analyzing this data, an analyst can trace the connections from the initially compromised host to other internal hosts, which is the signature of an attacker moving laterally through the network.

C. Email server logs (Incorrect): Email server logs track email traffic. They would be useful for investigating the initial infection vector if it was an email, but they are not a source for tracking an attacker’s subsequent movements within the network.

D. SIEM compliance reports (Incorrect): SIEM compliance reports are typically for auditing and demonstrating adherence to policies. They are not a data source for real-time or forensic analysis of a specific attack’s movement. While a SIEM would ingest the relevant logs, the reports themselves are not the source of the raw data.
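The explanation for answer B describes tracing connections outward from the first infected host. The script below is an added example written for this page, not code from the quiz author, and it implements that trace over constructed NetFlow-style records exported as CSV (the network, hosts and timestamps are fictional). Starting from a known patient zero it follows flows on remote-administration ports in time order, so a host only counts as reached by a flow that starts after its own source was reached; older or unrelated connections are not attributed to the attacker. The port list is an assumption chosen for the example.

```python
import csv
import io
from datetime import datetime

# Ports commonly used for remote execution or admin access between internal hosts
# (SSH, RPC, SMB, RDP, WinRM). Assumption for the example; tune per environment.
LATERAL_PORTS = {22, 135, 139, 445, 3389, 5985, 5986}

# Constructed flow records (NetFlow/IPFIX-style fields, exported as CSV).
# Fictional network; one record per flow with its start time in ISO 8601.
SAMPLE_FLOWS = """\
start,src,dst,dport,proto,bytes
2025-01-14T10:00:05,10.0.5.23,10.0.5.40,445,tcp,20480
2025-01-14T10:00:06,10.0.5.23,10.0.5.41,445,tcp,1200
2025-01-14T10:02:00,10.0.5.40,10.0.5.60,3389,tcp,90000
2025-01-14T10:03:00,10.0.5.60,10.0.5.80,5985,tcp,4096
2025-01-14T09:50:00,10.0.5.80,10.0.5.90,445,tcp,5000
2025-01-14T10:01:00,10.0.5.41,10.0.5.61,443,tcp,7000
2025-01-14T10:04:00,10.0.9.4,10.0.5.99,445,tcp,300
"""


def load_flows(text):
    """Parse the CSV export into dicts with typed fields, sorted by start time."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "start": datetime.fromisoformat(row["start"]),
            "src": row["src"],
            "dst": row["dst"],
            "dport": int(row["dport"]),
            "proto": row["proto"],
            "bytes": int(row["bytes"]),
        })
    return sorted(rows, key=lambda r: r["start"])


def trace_lateral_movement(text, patient_zero, first_seen):
    """Time-respecting reachability from patient_zero over LATERAL_PORTS.

    A destination is added only when the flow's source was already reached at or
    before the flow started. Returns (reached: {host: time_reached},
    hops: [(src, dst, dport, start_iso), ...]) in the order the hops occurred."""
    reached = {patient_zero: datetime.fromisoformat(first_seen)}
    hops = []
    # Flows are chronological, so a single pass sees every source's reach time
    # before any later flow from that source.
    for f in load_flows(text):
        if f["src"] not in reached or f["start"] < reached[f["src"]]:
            continue
        if f["dport"] not in LATERAL_PORTS or f["dst"] in reached:
            continue
        reached[f["dst"]] = f["start"]
        hops.append((f["src"], f["dst"], f["dport"], f["start"].isoformat()))
    return reached, hops


if __name__ == "__main__":
    reached, hops = trace_lateral_movement(SAMPLE_FLOWS, "10.0.5.23", "2025-01-14T10:00:00")
    for src, dst, dport, start in hops:
        print(f"{start} {src} -> {dst}:{dport}")
    print("hosts to contain:", sorted(reached))
```

On the sample the trace yields the chain 10.0.5.23 -> 10.0.5.40 (SMB) -> 10.0.5.60 (RDP) -> 10.0.5.80 (WinRM), plus 10.0.5.41 as a direct SMB hop. The 09:50 SMB flow from 10.0.5.80 is excluded because it predates that host being reached, the HTTPS flow from 10.0.5.41 is excluded because 443 is not a lateral-movement port, and 10.0.9.4 never appears because nothing connects it to the chain. The resulting host list is the containment scope; authentication logs on each reached host then confirm which account was used.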
7. Answer: B

Which log type BEST helps verify if a malicious file downloaded by an endpoint executed?

A. Firewall logs (Incorrect): A firewall logs network traffic at a perimeter or network segment boundary. It would show the download of the file but has no visibility into what happens on the host’s file system or if the file was executed after the download was complete.

B. Antivirus/endpoint logs (Correct): Antivirus logs or, more comprehensively, Endpoint Detection and Response (EDR) logs are specifically designed to monitor file activity, process execution, and system changes on a host. They would provide direct evidence of whether a downloaded file was scanned, quarantined, or allowed to execute and what actions it attempted to perform, making them the best source for this type of verification.

C. Switch interface logs (Incorrect): Switch interface logs track the status and traffic flow of network ports. They are not designed to monitor host-level activities like file downloads or executable processes.

D. Vulnerability scan results (Incorrect): Vulnerability scans are proactive tools used to identify known weaknesses in a system’s configuration or software. They do not provide log data about a specific incident involving a malicious file’s execution.
8. Answer: A

A SOC team is using chain of custody documentation during log review. Why is this step important?

A. It ensures evidence integrity for potential legal action (Correct): The primary purpose of chain of custody documentation is to maintain a detailed, unbroken record of the handling and storage of evidence. This is crucial for proving in court or during a formal investigation that the evidence (in this case, logs) has not been tampered with or altered, thereby preserving its integrity and admissibility.

B. It improves SIEM alerting capabilities (Incorrect): Chain of custody is a procedural and administrative process for handling evidence. It has no direct impact on the technical functionality of a SIEM, such as its ability to generate alerts.

C. It enables faster packet capture analysis (Incorrect): Chain of custody is a documentation process and does not affect the technical speed or efficiency of analyzing network data like packet captures.

D. It prevents zero-day exploitation (Incorrect): Zero-day exploitation is a form of attack. Chain of custody is a post-incident response and forensic process; it is not a preventative security measure.
9. Answer: D

If an IDS alert is generated for suspicious outbound traffic, which additional log source would BEST confirm if data exfiltration occurred?

A. DHCP logs (Incorrect): DHCP logs record IP address assignments to network devices. They provide no information about network traffic content or whether data is being exfiltrated.

B. VPN authentication logs (Incorrect): VPN authentication logs track user access to a VPN. They can show who connected and when, but they do not provide details on the content of the traffic or if data was exfiltrated.

C. Switch spanning tree logs (Incorrect): Spanning Tree Protocol (STP) logs are used to prevent network loops. They are a network infrastructure logging source and have no relevance to data exfiltration.

D. Endpoint DLP logs (Correct): Data Loss Prevention (DLP) systems are specifically designed to monitor and prevent the unauthorized transmission of sensitive data. An Endpoint DLP agent runs on the host where the data resides and logs any attempt to move data it has been configured to recognize, such as files carrying a classification label or content matching a pattern, off the machine. These logs therefore provide the most direct evidence to confirm whether data exfiltration occurred, with the caveat that DLP only sees data matching the patterns or labels it was configured to watch; traffic volume from flow records and the endpoint’s process and file-access logs are the usual corroborating sources.
10. Answer: C

What investigation source is MOST helpful in confirming if a specific vulnerability has been remediated after patching?

A. SIEM dashboards (Incorrect): SIEM dashboards are used for monitoring and threat detection. While a SIEM might show logs related to patching, it does not actively test for the presence of a vulnerability. It is a monitoring tool, not a verification tool for remediation.

B. Firewall access lists (Incorrect): Firewall access lists are network security controls. They are used to allow or deny traffic but do not provide any information about the vulnerabilities present on a host or whether they have been patched.

C. Vulnerability scan reports (Correct): Vulnerability scan reports are the most direct and reliable source for confirming a vulnerability has been remediated. A scan performed after patching actively tests for the presence of the specific vulnerability. If it no longer appears in the post-patch report, that is strong evidence of successful remediation, ideally from a credentialed scan that reads the installed package or build version rather than inferring it from a service banner, since unauthenticated checks can report false negatives after a backported fix or a service that has not yet been restarted.

D. Email server logs (Incorrect): Email server logs track email traffic. They have no relevance to the state of a system’s vulnerabilities or whether a patch has been successfully applied.