CompTIA CySA+ CS0-003 Cybersecurity
Analyst Exam QUESTIONS AND
ANSWERS ALREADY GRADED A+
Domain 1: Security Operations (Questions 1-15)
1. A security analyst is reviewing SIEM logs and notices multiple failed login attempts for a
single user account from an IP address outside the organization, followed by a successful login
from a different IP address 5 minutes later. What type of attack is MOST likely occurring?
A) Brute force attack
B) Password spraying
C) Credential stuffing
D) Pass-the-hash attack
Correct Answer: A
Rationale: A burst of failed logins against one account followed by a success is the classic signature of a brute force (or dictionary) attack: the attacker guesses passwords for a single account until one works. Password spraying tries one or a few passwords across many accounts, so it shows up as single failures spread over many users rather than many failures on one. Credential stuffing replays username/password pairs from earlier breaches, typically one attempt per account, so it does not generate a run of failures on one account. Pass-the-hash requires an already captured NTLM hash and produces a successful logon without any failed guesses. The success from a second IP address after the failures is a secondary indicator (the attacker switching source or moving behind a proxy) and should be treated as a probable account compromise until the user confirms the login.
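The correlation rule described in question 1, written out as an added example (this is not code from the study guide). The log lines are constructed for the example, and their one-line format, timestamp, user, source IP and SUCCESS/FAILURE, is an assumption rather than any real SIEM's export format. The second function shows the contrast the rationale draws: a per-account rule misses password spraying, which has to be counted per source IP.

```python
"""Added example, not from the study guide: detection logic for question 1.

The log lines are constructed for this example, and their one-line format
('<ISO timestamp> <user> <source IP> <SUCCESS|FAILURE>') is an assumption,
not any real SIEM's export format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOGS = """\
2024-05-01T09:00:01Z jdoe 203.0.113.10 FAILURE
2024-05-01T09:00:04Z jdoe 203.0.113.10 FAILURE
2024-05-01T09:00:07Z jdoe 203.0.113.10 FAILURE
2024-05-01T09:00:10Z jdoe 203.0.113.10 FAILURE
2024-05-01T09:00:13Z jdoe 203.0.113.10 FAILURE
2024-05-01T09:05:02Z jdoe 198.51.100.7 SUCCESS
2024-05-01T09:01:00Z asmith 10.0.0.5 FAILURE
2024-05-01T09:01:30Z asmith 10.0.0.5 SUCCESS
2024-05-01T09:02:00Z bjones 203.0.113.10 FAILURE
2024-05-01T09:02:10Z bjones 203.0.113.11 FAILURE
2024-05-01T09:02:20Z bjones 203.0.113.12 FAILURE
"""


def parse(lines):
    """Parse the constructed format into (timestamp, user, ip, result),
    sorted by time so the correlation can be done in one pass."""
    events = []
    for line in lines.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, ip, result))
    events.sort(key=lambda e: e[0])
    return events


def find_brute_force(events, min_failures=5, window=timedelta(minutes=10)):
    """Alert when one account has >= min_failures failures inside `window`
    followed by a success. A success from a source IP that never failed is
    recorded as a secondary indicator (the scenario in question 1)."""
    failures = defaultdict(list)   # user -> [(timestamp, source ip), ...]
    alerts = []
    for ts, user, ip, result in events:
        if result == "FAILURE":
            failures[user].append((ts, ip))
            continue
        recent = [(t, i) for t, i in failures[user] if ts - t <= window]
        if len(recent) >= min_failures:
            failed_ips = {i for _, i in recent}
            alerts.append({
                "user": user,
                "failures": len(recent),
                "failure_ips": sorted(failed_ips),
                "success_ip": ip,
                "success_time": ts.isoformat(),
                "ip_changed": ip not in failed_ips,
            })
        failures[user] = []   # a success closes the sequence for that account
    return alerts


def find_password_spray(events, min_accounts=2):
    """Contrast case from the rationale: one source IP failing against many
    distinct accounts, which the per-account rule above would miss.
    min_accounts is set low only so the small sample triggers it."""
    accounts = defaultdict(set)    # source ip -> {accounts it failed against}
    for _, user, ip, result in events:
        if result == "FAILURE":
            accounts[ip].add(user)
    return {ip: sorted(users) for ip, users in accounts.items()
            if len(users) >= min_accounts}


if __name__ == "__main__":
    evts = parse(SAMPLE_LOGS)
    for a in find_brute_force(evts):
        print("BRUTE FORCE:", a)
    for ip, users in find_password_spray(evts).items():
        print("SPRAY-LIKE:", ip, users)
```

On the sample data only jdoe fires the brute-force rule (five failures from 203.0.113.10, then a success from 198.51.100.7, so ip_changed is true), while bjones, who has three failures from three addresses and no success, does not. The thresholds are illustrative; a production rule would be tuned against the organization's lockout policy and real failure rates.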
2. An analyst is configuring a SIEM to receive logs from various sources. Which log source
would provide the MOST detailed information about user authentication events?
A) Firewall logs
B) DNS server logs
C) Domain controller security logs
D) Web server access logs
Correct Answer: C
Rationale: Domain controller security logs record the domain's authentication activity: successful and failed logons (Windows Event IDs 4624 and 4625), account lockouts (4740), logons that are granted special privileges (4672), and Kerberos ticket requests and pre-authentication failures (4768, 4769 and 4771). This is the most detailed view of who authenticated, from where, and with which protocol. Firewall logs show network connections, DNS logs show name resolution queries, and web server access logs show HTTP requests, none of which carries account-level authentication detail. One caveat when onboarding the source: the domain controller only sees domain-account authentication, so logons with local accounts on member hosts have to be collected from those hosts' own security logs.
3. Which threat hunting methodology involves searching for specific indicators of compromise
(IoCs) that are already known to exist?
A) Hypothesis-driven hunting
B) Intelligence-driven hunting
C) Investigation-driven hunting
D) Random hunting
Correct Answer: B
Rationale: Intelligence-driven hunting uses known indicators of compromise (IoCs), tactics,
techniques, and procedures (TTPs) from threat intelligence feeds to search for specific threats.
Hypothesis-driven hunting uses analyst-generated theories about attacker behavior.
Investigation-driven hunting follows up on anomalies.
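An intelligence-driven hunt as an added example, not code from the study guide: a constructed IoC feed is loaded and matched against constructed proxy log lines. Both the feed layout (type,value CSV) and the proxy log layout are assumptions. The example includes the step a practitioner usually has to add: threat-intel feeds often "defang" indicators (hxxp, [.]) so they cannot be clicked, and a hunt that skips refanging them will silently match nothing.

```python
"""Added example, not from the study guide: intelligence-driven hunting with a
known-IoC list (question 3). Feed and log formats are assumptions, and all
indicators and log lines are constructed for the example."""
import re

# Constructed IoC feed in 'type,value' form, with defanged indicators as
# threat-intel feeds commonly deliver them.
IOC_FEED = """\
ip,203.0.113.77
domain,update[.]badcdn[.]example
url,hxxp://update[.]badcdn[.]example/stage2.ps1
"""

# Constructed proxy log: '<timestamp> <internal host> <method> <url> <status>'
PROXY_LOGS = """\
2024-05-01T10:00:00Z 10.0.0.12 GET http://update.badcdn.example/stage2.ps1 200
2024-05-01T10:00:05Z 10.0.0.12 GET https://www.example.org/index.html 200
2024-05-01T10:01:00Z 10.0.0.20 GET http://203.0.113.77/beacon 404
2024-05-01T10:02:00Z 10.0.0.31 GET https://mail.example.org/ 200
"""


def refang(indicator):
    """Undo common defanging so feed values compare equal to live log data:
    hxxp/hxxps -> http/https, [.] (.) [dot] -> ."""
    s = indicator.strip().lower()
    s = re.sub(r"^hxxps?", lambda m: m.group(0).replace("xx", "tt"), s)
    return s.replace("[.]", ".").replace("(.)", ".").replace("[dot]", ".")


def load_iocs(feed):
    """Return {ioc_type: set(of refanged values)}."""
    iocs = {}
    for line in feed.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        kind, value = line.split(",", 1)
        iocs.setdefault(kind.strip(), set()).add(refang(value))
    return iocs


def hunt(iocs, logs):
    """Return one (timestamp, internal host, ioc_type, matched value) per log
    line that touches a known indicator. A full URL match is reported in
    preference to a domain or IP match on the same line."""
    hits = []
    for line in logs.splitlines():
        if not line.strip():
            continue
        ts, host, _method, url, _status = line.split()
        url_l = url.lower()
        m = re.match(r"^[a-z]+://([^/:]+)", url_l)
        url_host = m.group(1) if m else ""
        if url_l in iocs.get("url", set()):
            hits.append((ts, host, "url", url_l))
        elif url_host in iocs.get("domain", set()):
            hits.append((ts, host, "domain", url_host))
        elif url_host in iocs.get("ip", set()):
            hits.append((ts, host, "ip", url_host))
    return hits


if __name__ == "__main__":
    for hit in hunt(load_iocs(IOC_FEED), PROXY_LOGS):
        print(hit)
```

Running it reports two hits: 10.0.0.12 fetching the exact staged URL, and 10.0.0.20 contacting the listed IP address. Everything else in the log is ignored, which is the point of this methodology: it finds only what the intelligence already describes, so it complements rather than replaces hypothesis-driven hunting.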
4. A security analyst is using Wireshark to capture network traffic. Which filter would show
ONLY traffic to or from IP address 192.168.1.100?
A) ip.addr == 192.168.1.100
B) ip.src == 192.168.1.100
C) ip.dst == 192.168.1.100
D) host == 192.168.1.100
Correct Answer: A
Rationale: ip.addr == 192.168.1.100 matches any packet in which the address appears in either the source or the destination field. ip.src matches only packets sent from the address and ip.dst only packets sent to it. host 192.168.1.100 (without ==) is BPF capture-filter syntax, accepted by tcpdump and by Wireshark's capture filter, but it is not a valid Wireshark display filter. Two practical caveats: to exclude a host use !(ip.addr == 192.168.1.100), because ip.addr != 192.168.1.100 still matches any packet whose other address field differs; and ip.addr covers IPv4 only, so IPv6 traffic needs ipv6.addr.
5. An organization's SOC is implementing a new SIEM. Which of the following is the MOST
important factor for effective alerting?
A) Number of log sources connected
B) Properly tuned correlation rules
C) Total storage capacity
D) Vendor reputation
Correct Answer: B
Rationale: Properly tuned correlation rules are essential for reducing false positives and
ensuring that true security incidents generate alerts. Without effective rules, even with many
log sources, analysts become overwhelmed with noise. Storage capacity and vendor reputation
are secondary to proper tuning.
6. A security analyst is investigating a potential data exfiltration incident. Which log type
would be MOST useful for identifying the volume of data transferred from an internal host to
an external IP address?
A) Authentication logs
B) NetFlow records
C) Application logs
D) System event logs
Correct Answer: B
Rationale: NetFlow records provide metadata about network flows, including source and destination IPs, ports, protocol, start time, and most importantly the number of bytes and packets transferred. Summing the bytes per internal host and external destination lets an analyst identify unusually large outbound transfers indicative of exfiltration. Authentication logs show login events, application logs show application-specific events, and system event logs show OS events; none of them records transfer volume. The caveat is that NetFlow carries no payload, so it shows how much data moved and where, not what it was; confirming the content requires proxy, DLP, or full packet capture.
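The aggregation described in the rationale, as an added example that is not part of the study guide: constructed NetFlow-style records are summed per internal host and external address in each direction, and pairs with a large, strongly outbound-skewed volume are flagged. The CSV column layout, the RFC 1918 definition of "internal", and the thresholds are assumptions for the example.

```python
"""Added example, not from the study guide: finding large outbound transfers
in NetFlow-style records (question 6). The record layout and the flow values
below are constructed for the example."""
import csv
import io
import ipaddress

# Constructed flow export, one row per unidirectional flow.
FLOWS = """\
start,src_ip,src_port,dst_ip,dst_port,proto,bytes,packets
2024-05-01T02:00:00Z,10.0.0.12,51000,198.51.100.23,443,6,734003200,520000
2024-05-01T02:10:00Z,10.0.0.12,51001,198.51.100.23,443,6,629145600,450000
2024-05-01T02:05:00Z,198.51.100.23,443,10.0.0.12,51000,6,40000,300
2024-05-01T02:00:00Z,10.0.0.20,52000,93.184.216.34,443,6,12000,80
2024-05-01T02:00:00Z,10.0.0.20,52001,10.0.0.5,445,6,90000000,65000
2024-05-01T02:00:00Z,10.0.0.31,53,10.0.0.7,44000,17,900,6
"""

# Assumption: RFC 1918 space is "internal"; adjust to the real address plan.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)


def pair_volumes(flow_csv):
    """Return {(internal host, external ip): {"out": bytes, "in": bytes}}.
    Internal-to-internal and external-to-external flows are skipped: they
    are not exfiltration candidates for this question."""
    vol = {}
    for row in csv.DictReader(io.StringIO(flow_csv)):
        src = ipaddress.ip_address(row["src_ip"])
        dst = ipaddress.ip_address(row["dst_ip"])
        if is_internal(src) and not is_internal(dst):
            key, direction = (str(src), str(dst)), "out"
        elif is_internal(dst) and not is_internal(src):
            key, direction = (str(dst), str(src)), "in"
        else:
            continue
        entry = vol.setdefault(key, {"out": 0, "in": 0})
        entry[direction] += int(row["bytes"])
    return vol


def flag_exfil(vol, min_out_bytes=500 * 2**20, min_ratio=10.0):
    """Flag pairs that sent at least min_out_bytes outbound and whose
    out/in byte ratio is at least min_ratio. Normal browsing is download-
    heavy, so a strongly upload-skewed pair stands out; a large symmetric
    pair (backup replication, video calls) is less suspicious."""
    flagged = []
    for (host, ext), v in vol.items():
        ratio = v["out"] / max(v["in"], 1)
        if v["out"] >= min_out_bytes and ratio >= min_ratio:
            flagged.append((host, ext, v["out"], round(ratio, 1)))
    return sorted(flagged, key=lambda t: -t[2])


if __name__ == "__main__":
    for host, ext, out_bytes, ratio in flag_exfil(pair_volumes(FLOWS)):
        print(f"{host} -> {ext}: {out_bytes / 2**30:.2f} GiB out, out/in ratio {ratio}")
```

On the sample, 10.0.0.12 sent about 1.27 GiB to 198.51.100.23 across two flows and received only 40 kB back, so it is the single flagged pair; the large SMB transfer from 10.0.0.20 to 10.0.0.5 stays internal and is ignored by this rule. Real flow exports are also sampled on many routers, so byte counts should be scaled by the sampling rate before comparing against a threshold.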
7. Which of the following is an example of a "living off the land" attack technique?
A) Using PowerShell to download and execute a payload
B) Exploiting a zero-day vulnerability
C) Sending a phishing email with a malicious attachment
D) Conducting a DDoS attack
Correct Answer: A