Cisco Certified CyberOps Associate Practice Exam 2025: Latest Questions

A SOC analyst is reviewing alerts and sees outbound connections from a workstation to many sequential destination ports on a single external IP within a short time window. Which activity does this pattern most likely indicate?

An analyst wants to quickly determine which process on a Windows host is responsible for an unusual outbound TCP connection observed in a packet capture. Which host-based data source is the BEST to correlate with the network observation?

A security team is implementing a control to reduce the impact of a compromised user account by limiting what that account can do. Which security principle is being applied?

A SOC receives an alert that a user clicked a link in a suspicious email. What is the MOST appropriate immediate action to help prevent further compromise while maintaining business continuity?

A SOC is tuning its SIEM to reduce false positives. A rule currently triggers on any single failed login. Which change is the BEST improvement while keeping detection value for password-guessing attacks?

An analyst investigates a suspected phishing incident. The email uses a display name matching the CFO, but the actual sender address is from a look-alike domain and passes through multiple mail relays. Which email header field is MOST useful to help validate the sending domain’s authorization to send on behalf of that domain?

A Linux server shows signs of compromise. During triage, you notice a new scheduled task that runs every minute and downloads a script from a remote site. Which artifact is the MOST relevant to review first to confirm persistence via scheduled execution?

A network sensor triggers on an inbound connection attempt to an internal host on TCP/445 followed by a series of connections from that host to many other internal hosts on TCP/445. Which interpretation BEST matches this behavior?

A SOC is analyzing web proxy logs and observes a workstation making periodic HTTPS connections to a rare domain at a consistent interval (every 60 seconds). The SNI indicates the rare domain, and the connections have similar byte counts each time. Which action provides the BEST next step to increase confidence that this is command-and-control (C2) beaconing?

An incident responder must collect evidence from a potentially compromised Windows endpoint. The system is powered on and shows suspicious processes. Which approach BEST preserves volatile evidence while maintaining forensic soundness?

An analyst notices repeated authentication failures followed by a successful login from the same internal workstation to multiple servers within 2 minutes. Which activity does this pattern MOST likely indicate?

A SOC receives an alert that a workstation created a scheduled task named "UpdateService" that runs PowerShell with an encoded command at user logon. What is the PRIMARY security concern with this artifact?

A security engineer is designing a log collection architecture for incident investigation. Which approach BEST supports integrity and nonrepudiation of collected logs?

A network sensor alerts on a TCP session where the client sends SYN, receives SYN-ACK, then immediately sends RST. This repeats to many destination ports on the same server. What is the MOST likely explanation?

A proxy log shows a user downloaded a file named "invoice.pdf.exe". On the endpoint, the file icon appears as a PDF and the user reports they "opened a PDF". Which Windows feature is MOST likely being abused to deceive the user?

During triage, you see multiple endpoints making DNS queries for randomized subdomains of a single domain (for example, a1x9z.example.com, p7k2q.example.com) at regular intervals. What is the MOST likely purpose of this activity?

An organization wants to reduce alert fatigue by prioritizing which security events are escalated. Which method BEST aligns with SOC best practices?

A SIEM correlation rule is intended to detect data exfiltration but produces many false positives when employees use legitimate cloud storage. Which tuning change is MOST effective while keeping detection value?

An endpoint EDR shows that a Word processor spawned a command shell, which then spawned PowerShell to download a script from the internet. Which MITRE ATT&CK tactic is MOST directly represented by the initial document launching the command shell?

A responder suspects an attacker is using a compromised Linux web server as a pivot. Netflow shows short, periodic outbound connections from the web server to an internal database server on TCP/22, but the database server is not supposed to accept SSH from the web tier. Which is the BEST next step to confirm and scope the intrusion with minimal disruption?

A SOC analyst receives an alert that a workstation attempted to resolve a very large number of random-looking subdomains for a single domain within a short time window (e.g., xj3k9.example.com, a91lz.example.com). No corresponding web traffic is seen. What is the MOST likely explanation?

A security operations team wants to reduce alert fatigue while still detecting new threats. Which approach is a BEST PRACTICE for tuning detection rules in a SIEM?

An analyst finds a Windows endpoint where PowerShell execution is blocked, but suspicious processes are still launching encoded commands through an Office document. Which Windows control would MOST directly help identify the parent-child process relationship and command-line used for the launches?

During an incident, a new critical vulnerability is announced that impacts an internet-facing service. Which action MOST appropriately aligns with incident response best practices when both mitigation and evidence preservation are required?

A network sensor flags repeated TCP SYN packets from an external IP to many sequential ports on a single internal host. The internal host replies with SYN-ACK on some ports, but the external IP never completes the three-way handshake. What activity does this MOST likely indicate?