
Scenario-based practice

Troubleshooting Scenario Questions

Practise Cisco CyberOps Associate 200-201 questions: original exam-style scenarios covering every exam domain, with detailed explanations, wrong-answer analysis, and common exam traps.

13 scenario questions. Exam code: 200-201. Vendor: Cisco.

Scenario guide

How to approach troubleshooting scenario questions

These questions describe a network symptom and ask you to identify the root cause or the correct fix. They appear across all certification exams and reward systematic thinking over memorisation. The best candidates follow a consistent troubleshooting framework even under time pressure.

Quick answer

Troubleshooting scenario questions test whether you can apply a concept in context, not just recognise a definition. They assess four things: how the topic appears in realistic exam-style scenarios; which detail in the question changes the correct answer; how to eliminate plausible but wrong options; and how to connect the question back to the wider exam objective.

Practice scenarios

Question 1 (medium, drag order)

Drag and drop the steps to investigate a security incident using a SIEM into the correct order.

Question 2 (medium, multiple choice)

Based on the exhibit, what action should the analyst take to further investigate this alert?

Exhibit:

[**] [1:2000002:3] ET MALWARE Possible Malicious Download [**]
[Priority: 2]
12/10/2023-10:45:23.456789 192.168.1.10:45678 -> 203.0.113.5:80
TCP TTL:64 TOS:0x0 ID:12345 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0x12345678  Ack: 0x9ABCDEF0  Win: 0x2000  TcpLen: 20
[Xref => http://malware.example.com/samples/abc123]
Question 3 (hard, multiple choice)

During an incident, a first responder pulls the network cable of a compromised server. Later, the incident response team is unable to collect volatile data such as running processes. Which policy or procedure was violated?

Question 4 (hard, multiple choice)

MedSecure is a healthcare organization with a security policy that requires all security incidents to be handled following the NIST framework. A system administrator discovers that an unauthorized user has accessed a database containing patient records. The administrator immediately disconnects the server from the network. The security analyst is called to investigate. The analyst finds that the server was not part of the centralized logging system, and the only logs available are the database audit logs. The security policy mandates preservation of evidence and chain of custody. The analyst needs to collect the database audit logs. Which action should the analyst take to ensure proper evidence collection?

Question 5 (medium, multiple choice)

A company's incident response policy defines four phases: Preparation; Detection & Analysis; Containment, Eradication & Recovery; and Post-Incident Activity. During an active ransomware outbreak, the IR team is unable to contain the spread because the containment plan did not account for the malware's use of PowerShell for lateral movement. Which phase had a deficiency?

Question 6 (hard, multi select)

An analyst is examining the Windows Registry on a host suspected of persistence via a malicious service. Which two registry keys are most relevant to investigate?

Question 7 (hard, multiple choice)

An analyst uses Wireshark to investigate a suspicious download. The TCP stream shows a GET request for a .exe file from an external IP, followed by a 200 OK response. The response contains the file but the last packet in the stream has a FIN flag set from the server. The client sends an ACK but then immediately sends a RST. What does this behavior suggest?

Question 8 (medium, multiple choice)

A network analyst is troubleshooting a false positive alert from an IPS that blocks traffic to a legitimate database server. The alert signature is triggered by the pattern 'OR 1=1'. The analyst determines that the traffic is from a web application that uses dynamic SQL queries. Which action best reduces false positives while maintaining security?

Question 9

A company uses syslog for logging from all network devices. The SOC notices that logs from a critical router have not appeared in the SIEM for the past hour, while other devices are sending logs normally. Which step should the analyst take FIRST to troubleshoot?

Question 10 (medium, multiple choice)

Refer to the exhibit. This syslog message is generated from a Cisco firewall. According to the security policy, all traffic from the 10.10.10.0/24 network to the internal 192.168.1.0/24 network must be denied except for HTTP traffic from specific IPs. Which of the following should be investigated?

Exhibit:
%SEC-6-IPACCESSLOGP: list OUTSIDE denied tcp 10.10.10.5(80) -> 192.168.1.10(49152) 1 packet
Question 11 (easy, multiple choice)

An organization's security policy mandates that all external media (USB drives, external hard drives) must be scanned for malware before use. An employee inserts a USB drive to transfer a presentation for a meeting. The employee runs the antivirus scan, but it fails to complete because the USB drive has a hardware write-protect switch. The employee is in a hurry. What should the employee do?

Question 12 (hard, multiple choice)

A financial services company has a security policy that all remote access must be through VPN with two-factor authentication. An employee on a business trip uses a hotel Wi-Fi to connect to the corporate network but claims the VPN client was not working, so they used RDP directly over the internet to access their desktop. The employee's manager approved this as a temporary measure. The security team discovers this during a log review. The policy has no provision for temporary exceptions. What should be the security team's first action?

Question 13 (easy, multiple choice)

You are a security analyst at a mid-sized company. The company uses a SIEM to collect logs from firewalls, IDS, and servers. Recently, the SIEM generated an alert for a potential brute-force attack against the company's VPN server. The alert is based on a correlation rule that triggers when more than 30 failed authentication attempts from a single source IP occur within 10 minutes. You investigate and see that the source IP is 203.0.113.50, which is a known IP address of a partner company that uses the VPN for remote access. The failed attempts are all from the same username 'john.doe'. You also notice that the attempts are happening every 5 seconds, exactly 6 attempts per minute. The partner company has a policy that locks accounts after 3 failed attempts. Based on this scenario, what is the most likely cause of the alert?

These 200-201 practice questions are part of Courseiva's free Cisco certification practice question bank.