CompTIA Security+ Practice Test of the Day 260331

Welcome to today’s CompTIA Security+ practice test!

This practice test uses our new UI!

Today’s practice test is based on Subdomain 4.9 (Given a scenario, use data sources to support an investigation) from the CompTIA Security+ SY0-701 objectives.

This beginner-level practice test is inspired by the CompTIA Security+ (SY0-701) exam and is designed to help you reinforce key cybersecurity concepts on a daily basis.

These questions are not official exam questions, nor are they brain dumps, but they reflect topics and scenarios relevant to the Security+ certification. Use them to test your knowledge, identify areas for improvement, and build daily cybersecurity habits.

Note: CompTIA and Security+ are registered trademarks of CompTIA. This content is not affiliated with or endorsed by CompTIA.

To choose CompTIA Security+ practice tests based on specific domains/subdomains, click that link.

CompTIA Security+ Practice Test of the Day 260331

10 questions • Single best answer

Question 1

An incident response analyst at a large e-commerce company is investigating a suspected data breach that may have involved unauthorized access to a backend database server containing customer payment information. The analyst has access to multiple log sources and needs to determine which external IP addresses made successful connections to the database server's listening port over the past 30 days. The analyst also wants to identify any connection attempts from those same IP addresses that were blocked by perimeter controls during the same time period. Which log source would BEST provide information about both allowed and denied network connections at the network perimeter, including source and destination IP addresses and port numbers?

A. Application logs B. Firewall logs C. IPS/IDS logs D. Endpoint logs

Question 2

A security analyst at a healthcare organization is investigating a suspected unauthorized disclosure of patient records after receiving a tip from the compliance officer. The analyst has determined that access may have occurred through the organization's web-based electronic health records (EHR) portal used by clinical staff. The analyst needs to identify exactly which authenticated user accounts accessed specific patient records, at what times those access events occurred, and what actions — such as viewing, exporting, or modifying records — were performed within the application during the suspected window of unauthorized activity. Which data source would MOST directly provide details about authenticated user activity and actions taken within the web application itself?

A. Network flow records B. Firewall logs C. Application logs D. Packet captures

Question 3

A threat hunter at a financial services firm is investigating a potentially compromised workstation after a security alert indicates that an unusual process attempted to access the Local Security Authority Subsystem Service (LSASS) process memory — a technique commonly used by attackers to harvest credentials. The threat hunter needs to determine which parent process spawned the suspicious child process, the exact time the process was created, and the full command-line arguments used to launch it. The analyst is looking for the data source that most specifically records process creation events, including parent-child process relationships, on individual hosts. Which data source would BEST support this investigation?

A. IPS/IDS logs B. Firewall logs C. Endpoint logs D. Vulnerability scan results

Question 4

During an investigation into a suspected privilege escalation incident at a government agency, a security analyst needs to determine whether a standard domain user account was used to access a sensitive administrative network share on a Windows file server. The analyst is specifically looking for evidence of successful and failed logon events to the server, privilege use events, and file object access events that may indicate unauthorized access to restricted files. The analyst has confirmed that auditing policy is properly configured on the system. Which OS-specific log source on the Windows server would contain the audit records necessary to support this investigation?

A. IPS/IDS signature event logs B. Network flow records from the switch C. Application event logs from the file sharing service D. Windows Security event logs

Question 5

A network security engineer at a technology company receives an alert indicating that the organization's intrusion detection system has triggered a signature match on traffic destined for a web server in the DMZ. The engineer reviews the IDS logs to determine the specific signature that was matched, the source IP address of the suspicious traffic, and whether additional alerts from the same source were generated within the past 24 hours. The engineer notes that the IDS sensor is configured in passive tap/monitor mode with no inline blocking capability. Which statement MOST accurately describes what the IDS logs will contain and what action the sensor took in response to the matched traffic?

A. IDS logs will not be generated in passive mode because the sensor must be deployed inline to produce alert records B. IDS logs will contain signature match details, source and destination information, and alert timestamps, but the traffic will not have been blocked by the sensor C. IDS logs will reflect the same allow and deny records as firewall logs, making a separate firewall review redundant for this investigation D. IDS logs only capture events for confirmed successful attacks; attempted intrusions that did not succeed are not recorded

Question 6

An analyst at a managed security service provider (MSSP) is investigating a suspected data exfiltration incident at a client organization. The client believes that large volumes of sensitive engineering documents were transferred to an external cloud storage service over a four-week period, primarily during off-hours. The analyst needs to determine the volume of data transferred from specific internal source hosts to external IP addresses, the timing and duration of each transfer session, and the total bytes transferred per destination — without needing to inspect the actual content of what was transmitted. Which data source would BEST support this investigation by providing traffic volume and connection metadata without capturing full packet payloads?

A. Application logs from the document management system B. Automated vulnerability scan reports C. Network flow records such as NetFlow or IPFIX D. OS-specific security event logs from the affected endpoints

Question 7

A digital forensics examiner is investigating an insider threat case involving an employee suspected of leaking confidential product development documents to a competitor. The examiner has obtained a set of files recovered from the employee's personal cloud storage account and needs to determine when each document was originally created, when it was last modified, the identity of the user account that authored each file, and whether any files were altered after being copied from the corporate environment. The examiner wants to obtain this contextual information without necessarily reading the complete content of each document. Which data source would provide creation timestamps, modification timestamps, and authorship details associated with the files?

A. Packet captures of outbound web traffic from the corporate network B. Vulnerability scan output from the corporate network scanner C. Firewall logs from the perimeter security appliance D. File metadata

Question 8

Following a security incident in which an attacker exploited an unpatched vulnerability in a publicly accessible web application, the CISO of a retail company has directed the security team to identify all other systems in the environment that may be susceptible to similar unpatched vulnerabilities. The team must produce a prioritized remediation list that includes the specific CVEs present on each affected system, the CVSS severity scores, and the installed software versions involved. The team needs a data source that systematically identifies and enumerates known weaknesses across the organization's entire infrastructure. Which data source would BEST fulfill this requirement?

A. Firewall logs from the perimeter and internal network zones B. Full packet captures collected from the network core switch C. Vulnerability scan results D. IPS/IDS alert logs from the past 90 days

Question 9

A security analyst at a software development company is investigating a suspected command injection attack against one of the company's internal REST APIs. The analyst needs to inspect the exact HTTP requests submitted to the API endpoint — including the full URI path, request headers, query string parameters, and request body — to determine whether malicious input was injected, what the specific payload looked like, and what the server returned in its HTTP response codes and response bodies. The analyst requires complete visibility into the application-layer content of the network transactions. Which data source would allow the analyst to inspect the full content of network communications at the application layer, including request payloads and server responses?

A. Endpoint process creation and command-line audit logs B. Network flow records such as NetFlow C. Packet captures D. Automated SIEM correlation reports

Question 10

The security operations team at a large enterprise has recently deployed a SIEM solution that ingests logs from firewalls, endpoint agents, IDS sensors, and directory service authentication systems. The security manager wants the team to have a single, real-time visual interface that shows the current count of critical and high-severity alerts, the top 10 internal source IP addresses generating alerts, a geographic distribution map of external login attempts, and the total number of open incidents — enabling the team to maintain continuous situational awareness throughout each shift without running manual queries against raw log data. Which SIEM capability is the security manager describing as the primary interface for this shift-based operational visibility?

A. Packet capture analysis module B. Vulnerability scan integration feed C. Security dashboard D. Chain of custody documentation log

Desk Mat CTA Block

Tired of Googling acronyms while practicing/studying?
Keep them all under your keyboard.

📋 GET_THE_DESK_MAT

Take more CompTIA Security+ practice tests

CompTIA Security+ Practice Test of the Day 260331

ByThe Test Master

Related Post

CompTIA Security+ Practice Test of the Day 260410

CompTIA Security+ Practice Test of the Day 260409

CompTIA Security+ Practice Test of the Day 260408

Leave a Reply Cancel reply

You missed

CEH v13 Domain 3.3 Practice Test 002

CEH v13 Domain 3.2 Practice Test 002

CEH v13 Domain 3.1 Practice Test 002

CEH v13 Domain 2.3 Practice Test 002