Cisco 200-201 · topic practice

Network Intrusion Analysis practice questions

Use this page to practise Network Intrusion Analysis questions for the Cisco 200-201 exam. Focus on how the exam tests network intrusion analysis in scenario format: understanding why each answer is right, and why the distractors are wrong, builds more durable knowledge than memorising options.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed by Johnson Ajibi · MSc IT Security
20 questions · Domain: Network Intrusion Analysis

What the exam tests

What to know about Network Intrusion Analysis

Network Intrusion Analysis questions on the 200-201 exam test your ability to read network security event data (IDS/IPS alerts, firewall and proxy logs, NetFlow records, packet captures) and decide what an intrusion looks like, what it is not, and what to do first.

Core Network Intrusion Analysis concepts (attack and reconnaissance patterns, indicators of compromise, expected protocol and port behaviour) and how they appear in real-world network scenarios.

How to map an alert to the data source that produced it, and how to verify a finding with a second source such as flow data, endpoint logs or a packet capture.

Distinguishing true positives from false positives and benign activity by interpreting alert output, log fields and host state.

Triage and response priorities tested by this certification: what to verify, preserve, contain or escalate first.

Watch out for

Common Network Intrusion Analysis exam traps

  • Equating a port number with a protocol: traffic on 443, 53 or 22 is not necessarily HTTPS, DNS or SSH, and an unexpected volume, timing or direction on a familiar port is the real clue.
  • Treating a single IDS alert as a confirmed compromise before correlating it with flow data, endpoint logs or a packet capture.
  • Reading traffic direction the wrong way round: unsolicited packets arriving at internal hosts (for example RSTs they never provoked) are not evidence that those hosts are scanning.
  • Answering "what should you do FIRST" with a later incident-response step: the exam expects you to verify and scope the activity, preserving evidence, before eradication and recovery.

Practice set

Network Intrusion Analysis questions

20 questions · select your answer, then reveal the explanation

A security analyst reviews an alert from the IPS that shows a spike in TCP SYN packets from an external IP to multiple internal hosts on port 443. What is the most likely attack type?

An analyst notices that a host is sending large amounts of data to an external IP address on TCP port 22 during non-business hours. What is the most likely activity?


An analyst sees an alert: 'ET POLICY Outgoing HTTP Request with Suspicious User-Agent (Mozilla/5.0 compatible; MSIE 6.0; Windows NT 5.1)'. The source is an internal host that typically uses Windows 10. What should the analyst suspect?

During an investigation, an analyst finds that an internal host has been communicating with a known malicious IP on port 445. Which protocol is most likely involved?


An analyst reviews NetFlow data and sees a single internal IP communicating with many external IPs on port 53, each with small UDP packets. The internal host is not a DNS server. What is the most likely explanation?

A security analyst detects a large number of TCP RST packets from a single external IP to various internal hosts. The internal hosts are not sending any corresponding packets. What is the most likely cause?

An analyst sees an alert from the IDS: 'ET TROJAN Possible Zeus Variant Outbound Connection'. What action should the analyst take first?


A host is infected with malware that uses DNS tunneling to exfiltrate data. Which type of analysis would best detect this activity?
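
Worked example (added here; it is not one of the page's questions or explanations) of the behavioural analysis the question is after. It scores a DNS query log per client and registrable domain on four tunnelling signals: many unique subdomains, long subdomain strings, high character entropy and a large share of TXT/NULL queries. The query log, the client address 10.0.0.25, the thresholds and the naive two-label rule for the registrable domain are all assumptions of the example.

```python
import hashlib
import math
from collections import defaultdict


def shannon_entropy(s):
    """Bits per character of s; encoded payload labels score near log2(16) = 4 for hex."""
    if not s:
        return 0.0
    n = len(s)
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname):
    """Split 'a.b.example.net' into ('a.b', 'example.net').
    Naive last-two-labels rule (an assumption for this example): real tooling
    should use the Public Suffix List so names under example.co.uk split correctly."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def score_domains(queries, min_unique=20, min_avg_len=30, min_entropy=3.0, min_txt_share=0.5):
    """queries: iterable of (client_ip, qname, qtype).
    Returns {(client_ip, domain): [reasons]} for every (client, domain) group that
    shows at least two tunnelling signals: many unique subdomains (each one a data
    chunk), long subdomain strings (payload), high entropy (encoding) and a large
    share of TXT/NULL queries (the server-to-client channel)."""
    groups = defaultdict(list)
    for client, qname, qtype in queries:
        sub, dom = split_name(qname)
        groups[(client, dom)].append((sub, qtype.upper()))
    findings = {}
    for key, items in groups.items():
        subs = {s for s, _ in items if s}
        if not subs:
            continue
        avg_len = sum(len(s) for s in subs) / len(subs)
        avg_ent = sum(shannon_entropy(s.replace(".", "")) for s in subs) / len(subs)
        txt_share = sum(1 for _, t in items if t in ("TXT", "NULL")) / len(items)
        reasons = []
        if len(subs) >= min_unique:
            reasons.append(f"{len(subs)} unique subdomains")
        if avg_len >= min_avg_len:
            reasons.append(f"average subdomain length {avg_len:.0f}")
        if avg_ent >= min_entropy:
            reasons.append(f"average entropy {avg_ent:.2f} bits/char")
        if txt_share >= min_txt_share:
            reasons.append(f"{txt_share:.0%} TXT/NULL queries")
        if len(reasons) >= 2:
            findings[key] = reasons
    return findings


def sample_queries():
    """Constructed query log (not real traffic): ordinary lookups from one client plus
    a tunnel that sends 40 data chunks as 52-character hex labels under example.net.
    sha256 stands in for the encoded payload so the sample is deterministic."""
    client = "10.0.0.25"  # assumed infected host
    q = [(client, "www.cisco.com", "A"), (client, "mail.example.com", "A"),
         (client, "cdn.example.com", "AAAA"), (client, "www.cisco.com", "A")]
    for i in range(40):
        chunk = hashlib.sha256(f"chunk-{i}".encode()).hexdigest()[:52]
        q.append((client, f"{chunk}.example.net", "TXT"))
    return q


if __name__ == "__main__":
    for (client, dom), reasons in score_domains(sample_queries()).items():
        print(f"{client} -> {dom}: " + "; ".join(reasons))
```

Only the example.net group is reported; the ordinary lookups under cisco.com and example.com trip none of the four signals. Requiring two signals rather than one keeps CDN hostnames with long but low-entropy labels, and legitimate heavy TXT users such as mail verification, out of the findings.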

An analyst observes that an internal host is sending ICMP echo requests with payloads containing random data to an external IP. The payload size is larger than typical. What is the most likely technique?

Which TWO types of network traffic should be analyzed to detect a data exfiltration attempt via HTTP? (Choose two.)

Which THREE indicators are commonly found in network traffic that suggest a host is part of a botnet? (Choose three.)

Which TWO network behaviors suggest an ARP spoofing attack is occurring? (Choose two.)

Refer to the exhibit. The analyst sees two IDS alerts from the same source. What should the analyst conclude?

Exhibit:

Event: 1, Signature: GPL TROJAN Zeus Variant Outbound Connection
Timestamp: 2023-09-15 14:23:45
Src IP: 10.0.0.25:49152 -> Dst IP: 198.51.100.10:80
Protocol: TCP
Packet: GET /gate.php HTTP/1.1
Host: malware.example.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:45.0)

Event: 2, Signature: ET POLICY Outgoing HTTP Request with Suspicious User-Agent
Timestamp: 2023-09-15 14:23:46
Src IP: 10.0.0.25:49153 -> Dst IP: 198.51.100.10:80
Protocol: TCP
Packet: GET /images/logo.png HTTP/1.1
Host: malware.example.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:45.0)
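
An added example, not part of the question bank, of how an analyst would reach the conclusion programmatically: it parses alert records in the exhibit's layout, checks the OS token in the User-Agent against an asset inventory (the same trap the earlier Suspicious User-Agent question sets, where a Windows 10 host claims an older OS), and escalates when one internal host trips two different signatures against the same destination within a short window. The inventory entry for 10.0.0.25, the 60-second window and the record format are assumptions; the two sample records reproduce the exhibit.

```python
import re
from collections import defaultdict
from datetime import datetime

# Marketing OS name for the "Windows NT x.y" token browsers put in the User-Agent.
NT_VERSIONS = {"5.1": "Windows XP", "6.0": "Windows Vista", "6.1": "Windows 7",
               "6.2": "Windows 8", "6.3": "Windows 8.1", "10.0": "Windows 10"}

# Assumed asset inventory (the OS each host should present); not from the page.
INVENTORY = {"10.0.0.25": "Windows 10"}

ENDPOINTS = re.compile(r"(?P<src_ip>[\d.]+):(?P<src_port>\d+) -> Dst IP: "
                       r"(?P<dst_ip>[\d.]+):(?P<dst_port>\d+)")

# Constructed sample in the exhibit's layout (the two records shown above).
SAMPLE_ALERTS = """\
Event: 1, Signature: GPL TROJAN Zeus Variant Outbound Connection
Timestamp: 2023-09-15 14:23:45
Src IP: 10.0.0.25:49152 -> Dst IP: 198.51.100.10:80
Protocol: TCP
Packet: GET /gate.php HTTP/1.1
Host: malware.example.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:45.0)

Event: 2, Signature: ET POLICY Outgoing HTTP Request with Suspicious User-Agent
Timestamp: 2023-09-15 14:23:46
Src IP: 10.0.0.25:49153 -> Dst IP: 198.51.100.10:80
Protocol: TCP
Packet: GET /images/logo.png HTTP/1.1
Host: malware.example.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:45.0)
"""


def parse_alerts(text):
    """One dict per blank-line-separated record; keys are lower-cased header names."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in block.splitlines():
            key, _, value = line.partition(": ")
            if key == "Event":
                num, _, sig = value.partition(", Signature: ")
                rec["event"], rec["signature"] = int(num), sig
            elif key == "Src IP":
                rec.update(ENDPOINTS.match(value).groupdict())
            elif key == "Timestamp":
                rec["ts"] = datetime.strptime(value, "%Y-%m-%d %H:%M:%S")
            else:
                rec[key.lower()] = value
        alerts.append(rec)
    return alerts


def ua_os(user_agent):
    """OS the User-Agent claims, or None if it carries no Windows NT token."""
    m = re.search(r"Windows NT (\d+\.\d+)", user_agent)
    if not m:
        return None
    return NT_VERSIONS.get(m.group(1), "Windows NT " + m.group(1))


def assess(text, inventory, window_s=60):
    """Return findings: a UA whose OS token contradicts the inventory for that host,
    and any (src, dst) pair that trips two or more distinct signatures within window_s."""
    alerts = parse_alerts(text)
    findings, seen = [], set()
    for a in alerts:
        claimed, actual = ua_os(a.get("user-agent", "")), inventory.get(a["src_ip"])
        if claimed and actual and claimed != actual:
            f = ("ua_os_mismatch", a["src_ip"], claimed, actual)
            if f not in seen:
                seen.add(f)
                findings.append(f)
    by_pair = defaultdict(list)
    for a in alerts:
        by_pair[(a["src_ip"], a["dst_ip"])].append(a)
    for (src, dst), group in by_pair.items():
        group.sort(key=lambda a: a["ts"])
        sigs = sorted({a["signature"] for a in group})
        span = (group[-1]["ts"] - group[0]["ts"]).total_seconds()
        if len(sigs) >= 2 and span <= window_s:
            findings.append(("correlated_alerts", src, dst, sigs))
    return findings


if __name__ == "__main__":
    for f in assess(SAMPLE_ALERTS, INVENTORY):
        print(f)
```

Two independent signatures from the same host to the same destination one second apart, plus a User-Agent that claims Windows 7 from a host the inventory says is Windows 10, is what turns a single alert into a case worth opening; the User-Agent check on its own is weak, since browsers and proxies can legitimately report odd tokens.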

Refer to the exhibit. A firewall log shows denied TCP traffic from an internal host to an external IP on consecutive ports. What type of activity is indicated?

Exhibit:

syslog: %ASA-4-106023: Deny tcp src inside:10.0.0.10/12345 dst outside:203.0.113.5/22 by access-group "OUTSIDE" [0x0, 0x0]
syslog: %ASA-4-106023: Deny tcp src inside:10.0.0.10/12346 dst outside:203.0.113.5/23 by access-group "OUTSIDE" [0x0, 0x0]
syslog: %ASA-4-106023: Deny tcp src inside:10.0.0.10/12347 dst outside:203.0.113.5/25 by access-group "OUTSIDE" [0x0, 0x0]
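
Added example (it is not part of the question bank and not Cisco code) of turning the firewall log in the exhibit into a detection: it parses %ASA-4-106023 deny messages and separates a vertical scan (one destination, many ports, as in the exhibit) from a horizontal one (one port, many destinations). The regex, the thresholds and the four extra sample lines beyond the three in the exhibit are constructed for the example.

```python
import re
from collections import defaultdict

# Layout of the %ASA-4-106023 "Deny" message as it appears in the exhibit. This regex is
# written for the example; it is not Cisco's own parser and ignores the trailing counters.
ASA_106023 = re.compile(
    r"%ASA-4-106023: Deny (?P<proto>\w+) "
    r"src (?P<src_if>\w+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) "
    r"dst (?P<dst_if>\w+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) "
    r'by access-group "(?P<acl>[^"]+)"'
)


def parse_asa_denies(lines):
    """Yield one dict per 106023 line; lines in any other format are skipped."""
    for line in lines:
        m = ASA_106023.search(line)
        if m:
            ev = m.groupdict()
            ev["src_port"], ev["dst_port"] = int(ev["src_port"]), int(ev["dst_port"])
            yield ev


def _sequential(ports):
    """True when ephemeral source ports rise by exactly one each time, a hint that a
    single process opened the sockets back to back (12345, 12346, 12347 in the exhibit)."""
    return len(ports) > 1 and all(b == a + 1 for a, b in zip(ports, ports[1:]))


def classify_scans(lines, min_ports=3, min_hosts=3):
    """Vertical scan: one source probes >= min_ports distinct ports on one destination.
    Horizontal scan: one source probes one port on >= min_hosts distinct destinations."""
    pair_events = defaultdict(list)   # (src, dst)      -> [(src_port, dst_port)]
    port_events = defaultdict(list)   # (src, dst_port) -> [(src_port, dst)]
    for ev in parse_asa_denies(lines):
        pair_events[(ev["src_ip"], ev["dst_ip"])].append((ev["src_port"], ev["dst_port"]))
        port_events[(ev["src_ip"], ev["dst_port"])].append((ev["src_port"], ev["dst_ip"]))
    findings = []
    for (src, dst), evs in pair_events.items():
        ports = sorted({dp for _, dp in evs})
        if len(ports) >= min_ports:
            findings.append({"kind": "vertical", "src": src, "dst": dst, "ports": ports,
                             "sequential_src_ports": _sequential([sp for sp, _ in evs])})
    for (src, port), evs in port_events.items():
        hosts = sorted({d for _, d in evs})
        if len(hosts) >= min_hosts:
            findings.append({"kind": "horizontal", "src": src, "port": port, "hosts": hosts,
                             "sequential_src_ports": _sequential([sp for sp, _ in evs])})
    return findings


def sample_log():
    """Constructed sample: the three exhibit lines (one destination, ports 22/23/25), three
    more denies from the same host to three neighbours on 445, and one unrelated deny."""
    tmpl = ('syslog: %ASA-4-106023: Deny tcp src inside:{src}/{sp} dst outside:{dst}/{dp} '
            'by access-group "OUTSIDE" [0x0, 0x0]')
    rows = [("10.0.0.10", 12345, "203.0.113.5", 22), ("10.0.0.10", 12346, "203.0.113.5", 23),
            ("10.0.0.10", 12347, "203.0.113.5", 25), ("10.0.0.10", 12348, "203.0.113.6", 445),
            ("10.0.0.10", 12349, "203.0.113.7", 445), ("10.0.0.10", 12350, "203.0.113.8", 445),
            ("10.0.0.11", 54001, "203.0.113.9", 80)]
    return [tmpl.format(src=s, sp=sp, dst=d, dp=dp) for s, sp, d, dp in rows]


if __name__ == "__main__":
    for f in classify_scans(sample_log()):
        print(f)
```

The exhibit's three lines alone already satisfy the vertical rule, and the fact that the denies come from an inside host is the part that matters for triage: an internal workstation probing an external address on 22, 23 and 25 is reconnaissance from inside the perimeter, not an inbound attack the firewall has already handled.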

Refer to the exhibit. An analyst sees repeated ICMP echo requests from a host to the broadcast address. What is this an example of?

Exhibit:

Event: 1
Timestamp: 2023-10-01 08:00:00
Src IP: 10.0.0.1 -> Dst IP: 10.0.0.255
Protocol: ICMP
Type: 8 (Echo Request)

Event: 2
Timestamp: 2023-10-01 08:00:01
Src IP: 10.0.0.1 -> Dst IP: 10.0.0.255
Protocol: ICMP
Type: 8 (Echo Request)

Event: 3
Timestamp: 2023-10-01 08:00:02
Src IP: 10.0.0.1 -> Dst IP: 10.0.0.255
Protocol: ICMP
Type: 8 (Echo Request)

You are a security analyst for a financial institution. Over the past hour, the intrusion detection system has generated multiple alerts for outbound traffic from a single internal host (10.0.0.50) to various external IP addresses on port 443. The alerts indicate that the host is making HTTPS connections to IPs that are associated with known command and control servers. Additionally, the host has been observed making DNS queries for domains that are algorithmically generated (e.g., rgj3k2.example.com, fh7d8s.example.net). The host is a Windows 10 workstation used by an employee in the accounting department. The employee reports that they have not noticed any unusual behavior, but they did click on a link in a phishing email yesterday. The network administrator confirms that the host's firewall rules allow outbound HTTPS traffic. You have access to endpoint logs, network flow data, and packet captures. Which course of action should you take FIRST?

You are a security analyst for a medium-sized enterprise. You notice that the network monitoring system has flagged an unusual amount of traffic between two internal hosts: 192.168.1.10 (a file server) and 192.168.1.20 (a workstation in the sales department). The traffic is occurring on port 445 (SMB) and is happening outside of normal business hours. The volume of data transferred is significantly higher than typical usage. The file server logs show that the sales workstation has been accessing a large number of files in quick succession. The sales employee reports that they have been working late, but they cannot explain the high volume of file access. You have access to the file server logs, network flow data, and the workstation's event logs. The workstation has antivirus software installed that is up to date. What should you do FIRST?

A security analyst observes a sudden spike in outbound traffic from a critical server to an external IP address on TCP port 443. The server is a web application server that normally only receives inbound connections. Which type of intrusion is most likely occurring?

An analyst needs to determine if a host is infected with malware that is attempting to contact a known malicious domain. Which log source is most appropriate for this analysis?

Which TWO of the following are indicators of a network intrusion? (Choose two.)


Frequently asked questions

What does the 200-201 exam test about Network Intrusion Analysis?
Network Intrusion Analysis questions on the 200-201 exam test your ability to read network security event data (IDS/IPS alerts, firewall and proxy logs, NetFlow records, packet captures) and decide what an intrusion looks like, what it is not, and what to do first, all in scenario-based situations.
How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong: this active recall approach builds retention far faster than re-reading notes.
Can I practise just Network Intrusion Analysis questions in a focused session?
Yes. Focused sessions draw every question from the Network Intrusion Analysis domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.
Where can I practise other 200-201 topics?
Move on to a related 200-201 topic page, or go back to the 200-201 question bank to see all topics.
Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the 200-201 exam covers. They are not copied from any real exam or dump site.