Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

200-201 · Free — No Signup

Security Monitoring

Practice 200-201 Security Monitoring questions with full explanations on every answer.

122 questions

Security Monitoring — choose a session length

10 questions (~10 min) · 20 questions (~20 min) · 30 questions (~30 min) · 50 questions (~50 min)

Free · No account required

200-201 Domains

Security Monitoring · Network Intrusion Analysis · Security Policies and Procedures · Host-Based Analysis · Security Concepts

All 200-201 Security Monitoring questions (122)

Click any question to see the full explanation and answer options, or start a focused practice session above.

1. An analyst is monitoring network traffic and observes a large number of TCP SYN packets sent to a single host on various ports with no corresponding SYN-ACK replies. This behavior is most indicative of which type of attack?

2. A security engineer is setting up a Snort rule to detect FTP traffic where the source IP is not from the internal network. Which Snort rule header correctly specifies the action, protocol, source, and destination?

3. During a security incident, a SOC analyst reviews NetFlow records and notices a single internal host communicating with a remote server on TCP port 443, sending 50 MB of data in 5 minutes, while the usual baseline for that host is 1 MB per hour. Which type of activity is most likely indicated?

4. An analyst is examining a firewall log entry: '2023-10-25 14:30:00 ACTION=DENY SRC=10.0.0.5 DST=203.0.113.50 PROTO=TCP SPT=445 DPT=445'. Which statement best describes this event?

5. While analyzing a PCAP file in Wireshark, an analyst sees multiple GET requests to /login.php with different usernames in the URL parameters, all from the same source IP: 192.168.1.100 to 10.0.0.1. The HTTP response codes are mostly 200 OK. This pattern suggests which attack?

6. A SOC analyst needs to create a SIEM correlation rule to detect a brute force attack against SSH on a server. Which of the following would be the most effective rule logic?

7. A security analyst is reviewing Zeek connection logs and sees the following entry: '192.168.1.10:12345 > 10.0.0.1:80 (tcp) duration 0.001 sec, service http, bytes 60, state S0'. Based on the state 'S0', what does this indicate about the connection?

8. An analyst receives an IDS alert with signature name 'ET TROJAN Win32.Zeus Checkin' and severity 'high'. The alert shows source IP 192.168.1.50 and destination IP 198.51.100.20 on port 443. Which action should the analyst take FIRST?

9. Which Wireshark display filter would an analyst use to view only HTTP packets that contain the word 'password' in the packet payload?

10. During an incident response, an analyst extracts a suspicious file and computes its MD5 hash: d41d8cd98f00b204e9800998ecf8427e. Upon checking a threat intelligence feed, this hash is known as a malicious indicator. What does this hash represent?

11. An analyst is reviewing a web server log and sees the following entry: '192.168.1.1 - - [25/Oct/2023:10:15:30 -0400] "GET /admin/index.php?cmd=id HTTP/1.1" 200 1532 "-" "Mozilla/5.0"'. What potential attack does this log entry suggest?

12. A SOC analyst is tuning IDS signatures and notices that a particular signature triggers frequently on legitimate traffic from a specific internal application. The signature has a high false positive rate. What is the best action to take?

13. A security analyst is investigating a potential data exfiltration incident. Which TWO of the following are common indicators that data exfiltration may be occurring over DNS? (Choose two.)

14. A SOC analyst is reviewing a large number of alerts from a SIEM. Which THREE of the following are effective steps to prioritize and investigate alerts in a high-volume environment? (Choose three.)

15. Which TWO of the following are examples of Indicators of Compromise (IoCs) used in network security monitoring? (Choose two.)

16. During a security monitoring review, an analyst notices an unusual amount of traffic on port 445. Which protocol is most likely associated with this port?

17. A security analyst is investigating a potential brute force attack. Which SIEM correlation rule would best detect this activity?

18. An analyst uses Wireshark to examine network traffic and wants to see only packets that contain the string 'password'. Which type of filter should be applied?

19. In a Zeek/Bro log, an analyst observes a connection with 'service' field set to 'dns' and 'query' field containing a long, random-looking subdomain. This could be indicative of which type of activity?

20. Which OSI layer is responsible for logical addressing and routing, and is commonly targeted by IP spoofing attacks?

21. A security analyst is reviewing firewall logs and notices a rule that denies traffic from source IP 10.0.0.5 to destination port 3389. What service is being blocked?

22. During packet analysis, an analyst notices a TCP connection with a large number of SYN packets sent to various ports on a single host but no completed handshakes. This is characteristic of which activity?

23. A SOC analyst is analyzing NetFlow data and notices a sudden spike in outbound traffic from a single internal host to an external IP address during non-business hours. The traffic volume is significantly higher than the baseline. Which suspicion is most likely?

24. Which log type would an analyst examine to view details about HTTP methods (GET, POST), response codes, and user-agent strings?

25. An IDS/IPS alert shows a signature named 'ET POLICY Outgoing HTTP Request with Suspicious User-Agent' with severity high. What is the most likely next step for an analyst?

26. During an incident response, an analyst extracts a file from network traffic using Zeek's file analysis feature. The file has a SHA-256 hash that matches a known malware indicator. Which type of IoC is this?

27. An analyst needs to establish a normal traffic pattern baseline for the network. Which activity is most appropriate for this purpose?

28. An analyst is reviewing DNS logs and sees a high volume of NXDOMAIN responses for a specific domain. Which TWO scenarios could this indicate?

29. A security analyst is examining system logs for signs of privilege escalation. Which THREE events are most relevant to detect such activity?

30. An analyst is tuning Snort IDS rules and wants to reduce false positives. Which TWO rule options can be adjusted to decrease sensitivity?

31. A security analyst is monitoring network traffic and notices a high volume of TCP SYN packets sent to various ports on a single host. Which type of attack is most likely occurring?

32. A SIEM correlation rule triggers an alert when more than 10 failed login attempts from the same source IP occur within 60 seconds. Which attack is this rule designed to detect?

33. An analyst captures traffic and sees a high number of DNS queries for random subdomains under a single domain, all returning NXDOMAIN. This pattern is typical of which malicious activity?

34. Which protocol and port pair is commonly used for secure web traffic?

35. In Wireshark, a security analyst wants to display only packets with source IP 10.0.0.1 and destination port 80. Which display filter should be used?

36. A firewall log shows a connection from internal IP 192.168.1.100 to external IP 203.0.113.5 on port 443 with action 'deny'. What does this indicate?

37. A Zeek connection log shows a high number of connections from a single internal IP to many different external IPs on port 25, with small payload sizes. Which behavior is most likely indicated?

38. Which OSI layer is responsible for logical addressing and routing?

39. An analyst sees a Snort alert with the message 'ET POLICY Outbound connection to known malicious IP'. What does this indicate?

40. Which log source would provide the most detailed information about HTTP requests, including URLs and user agents?

41. A NetFlow report shows that host 10.0.0.5 has sent 1 GB of data to external IP 198.51.100.10 over port 443 in the last hour, while other hosts average 100 MB. This anomaly is most indicative of:

42. Which of the following is a valid indicator of compromise (IoC)?

43. A security analyst is reviewing logs to identify a potential brute force attack. Which TWO log entries would be most suspicious? (Choose TWO.)

44. During packet analysis in Wireshark, which THREE findings are indicators of potential malicious activity? (Choose THREE.)

45. A security analyst is tuning a SIEM to detect lateral movement. Which THREE log sources would provide the most useful data for this purpose? (Choose THREE.)

46. Which OSI layer is associated with protocols such as HTTP, FTP, and SMTP, and is commonly targeted by application-layer attacks?

47. A security analyst needs to filter packets in Wireshark to capture only traffic on port 443. Which filter should be used?

48. A firewall log shows repeated denied packets from IP 10.0.0.5 to destination 192.168.1.10 on port 22. What is the most likely attack?

49. An analyst suspects data exfiltration via DNS. Which log type would provide the most relevant information to confirm this?

50. A security analyst observes a NetFlow record showing a single internal IP communicating with many external IPs on port 445 within seconds. This pattern is indicative of:

51. In Zeek (Bro), which log file would an analyst examine to identify HTTP methods, URIs, and response codes from web traffic?

52. Which port is used by RDP (Remote Desktop Protocol) and is a common target for brute force attacks?

53. A SIEM correlation rule triggers when more than 10 failed login attempts from a single source IP occur within 1 minute. This rule is designed to detect:

54. An analyst finds a YARA rule that matches a file containing the string 'MZ' at offset 0 and includes 'CreateRemoteThread'. This rule likely identifies:

55. In Snort, a rule is written as: alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"SMB exploit attempt"; flow:to_server; content:"|ff|SMB"; nocase;). What does the 'flow:to_server' option indicate?

56. Which protocol and port combination is used by SNMP for receiving traps?

57. An analyst uses 'tshark -r capture.pcap -Y "http.request.method == POST"' to display only HTTP POST requests. This is an example of a:

58. A security analyst is reviewing web server logs and notices a high number of 404 errors for non-existent URLs. Which TWO of the following tools would best help investigate this anomaly?

59. An analyst detects an internal host communicating with an external IP known for malware distribution. Which THREE of the following are valid Indicators of Compromise (IoCs) that should be recorded?

60. Which TWO of the following are functions of a SIEM system in security monitoring?

61. A security analyst is monitoring network traffic and notices a large number of TCP SYN packets being sent to a single host on various ports. Which type of attack is most likely occurring?

62. A network analyst notices that a host is sending a large volume of traffic to an external IP address on port 443 during non-business hours. The traffic volume is significantly higher than the established baseline. Which type of data exfiltration technique should be suspected?

63. A security analyst is reviewing Snort IDS alerts and sees the following rule triggered: alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:'Possible SQL Injection'; content:'UNION'; nocase; sid:1000001;). Which action will Snort take when it detects matching traffic?

64. A SOC analyst is investigating a web server log and sees the following entry: 192.168.1.10 - - [15/May/2023:10:15:30 +0000] 'POST /login.php HTTP/1.1' 200 1245 'http://example.com/login.php' 'Mozilla/5.0'. Which observation is most suspicious?

65. Which protocol and port combination is commonly used for secure remote administration of network devices?

66. A security analyst is using Wireshark to capture traffic from a network segment. They want to see only packets that contain the string 'password' in the payload. Which type of filter should they apply?

67. A SIEM correlation rule is configured to alert when there are 10 failed login attempts from the same source IP within 1 minute. An analyst receives an alert for source IP 10.0.0.5. Which type of attack is most likely being detected?

68. An organization uses Zeek for network monitoring. An analyst wants to extract files transferred over HTTP from network traffic. Which Zeek script or functionality should they use?

69. Which of the following is an example of an Indicator of Compromise (IoC)?

70. A network administrator is creating a baseline for normal traffic patterns. Which of the following should be considered typical for a web server during business hours?

71. A SOC analyst is reviewing a NetFlow record and sees that a single internal IP has communicated with multiple external IPs on port 445 (SMB) within a short time frame. Which type of activity is most likely indicated?

72. Which component of a SIEM is responsible for converting log data from various sources into a standard format?

73. A security analyst is investigating a potential data exfiltration incident. Which TWO of the following network behaviors are indicators of data exfiltration?

74. A SOC analyst is analyzing logs from multiple sources. Which THREE log types are most useful for detecting a brute force attack against a web application?

75. A network analyst is creating a baseline for normal network traffic. Which TWO metrics should be included to establish a baseline?

76. An analyst is monitoring network traffic and sees a large number of TCP SYN packets sent to various ports on a single host from the same source IP. Which type of attack is most likely occurring?

77. During a security investigation, an analyst examines a PCAP file in Wireshark. The analyst wants to see only traffic between two specific IP addresses (192.168.1.10 and 10.0.0.5). Which display filter should be applied?

78. A security analyst is reviewing firewall logs and notices a high number of denied outbound connections from an internal workstation to various external IP addresses on port 445 (SMB). What is the most likely explanation for this activity?

79. A NetFlow analysis shows that a single internal IP sent 10 GB of data to an external IP within one hour, whereas the baseline for that host is typically 100 MB per day. Which type of activity does this indicate?

80. An analyst is configuring a Snort rule to detect a known exploit targeting Apache web servers. The exploit sends a malicious HTTP POST request with a long User-Agent string. Which Snort rule header and options are most appropriate?

81. Which log type would an analyst examine to see failed login attempts to a Windows server?

82. A SIEM correlation rule is designed to detect a brute-force attack. The rule triggers when an event includes 10 or more failed logins from the same source IP within 1 minute. An analyst sees an alert for 12 failed logins from IP 10.0.0.1 in 2 minutes. Why did the rule not trigger?

83. An analyst is investigating a potential data exfiltration via DNS. In Zeek DNS logs, the analyst sees many queries for subdomains like 'a1b2c3.malicious.com', 'd4e5f6.malicious.com' etc. from an internal host. Which technique is likely being used?

84. In Wireshark, an analyst follows a TCP stream and sees plaintext usernames and passwords. Which protocol is likely in use?

85. An analyst is reviewing IDS alerts and sees an alert with signature name 'ET POLICY Suspicious inbound to MySQL port 3306'. The source IP is external and destination is an internal database server. What is the best immediate action?

86. A security analyst is using Zeek to monitor network traffic. The analyst wants to extract all files transferred over HTTP. Which Zeek script or package accomplishes this?

87. Which protocol is used by SNMP to send traps from network devices to the management station?

88. An analyst is investigating a potential compromise using Indicators of Compromise (IoCs). Which TWO of the following are valid types of IoCs?

89. A SOC analyst is tuning a SIEM correlation rule to detect port scanning. The rule should generate an alert when a single source IP connects to many different destination ports on multiple hosts within a short time. Which THREE conditions should be included in the rule?

90. A security analyst is creating a network baseline for normal traffic patterns. Which TWO metrics should be included to detect anomalies?

91. A security analyst is reviewing a Wireshark capture and notices a large number of TCP SYN packets sent to multiple ports on a single host from the same source IP. Which type of network activity is most likely being observed?

92. A security analyst is using NetFlow data to investigate a potential data exfiltration incident. Which NetFlow metric is most useful for identifying large volumes of data being transferred to an external IP address?

93. During a security assessment, a SOC analyst notices an IDS/IPS alert with a severity of 'High' for a signature named 'ET TROJAN Win32.Vobfus Checkin'. The alert shows source IP 10.0.0.5 and destination IP 203.0.113.50 on port 443. What is the most likely interpretation of this alert?

94. A security analyst is investigating an alert from a Windows system log that shows multiple failed logon attempts for the same user account within a short period, followed by a successful logon. Which type of attack does this pattern suggest?

95. A SOC analyst observes a spike in DNS queries for long, random-looking subdomains under a single domain from an internal host. The responses are NXDOMAIN. Which type of activity is most likely indicated?

96. A security analyst is examining web server logs and finds an entry with method 'POST', URL '/login.php', response code '200', and user-agent 'Mozilla/5.0'. The log shows 100 similar entries from the same IP within 5 seconds. What is the most likely activity?

97. A network baseline shows that a server typically sends 1-2 MB of data per hour to external IPs. Suddenly, the server sends 50 MB of data to an IP in a foreign country within 10 minutes. The traffic is encrypted. Which monitoring tool would best confirm data exfiltration?

98. A security analyst is using a SIEM to create a correlation rule that triggers when more than 10 failed logins are detected from the same source IP within 1 minute. This rule is designed to detect which type of attack?

99. A SOC analyst reviews a firewall log with the following entry: action=deny, source IP=192.168.1.100, destination IP=10.0.0.1, destination port=22. The analyst knows that 10.0.0.1 is an SSH server. What does this log entry indicate?

100. An analyst receives a YARA rule that includes the string 'MZ' at the beginning of a file. What does this indicator typically help identify?

101. In the OSI model, which layer is primarily targeted by a SYN flood attack?

102. A security analyst is using Zeek to analyze network traffic. Which Zeek log would be most useful for identifying HTTP requests to a known malicious domain?

103. A SOC analyst is investigating a potential data exfiltration incident. Which TWO Indicators of Compromise (IoCs) would be most relevant for tracking the exfiltration of files over the network?

104. An analyst suspects a host is communicating with a command-and-control server using DNS tunneling. Which THREE network traffic patterns would support this hypothesis?

105. A security analyst is tuning a Snort IDS to reduce false positives. Which TWO Snort rule options should the analyst modify to make the rule more specific?

106. A security analyst is reviewing network traffic and notices a high volume of small packets from an internal IP to a single external IP on port 53. Which type of activity is most likely indicated?

107. A security analyst is analyzing a PCAP file in Wireshark and wants to isolate all HTTPS traffic. Which display filter should the analyst use?

108. A SOC analyst is reviewing firewall logs and sees repeated entries: 'Deny TCP 10.0.0.5:49152 -> 203.0.113.1:22' and 'Deny TCP 10.0.0.5:49153 -> 203.0.113.1:22'. What does this pattern suggest?

109. An analyst notices a Zeek (Bro) connection log showing a single HTTP request from internal IP 192.168.1.10 to external IP 203.0.113.5 with a URI of '/files/secret.docx' and a response code of 200. The file size is unusually large (50 MB). What should the analyst suspect?

110. Which OSI layer is targeted by a TCP SYN flood attack?

111. A SIEM correlation rule triggers when it detects more than 10 failed login attempts from the same source IP within 1 minute. Which type of attack is this rule designed to detect?

112. An analyst is examining a YARA rule that contains the condition: 'uint16(0) == 0x5a4d and filesize < 500KB'. What type of file is this rule targeting?

113. A SOC analyst is investigating a potential data exfiltration incident. Which TWO indicators from NetFlow/IPFIX analysis would most strongly suggest data exfiltration?

114. A security analyst is configuring Snort IDS rules. Which TWO components are mandatory in a Snort rule header?

115. Which TWO protocols are commonly used for remote administration and should be monitored for unauthorized access?

116. An analyst is reviewing web server logs and sees the following entries: 'GET /admin/login.php HTTP/1.1' returning 404, followed by 'GET /admin/login.html' returning 404, then 'GET /admin/login.asp' returning 200. Which TWO observations are most relevant?

117. Which THREE of the following are common Indicators of Compromise (IoCs) used in threat intelligence?

118. A security analyst is analyzing system logs and notices multiple failed authentication events followed by a successful login from the same user account, and then a privilege escalation event. Which THREE events should be correlated to detect a potential attack?

119. An analyst is using Zeek to monitor network traffic. Which THREE types of logs can Zeek generate to provide visibility into application-layer activity?

120. A security analyst is investigating a potential port scan. Which THREE patterns in NetFlow data would indicate a horizontal port scan?

121. A security analyst is investigating a potential brute-force attack on an SSH server. Which TWO of the following log sources would provide the most relevant evidence for detecting and confirming this attack? (Choose two.)

122. During a security monitoring exercise, an analyst observes a series of NetFlow records showing a single internal host communicating with multiple external IP addresses on port 445 (SMB) within a short time window. The traffic volumes are small but consistent. Which THREE of the following should the analyst consider as possible explanations? (Choose three.)

Other 200-201 exam domains

Network Intrusion Analysis · Security Policies and Procedures · Host-Based Analysis · Security Concepts

Frequently asked questions

What does the Security Monitoring domain cover on the 200-201 exam?

The Security Monitoring domain covers the key concepts tested in this area of the 200-201 exam blueprint published by Cisco. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all 200-201 domains — no account required.

How many Security Monitoring questions are in the 200-201 question bank?

The Courseiva 200-201 question bank contains 122 questions in the Security Monitoring domain. Click any question to see the full explanation and answer breakdown.

What is the best way to practice Security Monitoring for 200-201?

Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.

Can I practice only Security Monitoring questions for 200-201?

Yes — the session launcher on this page draws questions exclusively from the Security Monitoring domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.
