Practice Free CS0-003 Exam Online Questions – Page 13

Question #121

An organization discovered a data breach that resulted in Pll being released to the public. During the lessons learned review, the panel identified discrepancies regarding who was responsible for external reporting, as well as the timing requirements.

Which of the following actions would best address the reporting issue?

A . Creating a playbook denoting specific SLAs and containment actions per incident type
B . Researching federal laws, regulatory compliance requirements, and organizational policies to document specific reporting SLAs
C . Defining which security incidents require external notifications and incident reporting in addition to internal stakeholders
D . Designating specific roles and responsibilities within the security team and stakeholders to streamline tasks

Reveal Solution Hide Solution

Question #122

Exploit code for a recently disclosed critical software vulnerability was publicly available (or download for several days before being removed.

Which of the following CVSS v.3.1 temporal metrics was most impacted by this exposure?

A . Remediation level
B . Exploit code maturity
C . Report confidence
D . Availability

Reveal Solution Hide Solution

Question #123

A cybersecurity analyst is tasked with scanning a web application to understand where the scan will go and whether there are URIs that should be denied access prior to more in-depth scanning.

Which of following best fits the type of scanning activity requested?

A . Uncredentialed scan
B . Discqyery scan
C . Vulnerability scan
D . Credentialed scan

Reveal Solution Hide Solution

Question #124

A company is in the process of implementing a vulnerability management program. no-lich of the following scanning methods should be implemented to minimize the risk of OT/ICS devices malfunctioning due to the vulnerability identification process?

A . Non-credentialed scanning
B . Passive scanning
C . Agent-based scanning
D . Credentialed scanning

Reveal Solution Hide Solution

Question #125

A security analyst reviews a packet capture and identifies the following output as anomalous:

13:49:57.553161

TP10.203.10.17.45701>10.203.10.22.12930:Flags[FPU],seq108331482, win1024, urg0, length0

13:49:57.553162

IP10.203.10.17.45701>10.203.10.22.48968:Flags[FPU],seq108331482, win1024, urg0, length0

…

Which of the following activities explains the output?

A . Nmap Xmas scan
B . Nikto’s web scan
C . Socat’s proxying traffic using the urgent flag
D . Angry IP Scanner output

Reveal Solution Hide Solution

Question #126

An analyst recommends that an EDR agent collect the source IP address, make a connection to the firewall, and create a policy to block the malicious source IP address across the entire network automatically.

Which of the following is the best option to help the analyst implement this recommendation?

A . SOAR
B . SIEM
C . SLA
D . IoC

Reveal Solution Hide Solution

Correct Answer: A
A

Explanation:

SOAR (Security Orchestration, Automation, and Response) is the best option to help the analyst implement the recommendation, as it reflects the software solution that enables security teams to integrate and coordinate separate tools into streamlined threat response workflows and automate repetitive tasks. SOAR is a term coined by Gartner in 2015 to describe a technology that combines the functions of security incident response platforms, security orchestration and automation platforms, and threat intelligence platforms in one offering. SOAR solutions help security teams to collect inputs from various sources, such as EDR agents, firewalls, or SIEM systems, and perform analysis and triage using a combination of human and machine power. SOAR solutions also allow security teams to define and execute incident response procedures in a digital workflow format, using automation to perform low-level tasks or actions, such as blocking an IP address or quarantining a device. SOAR solutions can help security teams to improve efficiency, consistency, and scalability of their operations, as well as reduce mean time to detect (MTTD) and mean time to respond (MTTR) to threats. The other options are not as suitable as SOAR, as they do not match the description or purpose of the recommendation. SIEM (Security Information and Event Management) is a software solution that collects and analyzes data from various sources, such as logs, events, or alerts, and provides security monitoring, threat detection, and incident response capabilities. SIEM solutions can help security teams to gain visibility, correlation, and context of their security data, but they do not provide automation or orchestration features like SOAR solutions. SLA (Service Level Agreement) is a document that defines the expectations and responsibilities between a service provider and a customer, such as the quality, availability, or performance of the service. SLAs can help to manage customer expectations, formalize communication, and improve productivity and relationships, but they do not help to implement technical recommendations like SOAR solutions. IoC (Indicator of Compromise) is a piece of data or evidence that suggests a system or network has been compromised by a threat actor, such as an IP address, a file hash, or a registry key. IoCs can help to identify and analyze malicious activities or incidents, but they do not help to implement response actions like SOAR solutions.

Question #127

Which of the following best describes root cause analysis?

A . It describes the tactics, techniques, and procedures used in an incident.
B . It provides a detailed path outlining the origin of an issue and how to eliminate it permanently.
C . It outlines the who-what-when-where-why, which is often used in conjunction with legal proceedings.
D . It generates a report of ongoing activities, including what was done, what is being done, and what will be done next.

Reveal Solution Hide Solution

Question #128

The analyst reviews the following endpoint log entry:

Which of the following has occurred?

A . Registry change
B . Rename computer
C . New account introduced
D . Privilege escalation

Reveal Solution Hide Solution

Question #129

Which of the following is the best metric for an organization to focus on given recent investments in SIEM, SOAR, and a ticketing system?

A . Mean time to detect
B . Number of exploits by tactic
C . Alert volume
D . Quantity of intrusion attempts

Reveal Solution Hide Solution

Question #130

A security operations center receives the following alerts related to an organization’s cloud tenant:

Which of the following should an analyst do first to identify the initial compromise?

A . Search audit logs for all activity under project staging-01 and correlate any actions against VM edoifj34.
B . Search audit logs for [email protected] and correlate the successful API requests on project staging-oi.
C . Review audit logs for any successful compute instance actions targeting project staging-oi during the time of the alerts.
D . Review logs for any audit action targeting compute instance APIs during the time of the alerts on VM fd03lf.

Reveal Solution Hide Solution

Correct Answer: B
B

Explanation:

To identify the initial compromise, the analyst should start with the earliest suspicious activity in the timeline and pivot into the audit logs for the principal (identity) associated with that first alert.

Here, the first notable event is 02:00 excessive API failures tied to [email protected]. That commonly indicates password guessing, token misuse, or other authentication abuse attempts. The next events (02:15 metadata service access, 05:10 mass VM creation by a service account, 05:40 malware) look like follow-on activity after an initial foothold. Therefore, the best first step is to check whether those API failures were followed by any successful API calls by that user and then correlate those successful actions to the later stages in project staging-0 1.

This approach aligns with CySA+ guidance that analysts should use logs + timestamps to build a timeline and correlate events across identities/systems to understand scope and progression:

Sybex emphasizes correlating events from multiple sources and using that correlation to determine scope and impact:

Exact extract (Sybex Study Guide): “Security analysts are often asked to help analyze that data… Knowing if other events are correlated with the initial event… [and] understanding what systems, users, services, or other assets were involved…”

Secbay underscores that logs and timestamps are key to forming an accurate incident timeline (which is exactly what we’re doing by starting from the earliest alert):

Exact extract (Secbay Press): “System and application logs with timestamps help create a timeline of events, aiding in understanding when specific actions occurred during the incident.”

Why Option B is best vs. the others

B starts with the earliest suspicious identity and seeks successful API activity that would confirm compromise and explain subsequent actions (metadata access → service account actions → malware).

A is too broad initially (“all activity under project staging-01”) and anchors on a VM that only appears later; it’s not the best first pivot when you already have an earlier suspect identity.

C starts at the compute-instance phase (05:10) rather than the earliest authentication/API anomaly (02:00), so it’s more likely to find post-compromise actions rather than the initial entry.

D anchors on a specific later VM (fd031f) and compute APIs, again likely after the initial compromise.

Reference (CompTIA CySA+ CS0-003 documents / study guides used):

Mike Chapple & David Seidl, CompTIA CySA+ Study Guide (CS0-003): correlate other events with the initial event; identify involved users/systems/services

Secbay Press, CompTIA CySA+ Exam Prep Guide (CS0-003): logs + timestamps build a timeline of events and support analysis of incident progression

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17

Exams