© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

350-701 Endpoint Protection and Detection — All Questions With Answers

Complete 350-701 Endpoint Protection and Detection question bank — all 0 questions with answers and detailed explanations.

80 questions · Free · No signup

Question 1 (medium, multiple choice)

A security administrator notices that several endpoints in the finance department are exhibiting unusual network behavior, including connections to known malicious IP addresses. The administrator has deployed Cisco Secure Endpoint (formerly AMP for Endpoints) with TETRA and has enabled the built-in firewall. What is the best course of action to quickly identify the root cause and contain the threat?

Question 2 (easy, multiple choice)

An organization wants to prevent malware from executing on endpoints by using a file reputation service. Which Cisco technology provides cloud-based file reputation and analysis for endpoint protection?

Question 3 (hard, multiple choice)

A security engineer is troubleshooting an issue where a known malicious file (SHA-256: 3a7c...f9e) is not being detected by Cisco Secure Endpoint on a Windows 10 endpoint. The file was downloaded from the internet. The policy has the 'File Reputation' setting set to 'Use cloud lookup', and the 'Exploit Prevention' module is enabled. The endpoint is connected to the internet and can reach the AMP cloud. What is the most likely reason for the missed detection?

Question 4 (hard, multiple choice)

A security analyst is investigating an alert from Cisco Secure Endpoint indicating that an endpoint has been infected with ransomware. The analyst wants to determine the initial infection vector. Which feature of Cisco Secure Endpoint should the analyst use to trace the chain of events leading to the infection?

Question 5 (medium, multi-select)

A company is deploying Cisco Secure Endpoint and wants to ensure that endpoints are protected against zero-day exploits. Which two features should be enabled to provide this protection? (Choose two.)

Question 6 (medium, multi-select)

A network administrator is configuring endpoint protection policies for a large enterprise. The requirement is to allow only approved software to run on endpoints, while blocking all other executables. Which Cisco Secure Endpoint feature should be configured? (Choose two.)

Question 7 (hard, multiple choice)

Refer to the exhibit. An analyst reviews the log from a Cisco Secure Endpoint connector. The file 'invoice.pdf.exe' was quarantined. What best describes the detection process that occurred?

Exhibit:

```
Cisco Secure Endpoint Connector Log
[2025-03-15 10:23:45] File scan initiated: C:\Users\jdoe\Downloads\invoice.pdf.exe
[2025-03-15 10:23:46] File reputation check: SHA256=2a3b...c4d5
[2025-03-15 10:23:46] Cloud lookup: result=UNKNOWN
[2025-03-15 10:23:47] File disposition: UNKNOWN
[2025-03-15 10:23:47] Local analysis: verdict=Malicious (score=85)
[2025-03-15 10:23:47] Action: Quarantine file
```

Question 8 (easy, multiple choice)

Refer to the exhibit. A security engineer reviews the Cisco Secure Endpoint policy. If an endpoint is offline when a user downloads a file, what will happen?

Exhibit:

```
! Cisco Secure Endpoint Policy Snippet
! File Reputation Settings
file-reputation cloud-lookup enable
file-reputation local-cache enable
file-reputation timeout 5
! Exploit Prevention Settings
exploit-prevention enable
exploit-prevention level aggressive
! Malware Protection Settings
malware-protection enable
malware-protection scan-on-execution enable
malware-protection scan-on-write enable
```

Question 9 (medium, multiple choice)

A security analyst is investigating a compromised endpoint that is part of a botnet. The endpoint is running Cisco Secure Endpoint with TETRA. The analyst notices that the endpoint is communicating with a command-and-control (C2) server over HTTPS. Which TETRA feature would be most effective in detecting this traffic?

Question 10 (hard, multiple choice)

A company with 5,000 endpoints is using Cisco Secure Endpoint. The security team receives an alert that a specific file (SHA256: 8f4a...b2c) has been detected as malware on 10 endpoints. The file has been quarantined on those endpoints. The team wants to ensure that no other endpoints in the organization have this file. Which feature should be used to locate the file across all endpoints?

Question 11 (medium, multiple choice)

A security engineer is troubleshooting an issue where Cisco AMP for Endpoints is not detecting a known malware sample on a Windows endpoint. The endpoint is running Windows 10 with the latest AMP connector installed and is connected to the corporate network. The malware sample was downloaded from a trusted source for testing. Which configuration is most likely causing the lack of detection?

Question 12 (easy, multiple choice)

An organization wants to implement endpoint protection that uses behavioral analysis to detect ransomware. The solution must be able to roll back changes made by the ransomware after detection. Which Cisco endpoint security feature provides this capability?

Question 13 (hard, multi-select)

Which TWO configuration steps are required to enable Cisco AMP for Endpoints to use the Threat Grid appliance for file analysis?

Question 14 (hard, multiple choice)

An administrator reviews the AMP event log shown in the exhibit. The same file hash appears in all events. What is the most likely explanation for the third event showing a 'TETRA Event' with 'Action: Quarantine' and 'Disposition: Unknown'?

Exhibit:

Cisco AMP for Endpoints event log:

```
Event Type: Detection
Threat: W32.Ransomware
File Name: encrypt.exe
File Path: C:\Users\test\Downloads\encrypt.exe
Action: Blocked
Disposition: Malware
File Hash: a1b2c3d4e5f6...

Event Type: Detection
Threat: W32.Ransomware
File Name: encrypt.exe
File Path: C:\Users\test\AppData\Local\Temp\encrypt.exe
Action: Blocked
Disposition: Malware
File Hash: a1b2c3d4e5f6...

Event Type: TETRA Event
Threat: W32.Ransomware
File Name: encrypt.exe
File Path: C:\Users\test\AppData\Roaming\encrypt.exe
Action: Quarantine
Disposition: Unknown
File Hash: a1b2c3d4e5f6...
```

Question 15 (medium, multiple choice)

A company with 500 endpoints uses Cisco AMP for Endpoints with a private cloud and a single Threat Grid appliance for file analysis. The security team notices that some endpoints are not receiving updates to the local malware signatures for over 24 hours. The AMP console shows these endpoints as 'Out of Date'. The network team confirms that the endpoints can reach the private cloud server on TCP port 443. The endpoints are running Windows 10 with the latest AMP connector version. The private cloud server has sufficient disk space and is running normally. The AMP console shows that the 'Update Policy' is enabled and set to download signatures every 4 hours. Which action should the administrator take to resolve the issue?

Question 16 (medium, multiple choice)

A security engineer is deploying Cisco AMP for Endpoints to protect against malware. The company wants to block all executables from running in the Downloads folder except those signed by a specific trusted publisher. Which policy configuration should the engineer use?

Question 17 (hard, multi-select)

Which THREE of the following are capabilities of Cisco Threat Response (CTR) that integrate with endpoint telemetry for accelerated detection and response?

Question 18 (hard, multiple choice)

Refer to the exhibit. A network administrator configured IP Source Guard and DHCP Snooping on a switch. A host connected to GigabitEthernet0/2 with MAC address 0050.7966.6801 has been assigned IP 192.168.1.10 via DHCP. The host now tries to use IP 192.168.1.20. What will happen?

Exhibit:

```
interface GigabitEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 ip verify source
 ip dhcp snooping limit rate 10
 ip dhcp snooping trust
!
interface GigabitEthernet0/2
 switchport mode access
 ip verify source
 ip dhcp snooping limit rate 5
!
ip dhcp snooping vlan 10
!
ip source binding 0050.7966.6801 vlan 10 192.168.1.10 interface GigabitEthernet0/2
```

Question 19 (medium, drag order)

Drag and drop the steps to configure a site-to-site IPsec VPN on a Cisco ASA into the correct order.

Question 20 (medium, drag order)

Drag and drop the steps to configure a Cisco ASA for remote access VPN using AnyConnect in the correct order.

Question 21 (medium, matching)

Match each security technology to its primary function.

Descriptions to match:

- Detect and block malicious traffic inline
- Monitor and alert on suspicious activity
- Control access based on rules
- Protect web applications from attacks
- Encrypt traffic over public networks

Question 22 (medium, matching)

Match each threat type to its definition.

Descriptions to match:

- Fraudulent emails to steal sensitive info
- Malware that encrypts data for ransom
- Distributed attack to overwhelm a service
- Attacker intercepts communications
- Attack on unknown vulnerability

Question 23 (medium, multiple choice)

A security engineer notices that several endpoints in the HR department have been infected with ransomware despite having Cisco AMP for Endpoints deployed. The AMP policy is set to 'Detect' for all file types. What is the most likely reason the ransomware was not blocked?

Question 24 (easy, multiple choice)

A company wants to deploy Cisco AMP for Endpoints to protect against advanced malware. Which best practice should be followed when configuring the policy for the first time?

Question 25 (hard, multiple choice)

An engineer is troubleshooting why AMP for Endpoints is not detecting a specific malicious file. The file hash is available and other endpoints detected it. What is the most likely cause for the detection failure on this endpoint?

Question 26 (medium, multiple choice)

A security team is designing an endpoint protection strategy for a mix of Windows and macOS endpoints. They want to use Cisco AMP for Endpoints with centralized management. Which deployment approach minimizes administrative overhead?

Question 27 (easy, multiple choice)

During a ransomware attack, an endpoint protected by AMP for Endpoints successfully blocked the ransomware file. Which AMP policy action was likely applied?

Question 28 (hard, multiple choice)

An analyst reviews an AMP for Endpoints event where a file was detected as malware but later determined to be a false positive. The analyst wants to prevent this file from being flagged in the future. What is the recommended action?

Question 29 (medium, multiple choice)

A company uses Cisco AMP for Endpoints and also deploys Cisco Firepower Next-Generation Firewall (NGFW) with AMP integration. The security team wants to see endpoint detections in the Firepower Management Center (FMC). What must be configured to enable this integration?

Question 30 (easy, multiple choice)

An organization wants to enforce that specific sensitive files are never executed on endpoints. Which AMP for Endpoints feature is most appropriate?

Question 31 (hard, multiple choice)

An incident responder is analyzing an endpoint that was compromised despite AMP for Endpoints being deployed. The AMP logs show the malware file had a disposition of 'Unknown' shortly before compromise, but later changed to 'Malicious' after cloud analysis. What is the most likely reason the file was not blocked initially?

Question 32 (medium, multi-select)

Which THREE are recommended best practices for deploying Cisco AMP for Endpoints in a large enterprise?

Question 33 (hard, multi-select)

Which TWO indicators of compromise (IOCs) can Cisco AMP for Endpoints detect and alert on?

Question 34 (easy, multi-select)

Which TWO actions can be taken on a malicious file detected by Cisco AMP for Endpoints?

Question 35 (medium, multiple choice)

Refer to the exhibit. The file invoice.pdf was determined to be malicious by the AMP cloud, yet the endpoint allowed it to execute. What is the most likely reason?

Exhibit:

AMP for Endpoints connector log:

```
2025-01-15 10:23:45 [INFO] File scan initiated: C:\Users\jdoe\Documents\invoice.pdf
2025-01-15 10:23:46 [INFO] Sending file to cloud for analysis (SHA-256: abc123...)
2025-01-15 10:23:50 [INFO] Cloud analysis result: disposition = Malicious, score = 95
2025-01-15 10:23:50 [INFO] Action taken: Allow (policy rule: "Allow on low confidence")
```

Question 36 (hard, multiple choice)

Refer to the exhibit. An engineer notices that a malicious file disguised as 'app.exe' in the FinanceApp folder (SHA-256 unknown to AMP) was blocked. However, another unknown executable in the same folder was also blocked, causing a false positive. What should the engineer change in the policy to allow only the legitimate 'app.exe' while still blocking unknown executables?

Exhibit:

AMP for Endpoints policy JSON snippet:

```
{
  "policy": {
    "name": "Windows_Workstations",
    "exclusions": {
      "file": [
        {
          "path": "C:\\Program Files\\FinanceApp\\*.exe",
          "action": "allow"
        }
      ],
      "process": [
        {
          "path": "C:\\Program Files\\FinanceApp\\app.exe",
          "action": "allow"
        }
      ]
    },
    "tetra": {
      "file_reputation": {
        "action_unknown": "block"
      }
    }
  }
}
```

Question 37 (easy, multiple choice)

Refer to the exhibit. What happened to the file 'crack.exe'?

Exhibit:

Syslog output from AMP for Endpoints:

```
<134>Jan 15 11:00:00 C:\Program Files\Cisco\AMP\connector.exe: [TETRA Alert] File: C:\Users\test\Downloads\crack.exe SHA-256: d4e5f6... Disposition: Malicious Action: Blocked by policy (Blocked by TETRA. Policy: Workstations)
```

Question 38 (easy, multiple choice)

A network administrator notices that an endpoint running the AMP connector is not sending events to the cloud. The connector status shows 'Connected' in the AMP console. What is the most likely cause?

Question 39 (medium, multiple choice)

A security engineer wants to implement file reputation analysis using Cisco AMP for Endpoints. The policy must block files that are known to be malicious in the cloud and quarantine unknown files for further analysis. Which AMP policy configuration achieves this?

Question 40 (hard, multiple choice)

An organization deploys AMP for Endpoints with the Orbital module to perform advanced endpoint telemetry. The team wants to create a query that retrieves all running processes with a network connection to an external IP address. Which Orbital query language syntax is correct?

Question 41 (easy, multiple choice)

A company uses Cisco Umbrella to block malicious domains. An endpoint user reports that they cannot access a legitimate business website. The website resolves to a domain that is not on any block list. What is the most likely cause?

Question 42 (medium, multiple choice)

An incident responder notices that an AMP connector on a critical server has stopped sending 'IP to Application' mapping events after a software update. Which step should be taken to restore this telemetry?

Question 43 (hard, multiple choice)

A security architect is designing a solution to detect and block ransomware using Cisco AMP. The requirement is that when a file executes and attempts to encrypt files in a monitored directory, the event must be captured and the process terminated immediately. Which AMP feature set should be used?

Question 44 (easy, multiple choice)

An organization wants to deploy AMP for Endpoints in an offline environment where endpoints cannot connect to the internet. Which deployment option is appropriate?

Question 45 (medium, multiple choice)

A security analyst sees multiple AMP events for 'Trojan.Generic.37283212' on several endpoints. After updating the AMP signatures, the detection still occurs. What is the best next step to reduce false positives?

Question 46 (hard, multiple choice)

A company uses Cisco Threat Response (CTR) to investigate a potential breach. The analyst sees an observable (SHA256) with a score of 90 in the threat grid. However, the AMP connector on the endpoint shows 'Allow' for that file. What could cause this discrepancy?

Question 47 (medium, multi-select)

Which TWO of the following are required for successful registration of an AMP for Endpoints connector with the cloud?

Question 48 (hard, multi-select)

Which TWO of the following are valid action types that can be assigned to a file in an AMP policy rule?

Question 49 (easy, multi-select)

Which THREE of the following are indicators of compromise (IOCs) that can be detected by Cisco AMP for Endpoints?

Question 50 (easy, multiple choice)

Based on the exhibit, what does the 'Isolated: Yes' status indicate?

Exhibit:

```
show amp status
Connector Status: Connected
Last Connection: 2024-01-15 10:32:45 UTC
Policy Version: 2.3.4
Private Cloud: Disabled
Network Component: Enabled
Isolated: Yes
```

Question 51 (medium, multiple choice)

Refer to the exhibit. A file with SHA256 hash 'a1b2c3d4e5f6...' is detected on an endpoint. The threat grid returns a score of 90 for this file. What action is taken by AMP?

Exhibit:

```
{
  "policy": {
    "name": "Default",
    "file_reputation": [
      {
        "threat_score": 100,
        "action": "block"
      },
      {
        "threat_score": 80,
        "action": "quarantine"
      },
      {
        "threat_score": 0,
        "action": "allow"
      }
    ],
    "custom_detections": [
      {
        "sha256": "a1b2c3d4e5f6...",
        "action": "block"
      }
    ]
  }
}
```

Question 52 (hard, multiple choice)

Based on the exhibit, what is the root cause of the AMP connector's inability to connect to the cloud?

Exhibit:

```
2024-01-15 11:00:00 ERROR: Failed to connect to AMP cloud: Connection timed out
2024-01-15 11:01:00 WARNING: Retrying connection in 60 seconds
2024-01-15 11:02:00 INFO: Proxy configured: proxy.company.com:3128
2024-01-15 11:03:00 ERROR: Proxy authentication failed: 407 Proxy Authentication Required
```

Question 53 (easy, multiple choice)

A network security engineer needs to block malicious file downloads on endpoints regardless of the user's location. Which Cisco solution should be integrated with the company's existing endpoint protection platform to achieve cloud-delivered threat intelligence?

Question 54 (medium, multiple choice)

An organization has deployed Cisco AMP for Endpoints and wants to automatically isolate a host from the network when a high-severity malware detection occurs. Which integration must be configured to enable this automated response?

Question 55 (hard, multiple choice)

A security analyst observes that one endpoint is generating Alerts of type 'Trojan' in Cisco AMP, but other identical endpoints on the same software version show no issues. After verifying that the signature versions are consistent, what is the most likely cause of the discrepancy?

Question 56 (easy, multiple choice)

A company wants to ensure that only authorized applications can run on endpoints. Which feature of Cisco AMP for Endpoints should be used to create a whitelist of allowed applications?

Question 57 (medium, multiple choice)

A SOC analyst notices that after deploying Cisco AMP for Endpoints, some legitimate business software is being blocked by the Exploit Prevention engine. What is the recommended action to allow this software while maintaining maximum security?

Question 58 (hard, multiple choice)

During a threat hunt, you need to retrieve forensic data from a remote endpoint that is currently not communicating with the AMP cloud. Which Cisco tool enables you to perform an on-demand scan and collect telemetry from that endpoint even when it is offline?

Question 59 (easy, multiple choice)

Which component of Cisco AMP for Endpoints is responsible for preventing the execution of known malware by checking files against a continuously updated cloud database before they run?

Question 60 (medium, multiple choice)

A company has deployed Cisco AMP for Endpoints and wants to receive immediate notification when a file is detected as malicious by the cloud sandbox analysis. Which policy setting should be enabled?

Question 61 (hard, multiple choice)

An organization is using Cisco Umbrella alongside Cisco AMP for Endpoints. A user reports that they cannot access a legitimate file-sharing website. However, the site is not categorized as malicious by Umbrella. What is the most likely reason for the block?

Question 62 (medium, multi-select)

Which TWO of the following are capabilities of Cisco Orbital?

Question 63 (hard, multi-select)

Which THREE of the following are valid methods to deploy Cisco AMP for Endpoints Connector on Windows endpoints?

Question 64 (easy, multi-select)

Which TWO of the following are indicators of compromise (IOCs) that can be detected by Cisco AMP for Endpoints?

Question 65 (medium, multiple choice)

A network engineer is troubleshooting an endpoint that failed to receive policy updates from the Cisco AMP cloud. The endpoint shows 'Out-of-Date' in the AMP console. The engineer verifies that the endpoint has outbound HTTPS access to the AMP cloud. What additional step should the engineer take to resolve the issue?

Question 66 (easy, multiple choice)

An organization is deploying Cisco Secure Endpoint (AMP) for the first time in a Windows environment. The security team wants to ensure that any file executed from a USB drive is automatically scanned and blocked if malicious. Which policy feature should be enabled to achieve this?

Question 67 (hard, multiple choice)

A multinational company plans to deploy Cisco AMP for Endpoints across 10,000 endpoints in geographically diverse offices. The security team is concerned about WAN bandwidth usage when endpoints communicate with the AMP cloud. Which design approach best minimizes cloud communication traffic while maintaining effective protection?

Question 68 (medium, multiple choice)

An incident responder uses the Cisco AMP for Endpoints console to investigate a potential malware outbreak. The endpoint shows multiple files with high prevalence and cloud verdicts of 'unknown'. The responder wants to quickly identify files that were executed from a malicious parent process. Which console feature best assists this analysis?

Question 69 (medium, multi-select)

Which TWO of the following are valid detection methods used by Cisco AMP for Endpoints to identify malicious activity?

Question 70 (hard, multi-select)

Which THREE actions should a security engineer take when configuring a Cisco AMP for Endpoints policy to minimize false positives while maintaining strong protection?

Question 71 (easy, multi-select)

Which TWO are required to successfully deploy Cisco AMP for Endpoints in a Windows domain environment with Group Policy?

Question 72 (hard, multiple choice)

A global enterprise with over 20,000 endpoints has been using Cisco AMP for Endpoints for two years. They recently migrated to a new SIEM and want to forward AMP events in near real-time. The security operations team notices that the SIEM is receiving duplicate events for the same file execution, causing alert fatigue. The AMP console shows that the 'Send to Syslog' action is enabled on two different policies, and both policies are applied to the same groups of endpoints. The team also uses the AMP APIs to pull data. The network engineer wants to eliminate duplicate events without losing any critical alerts. Which course of action should the engineer take?

Question 73 (medium, multiple choice)

An organization is deploying Cisco Secure Endpoint (AMP) in a high-security environment where endpoints are air-gapped from the internet. The security team needs to maintain up-to-date threat intelligence without direct cloud access. They have a dedicated local server that can download feeds from the AMP cloud once and distribute to endpoints. The server runs the AMP Private Cloud software. However, after installation, endpoints are not receiving updates. The team verifies that the Private Cloud server can reach the AMP cloud via a managed proxy. The endpoints can communicate with the Private Cloud server on TCP 443. What is the most likely cause of the update failure?

Question 74 (easy, multiple choice)

A financial company uses Cisco AMP for Endpoints to protect 500 Windows workstations. The security administrator notices that several endpoints in the accounting department are showing 'Out-of-Date' status for over a week. The administrator checks the AMP console and sees that the group policy for accounting has been modified to disable certain scanning features. The endpoints have Internet connectivity but are not updating their policy or receiving new definitions. The administrator suspects a misconfiguration. What should the administrator do first to resolve this issue?

Question 75 (hard, multiple choice)

A security analyst is investigating a malware incident on an endpoint protected by Cisco AMP for Endpoints. The Device Trajectory shows that a file named 'invoice.exe' was detonated from a USB drive. The file's cloud verdict was 'Unknown' at the time of execution. The analyst sees that the file spawned multiple child processes that made outbound connections to a malicious IP. The AMP policy has 'Exploit Prevention' enabled but 'File Reputation' is set to 'Monitor' only. The analyst wants to prevent similar incidents in the future without blocking legitimate applications. Which action should the analyst recommend?

Question 76 (medium, multiple choice)

A university IT team manages 1,000 macOS laptops for students using Cisco AMP for Endpoints. They receive reports that some students' laptops are running slowly and fans are spinning constantly. The team checks the AMP console and sees that these endpoints are performing constant file scans on user directories. The team suspects that the AMP scanning is causing high CPU usage. They want to optimize performance without compromising security. The laptops use the default AMP policy with real-time scanning enabled. What should the team do?

Question 77 (easy, multiple choice)

A small business uses Cisco AMP for Endpoints with a cloud-based console. The owner receives an email from Cisco that the AMP connector on a specific endpoint has gone offline. The endpoint is a Windows 10 laptop used for remote work. The owner checks the AMP console and sees the endpoint's last check-in was three days ago. The owner contacts the remote user, who says the laptop is running normally and they can access the internet. What should the owner do to resolve the issue?

Question 78 (medium, multi-select)

Which THREE of the following are recommended best practices for configuring Cisco AMP for Endpoints to minimize false positives while maintaining strong detection?

Question 79 (hard, multiple choice)

Based on the exhibit, what is the most likely reason that traffic matching the AMP_block access-list is not being blocked?

Exhibit:

```
hostname FTD
!
policy-map global_policy
 class class-default
  inspect ftp
  inspect dns
  inspect http
  inspect icmp
!
access-list AMP_block extended deny ip any any rule-id 1000
access-list AMP_block remark AMP Quarantine
!
```

Question 80 (easy, multiple choice)

A company with 5000 endpoints uses Cisco Secure Endpoint (AMP) and Cisco ISE. Users report that legitimate software installations are being quarantined, causing delays. The security team receives many alerts for file executions. The AMP policy is set to "High Security" with "Block Unknown" enabled. Network traffic is monitored by Cisco Stealthwatch. The team wants to reduce operational overhead while maintaining security. What should they do?
