
Scenario-based practice

Refer to the Exhibit Practice Questions

Practise Cisco CyberOps Associate 200-201 practice questions — original exam-style scenarios covering every exam domain, with detailed explanations, wrong-answer analysis, and common exam traps.

15 scenario questions · Exam code: 200-201 · Vendor: Cisco

Scenario guide

How to approach refer to the exhibit practice questions

Practise exhibit-style questions that ask you to read a topology, table, command output or diagram before choosing the best answer.

Quick answer

Exhibit-style questions test whether you can read a topology, command output, diagram or table before choosing the best answer.

How to extract the relevant detail from an exhibit.

How topology, command output or routing information affects the answer.

How to avoid answering from memory before reading the evidence.

How to map the exhibit back to the exam objective.


Practice set

Practice scenarios

Question 1 (medium, multiple choice)

Refer to the exhibit. A network analyst sees repeated denied attempts from host 10.0.0.2 to 10.0.0.1 on port 23. Based on the log, what type of activity is most likely occurring?

Exhibit

Refer to the exhibit.

```
Mar  1 10:15:22 host1 syslog: [CISCO] %SEC-6-IPACCESSLOGP: list inbound denied tcp 10.0.0.2(49152) -> 10.0.0.1(23), 1 packet
Mar  1 10:15:23 host1 syslog: [CISCO] %SEC-6-IPACCESSLOGP: list inbound denied tcp 10.0.0.2(49153) -> 10.0.0.1(23), 1 packet
Mar  1 10:15:24 host1 syslog: [CISCO] %SEC-6-IPACCESSLOGP: list inbound denied tcp 10.0.0.2(49154) -> 10.0.0.1(23), 1 packet
```
Question 2 (hard, multiple choice)

Refer to the exhibit. An analyst configures an ACL to block traffic to a malicious host on port 443. After applying it inbound on the external interface, the analyst sees the ACL counters. What does the output indicate?

Exhibit

Refer to the exhibit.
```
Router# show ip access-lists
Extended IP access list BLOCK_MALICIOUS
    10 deny tcp any host 203.0.113.5 eq 443
    20 permit ip any any (2623 matches)
```
Question 3 (easy, multiple choice)

Refer to the exhibit. An EDR alert shows this JSON event. What is the most significant indicator of a potential malware infection?

Exhibit

Refer to the exhibit.
```
{
  "event": "Process Creation",
  "timestamp": "2024-08-01T10:00:00Z",
  "hostname": "DESKTOP-ABC123",
  "user": "jsmith",
  "process": "C:\\Users\\jsmith\\Downloads\\invoice.exe",
  "parent_process": "C:\\Windows\\explorer.exe"
}
```
Question 4 (medium, multiple choice)

Refer to the exhibit. The analyst sees two IDS alerts from the same source. What should the analyst conclude?

Exhibit

Refer to the exhibit.

```
Event: 1, Signature: GPL TROJAN Zeus Variant Outbound Connection
Timestamp: 2023-09-15 14:23:45
Src IP: 10.0.0.25:49152 -> Dst IP: 198.51.100.10:80
Protocol: TCP
Packet: GET /gate.php HTTP/1.1
Host: malware.example.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:45.0)

Event: 2, Signature: ET POLICY Outgoing HTTP Request with Suspicious User-Agent
Timestamp: 2023-09-15 14:23:46
Src IP: 10.0.0.25:49153 -> Dst IP: 198.51.100.10:80
Protocol: TCP
Packet: GET /images/logo.png HTTP/1.1
Host: malware.example.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:45.0)
```
Question 5 (hard, multi-select)

A security analyst is reviewing the firewall log exhibit. The analyst suspects that this traffic might be part of a command-and-control (C2) communication based on the packet size and the timing of similar events. Which TWO additional pieces of evidence would most strongly support the suspicion of C2 traffic?

Exhibit

Refer to the exhibit.

```
Event: Firewall log entry
Time: 2023-10-05 14:23:45
Source IP: 192.168.1.50
Destination IP: 203.0.113.5
Source Port: 49152
Destination Port: 443
Protocol: TCP
Action: ALLOW
Bytes: 1452
Flags: ACK
```
Question 6 (hard, multiple choice)

Based on the exhibit, what is the most likely type of attack being observed?

Exhibit

Refer to the exhibit.

```
Event: 02/15/2023 14:32:10
Src IP: 10.10.10.50
Dst IP: 203.0.113.5
Protocol: TCP
Flags: SYN
Length: 60 bytes

(Repeated 100 times in the last 2 seconds)
```
Question 7 (hard, multiple choice)

Refer to the exhibit. A security analyst is analyzing a Windows host that is communicating with an external server at 192.168.1.50. Based on the output, which process is likely malicious?

Exhibit

Refer to the exhibit.

```
C:\Users\Admin> tasklist /svc
Image Name                     PID Services
========================= ======== ============================================
svchost.exe                    1236 BrokerInfrastructure, DcomLaunch, PlugPlay
svchost.exe                    1420 RpcSs, LanmanWorkstation, Dhcp, NlaSvc
svchost.exe                    1508 WpnService, WpnUserService
notepad.exe                    2344 N/A
cmd.exe                        2568 N/A
powershell.exe                 2792 N/A

C:\Users\Admin> netstat -anob | findstr 192.168.1.50
  TCP    192.168.1.100:49152    192.168.1.50:443    ESTABLISHED     2792
  TCP    192.168.1.100:49153    192.168.1.50:80     ESTABLISHED     1420
```
Question 8 (medium, multiple choice)

Refer to the exhibit. A security analyst reviews the ACL configuration applied outbound on the external interface. Which statement is true about traffic from the 192.168.1.0/24 network to the internet?

Exhibit

Refer to the exhibit.

```
Extended ACL 101:
10 permit tcp 192.168.1.0 0.0.0.255 any eq 80
20 permit tcp 192.168.1.0 0.0.0.255 any eq 443
30 deny tcp any any eq 22
40 permit ip any any

Interface GigabitEthernet0/0:
 ip access-group 101 out
```
Question 9 (medium, multiple choice)

Refer to the exhibit. A network analyst sees these firewall logs. What is the most likely interpretation?

Exhibit

Refer to the exhibit.
```
Mar  1 12:34:56.789: %ASA-5-111008: User 'admin' executed the 'configure terminal' command.
Mar  1 12:35:01.123: %ASA-4-106023: Deny tcp src outside:192.0.2.10/12345 dst inside:10.0.0.1/80 by access-group "OUTSIDE_IN" [0x0, 0x0]
Mar  1 12:35:05.456: %ASA-4-106023: Deny tcp src outside:192.0.2.10/12346 dst inside:10.0.0.2/443 by access-group "OUTSIDE_IN" [0x0, 0x0]
```
Question 10 (hard, multiple choice)

Refer to the exhibit. A security analyst reviews this ACL on a firewall between a DMZ (10.0.1.0/24) and internal network (10.0.2.0/24). What is the effect of this ACL?

Exhibit

Refer to the exhibit.
```
! Access-list for DMZ to Inside
access-list DMZ_TO_INSIDE extended permit tcp 10.0.1.0 255.255.255.0 10.0.2.0 255.255.255.0 eq 3306
access-list DMZ_TO_INSIDE extended deny ip any any
```
Question 11 (easy, multiple choice)

Refer to the exhibit. A Windows security log shows several events with Event ID 4625 (failed logon). What type of attack is indicated?

Exhibit

Refer to the exhibit.
```
Event Log:
Time: 10:00:01, Source: 192.168.1.100, Event ID: 4625, Account: Administrator
Time: 10:00:03, Source: 192.168.1.100, Event ID: 4625, Account: Admin
Time: 10:00:05, Source: 192.168.1.100, Event ID: 4625, Account: root
```
Question 12 (medium, multiple choice)

Refer to the exhibit. An analyst sees this syslog message from a Cisco ASA. What does this log entry indicate?

Exhibit

Refer to the exhibit.
```
Mar  1 12:34:56 192.168.1.100 %ASA-4-106023: Deny tcp src outside:10.0.0.1/54321 dst inside:192.168.1.100/80 by access-group "OUTSIDE_IN" [0x0, 0x0]
```
Question 13 (easy, multiple choice)

Refer to the exhibit. An analyst sees repeated ICMP echo requests from a host to the broadcast address. What is this an example of?

Exhibit

Refer to the exhibit.

```
Event: 1
Timestamp: 2023-10-01 08:00:00
Src IP: 10.0.0.1 -> Dst IP: 10.0.0.255
Protocol: ICMP
Type: 8 (Echo Request)

Event: 2
Timestamp: 2023-10-01 08:00:01
Src IP: 10.0.0.1 -> Dst IP: 10.0.0.255
Protocol: ICMP
Type: 8 (Echo Request)

Event: 3
Timestamp: 2023-10-01 08:00:02
Src IP: 10.0.0.1 -> Dst IP: 10.0.0.255
Protocol: ICMP
Type: 8 (Echo Request)
```
Question 14 (hard, multiple choice)

Refer to the exhibit. A firewall log shows denied TCP traffic from an internal host to an external IP on consecutive ports. What type of activity is indicated?

Exhibit

Refer to the exhibit.

```
syslog: %ASA-4-106023: Deny tcp src inside:10.0.0.10/12345 dst outside:203.0.113.5/22 by access-group "OUTSIDE" [0x0, 0x0]
syslog: %ASA-4-106023: Deny tcp src inside:10.0.0.10/12346 dst outside:203.0.113.5/23 by access-group "OUTSIDE" [0x0, 0x0]
syslog: %ASA-4-106023: Deny tcp src inside:10.0.0.10/12347 dst outside:203.0.113.5/25 by access-group "OUTSIDE" [0x0, 0x0]
```
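As an added example (not part of the question bank), the following Python parser reads the %ASA-4-106023 deny format that appears in the exhibits for Questions 9, 12 and 14, groups the denials by source/destination pair, and reports the distinct destination ports each pair touched; that per-pair port list is the detail an analyst extracts from the exhibit before deciding what the activity is. The sample lines are copied from those exhibits (plus one non-deny line to show it is skipped); the `min_ports` threshold is an assumed value, not a Cisco or exam setting.

```python
import re
from collections import defaultdict

# Field layout of the ASA 106023 deny message as shown in the exhibits above.
ASA_106023 = re.compile(
    r"%ASA-4-106023: Deny (?P<proto>\w+) "
    r"src (?P<src_zone>\w+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) "
    r"dst (?P<dst_zone>\w+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) "
    r'by access-group "(?P<acl>[^"]+)"'
)

def parse_asa_denies(lines):
    """Return one dict per 106023 deny line; lines in any other format are skipped."""
    events = []
    for line in lines:
        m = ASA_106023.search(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["src_port"] = int(ev["src_port"])
        ev["dst_port"] = int(ev["dst_port"])
        events.append(ev)
    return events

def summarize_pairs(events):
    """Group denies by (src_ip, dst_ip) and list the distinct destination ports per pair."""
    pairs = defaultdict(set)
    for ev in events:
        pairs[(ev["src_ip"], ev["dst_ip"])].add(ev["dst_port"])
    return {pair: sorted(ports) for pair, ports in pairs.items()}

def flag_multi_port(summary, min_ports=3):
    """Pairs that touched at least min_ports distinct services (assumed threshold) are returned for review."""
    return [pair for pair, ports in summary.items() if len(ports) >= min_ports]

# Constructed sample: the Question 14 lines, the Question 12 line, and a 111008 line that must be ignored.
SAMPLE_LOG = """\
syslog: %ASA-4-106023: Deny tcp src inside:10.0.0.10/12345 dst outside:203.0.113.5/22 by access-group "OUTSIDE" [0x0, 0x0]
syslog: %ASA-4-106023: Deny tcp src inside:10.0.0.10/12346 dst outside:203.0.113.5/23 by access-group "OUTSIDE" [0x0, 0x0]
syslog: %ASA-4-106023: Deny tcp src inside:10.0.0.10/12347 dst outside:203.0.113.5/25 by access-group "OUTSIDE" [0x0, 0x0]
Mar  1 12:34:56 192.168.1.100 %ASA-4-106023: Deny tcp src outside:10.0.0.1/54321 dst inside:192.168.1.100/80 by access-group "OUTSIDE_IN" [0x0, 0x0]
Mar  1 12:34:56.789: %ASA-5-111008: User 'admin' executed the 'configure terminal' command.
""".splitlines()

if __name__ == "__main__":
    summary = summarize_pairs(parse_asa_denies(SAMPLE_LOG))
    for pair, ports in summary.items():
        print(pair, ports)
    print("pairs touching several ports:", flag_multi_port(summary))
```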
Question 15 (easy, multiple choice)

Refer to the exhibit. A network administrator is configuring TACACS+ on a switch. Based on the configuration snippet, what is the expected behavior if the TACACS+ server becomes unreachable?

Exhibit

Refer to the exhibit.
```
switch# show running-config | include aaa
 aaa new-model
 aaa authentication login default local
 aaa authorization exec default local
 aaa accounting exec default start-stop group tacacs+
```

These 200-201 practice questions are part of Courseiva's free Cisco certification practice question bank. Courseiva provides original exam-style 200-201 questions with detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics.