CompTIA Security+ Practice Test of the Day 260524

Welcome to today’s CompTIA Security+ practice test!

This practice test uses our new UI!

Today’s practice test is based on Subdomain 4.9 (Given a scenario, use data sources to support an investigation) from the CompTIA Security+ SY0-701 objectives.

This beginner-level practice test is inspired by the CompTIA Security+ (SY0-701) exam and is designed to help you reinforce key cybersecurity concepts on a daily basis.

These questions are not official exam questions, nor are they brain dumps, but they reflect topics and scenarios relevant to the Security+ certification. Use them to test your knowledge, identify areas for improvement, and build daily cybersecurity habits.

Note: CompTIA and Security+ are registered trademarks of CompTIA. This content is not affiliated with or endorsed by CompTIA.

To choose CompTIA Security+ practice tests based on specific domains/subdomains, click that link.

CompTIA Security+ Practice Test of the Day 260524

10 questions • Single best answer

Question 1

A forensic investigator responding to a suspected insider threat is analyzing traffic patterns on the corporate network. Which data source would provide the MOST detailed view of actual packet-level communication between a suspect workstation and an external IP?

A. IPS/IDS logs B. Firewall logs C. Packet captures D. Endpoint logs

Question 2

A security analyst is investigating a malware infection and needs to determine which user account was logged into a Windows workstation at the time of the attack. Which log source is MOST useful?

A. Network logs B. Application logs C. OS-specific security logs D. IPS/IDS logs

Question 3

During an investigation into a web server compromise, the analyst needs to identify which URLs were requested and whether those requests were allowed or blocked. Which log source BEST supports this?

A. Endpoint logs B. Metadata C. Application logs D. Network logs

Question 4

An analyst uses a SIEM dashboard to correlate events across multiple systems after a suspected breach. The dashboard shows login failures, privilege escalation, and large outbound transfers all occurring within a 30-minute window. Which data source type does a SIEM dashboard primarily aggregate?

A. Packet captures B. Automated reports from vulnerability scans C. Log data from multiple sources D. Physical access records

Question 5

A threat analyst suspects an attacker used a compromised email account to exfiltrate data. Which metadata field would be MOST useful in tracing the attacker's origin?

A. Email body content B. Message-ID header C. Received and X-Originating-IP headers D. MIME content type

Question 6

A security team is investigating an alert but finds that logs from the affected system between 11 PM and midnight are completely absent. Which of the following is the MOST likely conclusion?

A. The system was in maintenance mode and logging was suspended B. The IDS signature failed to trigger during that window C. The attacker may have tampered with or cleared the logs D. The SIEM failed to normalize incoming log data

Question 7

An organization's IDS generates thousands of events daily. The security team uses automated reports to identify recurring patterns across a 30-day period. What is the PRIMARY advantage of using automated reports over manually reviewing raw IDS logs?

A. Automated reports eliminate false positives from IDS alerts B. Automated reports provide pattern analysis and trend visibility across large datasets efficiently C. Automated reports capture full packet contents for each IDS alert D. Automated reports replace the need for human analysis in incident response

Question 8

After a ransomware attack, investigators need to determine whether data was exfiltrated before encryption. Which combination of data sources would BEST support this determination?

A. Vulnerability scan results and endpoint logs B. Network logs and firewall logs showing outbound traffic volume C. OS-specific security logs and application logs D. IPS/IDS alerts and patch management reports

Question 9

A security analyst receives results from a recent vulnerability scan showing several critical CVEs on internet-facing servers. The analyst uses this data to prioritize patching. In the context of supporting investigations, what role do vulnerability scans serve?

A. They provide real-time threat intelligence about active attacks B. They identify attack surface weaknesses that could correlate with exploited vectors during an incident C. They capture network traffic for forensic reconstruction of attack paths D. They generate audit trails of user activity on target systems

Question 10

During a post-breach investigation, a security analyst reviews firewall logs and notices that connections to a suspicious IP were permitted for three weeks before being blocked. What critical gap does this finding expose?

A. The firewall rules were not following the principle of least privilege B. The IDS failed to generate alerts for the suspicious connection C. The threat was not detected and blocked in a timely manner, indicating a detection gap D. The firewall logs were not being forwarded to the SIEM