CYSA-004 Practice Questions: Security Operations Domain

Correct answer (A): Low-volume outbound traffic at highly regular intervals to a rare destination is a classic beaconing pattern. The nearly exact five-minute cadence, very small payload size, first-seen domain, and single-host contact pattern all align with likely command-and-control traffic rather than normal application use or bulk transfer behavior.

Why the other options are wrong:
- Option B: Data uploads would usually involve much higher volume and less rigid timing. The stem instead shows small, repeating bursts.
- Option C: Vulnerability scanning would typically target many destinations or ports, not a single rare external endpoint every five minutes.
- Option D: Load balancer health checks would usually originate from infrastructure devices and be expected, not from a workstation with first-seen DNS activity.

Correct answer (B): The first step is to validate the AI claim against the original telemetry because AI-generated summaries can hallucinate, overstate certainty, or ignore contradictory evidence. The scenario also creates a sensitive-data handling problem because raw logs were submitted to an unapproved public tool. CySA+ analysts should not contain, escalate, or report based on unsupported AI output; they should verify the evidence and move analysis into an approved, access-controlled workflow.

Why the other options are wrong:
- Option A: Immediate isolation based only on an unsupported AI claim risks major disruption and skips evidence-based validation.
- Option C: Requesting more AI analysis does not solve the two core problems: the conclusion is unverified and the data was placed into an unapproved public tool.
- Option D: Executive reporting should contain validated facts, not unsupported AI conclusions, especially when the underlying workflow already has data-handling concerns.

Correct answer (B): EDR telemetry is the best source because the question is about host-level execution. Process trees, parent-child relationships, and command-line details can directly show whether the spreadsheet application launched PowerShell or another script interpreter. SIEM authentication events, firewall logs, and vulnerability scans may support broader investigation, but they do not directly confirm local execution behavior on the endpoint.

Why the other options are wrong:
- Option A: Authentication data can help correlate user activity, but it does not directly show whether Excel or another spreadsheet process spawned PowerShell on the host.
- Option C: Firewall logs may show follow-on network activity, but they do not reliably prove that the spreadsheet triggered local script execution.
- Option D: Vulnerability scans identify weaknesses and missing patches; they do not show what process actually ran on the laptop.

Correct answer (B): Threat hunting is proactive and hypothesis-driven, not just reviewing whatever has already alerted. The stated hypothesis is that stolen session tokens may be used for abnormal role assumption and privilege changes. The best hunt is therefore to query IAM and API activity directly for that sequence, especially by accounts that do not normally perform those actions.

Why the other options are wrong:
- Option A: This is reactive alert triage, not a proactive hunt based on a specific adversary pattern.
- Option C: Reimaging endpoints is a remediation action without evidence and does not answer the hunt question.
- Option D: Waiting for another alert defeats the purpose of threat hunting, which is intended to find suspicious activity before or without an existing detection.

Correct answer (C): SOAR is best used for repetitive, well-bounded, low-risk tasks. Enrichment and case creation fit that model because they speed analyst workflow without causing business disruption if the initial signal is wrong. In contrast, isolating hosts, disabling accounts, or deleting messages based on a single alert can create significant operational impact, especially in an environment with frequent false positives and remote users.

Why the other options are wrong:
- Option A: Host isolation may be justified in very high-confidence situations, but the stem highlights frequent false positives and a remote workforce, making fully automatic isolation too risky.
- Option B: Disabling an account after a single feed verdict is too disruptive for full automation without stronger validation or an approval gate.
- Option D: Message deletion can be useful in mature workflows, but immediately deleting from all mailboxes after one alert is riskier than enrichment and can impact legitimate business email.

Correct answer (A): A SIEM is the best choice because the analyst's goal is centralized collection and correlation of multiple telemetry sources in one place. VPN logs, DNS events, and Windows authentication logs are exactly the kind of cross-source data a SIEM aggregates into a timeline for investigation. EDR focuses on endpoint telemetry, IDS/IPS focuses on network detection or blocking, and SOAR automates workflows using data from other tools rather than serving as the primary correlation platform.

Why the other options are wrong:
- Option B: EDR provides rich host visibility and response actions, but it is not the primary tool for broad correlation across VPN, DNS, and server authentication sources.
- Option C: IDS/IPS can detect suspicious network traffic, but it does not serve as the main platform for centralized correlation of diverse logs over time.
- Option D: SOAR orchestrates actions and enrichment workflows, but it typically consumes data from systems like SIEMs rather than acting as the main log correlation engine.

Correct answer (B): Long subdomains, frequent TXT queries, and regular intervals make DNS tunneling suspicious, but they do not prove exfiltration by themselves. The strongest next step is to correlate the DNS activity to the generating host process and review the destination's reputation or expected business use. CySA+ emphasizes corroboration across network and host telemetry before declaring a finding exploitable or malicious.

Why the other options are wrong:
- Option A: The pattern is suspicious, but declaring confirmed exfiltration without host or process correlation is premature.
- Option C: Password reset does not address the immediate question and assumes identity theft without supporting evidence.
- Option D: Even if some DNS activity is protected in other scenarios, the provided telemetry is still useful. The analyst should investigate further rather than dismiss it.

Correct answer (C): Good detection engineering favors multiple contextual signals over one weak indicator. Option C combines periodicity, low-volume repeated communication, a rare destination, and suspicious endpoint process context. That combination is much more characteristic of beaconing and will reduce false positives compared with rules that fire on a single new domain or common HTTPS traffic.

Why the other options are wrong:
- Option A: This repeats the same weak logic that caused the noise problem. A single connection to a newly seen domain is common in normal workstation activity.
- Option B: A large number of DNS resolutions may indicate other issues, such as scanning or tunneling, but it does not specifically improve fidelity for low-volume beaconing.
- Option D: Destination port 443 is normal for legitimate encrypted traffic and would create excessive noise.

Correct answer (A): Repeated denied MFA prompts followed by a successful approval, combined with a new device fingerprint and immediate high-volume data access, strongly suggests MFA fatigue or push bombing. The success event does not make the activity benign; it increases concern that an attacker gained access.

Why the other options are wrong:
- Option B: Password typos do not explain repeated MFA denials, the changed device fingerprint, or the large data download immediately after login.
- Option C: A successful MFA event does not prove legitimacy. In this scenario, the surrounding indicators make the successful approval more suspicious, not less.
- Option D: The pattern is focused on one account and is followed by valid access and data retrieval, which is more consistent with account compromise than service disruption.

Correct answer (A): Behavior-based logic is more durable than static indicators when an adversary changes infrastructure or hashes. Encoded PowerShell, suspicious parent-child process relationships, and follow-on network activity provide a stronger and more resilient detection pattern.

Why the other options are wrong:
- Option B: Single IP-based rules are brittle and will likely miss the same technique once the attacker changes infrastructure.
- Option C: Alerting on every PowerShell execution would create excessive noise and does not reflect good detection engineering for a SOC.
- Option D: Hash-based detection is narrow and easy for an attacker to evade by modifying the document or repackaging the payload.