Security Monitoring practice questions

Practise Cisco CyberOps Associate 200-201 Security Monitoring practice questions — original exam-style scenarios with answer choices, explanations, and analysis of common mistakes.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed by Johnson Ajibi · MSc IT Security
20 questions · Domain: Security Monitoring

What the exam tests

What to know about Security Monitoring

Security Monitoring questions test whether you can apply the concept in context, not just recognise a definition. Expect to be tested on:

  • How the topic appears in realistic exam-style scenarios.
  • Which detail in the question changes the correct answer.
  • How to eliminate plausible but wrong options.
  • How to connect the question back to the wider exam objective.

Watch out for

Common Security Monitoring exam traps

  • Answering from memory before reading the full scenario.
  • Missing a constraint such as cost, availability, security, scope or command context.
  • Choosing a broad answer when the question asks for the most specific fix.
  • Ignoring why the wrong options are tempting.

Practice set

Security Monitoring questions

20 questions · select your answer, then reveal the explanation

An analyst is monitoring network traffic and observes a large number of TCP SYN packets sent to a single host on various ports with no corresponding SYN-ACK replies. This behavior is most indicative of which type of attack?

A security engineer is setting up a Snort rule to detect FTP traffic where the source IP is not from the internal network. Which Snort rule header correctly specifies the action, protocol, source, and destination?

During a security incident, a SOC analyst reviews NetFlow records and notices a single internal host communicating with a remote server on TCP port 443, sending 50 MB of data in 5 minutes, while the usual baseline for that host is 1 MB per hour. Which type of activity is most likely indicated?

An analyst is examining a firewall log entry: '2023-10-25 14:30:00 ACTION=DENY SRC=10.0.0.5 DST=203.0.113.50 PROTO=TCP SPT=445 DPT=445'. Which statement best describes this event?

While analyzing a PCAP file in Wireshark, an analyst sees multiple GET requests to /login.php with different usernames in the URL parameters, all from the same source IP: 192.168.1.100 to 10.0.0.1. The HTTP response codes are mostly 200 OK. This pattern suggests which attack?

A SOC analyst needs to create a SIEM correlation rule to detect a brute force attack against SSH on a server. Which of the following would be the most effective rule logic?

A security analyst is reviewing Zeek connection logs and sees the following entry: '192.168.1.10:12345 > 10.0.0.1:80 (tcp) duration 0.001 sec, service http, bytes 60, state S0'. Based on the state 'S0', what does this indicate about the connection?

An analyst receives an IDS alert with signature name 'ET TROJAN Win32.Zeus Checkin' and severity 'high'. The alert shows source IP 192.168.1.50 and destination IP 198.51.100.20 on port 443. Which action should the analyst take FIRST?

Which Wireshark display filter would an analyst use to view only HTTP packets that contain the word 'password' in the packet payload?

During an incident response, an analyst extracts a suspicious file and computes its MD5 hash: d41d8cd98f00b204e9800998ecf8427e. Upon checking a threat intelligence feed, this hash is known as a malicious indicator. What does this hash represent?

An analyst is reviewing a web server log and sees the following entry: '192.168.1.1 - - [25/Oct/2023:10:15:30 -0400] "GET /admin/index.php?cmd=id HTTP/1.1" 200 1532 "-" "Mozilla/5.0"'. What potential attack does this log entry suggest?

A SOC analyst is tuning IDS signatures and notices that a particular signature triggers frequently on legitimate traffic from a specific internal application. The signature has a high false positive rate. What is the best action to take?

Question 13 · medium · multi select

A security analyst is investigating a potential data exfiltration incident. Which TWO of the following are common indicators that data exfiltration may be occurring over DNS? (Choose two.)

A SOC analyst is reviewing a large number of alerts from a SIEM. Which THREE of the following are effective steps to prioritize and investigate alerts in a high-volume environment? (Choose three.)

Which TWO of the following are examples of Indicators of Compromise (IoCs) used in network security monitoring? (Choose two.)

During a security monitoring review, an analyst notices an unusual amount of traffic on port 445. Which protocol is most likely associated with this port?

A security analyst is investigating a potential brute force attack. Which SIEM correlation rule would best detect this activity?

An analyst uses Wireshark to examine network traffic and wants to see only packets that contain the string 'password'. Which type of filter should be applied?

Question 19 · hard · multiple choice

In a Zeek/Bro log, an analyst observes a connection with 'service' field set to 'dns' and 'query' field containing a long, random-looking subdomain. This could be indicative of which type of activity?

Question 20 · easy · multiple choice

Which OSI layer is responsible for logical addressing and routing, and is commonly targeted by IP spoofing attacks?


Frequently asked questions

What does the 200-201 exam test about Security Monitoring?
Security Monitoring questions test whether you can apply the concept in context, not just recognise a definition.
How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.
Can I practise just Security Monitoring questions in a focused session?
Yes — the session launcher on this page draws every question from the Security Monitoring domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.
Where can I practise other 200-201 topics?
Use the topic links above to move to related areas, or go back to the 200-201 question bank to see all topics.
Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the 200-201 exam covers. They are not copied from any real exam or dump site.