50 Cisco Certified CyberOps Associate Practice Questions: Question Bank 2025
Build your exam confidence with our curated bank of 50 practice questions for the Cisco Certified CyberOps Associate certification. Each question includes detailed explanations to help you understand the concepts deeply.
Why Use Our 50 Question Bank?
Strategically designed questions to maximize your exam preparation
50 Questions: A comprehensive set of practice questions covering key exam topics
All Domains Covered: Questions distributed across all exam objectives and domains
Mixed Difficulty: Easy, medium, and hard questions to test all skill levels
Detailed Explanations: Learn from comprehensive explanations for each answer
Practice Questions
50 practice questions for Cisco Certified CyberOps Associate
An analyst observes repeated authentication failures for multiple user accounts from a single internal workstation, followed by one successful login to a privileged account. Which attack technique best explains this pattern?
A SOC wants to reduce false positives from alerts triggered by authorized vulnerability scans. What is the BEST approach?
A Windows endpoint alert indicates a new service was created and set to start automatically shortly after a user opened an email attachment. Why is this behavior most suspicious?
A packet capture shows a TCP three-way handshake completing to a server, but the client immediately sends a FIN and closes the connection without exchanging application data. What is the MOST likely explanation?
A SOC receives logs from firewalls, endpoints, DNS, and proxies. Analysts need to quickly pivot from an alert about a suspicious domain to the related hosts, users, and process activity. Which capability is MOST important in the logging platform?
An endpoint detection alert shows PowerShell launching with an encoded command and then creating a scheduled task that runs every 15 minutes. What is the BEST next step for an analyst to validate maliciousness and scope impact?
A web server generates many outbound DNS queries with unusually long subdomain labels and high query volume, but the responses often contain NXDOMAIN. Which data exfiltration method does this MOST likely indicate?
A security incident requires preserving evidence for potential legal action. Which practice BEST supports chain of custody?
A SIEM rule triggers on "multiple failed logins" and generates excessive alerts during peak hours. The SOC wants to keep detection value but reduce alert fatigue. Which tuning change is MOST effective?
During investigation of suspected lateral movement, logs show a workstation connecting to many internal hosts on TCP 445 and 135, followed by a spike in failed logons and then a successful logon to an admin share (\\HOST\C$). Which conclusion is MOST supported by these indicators?
An analyst is reviewing SIEM alerts and sees repeated failed logins followed by a successful login to the same user account from the same source IP within a short time window. Which activity does this pattern MOST likely indicate?
A security team wants to ensure that collected logs can be used as evidence in an investigation and have not been altered. Which control BEST supports this requirement?
A Windows endpoint shows an unknown executable launching from the user profile's Temp directory at login. Which built-in Windows artifact is MOST useful to confirm whether the program is configured to persist at logon?
A SOC receives an alert that a host is making periodic outbound connections to a rare domain with low reputation. The connections occur every 60 seconds and transfer small, consistent payload sizes. What is the MOST likely explanation?
An IDS triggers on multiple TCP SYN packets to many different destination ports on the same internal server from a single external IP address, with few completed handshakes. What activity BEST matches this pattern?
After containment of a suspected malware infection, an analyst is asked to determine whether the malware executed and what it did on a Windows host. Which data source is MOST directly useful to identify process creation activity with parent-child relationships?
A SIEM rule is generating many false positives because it triggers whenever any user authenticates from a new geographic location. Which tuning approach BEST reduces false positives while maintaining detection value?
A company is designing an incident response process. Which step should occur FIRST after an incident has been confirmed, according to common best practices?
A packet capture shows an internal host repeatedly sending DNS queries where the subdomain portion is long, high-entropy, and changes every request (e.g., random-looking strings), while the second-level domain stays constant. The responses are mostly NXDOMAIN. What is the MOST likely explanation?
During a host investigation, an analyst finds a scheduled task that launches 'powershell.exe -EncodedCommand ...' under a user context every 5 minutes. The command line is heavily obfuscated. What is the BEST next step to understand the task's intent while minimizing risk to the environment?
A SOC analyst receives an alert that a workstation is making repeated outbound connections to random-looking domains (for example, xj3k9a.example, p0q7z.example) with short-lived DNS TTL values. Which technique is MOST likely being used by the malware?
During incident triage, an analyst wants to determine whether a suspicious process on a Linux host persists after reboot. Which artifact MOST directly indicates persistence via scheduled execution?
A security team is reviewing controls and wants to reduce risk from users reusing passwords across services. Which control BEST addresses this risk at the identity layer?
A SOC is overwhelmed by a high volume of low-confidence IDS alerts. Which approach is MOST effective to reduce noise while preserving detection capability?
An analyst sees web proxy logs with requests like: /index.php?id=1%20UNION%20SELECT%20username,password%20FROM%20users--. Which activity is MOST consistent with this pattern?
A Windows endpoint shows a suspicious PowerShell process that spawns from WINWORD.exe shortly after a user opened an email attachment. Which next step provides the BEST evidence to confirm malicious behavior while minimizing impact to the host?
A SOC manager is formalizing incident response procedures. Which document BEST defines who must be contacted, within what timeframes, and what communications are allowed during an incident?
NetFlow data shows a single internal host initiating connections to thousands of external IPs on TCP/445 with short timeouts and very few completed sessions. What is the MOST likely explanation?
A SIEM correlation rule should detect potential credential stuffing against a VPN portal. Which logic is MOST effective while limiting false positives?
After containment, an organization wants to ensure forensic evidence is admissible and defensible if legal action is pursued. Which practice is MOST important to maintain throughout evidence handling?
A SOC analyst wants to quickly reduce false positives from a rule that flags outbound HTTPS connections as suspicious. Which approach is the MOST effective first step?
On a Windows endpoint, which artifact is MOST useful to determine what program executed at user logon for persistence?
Which statement BEST describes the primary purpose of the Common Vulnerability Scoring System (CVSS) score?
During an investigation, an analyst needs to preserve evidence from a potentially compromised workstation. Which action is the BEST practice to maintain evidence integrity?
A firewall log shows repeated outbound connections from a single internal host to many sequential destination ports on the same external IP over a short time period. What is the MOST likely explanation?
An EDR alert indicates a Microsoft Office process spawned PowerShell with an encoded command. Why is this behavior considered high risk?
A SOC team wants to detect data exfiltration over DNS. Which pattern is MOST indicative of DNS tunneling?
A SOC is building correlation rules and wants to reduce alert duplication across tools (SIEM, IDS, EDR). Which design choice BEST supports consistent correlation and reporting?
A proxy log shows an internal host downloading an executable, followed by an immediate outbound connection to a rare domain over TCP/443. The TLS handshake uses Server Name Indication (SNI) for a domain that does not match the certificate subject. What is the MOST likely explanation?
A Linux server is suspected of compromise. You see a new cron entry executing a script from /tmp every minute, but the file disappears intermittently. Which next step is BEST to capture actionable evidence while minimizing changes to the system?
An analyst is asked to explain why a security control is considered "deterrent" rather than "preventive." Which control is the best example of a deterrent control?
During log review, a SOC analyst sees repeated authentication failures followed by a single successful login from the same source IP to an administrative account. Which activity does this pattern most strongly suggest?
A manager asks what the primary goal of a "lessons learned" meeting is after a security incident. What is the best answer?
A SIEM correlation rule is generating many false positives because DNS logs include internal resolvers and forwarders that cause duplicate events. Which approach most directly reduces this noise while preserving detection value?
A Windows endpoint alert shows a suspicious PowerShell command with "-enc" and a long Base64 string. What is the most appropriate immediate analyst action to validate the activity?
A SOC receives an IDS alert indicating possible SQL injection attempts against a web application. The HTTP requests show repeated single quotes (') and "UNION SELECT" patterns. What is the best next step for validation?
An analyst observes outbound connections from a user workstation to many external IPs on TCP/25. The organization does not run a mail server on workstations. Which interpretation is most likely?
A company wants to ensure incident responders can rapidly preserve evidence from endpoints while maintaining chain of custody. Which practice best supports this requirement?
A network sensor detects a TLS-encrypted session to an unfamiliar domain, but the SOC cannot decrypt payloads. Which data source provides the most actionable visibility to assess risk without decrypting content?
An EDR tool reports that a signed system binary was used to execute a malicious script, and the process tree shows: winword.exe -> powershell.exe -> rundll32.exe. The DLL executed was located in the user profile temp directory. Which conclusion best fits this evidence?
Cisco Certified CyberOps Associate 50 Practice Questions FAQs
Cisco Certified CyberOps Associate is a professional certification from Cisco that validates foundational knowledge of cybersecurity operations concepts and technologies. The official exam code is 200-201.
Our 50 Cisco Certified CyberOps Associate practice questions include a curated selection of exam-style questions covering key concepts from all exam domains. Each question includes detailed explanations to help you learn.
A set of 50 questions is a great starting point for Cisco Certified CyberOps Associate preparation. For comprehensive coverage, we recommend also using our 100 and 200 question banks as you progress.
The 50 Cisco Certified CyberOps Associate questions are organized by exam domain and include a mix of easy, medium, and hard questions to test your knowledge at different levels.