Courseiva
Knowledge + Practice

Free IT certification practice questions with explained answers for CCNA, CompTIA, AWS, Azure, Google Cloud, and more.



Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.


200-201 Security Monitoring • Complete Question Bank

200-201 Security Monitoring — All Questions With Answers

Complete 200-201 Security Monitoring question bank: all 122 questions with answers and detailed explanations.

122 questions | Free | No signup
Question 1 (easy, multiple choice)

An analyst is monitoring network traffic and observes a large number of TCP SYN packets sent to a single host on various ports with no corresponding SYN-ACK replies. This behavior is most indicative of which type of attack?

Question 2 (medium, multiple choice)

A security engineer is setting up a Snort rule to detect FTP traffic where the source IP is not from the internal network. Which Snort rule header correctly specifies the action, protocol, source, and destination?

Question 3 (hard, multiple choice)

During a security incident, a SOC analyst reviews NetFlow records and notices a single internal host communicating with a remote server on TCP port 443, sending 50 MB of data in 5 minutes, while the usual baseline for that host is 1 MB per hour. Which type of activity is most likely indicated?

Question 4 (medium, multiple choice)

An analyst is examining a firewall log entry: '2023-10-25 14:30:00 ACTION=DENY SRC=10.0.0.5 DST=203.0.113.50 PROTO=TCP SPT=445 DPT=445'. Which statement best describes this event?

Question 5 (medium, multiple choice)

While analyzing a PCAP file in Wireshark, an analyst sees multiple GET requests to /login.php with different usernames in the URL parameters, all from the same source IP: 192.168.1.100 to 10.0.0.1. The HTTP response codes are mostly 200 OK. This pattern suggests which attack?

Question 6 (easy, multiple choice)

A SOC analyst needs to create a SIEM correlation rule to detect a brute force attack against SSH on a server. Which of the following would be the most effective rule logic?

Question 7 (hard, multiple choice)

A security analyst is reviewing Zeek connection logs and sees the following entry: '192.168.1.10:12345 > 10.0.0.1:80 (tcp) duration 0.001 sec, service http, bytes 60, state S0'. Based on the state 'S0', what does this indicate about the connection?

Question 8 (medium, multiple choice)

An analyst receives an IDS alert with signature name 'ET TROJAN Win32.Zeus Checkin' and severity 'high'. The alert shows source IP 192.168.1.50 and destination IP 198.51.100.20 on port 443. Which action should the analyst take FIRST?

Question 9 (easy, multiple choice)

Which Wireshark display filter would an analyst use to view only HTTP packets that contain the word 'password' in the packet payload?

Question 10 (hard, multiple choice)

During an incident response, an analyst extracts a suspicious file and computes its MD5 hash: d41d8cd98f00b204e9800998ecf8427e. Upon checking a threat intelligence feed, this hash is known as a malicious indicator. What does this hash represent?

Question 11 (medium, multiple choice)

An analyst is reviewing a web server log and sees the following entry: '192.168.1.1 - - [25/Oct/2023:10:15:30 -0400] "GET /admin/index.php?cmd=id HTTP/1.1" 200 1532 "-" "Mozilla/5.0"'. What potential attack does this log entry suggest?

Question 12 (medium, multiple choice)

A SOC analyst is tuning IDS signatures and notices that a particular signature triggers frequently on legitimate traffic from a specific internal application. The signature has a high false positive rate. What is the best action to take?

Question 13 (medium, multi-select)

A security analyst is investigating a potential data exfiltration incident. Which TWO of the following are common indicators that data exfiltration may be occurring over DNS? (Choose two.)

Question 14 (hard, multi-select)

A SOC analyst is reviewing a large number of alerts from a SIEM. Which THREE of the following are effective steps to prioritize and investigate alerts in a high-volume environment? (Choose three.)

Question 15 (easy, multi-select)

Which TWO of the following are examples of Indicators of Compromise (IoCs) used in network security monitoring? (Choose two.)

Question 16 (easy, multiple choice)

During a security monitoring review, an analyst notices an unusual amount of traffic on port 445. Which protocol is most likely associated with this port?

Question 17 (medium, multiple choice)

A security analyst is investigating a potential brute force attack. Which SIEM correlation rule would best detect this activity?

Question 18 (medium, multiple choice)

An analyst uses Wireshark to examine network traffic and wants to see only packets that contain the string 'password'. Which type of filter should be applied?

Question 19 (hard, multiple choice)

In a Zeek/Bro log, an analyst observes a connection with 'service' field set to 'dns' and 'query' field containing a long, random-looking subdomain. This could be indicative of which type of activity?

Question 20 (easy, multiple choice)

Which OSI layer is responsible for logical addressing and routing, and is commonly targeted by IP spoofing attacks?

Question 21 (medium, multiple choice)

A security analyst is reviewing firewall logs and notices a rule that denies traffic from source IP 10.0.0.5 to destination port 3389. What service is being blocked?

Question 22 (medium, multiple choice)

During packet analysis, an analyst notices a TCP connection with a large number of SYN packets sent to various ports on a single host but no completed handshakes. This is characteristic of which activity?

Question 23 (hard, multiple choice)

A SOC analyst is analyzing NetFlow data and notices a sudden spike in outbound traffic from a single internal host to an external IP address during non-business hours. The traffic volume is significantly higher than the baseline. Which suspicion is most likely?

Question 24 (easy, multiple choice)

Which log type would an analyst examine to view details about HTTP methods (GET, POST), response codes, and user-agent strings?

Question 25 (medium, multiple choice)

An IDS/IPS alert shows a signature named 'ET POLICY Outgoing HTTP Request with Suspicious User-Agent' with severity high. What is the most likely next step for an analyst?

Question 26 (hard, multiple choice)

During an incident response, an analyst extracts a file from network traffic using Zeek's file analysis feature. The file has a SHA-256 hash that matches a known malware indicator. Which type of IoC is this?

Question 27 (easy, multiple choice)

An analyst needs to establish a normal traffic pattern baseline for the network. Which activity is most appropriate for this purpose?

Question 28 (medium, multi-select)

An analyst is reviewing DNS logs and sees a high volume of NXDOMAIN responses for a specific domain. Which TWO scenarios could this indicate?

Question 29 (medium, multi-select)

A security analyst is examining system logs for signs of privilege escalation. Which THREE events are most relevant to detect such activity?

Question 30 (hard, multi-select)

An analyst is tuning Snort IDS rules and wants to reduce false positives. Which TWO rule options can be adjusted to decrease sensitivity?

Question 31 (easy, multiple choice)

A security analyst is monitoring network traffic and notices a high volume of TCP SYN packets sent to various ports on a single host. Which type of attack is most likely occurring?

Question 32 (medium, multiple choice)

A SIEM correlation rule triggers an alert when more than 10 failed login attempts from the same source IP occur within 60 seconds. Which attack is this rule designed to detect?

Question 33 (hard, multiple choice)

An analyst captures traffic and sees a high number of DNS queries for random subdomains under a single domain, all returning NXDOMAIN. This pattern is typical of which malicious activity?

Question 34 (easy, multiple choice)

Which protocol and port pair is commonly used for secure web traffic?

Question 35 (medium, multiple choice)

In Wireshark, a security analyst wants to display only packets with source IP 10.0.0.1 and destination port 80. Which display filter should be used?

Question 36 (medium, multiple choice)

A firewall log shows a connection from internal IP 192.168.1.100 to external IP 203.0.113.5 on port 443 with action 'deny'. What does this indicate?

Question 37 (hard, multiple choice)

A Zeek connection log shows a high number of connections from a single internal IP to many different external IPs on port 25, with small payload sizes. Which behavior is most likely indicated?

Question 38 (easy, multiple choice)

Which OSI layer is responsible for logical addressing and routing?

Question 39 (medium, multiple choice)

An analyst sees a Snort alert with the message 'ET POLICY Outbound connection to known malicious IP'. What does this indicate?

Question 40 (medium, multiple choice)

Which log source would provide the most detailed information about HTTP requests, including URLs and user agents?

Question 41 (hard, multiple choice)

A NetFlow report shows that host 10.0.0.5 has sent 1 GB of data to external IP 198.51.100.10 over port 443 in the last hour, while other hosts average 100 MB. This anomaly is most indicative of:

Question 42 (easy, multiple choice)

Which of the following is a valid indicator of compromise (IoC)?

Question 43 (medium, multi-select)

A security analyst is reviewing logs to identify a potential brute force attack. Which TWO log entries would be most suspicious? (Choose TWO.)

Question 44 (hard, multi-select)

During packet analysis in Wireshark, which THREE findings are indicators of potential malicious activity? (Choose THREE.)

Question 45 (medium, multi-select)

A security analyst is tuning a SIEM to detect lateral movement. Which THREE log sources would provide the most useful data for this purpose? (Choose THREE.)

Question 46 (easy, multiple choice)

Which OSI layer is associated with protocols such as HTTP, FTP, and SMTP, and is commonly targeted by application-layer attacks?

Question 47 (easy, multiple choice)

A security analyst needs to filter packets in Wireshark to capture only traffic on port 443. Which filter should be used?

Question 48 (medium, multiple choice)

A firewall log shows repeated denied packets from IP 10.0.0.5 to destination 192.168.1.10 on port 22. What is the most likely attack?

Question 49 (medium, multiple choice)

An analyst suspects data exfiltration via DNS. Which log type would provide the most relevant information to confirm this?

Question 50 (medium, multiple choice)

A security analyst observes a NetFlow record showing a single internal IP communicating with many external IPs on port 445 within seconds. This pattern is indicative of:

Question 51 (hard, multiple choice)

In Zeek (Bro), which log file would an analyst examine to identify HTTP methods, URIs, and response codes from web traffic?

Question 52 (easy, multiple choice)

Which port is used by RDP (Remote Desktop Protocol) and is a common target for brute force attacks?

Question 53 (medium, multiple choice)

A SIEM correlation rule triggers when more than 10 failed login attempts from a single source IP occur within 1 minute. This rule is designed to detect:

Question 54 (medium, multiple choice)

An analyst finds a YARA rule that matches a file containing the string 'MZ' at offset 0 and includes 'CreateRemoteThread'. This rule likely identifies:

Question 55 (hard, multiple choice)

In Snort, a rule is written as: alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"SMB exploit attempt"; flow:to_server; content:"|ff|SMB"; nocase;). What does the 'flow:to_server' option indicate?

Question 56 (easy, multiple choice)

Which protocol and port combination is used by SNMP for receiving traps?

Question 57 (hard, multiple choice)

An analyst uses 'tshark -r capture.pcap -Y "http.request.method == POST"' to display only HTTP POST requests. This is an example of a:

Question 58 (medium, multi-select)

A security analyst is reviewing web server logs and notices a high number of 404 errors for non-existent URLs. Which TWO of the following tools would best help investigate this anomaly?

Question 59 (hard, multi-select)

An analyst detects an internal host communicating with an external IP known for malware distribution. Which THREE of the following are valid Indicators of Compromise (IoCs) that should be recorded?

Question 60 (easy, multi-select)

Which TWO of the following are functions of a SIEM system in security monitoring?

Question 61 (easy, multiple choice)

A security analyst is monitoring network traffic and notices a large number of TCP SYN packets being sent to a single host on various ports. Which type of attack is most likely occurring?

Question 62 (medium, multiple choice)

A network analyst notices that a host is sending a large volume of traffic to an external IP address on port 443 during non-business hours. The traffic volume is significantly higher than the established baseline. Which type of data exfiltration technique should be suspected?

Question 63 (hard, multiple choice)

A security analyst is reviewing Snort IDS alerts and sees the following rule triggered: alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"Possible SQL Injection"; content:"UNION"; nocase; sid:1000001;). Which action will Snort take when it detects matching traffic?

Question 64 (medium, multiple choice)

A SOC analyst is investigating a web server log and sees the following entry: 192.168.1.10 - - [15/May/2023:10:15:30 +0000] "POST /login.php HTTP/1.1" 200 1245 "http://example.com/login.php" "Mozilla/5.0". Which observation is most suspicious?

Question 65 (easy, multiple choice)

Which protocol and port combination is commonly used for secure remote administration of network devices?

Question 66 (medium, multiple choice)

A security analyst is using Wireshark to capture traffic from a network segment. They want to see only packets that contain the string 'password' in the payload. Which type of filter should they apply?

Question 67 (medium, multiple choice)

A SIEM correlation rule is configured to alert when there are 10 failed login attempts from the same source IP within 1 minute. An analyst receives an alert for source IP 10.0.0.5. Which type of attack is most likely being detected?

Question 68 (hard, multiple choice)

An organization uses Zeek for network monitoring. An analyst wants to extract files transferred over HTTP from network traffic. Which Zeek script or functionality should they use?

Question 69 (easy, multiple choice)

Which of the following is an example of an Indicator of Compromise (IoC)?

Question 70 (medium, multiple choice)

A network administrator is creating a baseline for normal traffic patterns. Which of the following should be considered typical for a web server during business hours?

Question 71 (hard, multiple choice)

A SOC analyst is reviewing a NetFlow record and sees that a single internal IP has communicated with multiple external IPs on port 445 (SMB) within a short time frame. Which type of activity is most likely indicated?

Question 72 (medium, multiple choice)

Which component of a SIEM is responsible for converting log data from various sources into a standard format?

Question 73 (medium, multi-select)

A security analyst is investigating a potential data exfiltration incident. Which TWO of the following network behaviors are indicators of data exfiltration?

Question 74 (hard, multi-select)

A SOC analyst is analyzing logs from multiple sources. Which THREE log types are most useful for detecting a brute force attack against a web application?

Question 75 (easy, multi-select)

A network analyst is creating a baseline for normal network traffic. Which TWO metrics should be included to establish a baseline?

Question 76 (easy, multiple choice)

An analyst is monitoring network traffic and sees a large number of TCP SYN packets sent to various ports on a single host from the same source IP. Which type of attack is most likely occurring?

Question 77 (easy, multiple choice)

During a security investigation, an analyst examines a PCAP file in Wireshark. The analyst wants to see only traffic between two specific IP addresses (192.168.1.10 and 10.0.0.5). Which display filter should be applied?

Question 78 (medium, multiple choice)

A security analyst is reviewing firewall logs and notices a high number of denied outbound connections from an internal workstation to various external IP addresses on port 445 (SMB). What is the most likely explanation for this activity?

Question 79 (medium, multiple choice)

A NetFlow analysis shows that a single internal IP sent 10 GB of data to an external IP within one hour, whereas the baseline for that host is typically 100 MB per day. Which type of activity does this indicate?

Question 80 (hard, multiple choice)

An analyst is configuring a Snort rule to detect a known exploit targeting Apache web servers. The exploit sends a malicious HTTP POST request with a long User-Agent string. Which Snort rule header and options are most appropriate?

Question 81 (easy, multiple choice)

Which log type would an analyst examine to see failed login attempts to a Windows server?

Question 82 (medium, multiple choice)

A SIEM correlation rule is designed to detect a brute-force attack. The rule triggers when 10 or more failed logins from the same source IP occur within 1 minute. While reviewing the raw logs, an analyst finds 12 failed logins from IP 10.0.0.1 spread over 2 minutes, yet no alert was generated. Why did the rule not trigger?

Question 83 (hard, multiple choice)

An analyst is investigating a potential data exfiltration via DNS. In Zeek DNS logs, the analyst sees many queries for subdomains like 'a1b2c3.malicious.com', 'd4e5f6.malicious.com' etc. from an internal host. Which technique is likely being used?

Question 84 (medium, multiple choice)

In Wireshark, an analyst follows a TCP stream and sees plaintext usernames and passwords. Which protocol is likely in use?

Question 85 (medium, multiple choice)

An analyst is reviewing IDS alerts and sees an alert with signature name 'ET POLICY Suspicious inbound to MySQL port 3306'. The source IP is external and destination is an internal database server. What is the best immediate action?

Question 86 (hard, multiple choice)

A security analyst is using Zeek to monitor network traffic. The analyst wants to extract all files transferred over HTTP. Which Zeek script or package accomplishes this?

Question 87 (easy, multiple choice)

Which protocol is used by SNMP to send traps from network devices to the management station?

Question 88 (medium, multi-select)

An analyst is investigating a potential compromise using Indicators of Compromise (IoCs). Which TWO of the following are valid types of IoCs?

Question 89 (hard, multi-select)

A SOC analyst is tuning a SIEM correlation rule to detect port scanning. The rule should generate an alert when a single source IP connects to many different destination ports on multiple hosts within a short time. Which THREE conditions should be included in the rule?

Question 90 (easy, multi-select)

A security analyst is creating a network baseline for normal traffic patterns. Which TWO metrics should be included to detect anomalies?

Question 91 (easy, multiple choice)

A security analyst is reviewing a Wireshark capture and notices a large number of TCP SYN packets sent to multiple ports on a single host from the same source IP. Which type of network activity is most likely being observed?

Question 92 (medium, multiple choice)

A security analyst is using NetFlow data to investigate a potential data exfiltration incident. Which NetFlow metric is most useful for identifying large volumes of data being transferred to an external IP address?

Question 93 (hard, multiple choice)

During a security assessment, a SOC analyst notices an IDS/IPS alert with a severity of 'High' for a signature named 'ET TROJAN Win32.Vobfus Checkin'. The alert shows source IP 10.0.0.5 and destination IP 203.0.113.50 on port 443. What is the most likely interpretation of this alert?

Question 94 (easy, multiple choice)

A security analyst is investigating an alert from a Windows system log that shows multiple failed logon attempts for the same user account within a short period, followed by a successful logon. Which type of attack does this pattern suggest?

Question 95 (medium, multiple choice)

A SOC analyst observes a spike in DNS queries for long, random-looking subdomains under a single domain from an internal host. The responses are NXDOMAIN. Which type of activity is most likely indicated?

Question 96 (medium, multiple choice)

A security analyst is examining web server logs and finds an entry with method 'POST', URL '/login.php', response code '200', and user-agent 'Mozilla/5.0'. The log shows 100 similar entries from the same IP within 5 seconds. What is the most likely activity?

Question 97 (hard, multiple choice)

A network baseline shows that a server typically sends 1-2 MB of data per hour to external IPs. Suddenly, the server sends 50 MB of data to an IP in a foreign country within 10 minutes. The traffic is encrypted. Which monitoring tool would best confirm data exfiltration?

Question 98 (easy, multiple choice)

A security analyst is using a SIEM to create a correlation rule that triggers when more than 10 failed logins are detected from the same source IP within 1 minute. This rule is designed to detect which type of attack?

Question 99 (medium, multiple choice)

A SOC analyst reviews a firewall log with the following entry: action=deny, source IP=192.168.1.100, destination IP=10.0.0.1, destination port=22. The analyst knows that 10.0.0.1 is an SSH server. What does this log entry indicate?

Question 100 (hard, multiple choice)

An analyst receives a YARA rule that includes the string 'MZ' at the beginning of a file. What does this indicator typically help identify?

Question 101 (easy, multiple choice)

In the OSI model, which layer is primarily targeted by a SYN flood attack?

Question 102 (medium, multiple choice)

A security analyst is using Zeek to analyze network traffic. Which Zeek log would be most useful for identifying HTTP requests to a known malicious domain?

Question 103 (medium, multi-select)

A SOC analyst is investigating a potential data exfiltration incident. Which TWO Indicators of Compromise (IoCs) would be most relevant for tracking the exfiltration of files over the network?

Question 104 (hard, multi-select)

An analyst suspects a host is communicating with a command-and-control server using DNS tunneling. Which THREE network traffic patterns would support this hypothesis?
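The DNS tunnelling stems above (Questions 13, 19, 33, 83, 95 and 104) all describe the same three signals: many unique subdomains under one registered domain, long and random-looking labels, and unusual answers such as NXDOMAIN or TXT records. The script below is an added example, not Courseiva's code, that measures those signals over a constructed subset of Zeek dns.log columns (ts, id.orig_h, query, qtype_name, rcode_name). The hosts, domains, thresholds and the "last two labels equal the registered domain" shortcut are all assumptions made for the example.

```python
import hashlib
import math
from collections import Counter, defaultdict


def build_sample_dns_log():
    """Constructed subset of Zeek dns.log columns (tab separated, '#fields' header).
    Hosts and domains are hypothetical."""
    t0 = 1698244200.0
    rows = []

    def row(i, src, query, qtype, rcode):
        rows.append("\t".join([f"{t0 + i:.6f}", src, query, qtype, rcode]))

    # Ordinary workstation: a few lookups of short, human-chosen names.
    for i, name in enumerate(["www.example.com", "mail.example.com", "www.example.com", "cdn.example.com"]):
        row(i, "192.168.1.10", name, "A", "NOERROR")
    # CDN-heavy host: many distinct labels, but short, predictable, and all resolving.
    for i in range(25):
        row(i, "192.168.1.30", f"img{i}.cdn-example.org", "A", "NOERROR")
    # Tunnelling suspect: 40 unique 32-hex-char labels, TXT queries, every one answered NXDOMAIN.
    for i in range(40):
        label = hashlib.sha256(f"chunk-{i}".encode()).hexdigest()[:32]
        row(i, "192.168.1.50", f"{label}.c2-example.net", "TXT", "NXDOMAIN")
    header = ["#separator \\x09", "#fields\tts\tid.orig_h\tquery\tqtype_name\trcode_name"]
    return header + rows


def parse_zeek_tsv(lines):
    """Map each data row to a dict using the '#fields' header; skip other '#' lines."""
    fields, records = None, []
    for line in lines:
        if line.startswith("#fields\t"):
            fields = line.rstrip("\n").split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            records.append(dict(zip(fields, line.rstrip("\n").split("\t"))))
    return records


def shannon_entropy(s):
    """Bits per character: 'www' is 0, random hex tends toward 4."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def analyze(records, min_unique=20, min_label_len=16, min_entropy=3.0):
    """Per (client, registered domain): how many distinct subdomain labels there are, how long
    and how random they look, and how the server answered. The registered domain is approximated
    as the last two labels; a real tool consults the public suffix list."""
    groups = defaultdict(list)
    for r in records:
        labels = r["query"].rstrip(".").split(".")
        if len(labels) < 3:
            continue  # bare domain, no subdomain to measure
        groups[(r["id.orig_h"], ".".join(labels[-2:]))].append((labels[0], r["qtype_name"], r["rcode_name"]))
    findings = []
    for (src, domain), items in groups.items():
        uniq = {label for label, _, _ in items}
        mean_len = sum(map(len, uniq)) / len(uniq)
        mean_ent = sum(shannon_entropy(label) for label in uniq) / len(uniq)
        nx = sum(1 for _, _, rc in items if rc == "NXDOMAIN") / len(items)
        txt = sum(1 for _, qt, _ in items if qt in ("TXT", "NULL")) / len(items)
        findings.append({
            "src": src, "domain": domain, "unique": len(uniq),
            "mean_len": round(mean_len, 1), "mean_entropy": round(mean_ent, 2),
            "nxdomain_ratio": round(nx, 2), "txt_ratio": round(txt, 2),
            # all three signals must line up: unique-count alone would flag the CDN host
            "suspicious": len(uniq) >= min_unique and mean_len >= min_label_len and mean_ent >= min_entropy,
        })
    return findings


if __name__ == "__main__":
    for f in analyze(parse_zeek_tsv(build_sample_dns_log())):
        print(f)
```

The CDN host shows why the unique-subdomain count is not enough on its own: 25 distinct names, but they are short, low-entropy and resolve normally. The NXDOMAIN and TXT ratios are reported rather than used in the verdict so an analyst can see them; a tunnel that uses A records and a responding authoritative server would still be caught by length and entropy.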

Question 105 (medium, multi-select)

A security analyst is tuning a Snort IDS to reduce false positives. Which TWO Snort rule options should the analyst modify to make the rule more specific?

Question 106 (easy, multiple choice)

A security analyst is reviewing network traffic and notices a high volume of small packets from an internal IP to a single external IP on port 53. Which type of activity is most likely indicated?

Question 107 (medium, multiple choice)

A security analyst is analyzing a PCAP file in Wireshark and wants to isolate all HTTPS traffic. Which display filter should the analyst use?

Question 108 (medium, multiple choice)

A SOC analyst is reviewing firewall logs and sees repeated entries: 'Deny TCP 10.0.0.5:49152 -> 203.0.113.1:22' and 'Deny TCP 10.0.0.5:49153 -> 203.0.113.1:22'. What does this pattern suggest?

Question 109 (hard, multiple choice)

An analyst notices a Zeek (Bro) http.log entry showing a single HTTP request from internal IP 192.168.1.10 to external IP 203.0.113.5 with a URI of '/files/secret.docx' and a response code of 200. The transferred file is unusually large (50 MB). What should the analyst suspect?

Question 110 (easy, multiple choice)

Which OSI layer is targeted by a TCP SYN flood attack?

Question 111 (medium, multiple choice)

A SIEM correlation rule triggers when it detects more than 10 failed login attempts from the same source IP within 1 minute. Which type of attack is this rule designed to detect?
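Questions 6, 32, 53, 67, 82, 98 and 111 all turn on the same rule shape: a count of failed logins from one source inside a sliding time window, and Questions 94 and 118 add the follow-on pattern of a success right after a failure burst. The script below is an added example, not Courseiva's code or any SIEM's native rule language, that implements that logic in plain Python over constructed OpenSSH-style auth lines. The hosts, the 10-in-60-seconds threshold, the "5 failures before a success" figure and the log format details are assumptions; Case A reproduces Question 82's situation of 12 failures spread over 2 minutes, which never puts 10 failures inside one 60-second window.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 10                  # fire at "10 or more failed logins ..."
WINDOW = timedelta(seconds=60)  # "... from the same source IP within 1 minute"
SUCCESS_AFTER = 5               # failures before a success that make the success worth a look

# OpenSSH auth-log line shape; only the fields the rule needs are captured.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+ ssh2$"
)


def build_sample_log():
    """Constructed OpenSSH-style lines (hypothetical hosts; RFC 1918/5737 addresses)."""
    t0 = datetime(2023, 10, 25, 14, 30, 0)
    lines = []

    def emit(ts, result, user, src):
        lines.append(f"{ts:%Y-%m-%d %H:%M:%S} sshd[1042]: {result} password for {user} "
                     f"from {src} port 50000 ssh2")

    # Case A: 12 failures spread evenly over 2 minutes. At most 7 of them ever share
    # a 60-second window, so the rule must NOT fire.
    for i in range(12):
        emit(t0 + timedelta(seconds=10 * i), "Failed", "admin", "10.0.0.1")
    # Case B: 12 failures in 22 seconds, then a success: brute force, then a suspicious logon.
    for i in range(12):
        emit(t0 + timedelta(seconds=2 * i), "Failed", "root", "203.0.113.7")
    emit(t0 + timedelta(seconds=26), "Accepted", "root", "203.0.113.7")
    # Case C: a user mistyping three times, then logging in: below both thresholds.
    for i in range(3):
        emit(t0 + timedelta(seconds=5 * i), "Failed", "alice", "192.168.1.20")
    emit(t0 + timedelta(seconds=20), "Accepted", "alice", "192.168.1.20")
    lines.sort()  # the timestamp leads each line, so lexical order is chronological
    return lines


def detect(lines, threshold=THRESHOLD, window=WINDOW):
    """Return (kind, src, ts, failures_in_window) alerts from auth log lines."""
    failures = defaultdict(deque)  # src -> timestamps of failures still inside the window
    alerts = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # production code should count unparsed lines rather than drop them silently
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        q = failures[m["src"]]
        while q and ts - q[0] > window:  # slide the window: expire failures older than 60 s
            q.popleft()
        if m["result"] == "Failed":
            q.append(ts)
            if len(q) == threshold:  # exactly at the threshold: one alert per burst, not one per line
                alerts.append(("brute_force", m["src"], ts, len(q)))
        else:
            if len(q) >= SUCCESS_AFTER:  # a success right after a failure burst
                alerts.append(("success_after_failures", m["src"], ts, len(q)))
            q.clear()
    return alerts


if __name__ == "__main__":
    for alert in detect(build_sample_log()):
        print(*alert)
```

Two design points carry over to a real SIEM. The window slides per source rather than resetting on fixed minute boundaries, so a burst straddling 14:30:59 and 14:31:01 is still one burst. And the alert fires once, when the count reaches the threshold, instead of once per additional failure; otherwise a 10,000-attempt attack produces 9,991 alerts for the same event.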

Question 112 (hard, multiple choice)

An analyst is examining a YARA rule that contains the condition: 'uint16(0) == 0x5a4d and filesize < 500KB'. What type of file is this rule targeting?

Question 113 (medium, multi-select)

A SOC analyst is investigating a potential data exfiltration incident. Which TWO indicators from NetFlow/IPFIX analysis would most strongly suggest data exfiltration?
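The NetFlow stems (Questions 3, 23, 41, 62, 79, 92, 97 and 113) share one reasoning step: compare a host's current bytes-out with its own baseline, then ask whether the excess is going to a single destination. The script below is an added example, not Courseiva's code, that works that step through on constructed flow summaries. The hosts, the 24-hour baseline, the 10x ratio and the 80% single-destination share are assumptions; real NetFlow/IPFIX export carries more fields, but bytes per source, per destination and per time slice are all this analysis needs.

```python
from collections import defaultdict
from statistics import median


def build_sample_flows():
    """Constructed NetFlow-style summaries as (hour, src, dst, dst_port, bytes_out).
    Hours 0-23 form the baseline day; hour 24 is the hour under investigation.
    Hypothetical internal hosts; externals use RFC 5737 ranges."""
    flows = []
    for host in ("10.0.0.5", "10.0.0.6", "10.0.0.7"):
        for h in range(24):  # routine HTTPS: 20 flows of roughly 50 KB, about 1 MB per hour
            for k in range(20):
                flows.append((h, host, f"198.51.100.{k + 1}", 443, 45_000 + (h * 37 + k * 11) % 10_000))
    # Hour 24, host .5: 50 MB to a single external address over 443.
    for _ in range(5):
        flows.append((24, "10.0.0.5", "198.51.100.10", 443, 10_000_000))
    # Hour 24, host .6: business as usual.
    for k in range(20):
        flows.append((24, "10.0.0.6", f"198.51.100.{k + 1}", 443, 50_000))
    # Hour 24, host .7: 12 MB, but spread across 50 destinations (update traffic, no single sink).
    for k in range(50):
        flows.append((24, "10.0.0.7", f"203.0.113.{k + 1}", 443, 240_000))
    return flows


def assess(flows, current_hour=24, min_ratio=10.0, min_top_share=0.8):
    """Compare each host's bytes-out in `current_hour` with the median of its other hours.
    A large ratio alone is a volume anomaly; a large ratio with most bytes going to one
    destination is what flow data can say about exfiltration (it never sees the payload)."""
    hourly = defaultdict(lambda: defaultdict(int))   # src -> hour -> bytes
    per_dst = defaultdict(lambda: defaultdict(int))  # src -> dst -> bytes in current hour
    for hour, src, dst, _port, nbytes in flows:
        hourly[src][hour] += nbytes
        if hour == current_hour:
            per_dst[src][dst] += nbytes

    results = []
    for src, hours in hourly.items():
        history = [v for h, v in hours.items() if h != current_hour]
        baseline = median(history) if history else 0  # median resists a single busy hour in history
        current = hours.get(current_hour, 0)
        ratio = current / baseline if baseline else float("inf")
        top_dst, top_bytes = max(per_dst[src].items(), key=lambda kv: kv[1], default=(None, 0))
        top_share = top_bytes / current if current else 0.0
        if ratio >= min_ratio and top_share >= min_top_share:
            verdict = "exfil_candidate"
        elif ratio >= min_ratio:
            verdict = "volume_anomaly"
        else:
            verdict = "normal"
        results.append({"src": src, "baseline_bytes": int(baseline), "current_bytes": current,
                        "ratio": round(ratio, 1), "top_dst": top_dst,
                        "top_share": round(top_share, 2), "verdict": verdict})
    return results


if __name__ == "__main__":
    for r in assess(build_sample_flows()):
        print(r)
```

Host .7 is the useful negative case: it moves twelve times its baseline, which a volume-only rule would escalate, yet no destination receives more than 2% of it. Flow data cannot confirm what the bytes were, which is why Question 97 asks which other tool is needed; this script only ranks where to look first.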

Question 114 (medium, multi-select)

A security analyst is configuring Snort IDS rules. Which TWO components are mandatory in a Snort rule header?
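Questions 2, 55, 63, 80 and 114 all depend on knowing the shape of a Snort rule: a seven-field header (action, protocol, source, source port, direction, destination, destination port) followed by a parenthesised options block whose order matters. The parser below is an added example, not Courseiva's code and not Snort's own parser, that pulls those fields out and rejects headers that are missing one; it is fed the Question 55 rule from this page plus a constructed `!$HOME_NET` rule of the kind Question 2 asks for. The accepted action list is the Snort 2.x set; escaped characters inside content strings are not handled.

```python
SNORT2_ACTIONS = {"alert", "log", "pass", "drop", "reject", "sdrop"}  # Snort 2.x rule actions
DIRECTIONS = {"->", "<>"}
HEADER_FIELDS = ("action", "protocol", "src", "src_port", "direction", "dst", "dst_port")


def split_options(options):
    """Split the options body on ';' outside double quotes, so content:"a;b" stays intact."""
    items, buf, in_quote = [], "", False
    for ch in options:
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            if buf.strip():
                items.append(buf.strip())
            buf = ""
        else:
            buf += ch
    if buf.strip():
        items.append(buf.strip())
    return items


def parse_snort_rule(text):
    """Return the seven header fields plus an ordered list of (keyword, value) options.
    Order is kept because modifiers such as nocase apply to the content keyword before them."""
    text = text.strip()
    if "(" not in text or not text.endswith(")"):
        raise ValueError("rule needs an options block in parentheses")
    header, _, options = text[:-1].partition("(")
    parts = header.split()
    if len(parts) != len(HEADER_FIELDS):
        raise ValueError(f"header must have exactly 7 fields, got {len(parts)}: {header.strip()!r}")
    rule = dict(zip(HEADER_FIELDS, parts))
    if rule["action"] not in SNORT2_ACTIONS:
        raise ValueError(f"unknown action {rule['action']!r}")
    if rule["direction"] not in DIRECTIONS:
        raise ValueError(f"direction must be -> or <>, got {rule['direction']!r}")
    rule["src_negated"] = rule["src"].startswith("!")  # !$HOME_NET: "not from the internal network"
    parsed = []
    for item in split_options(options):
        key, sep, value = item.partition(":")
        parsed.append((key.strip(), value.strip().strip('"') if sep else None))  # bare keyword -> None
    rule["options"] = parsed
    return rule


def is_valid_rule(text):
    """True when the rule parses; used to show which malformed headers are rejected."""
    try:
        parse_snort_rule(text)
        return True
    except ValueError:
        return False


# The page's own rule from Question 55.
SMB_RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 445 '
            '(msg:"SMB exploit attempt"; flow:to_server; content:"|ff|SMB"; nocase;)')

# Constructed rule of the kind Question 2 asks for: FTP control traffic whose source is NOT internal.
FTP_RULE = 'alert tcp !$HOME_NET any -> $HOME_NET 21 (msg:"FTP from outside"; sid:1000002; rev:1;)'

if __name__ == "__main__":
    for rule in (SMB_RULE, FTP_RULE):
        print(parse_snort_rule(rule))
```

Note that every header field is positional and required, which is why a rule such as `alert tcp any -> any 80 (...)` fails: with only one `any` before the arrow, Snort cannot tell whether the source address or the source port is missing. The `options` list comes back as pairs so that `("nocase", None)` is visibly attached to the `content` entry that precedes it.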

Question 115 (easy, multi-select)

Which TWO protocols are commonly used for remote administration and should be monitored for unauthorized access?

Question 116 (hard, multi-select)

An analyst is reviewing web server logs and sees the following entries: 'GET /admin/login.php HTTP/1.1' returning 404, followed by 'GET /admin/login.html' returning 404, then 'GET /admin/login.asp' returning 200. Which TWO observations are most relevant?

Question 117 (easy, multi-select)

Which THREE of the following are common Indicators of Compromise (IoCs) used in threat intelligence?

Question 118 (medium, multi-select)

A security analyst is analyzing system logs and notices multiple failed authentication events followed by a successful login from the same user account, and then a privilege escalation event. Which THREE events should be correlated to detect a potential attack?

Question 119 (hard, multi-select)

An analyst is using Zeek to monitor network traffic. Which THREE types of logs can Zeek generate to provide visibility into application-layer activity?

Question 120 (medium, multi-select)

A security analyst is investigating a potential port scan. Which THREE patterns in NetFlow data would indicate a horizontal port scan?

Question 121 (medium, multi-select)

A security analyst is investigating a potential brute-force attack on an SSH server. Which TWO of the following log sources would provide the most relevant evidence for detecting and confirming this attack? (Choose two.)

Question 122 (medium, multi-select)

During a security monitoring exercise, an analyst observes a series of NetFlow records showing a single internal host communicating with multiple external IP addresses on port 445 (SMB) within a short time window. The traffic volumes are small but consistent. Which THREE of the following should the analyst consider as possible explanations? (Choose three.)
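The SYN-scan stems (Questions 1, 7, 22, 31, 61, 76, 89 and 91) and the SMB-sweep stems (Questions 50, 71, 78, 120 and 122) describe the two shapes a connection-log scan detector has to tell apart: one source hitting many ports on one host (vertical) and one source hitting one port on many hosts (horizontal), in both cases with handshakes that never complete. The script below is an added example, not Courseiva's or the Zeek project's code, that applies the three conditions Question 89 asks about to a constructed Zeek conn.log written as JSON lines. The hosts, the 15-port and 10-host thresholds and the 60-second window are assumptions; the conn_state meanings are Zeek's.

```python
import json
from collections import defaultdict

# Zeek conn_state values meaning the TCP handshake never completed:
# S0 = SYN seen, no reply; REJ = SYN rejected; RSTOS0 = SYN then RST from the
# originator, no SYN-ACK seen; SH = SYN then FIN from the originator, no SYN-ACK seen.
NO_HANDSHAKE = {"S0", "REJ", "RSTOS0", "SH"}


def build_sample_conn_log():
    """Constructed Zeek conn.log as JSON lines (the LogAscii::use_json=T layout). Hypothetical hosts."""
    t0 = 1698244200.0
    recs = []

    def rec(i, src, sport, dst, dport, state, orig_bytes, resp_bytes):
        recs.append(json.dumps({
            "ts": t0 + i * 0.05, "uid": f"C{i:06d}", "id.orig_h": src, "id.orig_p": sport,
            "id.resp_h": dst, "id.resp_p": dport, "proto": "tcp", "conn_state": state,
            "orig_bytes": orig_bytes, "resp_bytes": resp_bytes,
        }))

    # Ordinary browsing: completed handshakes (SF) to a web server on 80/443.
    for i in range(6):
        rec(i, "192.168.1.10", 50000 + i, "10.0.0.1", 80 if i % 2 else 443, "SF", 1200, 48000)
    # Vertical scan: one target, 30 ports, SYNs never answered.
    for p in range(1, 31):
        rec(100 + p, "10.0.0.5", 40000 + p, "10.0.0.1", p, "S0", 0, 0)
    # Horizontal SMB sweep: one port, 20 targets, small and consistent.
    for h in range(1, 21):
        rec(200 + h, "192.168.1.40", 51000 + h, f"203.0.113.{h}", 445, "S0", 0, 0)
    return recs


def detect_scans(lines, min_ports=15, min_hosts=10, window=60.0):
    """Flag a source as a vertical scanner (many ports on one host) or a horizontal scanner
    (one port across many hosts) when its unanswered connections fall within `window` seconds."""
    by_src = defaultdict(list)
    for line in lines:
        r = json.loads(line)
        by_src[r["id.orig_h"]].append(r)

    def span(group):
        return max(c["ts"] for c in group) - min(c["ts"] for c in group)

    findings = []
    for src, conns in by_src.items():
        unanswered = [c for c in conns if c["conn_state"] in NO_HANDSHAKE]
        if not unanswered:
            continue  # only failed handshakes count toward a scan
        ratio = round(len(unanswered) / len(conns), 2)
        by_dst, by_port = defaultdict(list), defaultdict(list)
        for c in unanswered:
            by_dst[c["id.resp_h"]].append(c)
            by_port[c["id.resp_p"]].append(c)
        for dst, group in by_dst.items():
            ports = {c["id.resp_p"] for c in group}
            if len(ports) >= min_ports and span(group) <= window:
                findings.append({"type": "vertical_scan", "src": src, "target": dst,
                                 "count": len(ports), "unanswered_ratio": ratio})
        for port, group in by_port.items():
            hosts = {c["id.resp_h"] for c in group}
            if len(hosts) >= min_hosts and span(group) <= window:
                findings.append({"type": "horizontal_scan", "src": src, "target": f"tcp/{port}",
                                 "count": len(hosts), "unanswered_ratio": ratio})
    return findings


if __name__ == "__main__":
    for f in detect_scans(build_sample_conn_log()):
        print(f)
```

The three conditions map directly onto the code: distinct destination ports (or hosts) counted per source, only connections whose conn_state shows no completed handshake, and all of them inside one time window. The browsing host never appears in the output because every one of its connections is SF, which is the check that keeps a busy but legitimate client from looking like a scanner.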


Practice by domain

Each domain maps to a weighted exam section. Focus on the domain where you are weakest.

Security Monitoring, Network Intrusion Analysis, Security Policies and Procedures, Host-Based Analysis, Security Concepts
