Practice 200-201 Security Monitoring questions with full explanations on every answer.
1. An analyst is monitoring network traffic and observes a large number of TCP SYN packets sent to a single host on various ports with no corresponding SYN-ACK replies. This behavior is most indicative of which type of attack?
2. A security engineer is setting up a Snort rule to detect FTP traffic where the source IP is not from the internal network. Which Snort rule header correctly specifies the action, protocol, source, and destination?
3. During a security incident, a SOC analyst reviews NetFlow records and notices a single internal host communicating with a remote server on TCP port 443, sending 50 MB of data in 5 minutes, while the usual baseline for that host is 1 MB per hour. Which type of activity is most likely indicated?
4. An analyst is examining a firewall log entry: '2023-10-25 14:30:00 ACTION=DENY SRC=10.0.0.5 DST=203.0.113.50 PROTO=TCP SPT=445 DPT=445'. Which statement best describes this event?
5. While analyzing a PCAP file in Wireshark, an analyst sees multiple GET requests to /login.php with different usernames in the URL parameters, all from the same source IP: 192.168.1.100 to 10.0.0.1. The HTTP response codes are mostly 200 OK. This pattern suggests which attack?
6. A SOC analyst needs to create a SIEM correlation rule to detect a brute force attack against SSH on a server. Which of the following would be the most effective rule logic?
7. A security analyst is reviewing Zeek connection logs and sees the following entry: '192.168.1.10:12345 > 10.0.0.1:80 (tcp) duration 0.001 sec, service http, bytes 60, state S0'. Based on the state 'S0', what does this indicate about the connection?
8. An analyst receives an IDS alert with signature name 'ET TROJAN Win32.Zeus Checkin' and severity 'high'. The alert shows source IP 192.168.1.50 and destination IP 198.51.100.20 on port 443. Which action should the analyst take FIRST?
9. Which Wireshark display filter would an analyst use to view only HTTP packets that contain the word 'password' in the packet payload?
10. During an incident response, an analyst extracts a suspicious file and computes its MD5 hash: d41d8cd98f00b204e9800998ecf8427e. Upon checking a threat intelligence feed, this hash is known as a malicious indicator. What does this hash represent?
11. An analyst is reviewing a web server log and sees the following entry: '192.168.1.1 - - [25/Oct/2023:10:15:30 -0400] "GET /admin/index.php?cmd=id HTTP/1.1" 200 1532 "-" "Mozilla/5.0"'. What potential attack does this log entry suggest?
12. A SOC analyst is tuning IDS signatures and notices that a particular signature triggers frequently on legitimate traffic from a specific internal application. The signature has a high false positive rate. What is the best action to take?
13. A security analyst is investigating a potential data exfiltration incident. Which TWO of the following are common indicators that data exfiltration may be occurring over DNS? (Choose two.)
14. A SOC analyst is reviewing a large number of alerts from a SIEM. Which THREE of the following are effective steps to prioritize and investigate alerts in a high-volume environment? (Choose three.)
15. Which TWO of the following are examples of Indicators of Compromise (IoCs) used in network security monitoring? (Choose two.)
16. During a security monitoring review, an analyst notices an unusual amount of traffic on port 445. Which protocol is most likely associated with this port?
17. A security analyst is investigating a potential brute force attack. Which SIEM correlation rule would best detect this activity?
18. An analyst uses Wireshark to examine network traffic and wants to see only packets that contain the string 'password'. Which type of filter should be applied?
19. In a Zeek/Bro log, an analyst observes a connection with 'service' field set to 'dns' and 'query' field containing a long, random-looking subdomain. This could be indicative of which type of activity?
20. Which OSI layer is responsible for logical addressing and routing, and is commonly targeted by IP spoofing attacks?
21. A security analyst is reviewing firewall logs and notices a rule that denies traffic from source IP 10.0.0.5 to destination port 3389. What service is being blocked?
22. During packet analysis, an analyst notices a TCP connection with a large number of SYN packets sent to various ports on a single host but no completed handshakes. This is characteristic of which activity?
23. A SOC analyst is analyzing NetFlow data and notices a sudden spike in outbound traffic from a single internal host to an external IP address during non-business hours. The traffic volume is significantly higher than the baseline. Which suspicion is most likely?
24. Which log type would an analyst examine to view details about HTTP methods (GET, POST), response codes, and user-agent strings?
25. An IDS/IPS alert shows a signature named 'ET POLICY Outgoing HTTP Request with Suspicious User-Agent' with severity high. What is the most likely next step for an analyst?
26. During an incident response, an analyst extracts a file from network traffic using Zeek's file analysis feature. The file has a SHA-256 hash that matches a known malware indicator. Which type of IoC is this?
27. An analyst needs to establish a normal traffic pattern baseline for the network. Which activity is most appropriate for this purpose?
28. An analyst is reviewing DNS logs and sees a high volume of NXDOMAIN responses for a specific domain. Which TWO scenarios could this indicate?
29. A security analyst is examining system logs for signs of privilege escalation. Which THREE events are most relevant to detect such activity?
30. An analyst is tuning Snort IDS rules and wants to reduce false positives. Which TWO rule options can be adjusted to decrease sensitivity?
31. A security analyst is monitoring network traffic and notices a high volume of TCP SYN packets sent to various ports on a single host. Which type of attack is most likely occurring?
32. A SIEM correlation rule triggers an alert when more than 10 failed login attempts from the same source IP occur within 60 seconds. Which attack is this rule designed to detect?
33. An analyst captures traffic and sees a high number of DNS queries for random subdomains under a single domain, all returning NXDOMAIN. This pattern is typical of which malicious activity?
34. Which protocol and port pair is commonly used for secure web traffic?
35. In Wireshark, a security analyst wants to display only packets with source IP 10.0.0.1 and destination port 80. Which display filter should be used?
36. A firewall log shows a connection from internal IP 192.168.1.100 to external IP 203.0.113.5 on port 443 with action 'deny'. What does this indicate?
37. A Zeek connection log shows a high number of connections from a single internal IP to many different external IPs on port 25, with small payload sizes. Which behavior is most likely indicated?
38. Which OSI layer is responsible for logical addressing and routing?
39. An analyst sees a Snort alert with the message 'ET POLICY Outbound connection to known malicious IP'. What does this indicate?
40. Which log source would provide the most detailed information about HTTP requests, including URLs and user agents?
41. A NetFlow report shows that host 10.0.0.5 has sent 1 GB of data to external IP 198.51.100.10 over port 443 in the last hour, while other hosts average 100 MB. This anomaly is most indicative of:
42. Which of the following is a valid indicator of compromise (IoC)?
43. A security analyst is reviewing logs to identify a potential brute force attack. Which TWO log entries would be most suspicious? (Choose TWO.)
44. During packet analysis in Wireshark, which THREE findings are indicators of potential malicious activity? (Choose THREE.)
45. A security analyst is tuning a SIEM to detect lateral movement. Which THREE log sources would provide the most useful data for this purpose? (Choose THREE.)
46. Which OSI layer is associated with protocols such as HTTP, FTP, and SMTP, and is commonly targeted by application-layer attacks?
47. A security analyst needs to filter packets in Wireshark to capture only traffic on port 443. Which filter should be used?
48. A firewall log shows repeated denied packets from IP 10.0.0.5 to destination 192.168.1.10 on port 22. What is the most likely attack?
49. An analyst suspects data exfiltration via DNS. Which log type would provide the most relevant information to confirm this?
50. A security analyst observes a NetFlow record showing a single internal IP communicating with many external IPs on port 445 within seconds. This pattern is indicative of:
51. In Zeek (Bro), which log file would an analyst examine to identify HTTP methods, URIs, and response codes from web traffic?
52. Which port is used by RDP (Remote Desktop Protocol) and is a common target for brute force attacks?
53. A SIEM correlation rule triggers when more than 10 failed login attempts from a single source IP occur within 1 minute. This rule is designed to detect:
54. An analyst finds a YARA rule that matches a file containing the string 'MZ' at offset 0 and includes 'CreateRemoteThread'. This rule likely identifies:
55. In Snort, a rule is written as: alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"SMB exploit attempt"; flow:to_server; content:"|ff|SMB"; nocase;). What does the 'flow:to_server' option indicate?
56. Which protocol and port combination is used by SNMP for receiving traps?
57. An analyst uses 'tshark -r capture.pcap -Y "http.request.method == POST"' to display only HTTP POST requests. This is an example of a:
58. A security analyst is reviewing web server logs and notices a high number of 404 errors for non-existent URLs. Which TWO of the following tools would best help investigate this anomaly?
59. An analyst detects an internal host communicating with an external IP known for malware distribution. Which THREE of the following are valid Indicators of Compromise (IoCs) that should be recorded?
60. Which TWO of the following are functions of a SIEM system in security monitoring?
61. A security analyst is monitoring network traffic and notices a large number of TCP SYN packets being sent to a single host on various ports. Which type of attack is most likely occurring?
62. A network analyst notices that a host is sending a large volume of traffic to an external IP address on port 443 during non-business hours. The traffic volume is significantly higher than the established baseline. Which type of data exfiltration technique should be suspected?
63. A security analyst is reviewing Snort IDS alerts and sees the following rule triggered: alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:'Possible SQL Injection'; content:'UNION'; nocase; sid:1000001;). Which action will Snort take when it detects matching traffic?
64. A SOC analyst is investigating a web server log and sees the following entry: 192.168.1.10 - - [15/May/2023:10:15:30 +0000] 'POST /login.php HTTP/1.1' 200 1245 'http://example.com/login.php' 'Mozilla/5.0'. Which observation is most suspicious?
65. Which protocol and port combination is commonly used for secure remote administration of network devices?
66. A security analyst is using Wireshark to capture traffic from a network segment. They want to see only packets that contain the string 'password' in the payload. Which type of filter should they apply?
67. A SIEM correlation rule is configured to alert when there are 10 failed login attempts from the same source IP within 1 minute. An analyst receives an alert for source IP 10.0.0.5. Which type of attack is most likely being detected?
68. An organization uses Zeek for network monitoring. An analyst wants to extract files transferred over HTTP from network traffic. Which Zeek script or functionality should they use?
69. Which of the following is an example of an Indicator of Compromise (IoC)?
70. A network administrator is creating a baseline for normal traffic patterns. Which of the following should be considered typical for a web server during business hours?
71. A SOC analyst is reviewing a NetFlow record and sees that a single internal IP has communicated with multiple external IPs on port 445 (SMB) within a short time frame. Which type of activity is most likely indicated?
72. Which component of a SIEM is responsible for converting log data from various sources into a standard format?
73. A security analyst is investigating a potential data exfiltration incident. Which TWO of the following network behaviors are indicators of data exfiltration?
74. A SOC analyst is analyzing logs from multiple sources. Which THREE log types are most useful for detecting a brute force attack against a web application?
75. A network analyst is creating a baseline for normal network traffic. Which TWO metrics should be included to establish a baseline?
76. An analyst is monitoring network traffic and sees a large number of TCP SYN packets sent to various ports on a single host from the same source IP. Which type of attack is most likely occurring?
77. During a security investigation, an analyst examines a PCAP file in Wireshark. The analyst wants to see only traffic between two specific IP addresses (192.168.1.10 and 10.0.0.5). Which display filter should be applied?
78. A security analyst is reviewing firewall logs and notices a high number of denied outbound connections from an internal workstation to various external IP addresses on port 445 (SMB). What is the most likely explanation for this activity?
79. A NetFlow analysis shows that a single internal IP sent 10 GB of data to an external IP within one hour, whereas the baseline for that host is typically 100 MB per day. Which type of activity does this indicate?
80. An analyst is configuring a Snort rule to detect a known exploit targeting Apache web servers. The exploit sends a malicious HTTP POST request with a long User-Agent string. Which Snort rule header and options are most appropriate?
81. Which log type would an analyst examine to see failed login attempts to a Windows server?
82. A SIEM correlation rule is designed to detect a brute-force attack. The rule triggers when an event includes 10 or more failed logins from the same source IP within 1 minute. An analyst sees an alert for 12 failed logins from IP 10.0.0.1 in 2 minutes. Why did the rule not trigger?
83. An analyst is investigating a potential data exfiltration via DNS. In Zeek DNS logs, the analyst sees many queries for subdomains like 'a1b2c3.malicious.com', 'd4e5f6.malicious.com' etc. from an internal host. Which technique is likely being used?
84. In Wireshark, an analyst follows a TCP stream and sees plaintext usernames and passwords. Which protocol is likely in use?
85. An analyst is reviewing IDS alerts and sees an alert with signature name 'ET POLICY Suspicious inbound to MySQL port 3306'. The source IP is external and destination is an internal database server. What is the best immediate action?
86. A security analyst is using Zeek to monitor network traffic. The analyst wants to extract all files transferred over HTTP. Which Zeek script or package accomplishes this?
87. Which protocol is used by SNMP to send traps from network devices to the management station?
88. An analyst is investigating a potential compromise using Indicators of Compromise (IoCs). Which TWO of the following are valid types of IoCs?
89. A SOC analyst is tuning a SIEM correlation rule to detect port scanning. The rule should generate an alert when a single source IP connects to many different destination ports on multiple hosts within a short time. Which THREE conditions should be included in the rule?
90. A security analyst is creating a network baseline for normal traffic patterns. Which TWO metrics should be included to detect anomalies?
91. A security analyst is reviewing a Wireshark capture and notices a large number of TCP SYN packets sent to multiple ports on a single host from the same source IP. Which type of network activity is most likely being observed?
92. A security analyst is using NetFlow data to investigate a potential data exfiltration incident. Which NetFlow metric is most useful for identifying large volumes of data being transferred to an external IP address?
93. During a security assessment, a SOC analyst notices an IDS/IPS alert with a severity of 'High' for a signature named 'ET TROJAN Win32.Vobfus Checkin'. The alert shows source IP 10.0.0.5 and destination IP 203.0.113.50 on port 443. What is the most likely interpretation of this alert?
94. A security analyst is investigating an alert from a Windows system log that shows multiple failed logon attempts for the same user account within a short period, followed by a successful logon. Which type of attack does this pattern suggest?
95. A SOC analyst observes a spike in DNS queries for long, random-looking subdomains under a single domain from an internal host. The responses are NXDOMAIN. Which type of activity is most likely indicated?
96. A security analyst is examining web server logs and finds an entry with method 'POST', URL '/login.php', response code '200', and user-agent 'Mozilla/5.0'. The log shows 100 similar entries from the same IP within 5 seconds. What is the most likely activity?
97. A network baseline shows that a server typically sends 1-2 MB of data per hour to external IPs. Suddenly, the server sends 50 MB of data to an IP in a foreign country within 10 minutes. The traffic is encrypted. Which monitoring tool would best confirm data exfiltration?
98. A security analyst is using a SIEM to create a correlation rule that triggers when more than 10 failed logins are detected from the same source IP within 1 minute. This rule is designed to detect which type of attack?
99. A SOC analyst reviews a firewall log with the following entry: action=deny, source IP=192.168.1.100, destination IP=10.0.0.1, destination port=22. The analyst knows that 10.0.0.1 is an SSH server. What does this log entry indicate?
100. An analyst receives a YARA rule that includes the string 'MZ' at the beginning of a file. What does this indicator typically help identify?
101. In the OSI model, which layer is primarily targeted by a SYN flood attack?
102. A security analyst is using Zeek to analyze network traffic. Which Zeek log would be most useful for identifying HTTP requests to a known malicious domain?
103. A SOC analyst is investigating a potential data exfiltration incident. Which TWO Indicators of Compromise (IoCs) would be most relevant for tracking the exfiltration of files over the network?
104. An analyst suspects a host is communicating with a command-and-control server using DNS tunneling. Which THREE network traffic patterns would support this hypothesis?
105. A security analyst is tuning a Snort IDS to reduce false positives. Which TWO Snort rule options should the analyst modify to make the rule more specific?
106. A security analyst is reviewing network traffic and notices a high volume of small packets from an internal IP to a single external IP on port 53. Which type of activity is most likely indicated?
107. A security analyst is analyzing a PCAP file in Wireshark and wants to isolate all HTTPS traffic. Which display filter should the analyst use?
108. A SOC analyst is reviewing firewall logs and sees repeated entries: 'Deny TCP 10.0.0.5:49152 -> 203.0.113.1:22' and 'Deny TCP 10.0.0.5:49153 -> 203.0.113.1:22'. What does this pattern suggest?
109. An analyst notices a Zeek (Bro) connection log showing a single HTTP request from internal IP 192.168.1.10 to external IP 203.0.113.5 with a URI of '/files/secret.docx' and a response code of 200. The file size is unusually large (50 MB). What should the analyst suspect?
110. Which OSI layer is targeted by a TCP SYN flood attack?
111. A SIEM correlation rule triggers when it detects more than 10 failed login attempts from the same source IP within 1 minute. Which type of attack is this rule designed to detect?
112. An analyst is examining a YARA rule that contains the condition: 'uint16(0) == 0x5a4d and filesize < 500KB'. What type of file is this rule targeting?
113. A SOC analyst is investigating a potential data exfiltration incident. Which TWO indicators from NetFlow/IPFIX analysis would most strongly suggest data exfiltration?
114. A security analyst is configuring Snort IDS rules. Which TWO components are mandatory in a Snort rule header?
115. Which TWO protocols are commonly used for remote administration and should be monitored for unauthorized access?
116. An analyst is reviewing web server logs and sees the following entries: 'GET /admin/login.php HTTP/1.1' returning 404, followed by 'GET /admin/login.html' returning 404, then 'GET /admin/login.asp' returning 200. Which TWO observations are most relevant?
117. Which THREE of the following are common Indicators of Compromise (IoCs) used in threat intelligence?
118. A security analyst is analyzing system logs and notices multiple failed authentication events followed by a successful login from the same user account, and then a privilege escalation event. Which THREE events should be correlated to detect a potential attack?
119. An analyst is using Zeek to monitor network traffic. Which THREE types of logs can Zeek generate to provide visibility into application-layer activity?
120. A security analyst is investigating a potential port scan. Which THREE patterns in NetFlow data would indicate a horizontal port scan?
121. A security analyst is investigating a potential brute-force attack on an SSH server. Which TWO of the following log sources would provide the most relevant evidence for detecting and confirming this attack? (Choose two.)
122. During a security monitoring exercise, an analyst observes a series of NetFlow records showing a single internal host communicating with multiple external IP addresses on port 445 (SMB) within a short time window. The traffic volumes are small but consistent. Which THREE of the following should the analyst consider as possible explanations? (Choose three.)
The Security Monitoring domain covers the key concepts tested in this area of the 200-201 exam blueprint published by Cisco. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all 200-201 domains — no account required.
The Courseiva 200-201 question bank contains 122 questions in the Security Monitoring domain. Click any question to see the full explanation and answer breakdown.
Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.