
Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.


200-201 Security Monitoring • Complete Question Bank

200-201 Security Monitoring — All Questions With Answers

Complete 200-201 Security Monitoring question bank: all 121 questions with answers and detailed explanations. Free, no signup required.
Question 1 (easy, multiple choice)

An analyst notices repeated failed SSH attempts from an external IP to a server. The analyst wants to quickly see all SSH-related events from that IP in the last hour. Which approach is most efficient?

Question 2 (medium, multiple choice)

A security team implements a network-based IPS. During testing, they find that legitimate traffic is frequently blocked. Which tuning approach should they prioritize?

Question 3 (hard, multiple choice)

An analyst is investigating a host that is beaconing to a known malicious domain every 60 seconds. The host also shows outbound connections to multiple IPs on port 443. To confirm the beaconing, which data source is most useful?

Question 4 (easy, multiple choice)

A SOC analyst receives an alert for 'Malware Detected' from an endpoint sensor. The analyst checks the endpoint and sees a file named 'invoice.exe' in the Downloads folder. What should the analyst do first?

Question 5 (medium, multiple choice)

A company uses a SIEM with correlation rules. They notice that a rule designed to detect brute-force attacks is not triggering even though failed logins are occurring. Which is the most likely cause?

Question 6 (medium, multiple choice)

During an incident, an analyst needs to determine if a specific user account 'jsmith' was used from a remote IP during a breach window. Which log sources should the analyst check first?

Question 7 (hard, multiple choice)

An organization uses a SIEM that ingests logs from multiple sources. The analysts are overwhelmed with alerts, many of which are false positives. Which strategy best reduces alert fatigue without increasing risk?

Question 8 (easy, multiple choice)

An analyst is reviewing a suspicious email reported by a user. The email contains an attachment 'invoice.pdf' and urges the user to open it. Which indicator is most likely to confirm it is a phishing attempt?

Question 9 (medium, multiple choice)

A network engineer configures a SPAN port to send traffic from a critical server to an IDS. After configuration, the IDS sees no traffic. What is the most likely issue?

Question 10 (hard, multiple choice)

An analyst observes a sudden spike in DNS queries from an internal host to a random subdomain of a legitimate domain (e.g., randomstring.google.com). This behavior is consistent with which technique?

Question 11 (easy, multiple choice)

A company wants to monitor for unauthorized wireless access points. Which technique should they implement?

Question 12 (medium, multi-select)

Which TWO are common indicators of a compromised host? (Choose two.)

Question 13 (medium, multi-select)

Which THREE are essential components of a security monitoring strategy? (Choose three.)

Question 14 (hard, multi-select)

Which TWO are best practices for managing SIEM alerts to reduce false positives? (Choose two.)

Question 15 (hard, multi-select)

Which THREE are typical sources of log data used in security monitoring? (Choose three.)

Question 16 (hard, multiple choice)

Refer to the exhibit. An analyst configures an ACL to block traffic to a malicious host on port 443. After applying it inbound on the external interface, the analyst sees the ACL counters. What does the output indicate?

Exhibit

Refer to the exhibit.
```
Router# show ip access-lists
Extended IP access list BLOCK_MALICIOUS
    10 deny tcp any host 203.0.113.5 eq 443
    20 permit ip any any (2623 matches)
```
Question 17 (medium, multiple choice)

Refer to the exhibit. An analyst sees this syslog message from a Cisco ASA. What does this log entry indicate?

Exhibit

Refer to the exhibit.
```
Mar  1 12:34:56 192.168.1.100 %ASA-4-106023: Deny tcp src outside:10.0.0.1/54321 dst inside:192.168.1.100/80 by access-group "OUTSIDE_IN" [0x0, 0x0]
```
Question 18 (easy, multiple choice)

Refer to the exhibit. An EDR alert shows this JSON event. What is the most significant indicator of a potential malware infection?

Exhibit

Refer to the exhibit.
```
{
  "event": "Process Creation",
  "timestamp": "2024-08-01T10:00:00Z",
  "hostname": "DESKTOP-ABC123",
  "user": "jsmith",
  "process": "C:\\Users\\jsmith\\Downloads\\invoice.exe",
  "parent_process": "C:\\Windows\\explorer.exe"
}
```
Question 19 (hard, multiple choice)

You are a SOC analyst at a mid-sized company. The company uses a SIEM that ingests logs from firewalls, IDS, and endpoints. Over the past week, you've noticed a gradual increase in outbound traffic from several internal hosts to IP addresses in a foreign country during non-business hours. The traffic is primarily on port 443. The IDS has not generated any alerts. The firewall logs show the connections are established. You check the endpoints and find no unusual processes running. However, the outbound connections persist. What is the most likely explanation and the best next step?

Question 20 (medium, multiple choice)

You are a security administrator for a company with 500 employees. The company uses a SIEM with basic correlation rules. Recently, the HR department reported that several employees received phishing emails with a link to a fake login page. The emails bypassed the spam filter. You want to detect if any employees clicked the link. You have access to web proxy logs, DNS logs, and endpoint antivirus logs. The phishing link is 'http://malicious-login.com/verify'. Which action should you take first to identify affected users?

Question 21 (medium, multiple choice)

A security analyst is reviewing logs from multiple network devices and notices that a large number of ICMP echo requests with a payload size of 65507 bytes are being sent to a single server from various external IP addresses. The server is becoming unresponsive. Which type of attack is most likely occurring?

Question 22 (medium, multiple choice)

A security analyst observes repeated failed login attempts to an internal web server from multiple external IP addresses. The analyst creates a correlation rule that triggers an alert if more than 10 failed logins occur from a single source IP within 5 minutes. After deploying the rule, the analyst finds that the rule generates false positives from legitimate users who mistype passwords. Which action should the analyst take to reduce false positives while maintaining detection effectiveness?

Question 23 (hard, multiple choice)

A SOC analyst is tuning an IPS rule that detects SQL injection attempts. The rule currently generates a high number of alerts, most of which are false positives caused by legitimate web application traffic containing SQL-like keywords. The analyst wants to reduce false positives without missing actual attacks. Which approach is most effective?

Question 24 (medium, multi-select)

A network security monitoring analyst is analyzing firewall logs and sees the following traffic: Source IP 10.1.1.50 to Destination IP 203.0.113.5 on port 443, protocol TCP, with a large amount of data transferred in both directions during business hours. The analyst suspects data exfiltration. Which TWO additional indicators would most strongly support this suspicion? (Choose two.)

Question 25 (easy, multiple choice)

You are a security analyst at a mid-sized company. The company uses a SIEM to collect logs from firewalls, IDS, and servers. Recently, the SIEM generated an alert for a potential brute-force attack against the company's VPN server. The alert is based on a correlation rule that triggers when more than 30 failed authentication attempts from a single source IP occur within 10 minutes. You investigate and see that the source IP is 203.0.113.50, which is a known IP address of a partner company that uses the VPN for remote access. The failed attempts are all from the same username 'john.doe'. You also notice that the attempts are happening every 10 seconds, exactly 6 attempts per minute. The partner company has a policy that locks accounts after 3 failed attempts. Based on this scenario, what is the most likely cause of the alert?

Question 26 (medium, multiple choice)

A security analyst is investigating an alert that indicates a host is sending a large number of DNS queries to an external domain. The analyst wants to determine if the traffic is malicious and if it is using a DNS tunnel. Which type of analysis should the analyst perform to confirm the presence of a DNS tunnel?

Question 27 (hard, multi-select)

A security analyst is reviewing the firewall log exhibit. The analyst suspects that this traffic might be part of a command-and-control (C2) communication based on the packet size and the timing of similar events. Which TWO additional pieces of evidence would most strongly support the suspicion of C2 traffic?

Exhibit

Refer to the exhibit.

```
Event: Firewall log entry
Time: 2023-10-05 14:23:45
Source IP: 192.168.1.50
Destination IP: 203.0.113.5
Source Port: 49152
Destination Port: 443
Protocol: TCP
Action: ALLOW
Bytes: 1452
Flags: ACK
```
Question 28 (easy, multiple choice)

You are a security analyst at a medium-sized company. The company uses a SIEM that collects logs from firewalls, IDS/IPS, and endpoint detection and response (EDR) agents. You receive an alert that a user's workstation (IP 10.0.1.25) has been making outbound connections to an IP address (198.51.100.10) on port 4444 (commonly used by malware). The alert includes a SIEM correlation rule that triggered when three or more connections to that IP occurred within 5 minutes. You check the EDR logs and see that the workstation is running a process named 'svchost.exe' that is connecting to that IP. The process path is C:\Windows\system32\svchost.exe, which is legitimate. However, you notice that the process has a digital signature from 'Microsoft Corporation', but the signature date is from 2021. The workstation's operating system is Windows 10 22H2, fully patched as of last month. The user reports that they have been experiencing slow performance and occasional pop-ups. Which action should you take FIRST to investigate this potential compromise?

Question 29 (medium, drag order)

Drag and drop the steps for the TCP three-way handshake into the correct order.

Question 30 (medium, drag order)

Drag and drop the steps to analyze a packet capture for suspicious activity into the correct order.

Question 31 (medium, matching)

Match each Cisco CyberOps concept to its description.

Concepts:

Security Operations Center

Confidentiality, Integrity, Availability

Indicator of Compromise

Tactics, Techniques, and Procedures

Adversary, Capability, Infrastructure, Victim

Question 32 (medium, matching)

Match each network device to its primary function.

Primary functions:

Filters traffic based on security rules

Detects suspicious activity and alerts

Detects and blocks malicious traffic inline

Forwards packets between networks

Forwards frames within a LAN

Question 33 (easy, multiple choice)

A security analyst notices repeated failed login attempts from a single IP address against multiple user accounts. What is the best immediate action to take?

Question 34 (easy, multiple choice)

A company uses Cisco Stealthwatch to monitor network traffic. Which type of data does Stealthwatch primarily rely on for visibility?

Question 35 (medium, multiple choice)

During a security incident, an analyst needs to preserve network evidence for forensic analysis. Which action should be taken first?

Question 36 (easy, multiple choice)

A security monitoring tool generates an alert for a user accessing a sensitive file at an unusual hour. What is the most appropriate next step?

Question 37 (hard, multiple choice)

A SOC analyst is tuning a correlation rule that detects DNS tunneling. The rule currently generates 500 alerts per day, but only 5% are true positives. Which tuning approach would best reduce false positives while maintaining detection efficacy?
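
Questions 10, 26 and 37 all turn on the same analysis: DNS tunnels and DGA-style lookups betray themselves through the volume of queries to one registered domain and through subdomain labels that are long and high-entropy because they carry encoded data. The Python below is an added example written for this page, not code from Courseiva or Cisco; the log format, the client and domain names and the thresholds (60-second window, 3 queries, 30-character labels, 3.5 bits per character) are assumptions chosen for illustration.

```python
"""Added example: scoring DNS query logs for tunneling indicators (label length, entropy, volume)."""
import math
from collections import defaultdict

# Constructed sample log (not from a real resolver). Hypothetical format, one query per line:
# "<unix_time> <client_ip> <queried_name>". Client 10.0.0.22 sends encoded-looking labels.
SAMPLE_DNS_LOG = """\
1700000000 10.0.0.15 www.example.com
1700000001 10.0.0.15 mail.example.com
1700000002 10.0.0.22 3q9z8v1k0a2m5n7p4r6t8y0u1i3o5p7a.data.attacker-tunnel.example
1700000003 10.0.0.22 9x2c4v6b8n0m1q3w5e7r9t1y3u5i7o9p.data.attacker-tunnel.example
1700000004 10.0.0.22 k1l3m5n7o9p1q3r5s7t9u1v3w5x7y9z1.data.attacker-tunnel.example
1700000005 10.0.0.22 a0b2c4d6e8f0g2h4i6j8k0l2m4n6o8p0.data.attacker-tunnel.example
1700000006 10.0.0.15 cdn.example.com
"""


def shannon_entropy(text):
    """Bits per character. Ordinary labels score low ('www' is 0); base32/base64 payloads score 4+."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(fqdn):
    """Return (longest subdomain label, registered domain).
    Assumes the registered domain is the last two labels; a production detector
    would consult the Public Suffix List (e.g. for co.uk)."""
    labels = fqdn.rstrip(".").lower().split(".")
    if len(labels) < 2:
        return "", fqdn
    subdomain = labels[:-2]
    payload = max(subdomain, key=len) if subdomain else ""
    return payload, ".".join(labels[-2:])


def analyze(log_text, window=60, min_queries=3, len_threshold=30, entropy_threshold=3.5):
    """Per (client, registered domain): query count, peak count in any `window` seconds,
    mean payload-label length and entropy. A pair is flagged only when all three tunnel
    traits co-occur (volume, long labels, high entropy), which keeps CDN and mail
    lookups below the bar while still catching low-volume tunnels that chunk data
    into a few long queries."""
    buckets = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, name = line.split()
        payload, domain = split_name(name)
        buckets[(client, domain)].append((int(ts), payload))
    report = {}
    for key, events in buckets.items():
        events.sort()
        peak, start = 0, 0
        for end in range(len(events)):            # sliding window over timestamps
            while events[end][0] - events[start][0] > window:
                start += 1
            peak = max(peak, end - start + 1)
        payloads = [p for _, p in events]
        mean_len = sum(map(len, payloads)) / len(payloads)
        mean_ent = sum(map(shannon_entropy, payloads)) / len(payloads)
        report[key] = {
            "queries": len(events),
            "peak_in_window": peak,
            "mean_label_len": round(mean_len, 2),
            "mean_entropy": round(mean_ent, 2),
            "flagged": peak >= min_queries and mean_len >= len_threshold
                       and mean_ent >= entropy_threshold,
        }
    return report


if __name__ == "__main__":
    for (client, domain), stats in analyze(SAMPLE_DNS_LOG).items():
        print(client, domain, stats)
```

A rule that counts queries alone fires on every chatty client, which is the situation Question 37 describes; requiring long, high-entropy labels as well separates encoded payloads from CDN and mail lookups without losing tunnels that send few but large queries.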

Question 38 (medium, multiple choice)

An analyst needs to configure syslog to forward logs from multiple network devices to a central SIEM. Which syslog severity level should be used to ensure security-relevant events are sent while minimizing bandwidth usage?

Question 39 (hard, multiple choice)

A company uses Cisco Firepower NGFW with intrusion prevention. An analyst notices that many legitimate HTTPS connections are being blocked by an IPS rule. What is the best approach to reduce false positives?

Question 40 (easy, multiple choice)

Which data source provides the most detailed information about the application layer payload in network traffic?

Question 41 (hard, multiple choice)

A SOC team is evaluating a SIEM rule that triggers on 'more than 10 failed login attempts from a single source within 5 minutes.' The rule is generating too many alerts from a legitimate external monitoring service. How should the rule be modified?

Question 42 (medium, multi-select)

Which TWO of the following are indicators of a potential data exfiltration attempt?

Question 43 (medium, multi-select)

Which TWO of the following are best practices for configuring syslog to ensure reliable security event logging?

Question 44 (hard, multi-select)

Which THREE of the following are valid techniques to detect a compromised host using network monitoring?

Question 45 (medium, multiple choice)

Refer to the exhibit. An analyst sees these syslog messages from the Cisco ASA. What is the most likely cause?

Exhibit

Refer to the exhibit.

```
Mar  1 12:34:56 192.168.1.1 %ASA-4-106023: Deny tcp src inside:10.0.0.10/54321 dst outside:203.0.113.5/80 by access-group "OUTSIDE" [0x0, 0x0]
Mar  1 12:34:57 192.168.1.1 %ASA-4-106023: Deny tcp src inside:10.0.0.10/54322 dst outside:203.0.113.5/80 by access-group "OUTSIDE" [0x0, 0x0]
Mar  1 12:34:58 192.168.1.1 %ASA-4-106023: Deny tcp src inside:10.0.0.10/54323 dst outside:203.0.113.5/80 by access-group "OUTSIDE" [0x0, 0x0]
```
Question 46 (medium, multiple choice)

Refer to the exhibit. An administrator sees many alerts for DNS tunneling. The current DNS inspection policy is shown. What change would most likely help detect DNS tunneling?

Exhibit

Refer to the exhibit.

```
! Cisco ASDM configuration
policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum 512
    dns-guard
!
```
Question 47 (hard, multiple choice)

Refer to the exhibit. An analyst sees these log messages on a Cisco router. The source IP 10.0.0.2 is an internal server. What is the most likely explanation?

Exhibit

Refer to the exhibit.

```
! Output from show logging on Cisco IOS router
Mar  1 10:00:00: %SEC-6-IPACCESSLOGP: list INBOUND denied tcp 10.0.0.2(12345) -> 192.168.1.1(80), 1 packet
Mar  1 10:00:01: %SEC-6-IPACCESSLOGP: list INBOUND denied tcp 10.0.0.2(12346) -> 192.168.1.1(80), 1 packet
Mar  1 10:00:02: %SEC-6-IPACCESSLOGP: list INBOUND denied tcp 10.0.0.2(12347) -> 192.168.1.1(80), 1 packet
Mar  1 10:00:03: %SEC-6-IPACCESSLOGP: list INBOUND denied tcp 10.0.0.2(12348) -> 192.168.1.1(80), 1 packet
```
Question 48 (medium, multiple choice)

A security analyst is reviewing logs from a Cisco Firepower Management Center and notices that many legitimate SSL connections are being blocked by the intrusion policy. Which configuration change should the analyst make to reduce false positives without compromising security?

Question 49 (easy, multiple choice)

A network administrator has configured a SPAN port to send traffic to an intrusion detection system (IDS). However, the IDS is not seeing traffic from a specific VLAN. What is the most likely cause?

Question 50 (hard, multiple choice)

A security analyst is reviewing NetFlow records and notices a host sending data to an external IP at regular intervals during non-business hours. Which flow characteristic is most indicative of data exfiltration?

Question 51 (easy, multiple choice)

A Cisco ASA firewall is configured to send syslog messages to a SIEM. Which logging level includes 'informational' messages?

Question 52 (medium, multiple choice)

A Cisco Firepower sensor is generating an alert for a known benign application. The analyst has verified it is a false positive. What is the first step to suppress this alert?

Question 53 (medium, multiple choice)

A Linux server is configured with auditd to monitor file access. Which audit rule will detect any attempt to read the /etc/shadow file?

Question 54 (hard, multiple choice)

A SIEM correlation rule triggers when a user account is created and then added to a privileged group within 10 minutes. Which activity does this rule detect?

Question 55 (easy, multiple choice)

A network administrator is using Cisco ISE to monitor endpoint authentication. Which report provides details on failed authentication attempts and the reasons?

Question 56 (hard, multiple choice)

An organization must retain security logs for at least one year due to regulatory compliance. However, their SIEM storage is limited. Which strategy best balances compliance and storage?

Question 57 (easy, multiple choice)

Based on the exhibit, which type of traffic is being denied?

Exhibit

Refer to the exhibit.
```
Mar 1 12:34:56.789: %ASA-4-106023: Deny udp src inside:10.1.1.10/12345 dst outside:203.0.113.5/53 by access-group "OUTSIDE_IN" [0x0, 0x0]
```
Question 58 (medium, multiple choice)

Based on the exhibit, which traffic is permitted?

Exhibit

Refer to the exhibit.
```
access-list INTERNET extended permit tcp any host 198.51.100.10 eq 443
access-list INTERNET extended deny ip any any
```
Question 59 (hard, multiple choice)

Based on the exhibit, what condition triggers an alert?

Exhibit

Refer to the exhibit.
```
{
  "policy": "DNS Anomaly Detection",
  "rule": {
    "protocol": "udp",
    "port": 53,
    "threshold": 1000,
    "window": 60,
    "action": "alert"
  }
}
```
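
Questions 22, 41, 59 and 90 are all about the parameters of a windowed threshold rule: the count, the window, and what is excluded. The Python below is an added example, not Courseiva's or any SIEM vendor's code, that implements such a rule and runs constructed event streams through it: a burst brute force, a low-and-slow attack that stays under a 5-minute threshold but not a 30-minute one, an allowlisted monitoring host beside a user mistyping a password, and the exhibit's DNS policy read as "more than 1000 UDP/53 queries from one source in 60 seconds". Event field names, IP addresses and usernames are assumptions.

```python
"""Added example: a per-key sliding-window threshold rule of the kind SIEM correlation engines
run, with the tuning knobs (window, threshold, allowlist) that decide hits and misses."""
from collections import defaultdict, deque


class ThresholdRule:
    """Alert when more than `threshold` matching events share a key within `window` seconds.
    `allowlist` suppresses keys known to be benign (e.g. an external monitoring service).
    After an alert the key's window is cleared so one burst yields one alert, not one per event."""

    def __init__(self, name, match, key, threshold, window, allowlist=()):
        self.name, self.match, self.key = name, match, key
        self.threshold, self.window, self.allowlist = threshold, window, set(allowlist)
        self.windows = defaultdict(deque)      # key -> timestamps of recent matching events
        self.alerts = []

    def feed(self, event):
        """Process one event (a dict with at least 'ts'); returns the alert dict if one fired."""
        if not self.match(event):
            return None
        k = self.key(event)
        if k in self.allowlist:
            return None
        q = self.windows[k]
        q.append(event["ts"])
        while event["ts"] - q[0] > self.window:   # expire events that fell out of the window
            q.popleft()
        if len(q) > self.threshold:
            alert = {"rule": self.name, "key": k, "count": len(q), "first": q[0], "last": q[-1]}
            self.alerts.append(alert)
            q.clear()
            return alert
        return None


def failed_login(ts, src, user):
    return {"ts": ts, "type": "auth_failure", "src_ip": src, "user": user}


def run_scenarios():
    """Constructed event streams (not real SIEM data). Returns alert counts per scenario."""
    is_fail = lambda e: e["type"] == "auth_failure"
    by_src = lambda e: e["src_ip"]
    out = {}

    # Burst brute force: 12 failures in a minute from one external IP -> exactly one alert.
    r = ThresholdRule("bruteforce-5m", is_fail, by_src, threshold=10, window=300)
    for i in range(12):
        r.feed(failed_login(1000 + 5 * i, "203.0.113.77", "admin"))
    out["burst"] = len(r.alerts)

    # Low and slow: one failure per minute for 30 minutes. No 5-minute window ever holds more
    # than 6 events, so the 5-minute rule is silent; a 30-minute window over the same stream fires.
    slow = [failed_login(2000 + 60 * i, "198.51.100.9", "jsmith") for i in range(30)]
    r5 = ThresholdRule("bruteforce-5m", is_fail, by_src, threshold=10, window=300)
    r30 = ThresholdRule("bruteforce-30m", is_fail, by_src, threshold=10, window=1800)
    for e in slow:
        r5.feed(e)
        r30.feed(e)
    out["slow_5m"], out["slow_30m"] = len(r5.alerts), len(r30.alerts)

    # False-positive tuning: the monitoring service is allowlisted, and a user who mistypes a
    # password three times never reaches the threshold, so neither raises an alert.
    r = ThresholdRule("bruteforce-5m", is_fail, by_src, threshold=10, window=300,
                      allowlist={"192.0.2.10"})
    for i in range(20):
        r.feed(failed_login(4000 + i, "192.0.2.10", "monitor"))
    for i in range(3):
        r.feed(failed_login(4000 + i, "10.0.0.15", "jsmith"))
    out["allowlisted_and_typos"] = len(r.alerts)

    # The DNS anomaly policy from the exhibit, read as "more than 1000 UDP/53 queries from one
    # source within 60 seconds"; 1001 queries spread over 20 seconds trip it once.
    is_dns = lambda e: e["type"] == "dns_query" and e["proto"] == "udp" and e["dport"] == 53
    dns = ThresholdRule("dns-anomaly", is_dns, by_src, threshold=1000, window=60)
    for i in range(1001):
        dns.feed({"ts": 5000 + i // 50, "type": "dns_query", "proto": "udp",
                  "dport": 53, "src_ip": "10.0.0.22"})
    out["dns_flood"] = len(dns.alerts)
    return out


if __name__ == "__main__":
    print(run_scenarios())
```

The low-and-slow scenario is the situation of Question 90: failures keep arriving for 30 minutes, yet a rule that only looks 5 minutes back never sees more than a handful at once, so it stays silent. Widening the window, lowering the threshold, or adding a second rule keyed on the target account rather than the source are the usual fixes; an allowlist handles the known scanner of Question 41 without touching the threshold.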
Question 60 (easy, multi-select)

Which two are best practices for deploying network-based intrusion detection systems? (Choose two.)

Question 61 (medium, multi-select)

Which three data sources are commonly used in a SIEM for threat hunting? (Choose three.)

Question 62 (hard, multi-select)

Which two actions should an analyst take when a security monitoring tool generates a high number of false positives for a specific signature? (Choose two.)

Question 63 (easy, multiple choice)

A security analyst notices a sudden spike in NetFlow data from a single workstation to multiple external IP addresses on port 443. What is the most likely explanation for this traffic pattern?

Question 64 (medium, multiple choice)

A SOC analyst receives an alert from the SIEM indicating a high number of failed login attempts on a domain controller from a single IP address over the last 10 minutes. The source IP is a known internal workstation. What should be the analyst's FIRST action?

Question 65 (hard, multiple choice)

A company uses syslog for logging from all network devices. The SOC notices that logs from a critical router are not appearing in the SIEM for the past hour, but other devices are sending logs normally. Which step should the analyst take FIRST to troubleshoot?

Question 66 (easy, multiple choice)

An organization wants to ensure that security logs are tamper-proof and available for forensic analysis. Which logging best practice should be implemented?

Question 67 (medium, multiple choice)

An IDS detected the following signature match: "ET TROJAN Zeus variant outbound connection to C2 server". The destination IP is flagged as a known malicious host. What should the analyst do FIRST?

Question 68 (hard, multiple choice)

An organization is implementing monitoring for encrypted traffic without decrypting it. Which approach would be most effective for detecting malicious activity?

Question 69 (easy, multiple choice)

Which Cisco tool provides network-wide visibility and can detect anomalies using NetFlow and behavioral analysis?

Question 70 (medium, multiple choice)

A security analyst is reviewing baseline network traffic and notices that the normal HTTP traffic volume has increased by 300% over the past hour. The increase is from a single client IP to a single external web server. What does this indicate?

Question 71 (hard, multiple choice)

During an incident response, the SOC needs to determine the scope of a compromise by identifying all hosts that communicated with a known malicious IP in the last 30 days. Which data source would best support this analysis?

Question 72 (easy, multi-select)

Which TWO of the following are commonly used protocols for network security monitoring? (Select 2)

Question 73 (medium, multi-select)

Which THREE of the following are best practices for implementing security logging and monitoring? (Select 3)

Question 74 (hard, multi-select)

Which TWO of the following are characteristics of behavioral-based anomaly detection in network monitoring? (Select 2)

Question 75 (easy, multiple choice)

A security analyst notices repeated failed login attempts from a single IP address to the company's VPN gateway. Which action should the analyst take first?

Question 76 (medium, multiple choice)

A SOC analyst is reviewing alerts from a network-based intrusion detection system (NIDS). An alert indicates a potential SQL injection attempt, but the destination server is a web application that accepts SQL queries as part of its normal function. What should the analyst do?

Question 77 (hard, multiple choice)

A company uses a SIEM that collects logs from firewalls, servers, and endpoints. The SIEM is generating a high volume of low-priority events, causing analysts to miss critical alerts. Which approach would best improve the signal-to-noise ratio?

Question 78 (easy, multiple choice)

An analyst is monitoring network traffic and sees a sudden spike in outbound data transfer from an internal server to an external IP that is known to be malicious. What is the most likely scenario?

Question 79 (medium, multiple choice)

A security analyst is investigating an alert from a host-based intrusion detection system (HIDS) that detected a file modification in the system32 directory. Which log source should the analyst check first to understand the process that made the change?

Question 80 (hard, multiple choice)

During a security incident, a SOC analyst finds that the SIEM is not receiving logs from a critical firewall due to a network issue. The analyst needs to ensure that no alerts are missed during the outage. What should the analyst do?

Question 81 (easy, multiple choice)

Which of the following is a common indicator of a brute-force attack on an SSH server?

Question 82 (medium, multiple choice)

A security analyst is reviewing logs from a web proxy and sees that a user's machine is making frequent connections to a domain that is registered recently and has a low reputation score. What is the best action?

Question 83 (hard, multiple choice)

A SOC team is implementing a security monitoring solution for a cloud-based infrastructure. Which of the following is the most important consideration for effective monitoring?

Question 84 (easy, multi-select)

Which TWO of the following are common sources of security events used in security monitoring?

Question 85 (medium, multi-select)

Which TWO of the following are best practices when configuring a SIEM for security monitoring?

Question 86 (hard, multi-select)

Which THREE of the following are indicators that a network may be compromised by a botnet?

Question 87 (easy, multiple choice)

Refer to the exhibit. What type of activity does this log represent?

Exhibit

```
Sep 10 12:34:56: %SEC-6-IPACCESSLOGP: list 100 denied tcp 10.0.0.1(1234) -> 192.168.1.1(22), 1 packet
Sep 10 12:34:57: %SEC-6-IPACCESSLOGP: list 100 denied tcp 10.0.0.1(1235) -> 192.168.1.1(22), 1 packet
Sep 10 12:34:58: %SEC-6-IPACCESSLOGP: list 100 denied tcp 10.0.0.1(1236) -> 192.168.1.1(22), 1 packet
```
Question 88 (medium, multiple choice)

Refer to the exhibit. An analyst observes that the router's ACL is allowing all traffic to the web server at 192.168.1.100 on ports 80 and 443, but blocking all other TCP ports below 1024. However, the web server is also running an SSH service on port 22. What will happen to SSH traffic from the outside?

Exhibit

```
access-list 100 permit tcp any host 192.168.1.100 eq www
access-list 100 permit tcp any host 192.168.1.100 eq 443
access-list 100 deny tcp any host 192.168.1.100 range 1 1023
access-list 100 permit ip any any
```
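
Questions 16, 58 and 88 each require reading an ACL top-down and stopping at the first line that matches. The Python below is an added example, not the page's or Cisco's code: it parses the three exhibits exactly as printed, evaluates constructed packets against them the way the device does (first match, then the implicit deny), and keeps per-line match counters like `show ip access-lists`. Only the `any` and `host` address forms and a short port-name table are supported, and the source addresses of the test packets are invented.

```python
"""Added example: first-match evaluation of Cisco extended ACLs (IOS and ASA syntax)."""

# Port keywords as IOS/ASA print them; a subset that covers the exhibits (assumption).
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ssh": 22, "domain": 53, "smtp": 25}

# The three ACL exhibits on this page (Questions 16, 58 and 88), verbatim.
ACL_Q16 = """\
Extended IP access list BLOCK_MALICIOUS
    10 deny tcp any host 203.0.113.5 eq 443
    20 permit ip any any (2623 matches)
"""
ACL_Q58 = """\
access-list INTERNET extended permit tcp any host 198.51.100.10 eq 443
access-list INTERNET extended deny ip any any
"""
ACL_Q88 = """\
access-list 100 permit tcp any host 192.168.1.100 eq www
access-list 100 permit tcp any host 192.168.1.100 eq 443
access-list 100 deny tcp any host 192.168.1.100 range 1 1023
access-list 100 permit ip any any
"""

def _port(tok):
    return int(tok) if tok.isdigit() else PORT_NAMES[tok]

def _addr(tokens):
    """Consume 'any' or 'host A.B.C.D' (network/wildcard pairs are out of scope here)."""
    if tokens[0] == "any":
        return "any", tokens[1:]
    if tokens[0] == "host":
        return tokens[1], tokens[2:]
    raise ValueError(f"unsupported address spec: {' '.join(tokens[:2])}")

def _addr_match(spec, ip):
    return spec == "any" or spec == ip

def parse_acl(text):
    """Ordered rules from 'access-list N|NAME [extended] ...' lines or the sequenced lines of
    'show ip access-lists'. Existing '(N matches)' counters in the input are ignored."""
    rules = []
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens or tokens[0] in ("!", "Extended"):
            continue
        if tokens[0] == "access-list":
            tokens = tokens[2:]
        if tokens[0].isdigit():                  # sequence number from show output
            tokens = tokens[1:]
        if tokens[0] == "extended":
            tokens = tokens[1:]
        action, proto, rest = tokens[0], tokens[1], tokens[2:]
        src, rest = _addr(rest)
        dst, rest = _addr(rest)
        dport = None
        if rest and rest[0] == "eq":
            dport = (_port(rest[1]), _port(rest[1]))
        elif rest and rest[0] == "range":
            dport = (_port(rest[1]), _port(rest[2]))
        rules.append({"action": action, "proto": proto, "src": src, "dst": dst,
                      "dport": dport, "matches": 0})
    return rules

def evaluate(rules, proto, src, dst, dport=None):
    """Top-down first match, as the device does; the implicit 'deny ip any any' catches the rest.
    Returns (action, index of the matching rule or None) and bumps that rule's match counter."""
    for i, rule in enumerate(rules):
        if rule["proto"] not in ("ip", proto):
            continue
        if not (_addr_match(rule["src"], src) and _addr_match(rule["dst"], dst)):
            continue
        if rule["dport"] and (dport is None or not rule["dport"][0] <= dport <= rule["dport"][1]):
            continue
        rule["matches"] += 1
        return rule["action"], i
    return "deny", None

def demo():
    """Walk the three exhibits with constructed packets; returns the verdicts for checking."""
    q88, q58, q16 = parse_acl(ACL_Q88), parse_acl(ACL_Q58), parse_acl(ACL_Q16)
    return {
        # Q88: 22 is inside 'range 1 1023', so the deny on line 3 wins before 'permit ip any any'.
        "q88_ssh": evaluate(q88, "tcp", "198.51.100.7", "192.168.1.100", 22),
        "q88_http": evaluate(q88, "tcp", "198.51.100.7", "192.168.1.100", 80),
        "q88_high_port": evaluate(q88, "tcp", "198.51.100.7", "192.168.1.100", 8443),
        # Q58: only TCP/443 to the one host is permitted; everything else hits the explicit deny.
        "q58_https": evaluate(q58, "tcp", "10.1.1.5", "198.51.100.10", 443),
        "q58_dns": evaluate(q58, "udp", "10.1.1.5", "198.51.100.20", 53),
        # Q16: inbound on the external interface the ACL only sees packets whose *source* is
        # 203.0.113.5, so a deny keyed on that host as *destination* never matches (counter 0);
        # the client's own packets towards 203.0.113.5 leave that interface and are not evaluated.
        "q16_reply_from_malicious_host": evaluate(q16, "tcp", "203.0.113.5", "10.0.0.5", 51000),
        "q16_same_acl_on_outbound_traffic": evaluate(q16, "tcp", "10.0.0.5", "203.0.113.5", 443),
    }
```

The two Q16 cases show why the deny line in that exhibit has no matches: applied inbound on the external interface, the ACL sees 203.0.113.5 only as a source, so to block the clients' connections the same rule would have to be applied outbound on that interface (or inbound on the inside interface). Checking direction before trusting a zero counter is the practical habit the question is testing.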
Question 89 (hard, multiple choice)

Refer to the exhibit. An analyst sees repeated denied TCP connections from the same source to the same destination web server. Which of the following actions should the analyst take first?

Exhibit

```
%ASA-4-106023: Deny tcp src outside:10.0.0.1/12345 dst inside:192.168.1.10/80 by access-group "outside" [0x0, 0x0]
%ASA-4-106023: Deny tcp src outside:10.0.0.1/12346 dst inside:192.168.1.10/80 by access-group "outside" [0x0, 0x0]
%ASA-4-106023: Deny tcp src outside:10.0.0.1/12347 dst inside:192.168.1.10/80 by access-group "outside" [0x0, 0x0]
```
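
Questions 17, 45, 47, 57, 87 and 89 all present ACL deny messages, in the ASA %ASA-4-106023 format or the IOS %SEC-6-IPACCESSLOGP format, and ask what a run of them means. The Python below is an added example, not the page's or Cisco's code: it normalises both formats with regular expressions, groups denies by source, destination and port, and reports the two features the questions hinge on, the direction implied by the ASA zone names and whether the source port changes on every line, which marks separate connection attempts rather than one stuck flow. The sample lines are the exhibits from this page plus one constructed unrelated message.

```python
"""Added example: normalising ASA 106023 and IOS IPACCESSLOGP deny messages and summarising repeats."""
import re
from collections import defaultdict

ASA_DENY = re.compile(
    r'%ASA-\d-106023: Deny (?P<proto>\w+) src (?P<szone>[\w-]+):(?P<sip>[\d.]+)/(?P<sport>\d+) '
    r'dst (?P<dzone>[\w-]+):(?P<dip>[\d.]+)/(?P<dport>\d+) by access-group "(?P<acl>[^"]+)"')
IOS_DENY = re.compile(
    r'%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) denied (?P<proto>\w+) '
    r'(?P<sip>[\d.]+)\((?P<sport>\d+)\) -> (?P<dip>[\d.]+)\((?P<dport>\d+)\), (?P<pkts>\d+) packet')

# Sample input: the ASA and IOS exhibits from this page, plus one constructed unrelated line.
SAMPLE_LINES = """\
Mar  1 12:34:56 192.168.1.1 %ASA-4-106023: Deny tcp src inside:10.0.0.10/54321 dst outside:203.0.113.5/80 by access-group "OUTSIDE" [0x0, 0x0]
Mar  1 12:34:57 192.168.1.1 %ASA-4-106023: Deny tcp src inside:10.0.0.10/54322 dst outside:203.0.113.5/80 by access-group "OUTSIDE" [0x0, 0x0]
Mar  1 12:34:58 192.168.1.1 %ASA-4-106023: Deny tcp src inside:10.0.0.10/54323 dst outside:203.0.113.5/80 by access-group "OUTSIDE" [0x0, 0x0]
Mar 1 12:34:56.789: %ASA-4-106023: Deny udp src inside:10.1.1.10/12345 dst outside:203.0.113.5/53 by access-group "OUTSIDE_IN" [0x0, 0x0]
Sep 10 12:34:56: %SEC-6-IPACCESSLOGP: list 100 denied tcp 10.0.0.1(1234) -> 192.168.1.1(22), 1 packet
Sep 10 12:34:57: %SEC-6-IPACCESSLOGP: list 100 denied tcp 10.0.0.1(1235) -> 192.168.1.1(22), 1 packet
Sep 10 12:34:58: %SEC-6-IPACCESSLOGP: list 100 denied tcp 10.0.0.1(1236) -> 192.168.1.1(22), 1 packet
%ASA-4-106023: Deny tcp src outside:10.0.0.1/12345 dst inside:192.168.1.10/80 by access-group "outside" [0x0, 0x0]
%ASA-4-106023: Deny tcp src outside:10.0.0.1/12346 dst inside:192.168.1.10/80 by access-group "outside" [0x0, 0x0]
%ASA-4-106023: Deny tcp src outside:10.0.0.1/12347 dst inside:192.168.1.10/80 by access-group "outside" [0x0, 0x0]
Sep 10 12:35:00: %SYS-5-CONFIG_I: Configured from console by admin on vty0
"""


def parse_line(line):
    """Return a normalised record for a deny message from either platform, or None."""
    for fmt, rx in (("asa", ASA_DENY), ("ios", IOS_DENY)):
        m = rx.search(line)
        if m:
            d = m.groupdict()
            return {"format": fmt, "acl": d["acl"], "proto": d["proto"].lower(),
                    "src_zone": d.get("szone"), "src_ip": d["sip"], "src_port": int(d["sport"]),
                    "dst_zone": d.get("dzone"), "dst_ip": d["dip"], "dst_port": int(d["dport"]),
                    "packets": int(d.get("pkts") or 1)}
    return None


def summarize(log_text, min_repeats=3):
    """Group denies by (src, dst, dst_port, proto). A run of denies whose source port changes
    every time is a run of fresh connection attempts (retries or a scanner), not one stuck flow;
    ASA zone names separate egress (inside->outside: look at the internal host or the policy)
    from ingress (outside->inside: an external probe). IOS messages carry no zones."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            groups[(rec["src_ip"], rec["dst_ip"], rec["dst_port"], rec["proto"])].append(rec)
    summary = {}
    for key, recs in groups.items():
        sports = [r["src_port"] for r in recs]
        sz, dz = recs[0]["src_zone"], recs[0]["dst_zone"]
        summary[key] = {
            "count": len(recs),
            "acl": recs[0]["acl"],
            "direction": f"{sz}->{dz}" if sz and dz else "unknown",
            "distinct_src_ports": len(set(sports)),
            "sequential_src_ports": all(b == a + 1 for a, b in zip(sports, sports[1:])),
            "repeated_attempts": len(recs) >= min_repeats and len(set(sports)) == len(recs),
        }
    return summary


if __name__ == "__main__":
    for key, stats in summarize(SAMPLE_LINES).items():
        print(key, stats)
```

Three denies with consecutive ephemeral source ports inside three seconds are a client retrying (or a scanner iterating), not a single blocked session. Read them with the zones: outside->inside denies against an internal server show the ACL doing its job against an external probe, while inside->outside denies from an internal host are the ones to escalate, because either the host is misbehaving or the egress policy is wrong.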
Question 90 (medium, multiple choice)

A security analyst notices repeated failed login attempts to a critical server from a single external IP address over the past 30 minutes. The SIEM has a correlation rule that triggers an alert when the threshold of 10 failed attempts in 5 minutes is exceeded. However, no alert was generated. What is the most likely cause?

Question 91 (hard, multiple choice)

During a security incident, a network engineer captures traffic with tcpdump and saves it to a pcap file. The analyst needs to extract all HTTP POST requests containing a specific string in the URI. Which command should be used?

Question 92 (easy, multiple choice)

A SOC analyst receives an alert from the SIEM indicating a high number of outbound DNS queries from an internal host to a domain known for malicious activity. The analyst reviews the logs and finds that the host is a DNS server. What should be the analyst's first action?

Question 93 (hard, multiple choice)

An organization uses Cisco Stealthwatch for network traffic analysis. The analyst observes a sudden increase in traffic from a workstation to multiple external IPs on port 443. The traffic pattern shows consistent packet sizes of 1500 bytes, and the destination IPs are spread across different geographic regions. Which type of activity is most likely indicated?

Question 94 (medium, multiple choice)

A security analyst is configuring a new SIEM platform. The organization has multiple log sources, including Windows Event Logs, Linux syslog, and firewall logs. The analyst wants to ensure that logs are not lost if the SIEM becomes unavailable. Which approach best addresses this requirement?

Question 95 (easy, multiple choice)

An analyst is monitoring network traffic and notices a host sending ICMP echo requests to multiple hosts in the same subnet with a pattern of incrementing TTL values. What is the most likely purpose of this activity?

Question 96 (medium, multiple choice)

A company uses Cisco Firepower NGFW with intrusion prevention. The security team notices that some legitimate traffic is being blocked by the IPS, causing application outages. The analyst reviews the IPS signature events and finds false positives. What is the best approach to handle this without reducing security posture?

Question 97 (hard, multiple choice)

An organization uses Cisco AMP for Endpoints. A file with a low prevalence score is executed on multiple endpoints, and AMP identifies it as malicious after behavioral analysis. The analyst needs to ensure that all endpoints are protected from this file. Which action should be taken?

Question 98 (easy, multiple choice)

A SOC analyst is reviewing a firewall log and sees a large number of outbound connections from an internal server to a known command-and-control (C2) domain. The connections are on port 443, and the packets have irregular timing. What should the analyst do first?

Question 99 (medium, multi select)

Which TWO of the following are valid sources of security monitoring data in a Cisco security architecture?

Question 100 (hard, multi select)

Which TWO of the following are best practices when configuring a SIEM correlation rule to detect lateral movement?

Question 101 (easy, multi select)

Which THREE of the following are common indicators of compromise (IOCs) that a security monitoring system might trigger on?

Question 102 (hard, multiple choice)

Your organization uses a SIEM solution (Cisco Secure Network Analytics and Cisco Secure Cloud Analytics) for monitoring. You are the lead analyst and receive multiple alerts: (1) A host on the internal network is making thousands of outbound connections to a known malicious IP on port 80 in a short time. (2) At the same time, there is a spike in DNS queries from the same host to a domain that is registered very recently. (3) The firewall logs show that the host is communicating with internal servers on high ports (e.g., 4444, 5555). The host is a Windows 10 workstation used by the finance department. The user reports it has been slow recently. You have access to Cisco AMP for Endpoints, Cisco Firepower NGFW, and Cisco Stealthwatch. The environment has 500 endpoints, and the network uses 802.1X authentication. What should be your first course of action?

Question 103 (easy, multiple choice)

A security analyst is monitoring network traffic and notices a sudden increase in outbound connections from a single workstation to multiple IP addresses on port 443 at regular intervals. The workstation is used for standard office applications. Which action should the analyst take first?

Question 104 (medium, multiple choice)

A company uses Snort for intrusion detection. The analyst receives an alert for 'ET POLICY Outgoing DNS Query to Possible Malicious Domain'. The destination IP is 203.0.113.5. The analyst checks the DNS query and finds it is for 'update.software.com', which is a legitimate update server. However, the Snort rule triggered because the domain was recently added to a threat intelligence feed. What is the most likely cause of this false positive?

Question 105 (hard, multiple choice)

A Security Operations Center (SOC) uses Security Information and Event Management (SIEM) with event correlation. Analysts notice that alerts for a specific malware signature have decreased sharply after a new firewall rule was deployed. However, endpoint scans still show infections on several hosts. What is the most likely explanation for the decrease in SIEM alerts?

Question 106 (easy, multiple choice)

A SOC analyst is reviewing a security alert generated by the SIEM. The alert indicates a successful login from an unusual geographic location for a user who typically logs in from the corporate office. The analyst verifies that the user is currently on vacation and should not be accessing the network. What should the analyst do next?

Question 107 (medium, multiple choice)

An organization uses both network-based intrusion detection (NIDS) and host-based intrusion detection (HIDS). A HIDS alert reports that a critical server's registry key was modified. The NIDS shows no corresponding network activity. The change occurred during a scheduled maintenance window. What is the best course of action for the analyst?

Question 108 (easy, multi select)

Which TWO of the following are best practices for configuring syslog in a secure monitoring environment? (Choose two.)

Question 109 (medium, multi select)

Which THREE of the following are key elements of a security monitoring and analysis strategy? (Choose three.)

Question 110 (hard, multi select)

Which TWO of the following are valid reasons to use a proxy server for security monitoring? (Choose two.)

Question 111 (easy, multiple choice)

You are a SOC analyst at a medium-sized enterprise. The company uses a SIEM that collects logs from firewalls, endpoints, and Active Directory. At 2:00 AM, the SIEM generates a high-priority alert: 'Multiple Failed Logins for Administrator Account from Remote IP 198.51.100.20'. The analyst on the night shift reviews the alert and sees that there were 50 failed attempts in 10 minutes, followed by a successful login at 2:12 AM. The successful login originated from the same IP. The account is a domain administrator. The analyst checks the firewall logs and sees that the IP is from a known VPN provider. The analyst also checks the endpoint logs and sees that no unusual activity has occurred after the login. The company has a policy that remote administration is allowed only from a specific jump server with IP 203.0.113.10. The analyst suspects a brute-force attack succeeded. What should the analyst do first?

Question 112 (medium, multiple choice)

You are a cybersecurity analyst in a SOC. The company uses a combination of Snort NIDS and Windows Event Log monitoring. At 3:00 PM, you receive a critical alert: 'ET TROJAN Observed Malicious SSL Certificate (Fake Google)'. The alert shows that a workstation (IP 10.0.1.45) initiated an SSL connection to IP 192.0.2.10 on port 443. The certificate presented by the server is self-signed and claims to be 'google.com'. The destination IP is not in any known Google IP range. You check the firewall logs and see that the outbound connection was allowed. The workstation's host logs show that the user is a marketing employee who frequently accesses webmail. The user reports no unusual behavior. You also check the company's web proxy logs and see that the user accessed 'http://www.google.com' earlier today, but the SSL connection is to a different IP. What should be your next step?

Question 113 (hard, multiple choice)

You are a senior analyst in a SOC that monitors a large financial institution. The SIEM correlates events from firewalls, IDS, endpoints, and database servers. Over the past week, you have noticed multiple low-priority alerts from the IDS indicating 'ET SCAN NMAP -sS' scans from internal IP 10.0.0.50, which is a print server. The alerts occur at random times during business hours. The number of alerts has increased from 5 per day to 20 per day. The print server runs a standard OS and printer management software. No other alerts are triggered from that host. The firewall logs show outbound connections from the print server to IPs on the internet on port 443, which is abnormal for a print server. You check the printer management software and see no recent updates. The user of the print server, the IT administrator, reports no issues. What is your best course of action?

Question 114 (easy, multiple choice)

You are a SOC analyst for a school district. The district uses a Cisco Firepower NGFW for traffic inspection and a SIEM for log aggregation. A teacher reports that her workstation is slow and unresponsive. You check the SIEM and see that the workstation (IP 10.1.2.10) has been generating thousands of DNS queries to a domain 'badstuff.example.com' over the past hour. The firewall logs show that the workstation also made many outbound connections to IP 203.0.113.50 on port 80. The DNS queries are for various random subdomains of 'badstuff.example.com'. The school's web filter has no policy for this domain. The user is not technical and cannot explain the behavior. What is the most likely cause and the appropriate first action?

Question 115 (medium, multiple choice)

You are a security analyst at a healthcare organization. The organization uses Cisco Stealthwatch for network visibility and a SIEM for event correlation. You receive an alert that a medical records database server (IP 10.0.3.20) is communicating with an external IP (198.51.100.100) on port 22 (SSH) at 2:00 AM. The database server should have no outbound SSH connections; only remote administration is allowed from a management subnet via VPN. You check Stealthwatch and see that the connection duration is 30 minutes and the volume of data transferred is 500 MB. The database server logs show no local account logins at that time. The firewall logs show that the connection was initiated from the database server. The incident response team has been alerted. What is the most likely scenario and your immediate action?

Question 116 (hard, multiple choice)

You are a SOC analyst for a financial services firm. The firm uses a combination of Cisco Firepower IPS, Windows Event Log collection, and a custom SIEM. At 10:00 AM, the SIEM generates an alert: 'Event ID 4625: Multiple failed logins for user 'jdoe' from IP 10.0.0.100'. The alert fires 10 times within 5 minutes. The source IP is a file server. You check the file server's logs and see that it is running a scheduled script that attempts to map a network drive using jdoe's credentials. The script is legitimate and has been running for months. However, the script's credentials may have expired or changed. The user jdoe is currently on leave. The file server administrator confirms that the script is part of a backup process. What is the best course of action?

Question 117 (medium, multiple choice)

You are an analyst in a SOC that monitors a retail company with multiple branch offices. The company uses VPN connections between branches. The SIEM reports that a branch office router (IP 10.99.0.1) has been sending large amounts of data to an external IP 185.220.101.10 on port 123 (NTP) during off-hours. The NTP traffic is abnormal because the branch uses a local time server. The amount of data sent is 2 GB over 8 hours. The router logs show normal administrative traffic. The branch manager reports no issues. You check threat intelligence and find that 185.220.101.10 is a known malicious IP associated with data exfiltration. What should be your immediate response?

Question 118 (medium, multiple choice)

A SOC analyst is monitoring network traffic using Cisco Stealthwatch. An alert is generated indicating a large volume of data being transferred from a critical server to an external IP address during off-hours. The analyst observes that the data transfer is using encrypted HTTPS traffic to a cloud storage provider. The server is known to host sensitive customer data. The analyst reviews the server's outbound firewall rules and finds that HTTPS traffic to any destination is allowed. The analyst checks the server's recent login logs and sees an authentication from a user account that is typically used by a contractor who only works during business hours. The contractor's account has not been disabled after the contract ended last week. What should the analyst do first?

Question 119 (easy, multi select)

Which TWO are common sources of security event data in a Security Information and Event Management (SIEM) system?

Question 120 (medium, multiple choice)

Based on the Cisco ASA syslog message, what does this event indicate?

Exhibit

Refer to the exhibit.
%ASA-4-106023: Deny udp src outside:10.0.0.1/53 dst inside:192.168.1.100/12345 by access-group "OUTSIDE_IN" [0x0, 0x0]
Question 121 (hard, multiple choice)

A security analyst for a medium-sized enterprise is monitoring the network using Cisco Stealthwatch. They notice a sudden spike in traffic originating from an internal host (IP 10.10.10.50) communicating with multiple external IP addresses on port 445 (SMB). The host is a Windows server that typically serves web applications on ports 80 and 443. The analyst checks the host's firewall logs and finds that Windows Firewall is disabled. The host's antivirus is up to date and no alerts were triggered. The traffic pattern shows multiple connection attempts to /24 subnets across the internet, each with a single packet per destination. Based on this behavior, what is the most likely issue?
