Courseiva
Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

Objective 2.0

Security Monitoring

200-201 Practice Questions

Monitoring questions test your ability to match the right signal type to the right tool. Metrics for dashboards, logs for forensics, traces for distributed systems — keep this mapping in mind for every scenario.


What this objective tests

200-201 Security Monitoring — Key Topics

Monitoring and logging questions test metrics, logs, and traces as the three pillars of observability, and how to choose the right tool for each signal type.

  • Metrics (time-series data), logs (events), and traces (distributed request flow) — and which tools handle each.
  • Alert types: threshold-based, anomaly-based, and composite — and when each is appropriate.
  • Log levels: DEBUG, INFO, WARN, ERROR, CRITICAL — and what should be logged at each level.
  • Retention policies, aggregation, and the cost trade-off of storing high-cardinality data.

Common exam traps

Where candidates lose marks on Security Monitoring

  • ⚠ Choosing a logging solution for real-time metric alerting: metrics can be derived from logs, but parsing and aggregation add latency that a metrics store avoids.
  • ⚠ Setting all log levels to DEBUG in production: high-volume debug logging degrades performance and buries the events that matter.
  • ⚠ Treating an alert silence as a resolution: silencing without root-cause investigation leaves the issue active.
  • ⚠ Forgetting that distributed tracing requires instrumentation in every service in the call chain; one uninstrumented hop breaks the trace.

200-201 Security Monitoring — Practice Questions

30 questions from this objective

Question 2 (easy, multiple choice)

An analyst notices repeated failed SSH attempts from an external IP to a server. The analyst wants to quickly see all SSH-related events from that IP in the last hour. Which approach is most efficient?

Question 3 (medium, multiple choice)

A security team implements a network-based IPS. During testing, they find that legitimate traffic is frequently blocked. Which tuning approach should they prioritize?

Question 4 (hard, multiple choice)

An analyst is investigating a host that is beaconing to a known malicious domain every 60 seconds. The host also shows outbound connections to multiple IPs on port 443. To confirm the beaconing, which data source is most useful?

Question 5 (easy, multiple choice)

A SOC analyst receives an alert for 'Malware Detected' from an endpoint sensor. The analyst checks the endpoint and sees a file named 'invoice.exe' in the Downloads folder. What should the analyst do first?

Question 6 (medium, multiple choice)

A company uses a SIEM with correlation rules. They notice that a rule designed to detect brute-force attacks is not triggering even though failed logins are occurring. Which is the most likely cause?

Question 7 (medium, multiple choice)

During an incident, an analyst needs to determine if a specific user account 'jsmith' was used from a remote IP during a breach window. Which log sources should the analyst check first?

Question 8 (hard, multiple choice)

An organization uses a SIEM that ingests logs from multiple sources. The analysts are overwhelmed with alerts, many of which are false positives. Which strategy best reduces alert fatigue without increasing risk?

Question 9 (easy, multiple choice)

An analyst is reviewing a suspicious email reported by a user. The email contains an attachment 'invoice.pdf' and urges the user to open it. Which indicator is most likely to confirm it is a phishing attempt?

Question 10 (medium, multiple choice)

A network engineer configures a SPAN port to send traffic from a critical server to an IDS. After configuration, the IDS sees no traffic. What is the most likely issue?

Question 11 (hard, multiple choice)

An analyst observes a sudden spike in DNS queries from an internal host to a random subdomain of a legitimate domain (e.g., randomstring.google.com). This behavior is consistent with which technique?

Question 12 (easy, multiple choice)

A company wants to monitor for unauthorized wireless access points. Which technique should they implement?

Question 13 (medium, multi select)

Which TWO are common indicators of a compromised host? (Choose two.)

Question 14 (medium, multi select)

Which THREE are essential components of a security monitoring strategy? (Choose three.)

Question 15 (hard, multi select)

Which TWO are best practices for managing SIEM alerts to reduce false positives? (Choose two.)

Question 16 (hard, multi select)

Which THREE are typical sources of log data used in security monitoring? (Choose three.)

Question 17 (hard, multiple choice)

Refer to the exhibit. An analyst configures an ACL to block traffic to a malicious host on port 443. After applying it inbound on the external interface, the analyst sees the ACL counters. What does the output indicate?

Exhibit

```
Router# show ip access-lists
Extended IP access list BLOCK_MALICIOUS
    10 deny tcp any host 203.0.113.5 eq 443
    20 permit ip any any (2623 matches)
```
Question 18 (medium, multiple choice)

Refer to the exhibit. An analyst sees this syslog message from a Cisco ASA. What does this log entry indicate?

Exhibit

```
Mar  1 12:34:56 192.168.1.100 %ASA-4-106023: Deny tcp src outside:10.0.0.1/54321 dst inside:192.168.1.100/80 by access-group "OUTSIDE_IN" [0x0, 0x0]
```
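
The ASA message in the exhibit is a fixed-format syslog line, so it can be parsed into fields and tallied rather than read by eye. The Python below is an added example, not code from the page or from Cisco: the regex follows the 106023 layout visible above, the group names and the `SEVERITY_NAMES` table (Cisco's eight syslog levels, 0 emergencies through 7 debugging) are this example's own labels, and every log line other than the exhibit line is constructed for the demonstration.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# Layout of %ASA-<sev>-106023 as it appears in the exhibit:
#   <Mon> <day> <hh:mm:ss> <reporter> %ASA-<sev>-106023: Deny <proto>
#   src <ifc>:<ip>/<port> dst <ifc>:<ip>/<port> by access-group "<acl>" [<hex>, <hex>]
# Group names are this example's own labels (assumption), not Cisco field names.
ASA_106023 = re.compile(
    r"^(?P<month>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<reporter>\S+) %ASA-(?P<severity>\d)-106023: Deny (?P<proto>\w+) "
    r"src (?P<src_ifc>[\w-]+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) "
    r"dst (?P<dst_ifc>[\w-]+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) "
    r'by access-group "(?P<acl>[^"]+)"'
)

# Cisco syslog severity levels 0-7; the 4 in the exhibit is "warnings".
SEVERITY_NAMES = {0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
                  4: "warnings", 5: "notifications", 6: "informational", 7: "debugging"}


def parse_asa_deny(line: str) -> Optional[Dict]:
    """Return the fields of a 106023 deny message, or None for any other line."""
    m = ASA_106023.match(line)
    if not m:
        return None
    f = m.groupdict()
    f["severity"] = int(f["severity"])
    f["severity_name"] = SEVERITY_NAMES[f["severity"]]
    f["src_port"] = int(f["src_port"])
    f["dst_port"] = int(f["dst_port"])
    return f


def count_denies_by_source(lines: List[str]) -> Dict[str, int]:
    """Tally 106023 denies per source IP; lines that are not 106023 are skipped."""
    tally: Counter = Counter()
    for line in lines:
        f = parse_asa_deny(line)
        if f:
            tally[f["src_ip"]] += 1
    return dict(tally)


# Constructed sample: the exhibit line plus three invented lines. The last one is a
# 302013 "Built ... connection" message, which the deny parser must ignore.
SAMPLE_LOG = [
    'Mar  1 12:34:56 192.168.1.100 %ASA-4-106023: Deny tcp src outside:10.0.0.1/54321 '
    'dst inside:192.168.1.100/80 by access-group "OUTSIDE_IN" [0x0, 0x0]',
    'Mar  1 12:34:57 192.168.1.100 %ASA-4-106023: Deny tcp src outside:10.0.0.1/54322 '
    'dst inside:192.168.1.100/443 by access-group "OUTSIDE_IN" [0x0, 0x0]',
    'Mar  1 12:35:01 192.168.1.100 %ASA-4-106023: Deny udp src outside:198.51.100.7/5060 '
    'dst inside:192.168.1.20/5060 by access-group "OUTSIDE_IN" [0x0, 0x0]',
    'Mar  1 12:35:02 192.168.1.100 %ASA-6-302013: Built inbound TCP connection 12345 for '
    'outside:198.51.100.9/40000 (198.51.100.9/40000) to inside:192.168.1.30/443 (192.168.1.30/443)',
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(parse_asa_deny(line))
    print(count_denies_by_source(SAMPLE_LOG))
```

The severity digit is part of the message ID, so a collector can route on it before parsing the body; 106023 is emitted at level 4 because an ACL deny is expected behaviour, not a fault on the firewall.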
Question 19 (easy, multiple choice)

Refer to the exhibit. An EDR alert shows this JSON event. What is the most significant indicator of a potential malware infection?

Exhibit

```
{
  "event": "Process Creation",
  "timestamp": "2024-08-01T10:00:00Z",
  "hostname": "DESKTOP-ABC123",
  "user": "jsmith",
  "process": "C:\\Users\\jsmith\\Downloads\\invoice.exe",
  "parent_process": "C:\\Windows\\explorer.exe"
}
```
Question 20 (hard, multiple choice)

You are a SOC analyst at a mid-sized company. The company uses a SIEM that ingests logs from firewalls, IDS, and endpoints. Over the past week, you've noticed a gradual increase in outbound traffic from several internal hosts to IP addresses in a foreign country during non-business hours. The traffic is primarily on port 443. The IDS has not generated any alerts. The firewall logs show the connections are established. You check the endpoints and find no unusual processes running. However, the outbound connections persist. What is the most likely explanation and the best next step?

Question 21 (medium, multiple choice)

You are a security administrator for a company with 500 employees. The company uses a SIEM with basic correlation rules. Recently, the HR department reported that several employees received phishing emails with a link to a fake login page. The emails bypassed the spam filter. You want to detect if any employees clicked the link. You have access to web proxy logs, DNS logs, and endpoint antivirus logs. The phishing link is 'http://malicious-login.com/verify'. Which action should you take first to identify affected users?

Question 22 (medium, multiple choice)

A security analyst is reviewing logs from multiple network devices and notices that a large number of ICMP echo requests with a payload size of 65507 bytes are being sent to a single server from various external IP addresses. The server is becoming unresponsive. Which type of attack is most likely occurring?

Question 23 (medium, multiple choice)

A security analyst observes repeated failed login attempts to an internal web server from multiple external IP addresses. The analyst creates a correlation rule that triggers an alert if more than 10 failed logins occur from a single source IP within 5 minutes. After deploying the rule, the analyst finds that the rule generates false positives from legitimate users who mistype passwords. Which action should the analyst take to reduce false positives while maintaining detection effectiveness?
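
A rule of the form "more than 10 failures from one source IP in 5 minutes" fires on a legitimate user who mistypes repeatedly just as readily as on a brute-force attempt (the situation in Question 6 and in this question). The Python below is an added example, not code from the page: it runs the naive rule and a tuned variant over a constructed set of login events. The tuned variant keeps the same threshold but only alerts when the burst spans several accounts (spraying) or targets one account that never then logs in from that IP. The event format, thresholds and sample data are assumptions made for the demonstration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, Iterator, List, NamedTuple


class AuthEvent(NamedTuple):
    ts: datetime
    src_ip: str
    user: str
    success: bool


def _at(base: str, offset_s: int) -> datetime:
    return datetime.fromisoformat(base) + timedelta(seconds=offset_s)


# Constructed sample events (not from the page).
T0 = "2024-08-01T09:00:00"
SAMPLE_EVENTS: List[AuthEvent] = (
    # 203.0.113.9: 12 failures in under 3 minutes, rotating through 8 usernames
    [AuthEvent(_at(T0, 15 * i), "203.0.113.9", f"user{i % 8:02d}", False) for i in range(12)]
    # 198.51.100.4: user amy mistypes 11 times, then logs in successfully
    + [AuthEvent(_at(T0, 20 * i), "198.51.100.4", "amy", False) for i in range(11)]
    + [AuthEvent(_at(T0, 230), "198.51.100.4", "amy", True)]
    # 192.0.2.77: 12 failures against 'admin' only, never a success
    + [AuthEvent(_at(T0, 600 + 10 * i), "192.0.2.77", "admin", False) for i in range(12)]
)


def _windows(fails: List[AuthEvent], window: timedelta) -> Iterator[deque]:
    """Yield the sliding window of failures ending at each event (input sorted by time)."""
    q: deque = deque()
    for e in fails:
        q.append(e)
        while e.ts - q[0].ts > window:
            q.popleft()
        yield q


def naive_rule(events: List[AuthEvent], threshold: int = 10,
               window: timedelta = timedelta(minutes=5)) -> Dict[str, int]:
    """The rule as written: any source IP with more than `threshold` failures in `window`."""
    fails = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        if not e.success:
            fails[e.src_ip].append(e)
    alerts: Dict[str, int] = {}
    for ip, evs in fails.items():
        for q in _windows(evs, window):
            if len(q) > threshold:
                alerts[ip] = max(alerts.get(ip, 0), len(q))
    return alerts


def tuned_rule(events: List[AuthEvent], threshold: int = 10,
               window: timedelta = timedelta(minutes=5), min_users: int = 3) -> Dict[str, str]:
    """Same threshold, but a single-account burst is suppressed when that account then
    authenticates successfully from the same IP inside the window (a mistyped password)."""
    fails, successes = defaultdict(list), defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        (successes if e.success else fails)[e.src_ip].append(e)
    alerts: Dict[str, str] = {}
    for ip, evs in fails.items():
        for q in _windows(evs, window):
            if len(q) <= threshold:
                continue
            users = {f.user for f in q}
            if len(users) >= min_users:
                alerts[ip] = f"{len(q)} failures across {len(users)} accounts (spraying)"
                continue
            deadline = q[0].ts + window
            recovered = any(s.user in users and q[0].ts <= s.ts <= deadline
                            for s in successes[ip])
            if not recovered:
                alerts[ip] = f"{len(q)} failures against {sorted(users)} with no later success"
    return alerts


if __name__ == "__main__":
    print("naive:", naive_rule(SAMPLE_EVENTS))
    print("tuned:", tuned_rule(SAMPLE_EVENTS))
```

The naive rule alerts on all three sources; the tuned rule drops the mistyping user and keeps both the spray and the single-account brute force, so the false positive goes away without raising the threshold that the real attacks would then slip under.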

Question 24 (hard, multiple choice)

A SOC analyst is tuning an IPS rule that detects SQL injection attempts. The rule currently generates a high number of alerts, most of which are false positives caused by legitimate web application traffic containing SQL-like keywords. The analyst wants to reduce false positives without missing actual attacks. Which approach is most effective?

Question 25 (medium, multi select)

A network security monitoring analyst is analyzing firewall logs and sees the following traffic: Source IP 10.1.1.50 to Destination IP 203.0.113.5 on port 443, protocol TCP, with a large amount of data transferred in both directions during business hours. The analyst suspects data exfiltration. Which TWO additional indicators would most strongly support this suspicion? (Choose two.)

Question 26 (easy, multiple choice)

You are a security analyst at a mid-sized company. The company uses a SIEM to collect logs from firewalls, IDS, and servers. Recently, the SIEM generated an alert for a potential brute-force attack against the company's VPN server. The alert is based on a correlation rule that triggers when more than 30 failed authentication attempts from a single source IP occur within 10 minutes. You investigate and see that the source IP is 203.0.113.50, which is a known IP address of a partner company that uses the VPN for remote access. The failed attempts are all from the same username 'john.doe'. You also notice that the attempts are happening every 5 seconds, exactly 6 attempts per minute. The partner company has a policy that locks accounts after 3 failed attempts. Based on this scenario, what is the most likely cause of the alert?

Question 27 (medium, multiple choice)

A security analyst is investigating an alert that indicates a host is sending a large number of DNS queries to an external domain. The analyst wants to determine if the traffic is malicious and if it is using a DNS tunnel. Which type of analysis should the analyst perform to confirm the presence of a DNS tunnel?
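
Question 11 and this question both turn on what a DNS tunnel looks like in query logs: a high volume of queries to one registered domain, each with a long, high-entropy, never-repeated subdomain carrying encoded data. The Python below is an added example, not code from the page: it scores (client, registered domain) groups on those three properties over a constructed query log. Treating the last two labels as the registered domain, the thresholds, and the sample queries are all assumptions for the demonstration; production code would use the Public Suffix List.

```python
import hashlib
import math
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple


def shannon_entropy(s: str) -> float:
    """Bits per character: 0.0 for one repeated character, up to 4.0 for uniform hex."""
    if not s:
        return 0.0
    n = len(s)
    counts: Dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_qname(qname: str) -> Tuple[str, str]:
    """Split into (registered domain, subdomain). Assumption: the registered domain is
    the last two labels, which is wrong for suffixes like co.uk (use the PSL for real data)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def dns_tunnel_findings(queries: Iterable[Tuple[str, str]], min_queries: int = 20,
                        min_avg_len: int = 20, min_avg_entropy: float = 3.0,
                        min_unique_ratio: float = 0.8) -> Dict:
    """Group queries by (client, registered domain) and flag groups that show at least two
    of: long subdomains, high-entropy subdomains, nearly every query having a new subdomain."""
    groups = defaultdict(list)
    for client, qname in queries:
        base, sub = split_qname(qname)
        groups[(client, base)].append(sub)
    findings = {}
    for key, subs in groups.items():
        n = len(subs)
        if n < min_queries:
            continue
        stats = {
            "queries": n,
            "avg_len": sum(len(s) for s in subs) / n,
            "avg_entropy": sum(shannon_entropy(s.replace(".", "")) for s in subs) / n,
            "unique_ratio": len(set(subs)) / n,
        }
        reasons = []
        if stats["avg_len"] >= min_avg_len:
            reasons.append("long subdomains")
        if stats["avg_entropy"] >= min_avg_entropy:
            reasons.append("high-entropy subdomains")
        if stats["unique_ratio"] >= min_unique_ratio:
            reasons.append("subdomains almost never repeat")
        if len(reasons) >= 2:
            stats["reasons"] = reasons
            findings[key] = stats
    return findings


def _tunnel_chunk(i: int) -> str:
    # Stand-in for a hex-encoded data chunk; real tunnels also use base32/base64.
    return hashlib.sha256(f"chunk{i}".encode()).hexdigest()[:48]


# Constructed sample: one host tunnelling to evil-example.net while both hosts also
# make ordinary, repetitive queries to example.org.
SAMPLE_QUERIES: List[Tuple[str, str]] = (
    [("10.0.0.23", f"{_tunnel_chunk(i)}.evil-example.net") for i in range(30)]
    + [("10.0.0.23", name) for name in ["www.example.org", "mail.example.org", "cdn.example.org"] * 8]
    + [("10.0.0.5", name) for name in
       ["www.example.org", "mail.example.org", "cdn.example.org", "api.example.org"] * 10]
)

if __name__ == "__main__":
    for key, stats in dns_tunnel_findings(SAMPLE_QUERIES).items():
        print(key, stats)
```

Volume alone is not enough: the benign example.org traffic also clears the query count, but its subdomains are short, low-entropy and repeat constantly, so it produces no finding. Requiring two of the three indicators is what separates the tunnel from a busy CDN or a chatty client.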

Question 28 (hard, multi select)

A security analyst is reviewing the firewall log exhibit. The analyst suspects that this traffic might be part of a command-and-control (C2) communication based on the packet size and the timing of similar events. Which TWO additional pieces of evidence would most strongly support the suspicion of C2 traffic?

Exhibit


```
Event: Firewall log entry
Time: 2023-10-05 14:23:45
Source IP: 192.168.1.50
Destination IP: 203.0.113.5
Source Port: 49152
Destination Port: 443
Protocol: TCP
Action: ALLOW
Bytes: 1452
Flags: ACK
```
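
Questions 4, 20 and this one all describe the same signal: an allowed outbound flow to one destination that recurs on a near-fixed period, often with a near-constant size, while the IDS stays quiet. A single firewall entry such as the exhibit cannot show that; a series of them can. The Python below is an added example, not code from the page: it groups allowed connections by (source, destination, port) and flags flows whose inter-arrival times have a low coefficient of variation. The event format, the 60-second beacon with small jitter, the browsing traffic used as a contrast, and the thresholds are all constructed for the demonstration.

```python
import statistics
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Tuple


class FlowEvent(NamedTuple):
    ts: datetime
    src: str
    dst: str
    dport: int
    nbytes: int


def beacon_candidates(events: List[FlowEvent], min_events: int = 8,
                      max_interval_cv: float = 0.1) -> Dict[Tuple[str, str, int], Dict]:
    """Group allowed connections by (src, dst, dport) and flag flows whose inter-arrival
    times are nearly constant (std dev / mean <= max_interval_cv). Size regularity is
    reported alongside as supporting evidence rather than used as a gate."""
    flows = defaultdict(list)
    for e in events:
        flows[(e.src, e.dst, e.dport)].append(e)
    findings = {}
    for key, evs in flows.items():
        if len(evs) < min_events:
            continue
        evs.sort(key=lambda e: e.ts)
        intervals = [(b.ts - a.ts).total_seconds() for a, b in zip(evs, evs[1:])]
        mean = statistics.mean(intervals)
        interval_cv = statistics.pstdev(intervals) / mean if mean > 0 else float("inf")
        sizes = [e.nbytes for e in evs]
        size_cv = statistics.pstdev(sizes) / statistics.mean(sizes)
        if interval_cv <= max_interval_cv:
            findings[key] = {
                "events": len(evs),
                "period_s": statistics.median(intervals),
                "interval_cv": round(interval_cv, 3),
                "size_cv": round(size_cv, 3),
            }
    return findings


def _at(offset_s: int) -> datetime:
    # Offsets from the exhibit's timestamp; the series itself is constructed.
    return datetime(2023, 10, 5, 14, 23, 45) + timedelta(seconds=offset_s)


JITTER = [0, 1, -1, 0, 2, -1, 1, 0, -2, 1]
BEACON_SIZES = [1452, 1452, 1452, 1460, 1452, 1452, 1452, 1452, 1468, 1452]
BROWSE_OFFSETS = [0, 7, 9, 45, 46, 120, 300, 302, 303, 600, 601, 900]
BROWSE_SIZES = [512, 8192, 1300, 64000, 900, 2048, 15000, 700, 4096, 300, 12000, 5000]

# Constructed sample: a 60-second beacon with +/-2 s jitter, a user browsing in bursts,
# and a flow with too few events to judge.
SAMPLE_FLOWS: List[FlowEvent] = (
    [FlowEvent(_at(60 * i + JITTER[i]), "192.168.1.50", "203.0.113.5", 443, BEACON_SIZES[i])
     for i in range(10)]
    + [FlowEvent(_at(off), "10.0.0.8", "198.51.100.20", 443, size)
       for off, size in zip(BROWSE_OFFSETS, BROWSE_SIZES)]
    + [FlowEvent(_at(3600 * i), "10.0.0.8", "198.51.100.53", 53, 80) for i in range(3)]
)

if __name__ == "__main__":
    for key, stats in beacon_candidates(SAMPLE_FLOWS).items():
        print(key, stats)
```

The browsing flow has more events than the beacon, but its intervals range from one second to five minutes, so its coefficient of variation is far above the cut-off. Real C2 adds deliberate jitter; widening the tolerance trades false positives against evasion, which is why period regularity is corroborating evidence to pair with a destination-reputation lookup or a PCAP of the session, not a verdict on its own.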
Question 29 (easy, multiple choice)

You are a security analyst at a medium-sized company. The company uses a SIEM that collects logs from firewalls, IDS/IPS, and endpoint detection and response (EDR) agents. You receive an alert that a user's workstation (IP 10.0.1.25) has been making outbound connections to an IP address (198.51.100.10) on port 4444 (commonly used by malware). The alert includes a SIEM correlation rule that triggered when three or more connections to that IP occurred within 5 minutes. You check the EDR logs and see that the workstation is running a process named 'svchost.exe' that is connecting to that IP. The process path is C:\Windows\system32\svchost.exe, which is legitimate. However, you notice that the process has a digital signature from 'Microsoft Corporation', but the signature date is from 2021. The workstation's operating system is Windows 10 22H2, fully patched as of last month. The user reports that they have been experiencing slow performance and occasional pop-ups. Which action should you take FIRST to investigate this potential compromise?

Question 30 (medium, drag order)

Drag and drop the steps for the TCP three-way handshake into the correct order.

Question 31 (medium, drag order)

Drag and drop the steps to analyze a packet capture for suspicious activity into the correct order.


More Security Monitoring questions available in the full practice test.


All 200-201 Objectives

  • 1.Security Concepts
  • 2.Security Monitoring
  • 3.Host-Based Analysis
  • 4.Network Intrusion Analysis