© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

Certifications›200-201›Objectives›Network Intrusion Analysis
Objective 4.0

Network Intrusion Analysis

200-201 Practice Questions

Use this page to practise Network Intrusion Analysis questions for this certification. Focus on how the exam tests network intrusion analysis in scenario format — understanding the why behind each answer builds more durable knowledge than memorising options.


What this objective tests

200-201 Network Intrusion Analysis — Key Topics

Network Intrusion Analysis questions on this certification test your ability to deploy and manage network intrusion analysis concepts in scenario-based situations.

  • Core Network Intrusion Analysis concepts and how they apply in real-world cloud scenarios.
  • How to deploy network intrusion analysis correctly and verify the outcome.
  • Troubleshooting network intrusion analysis issues by interpreting error output and system state.
  • Cloud best practices and Network Intrusion Analysis design trade-offs tested by this certification.

Common exam traps

Where candidates lose marks on Network Intrusion Analysis

  • ⚠ Selecting the most expensive service when a simpler managed option meets the requirement.
  • ⚠ Forgetting that cloud resources must be explicitly secured — defaults are rarely secure.
  • ⚠ Choosing a global service fix when the issue is region-specific.
  • ⚠ Overlooking cost implications of cross-region data transfer in architecture questions.

200-201 Network Intrusion Analysis — Practice Questions

30 questions from this objective

Question 2 (easy, multiple choice)

A security analyst reviews an alert from the IPS that shows a spike in TCP SYN packets from an external IP to multiple internal hosts on port 443. What is the most likely attack type?

Question 3 (easy, multiple choice)

An analyst notices that a host is sending large amounts of data to an external IP address on TCP port 22 during non-business hours. What is the most likely activity?

Question 4 (medium, multiple choice)

An analyst sees an alert: 'ET POLICY Outgoing HTTP Request with Suspicious User-Agent (Mozilla/5.0 compatible; MSIE 6.0; Windows NT 5.1)'. The source is an internal host that typically uses Windows 10. What should the analyst suspect?

Question 5 (medium, multiple choice)

During an investigation, an analyst finds that an internal host has been communicating with a known malicious IP on port 445. Which protocol is most likely involved?

Question 6 (hard, multiple choice)

An analyst reviews NetFlow data and sees a single internal IP communicating with many external IPs on port 53, each with small UDP packets. The internal host is not a DNS server. What is the most likely explanation?

Question 7 (hard, multiple choice)

A security analyst detects a large number of TCP RST packets from a single external IP to various internal hosts. The internal hosts are not sending any corresponding packets. What is the most likely cause?

Question 8 (easy, multiple choice)

An analyst sees an alert from the IDS: 'ET TROJAN Possible Zeus Variant Outbound Connection'. What action should the analyst take first?

Question 9 (medium, multiple choice)

A host is infected with malware that uses DNS tunneling to exfiltrate data. Which type of analysis would best detect this activity?

Question 10 (hard, multiple choice)

An analyst observes that an internal host is sending ICMP echo requests with payloads containing random data to an external IP. The payload size is larger than typical. What is the most likely technique?

Question 11 (easy, multi-select)

Which TWO types of network traffic should be analyzed to detect a data exfiltration attempt via HTTP? (Choose two.)

Question 12 (medium, multi-select)

Which THREE indicators are commonly found in network traffic that suggest a host is part of a botnet? (Choose three.)

Question 13 (hard, multi-select)

Which TWO network behaviors suggest an ARP spoofing attack is occurring? (Choose two.)

Question 14 (medium, multiple choice)

Refer to the exhibit. The analyst sees two IDS alerts from the same source. What should the analyst conclude?

Exhibit

Event: 1, Signature: GPL TROJAN Zeus Variant Outbound Connection
Timestamp: 2023-09-15 14:23:45
Src IP: 10.0.0.25:49152 -> Dst IP: 198.51.100.10:80
Protocol: TCP
Packet: GET /gate.php HTTP/1.1
Host: malware.example.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:45.0)

Event: 2, Signature: ET POLICY Outgoing HTTP Request with Suspicious User-Agent
Timestamp: 2023-09-15 14:23:46
Src IP: 10.0.0.25:49153 -> Dst IP: 198.51.100.10:80
Protocol: TCP
Packet: GET /images/logo.png HTTP/1.1
Host: malware.example.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:45.0)

Question 15 (hard, multiple choice)

Refer to the exhibit. A firewall log shows denied TCP traffic from an internal host to an external IP on consecutive ports. What type of activity is indicated?

Exhibit

syslog: %ASA-4-106023: Deny tcp src inside:10.0.0.10/12345 dst outside:203.0.113.5/22 by access-group "OUTSIDE" [0x0, 0x0]
syslog: %ASA-4-106023: Deny tcp src inside:10.0.0.10/12346 dst outside:203.0.113.5/23 by access-group "OUTSIDE" [0x0, 0x0]
syslog: %ASA-4-106023: Deny tcp src inside:10.0.0.10/12347 dst outside:203.0.113.5/25 by access-group "OUTSIDE" [0x0, 0x0]

Question 16 (easy, multiple choice)

Refer to the exhibit. An analyst sees repeated ICMP echo requests from a host to the broadcast address. What is this an example of?

Exhibit

Event: 1
Timestamp: 2023-10-01 08:00:00
Src IP: 10.0.0.1 -> Dst IP: 10.0.0.255
Protocol: ICMP
Type: 8 (Echo Request)

Event: 2
Timestamp: 2023-10-01 08:00:01
Src IP: 10.0.0.1 -> Dst IP: 10.0.0.255
Protocol: ICMP
Type: 8 (Echo Request)

Event: 3
Timestamp: 2023-10-01 08:00:02
Src IP: 10.0.0.1 -> Dst IP: 10.0.0.255
Protocol: ICMP
Type: 8 (Echo Request)

Question 17 (hard, multiple choice)

You are a security analyst for a financial institution. Over the past hour, the intrusion detection system has generated multiple alerts for outbound traffic from a single internal host (10.0.0.50) to various external IP addresses on port 443. The alerts indicate that the host is making HTTPS connections to IPs that are associated with known command and control servers. Additionally, the host has been observed making DNS queries for domains that are algorithmically generated (e.g., rgj3k2.example.com, fh7d8s.example.net). The host is a Windows 10 workstation used by an employee in the accounting department. The employee reports that they have not noticed any unusual behavior, but they did click on a link in a phishing email yesterday. The network administrator confirms that the host's firewall rules allow outbound HTTPS traffic. You have access to endpoint logs, network flow data, and packet captures. Which course of action should you take FIRST?

Question 18 (medium, multiple choice)

You are a security analyst for a medium-sized enterprise. You notice that the network monitoring system has flagged an unusual amount of traffic between two internal hosts: 192.168.1.10 (a file server) and 192.168.1.20 (a workstation in the sales department). The traffic is occurring on port 445 (SMB) and is happening outside of normal business hours. The volume of data transferred is significantly higher than typical usage. The file server logs show that the sales workstation has been accessing a large number of files in quick succession. The sales employee reports that they have been working late, but they cannot explain the high volume of file access. You have access to the file server logs, network flow data, and the workstation's event logs. The workstation has antivirus software installed that is up to date. What should you do FIRST?

Question 19 (hard, multiple choice)

A security analyst observes a sudden spike in outbound traffic from a critical server to an external IP address on TCP port 443. The server is a web application server that normally only receives inbound connections. Which type of intrusion is most likely occurring?

Question 20 (easy, multiple choice)

An analyst needs to determine if a host is infected with malware that is attempting to contact a known malicious domain. Which log source is most appropriate for this analysis?

Question 21 (medium, multi-select)

Which TWO of the following are indicators of a network intrusion? (Choose two.)

Question 22 (medium, multiple choice)

Refer to the exhibit. A security analyst reviews the ACL configuration applied outbound on the external interface. Which statement is true about traffic from the 192.168.1.0/24 network to the internet?

Exhibit

Extended ACL 101:
10 permit tcp 192.168.1.0 0.0.0.255 any eq 80
20 permit tcp 192.168.1.0 0.0.0.255 any eq 443
30 deny tcp any any eq 22
40 permit ip any any

Interface GigabitEthernet0/0:
 ip access-group 101 out

Question 23 (hard, multiple choice)

You are a security analyst for a medium-sized enterprise. The network includes a DMZ with a web server (10.0.1.10) and a database server (10.0.2.10) in the internal network. Users access the web server via HTTPS from the internet. The web server queries the database server on TCP 3306. Recently, users reported that the web application sometimes returns database errors. You review firewall logs and see the following:

- Allowed inbound HTTPS to 10.0.1.10 from various external IPs.
- Denied outbound from 10.0.1.10 to 10.0.2.10 on port 3306.
- Allowed outbound from 10.0.1.10 to external IPs on port 443.

You also notice that the web server's outbound traffic to the database server is being blocked. The firewall has a default deny rule. Which action should you take to restore normal operation while maintaining security?

Question 24 (medium, multi-select)

Which TWO actions are appropriate when analyzing network traffic to identify a potential data exfiltration attempt?

Question 25 (hard, multiple choice)

Based on the exhibit, what is the most likely type of attack being observed?

Exhibit

Event: 02/15/2023 14:32:10
Src IP: 10.10.10.50
Dst IP: 203.0.113.5
Protocol: TCP
Flags: SYN
Length: 60 bytes

(Repeated 100 times in the last 2 seconds)

Question 26 (easy, multiple choice)

You are a security analyst at a medium-sized company. A user reports that their workstation is running slowly and the network is sluggish. You check the firewall logs and see a large number of outgoing connections from the user's workstation to an external IP address (198.51.100.23) on port 4444. The connections are short-lived and occur every few seconds. The workstation has standard corporate antivirus installed, which is up-to-date and shows no threats. You have also noticed that the workstation is making DNS queries to an unusual domain (malicious.example.com) that resolves to the same external IP. What is the most appropriate immediate action?

Question 27 (medium, drag order)

Drag and drop the steps to configure a VLAN on a Cisco switch into the correct order.

Question 28 (medium, drag order)

Drag and drop the steps to implement a disaster recovery plan for a critical server into the correct order.

Question 29 (medium, matching)

Match each Linux command to its function.

Functions to match:

  • Search text using patterns
  • Capture and analyze network packets
  • Display network connections and statistics
  • Configure firewall rules
  • Change file permissions

Question 30 (medium, matching)

Match each analysis type to its description.

Descriptions to match:

  • Examining a file without executing it
  • Running a file in a sandbox to observe its behavior
  • Matching patterns against known threats
  • Detecting deviations from baseline behavior
  • Using rules to detect unknown threats

Question 31 (easy, multiple choice)

A security analyst observes a high volume of ICMP echo replies from multiple internal hosts to a single external IP address. Which type of network activity is most likely indicated?

More Network Intrusion Analysis questions available in the full practice test.

Continue Practising →
←

Previous objective

Host-Based Analysis

All 200-201 Objectives

  • 1.Security Concepts
  • 2.Security Monitoring
  • 3.Host-Based Analysis
  • 4.Network Intrusion Analysis