CCNA Security Monitoring Questions

75 of 121 questions · Page 1/2 · Security Monitoring topic

1
Multi-Select · easy

Which TWO of the following are best practices for configuring syslog in a secure monitoring environment? (Choose two.)

A. Use UDP as the transport protocol to ensure reliable delivery
B. Set log files to overwrite daily
C. Configure a maximum log file size to prevent disk exhaustion
D. Change the default syslog port to avoid detection by attackers
E. Send syslog messages to a centralized log server over a dedicated management network
Answers: C, E

Limiting log size prevents denial of service due to full disk.

Why this answer

Configuring a maximum log file size prevents syslog messages from filling up the disk, which could cause the system to crash or become unresponsive. This is a critical best practice in secure monitoring to ensure logging continues without exhausting storage resources.

Exam trap

Cisco often tests the misconception that changing default ports or using UDP provides security, when in fact these practices do not address real threats like interception or data loss.

2
MCQ · hard

You are a senior analyst in a SOC that monitors a large financial institution. The SIEM correlates events from firewalls, IDS, endpoints, and database servers. Over the past week, you have noticed multiple low-priority alerts from the IDS indicating 'ET SCAN NMAP -sS' scans from internal IP 10.0.0.50, which is a print server. The alerts occur at random times during business hours. The number of alerts has increased from 5 per day to 20 per day. The print server runs a standard OS and printer management software. No other alerts are triggered from that host. The firewall logs show outbound connections from the print server to IPs on the internet on port 443, which is abnormal for a print server. You check the printer management software and see no recent updates. The user of the print server, the IT administrator, reports no issues. What is your best course of action?

A. Increase the alert threshold to reduce noise and continue monitoring
B. Disable the printer service on the server and monitor for recurrence
C. Dismiss the alerts as false positives because print servers often perform network discovery
D. Isolate the print server from the network and conduct a forensic investigation
Answer: D

Isolation prevents further malicious activity, and forensic analysis can confirm compromise and identify the attack vector.

Why this answer

The print server at 10.0.0.50 is exhibiting multiple indicators of compromise: it is performing NMAP SYN scans (ET SCAN NMAP -sS) from an internal IP, and firewall logs show abnormal outbound HTTPS connections to internet IPs on port 443. These behaviors are inconsistent with a standard print server's role and suggest the host may be compromised, possibly acting as a pivot point for reconnaissance or command-and-control communication. Isolating the host and conducting a forensic investigation is the appropriate incident response step to contain the threat and determine the root cause before it can cause further damage.

Exam trap

Cisco often tests the candidate's ability to recognize that a combination of seemingly low-severity alerts (NMAP scans) and abnormal outbound traffic on a non-web server indicates a compromise, rather than dismissing them as false positives or tuning them out.

How to eliminate wrong answers

Option A is wrong because increasing the alert threshold would ignore potentially malicious activity, allowing a compromised host to continue scanning and exfiltrating data. Option B is wrong because disabling the printer service does not address the underlying compromise; the attacker could still use other services or persistence mechanisms on the server. Option C is wrong because print servers do not normally perform NMAP SYN scans or make outbound HTTPS connections to arbitrary internet IPs; dismissing these as false positives ignores clear signs of anomalous behavior.

3
Multi-Select · hard

Which TWO of the following are valid reasons to use a proxy server for security monitoring? (Choose two.)

A. To reduce network latency for monitored traffic
B. To provide a complete log of all network traffic for forensics
C. To inspect encrypted traffic by acting as a man-in-the-middle with SSL decryption
D. To enforce outbound access policies and block connections to known malicious destinations
E. To replace the need for endpoint anti-malware software
Answers: C, D

SSL decryption allows the proxy to see inside HTTPS traffic for malicious content.

Why this answer

Options C and D are correct. A proxy can decrypt SSL traffic for inspection (with proper consent) and filter outbound traffic to block malware C2. Option A is incorrect because proxies generally increase latency.

Option E is incorrect because anti-malware scanning is typically done on endpoints or at the gateway, not solely as a proxy function. Option B is incorrect because while proxies can log, they are not the only tool; specialized monitoring tools may be more effective.

4
MCQ · hard

You are a SOC analyst at a mid-sized company. The company uses a SIEM that ingests logs from firewalls, IDS, and endpoints. Over the past week, you've noticed a gradual increase in outbound traffic from several internal hosts to IP addresses in a foreign country during non-business hours. The traffic is primarily on port 443. The IDS has not generated any alerts. The firewall logs show the connections are established. You check the endpoints and find no unusual processes running. However, the outbound connections persist. What is the most likely explanation and the best next step?

A. Enable SSL decryption on the firewall to inspect the traffic content.
B. Assume the hosts are compromised and reimage them.
C. Ignore the traffic since the IDS and endpoints show no signs of compromise.
D. Immediately isolate all affected hosts from the network.
Answer: A

Provides visibility into encrypted traffic to confirm data exfiltration.

Why this answer

The gradual increase in outbound traffic on port 443 (HTTPS) to foreign IPs during non-business hours, without IDS alerts or suspicious processes, strongly suggests data exfiltration over encrypted channels. Since the traffic is encrypted, the IDS cannot inspect the payload, and endpoint checks may miss stealthy malware that uses legitimate processes (e.g., svchost.exe) for beaconing. Enabling SSL decryption on the firewall allows the SOC to decrypt and inspect the HTTPS traffic, revealing the actual content and confirming or ruling out exfiltration.

Exam trap

Cisco often tests the misconception that a lack of IDS alerts and endpoint anomalies means the network is clean, but the trap here is that encrypted traffic (port 443) can hide malicious activity from signature-based detection, requiring proactive decryption to uncover the threat.

How to eliminate wrong answers

Option B is wrong because reimaging hosts without first confirming compromise is premature and disruptive; the traffic could be legitimate (e.g., cloud backups) and reimaging would destroy forensic evidence. Option C is wrong because ignoring traffic solely because IDS and endpoints show no signs of compromise is a dangerous assumption—encrypted traffic can bypass IDS signatures, and malware can hide from endpoint scans (e.g., fileless or living-off-the-land techniques). Option D is wrong because immediately isolating all affected hosts is an overreaction without evidence of compromise; it would disrupt business operations and may not be necessary if the traffic is benign, and it prevents further investigation.

5
MCQ · easy

You are a security analyst at a medium-sized company. The company uses a SIEM that collects logs from firewalls, IDS/IPS, and endpoint detection and response (EDR) agents. You receive an alert that a user's workstation (IP 10.0.1.25) has been making outbound connections to an IP address (198.51.100.10) on port 4444 (commonly used by malware). The alert includes a SIEM correlation rule that triggered when three or more connections to that IP occurred within 5 minutes. You check the EDR logs and see that the workstation is running a process named 'svchost.exe' that is connecting to that IP. The process path is C:\Windows\system32\svchost.exe, which is legitimate. However, you notice that the process has a digital signature from 'Microsoft Corporation', but the signature date is from 2021. The workstation's operating system is Windows 10 22H2, fully patched as of last month. The user reports that they have been experiencing slow performance and occasional pop-ups. Which action should you take FIRST to investigate this potential compromise?

A. Perform a full system reimage of the workstation to ensure the malware is removed.
B. Use the EDR to list all DLLs loaded by svchost.exe and look for any suspicious DLLs that are not from Microsoft.
C. Immediately block the outbound connection to 198.51.100.10 at the firewall and isolate the workstation from the network.
D. Verify the digital signature of svchost.exe with Microsoft to ensure it has not been revoked.
Answer: B

This can detect DLL sideloading or injection, which is a common technique.

Why this answer

Option B is correct because the presence of a legitimate svchost.exe with a valid Microsoft signature does not rule out DLL sideloading or injection. By listing all DLLs loaded by the process, you can identify suspicious non-Microsoft DLLs that may be executing malicious code within the trusted svchost.exe context, which is a common technique used by malware to evade detection.

Exam trap

Cisco often tests the misconception that a valid digital signature on a process executable guarantees the process is clean, when in reality attackers frequently use signed Microsoft binaries as hosts for malicious code via injection or sideloading.

How to eliminate wrong answers

Option A is wrong because performing a full system reimage is a drastic, irreversible step that destroys forensic evidence and should only be taken after confirming compromise and preserving data. Option C is wrong because immediately blocking the connection and isolating the workstation may disrupt the investigation and alert the attacker; the first step should be to gather more evidence via EDR before taking containment actions. Option D is wrong because verifying the digital signature of svchost.exe is unnecessary—the signature is already valid and from Microsoft, but malware can still abuse a legitimate signed binary through DLL hijacking or process hollowing.

6
MCQ · hard

A SOC analyst is tuning an IPS rule that detects SQL injection attempts. The rule currently generates a high number of alerts, most of which are false positives caused by legitimate web application traffic containing SQL-like keywords. The analyst wants to reduce false positives without missing actual attacks. Which approach is most effective?

A. Implement a whitelist of known good SQL queries from the application.
B. Reduce the rule's sensitivity to only match exact attack patterns.
C. Disable the rule and rely on web application firewall logs.
D. Exclude all HTTP GET requests from inspection.
Answer: A

Whitelisting legitimate queries reduces false positives while keeping detection for other traffic.

Why this answer

Option A is correct because implementing a whitelist of known good SQL queries from the application allows the IPS to ignore benign traffic that matches SQL-like patterns, reducing false positives while still alerting on any SQL injection attempt that deviates from the whitelist. This approach leverages application-specific knowledge to distinguish legitimate queries from malicious ones, maintaining detection coverage for actual attacks.

Exam trap

The trap here is that candidates may think reducing sensitivity (Option B) is the best way to reduce false positives, but Cisco tests the understanding that whitelisting is a more precise method that preserves detection of varied attack patterns while eliminating noise from known benign traffic.

How to eliminate wrong answers

Option B is wrong because reducing the rule's sensitivity to only match exact attack patterns would likely cause the IPS to miss polymorphic or obfuscated SQL injection attempts that do not exactly match the predefined patterns, increasing false negatives. Option C is wrong because disabling the IPS rule and relying solely on web application firewall (WAF) logs removes the network-layer detection capability of the IPS, creating a security gap where SQL injection traffic that bypasses the WAF (e.g., due to misconfiguration or encoding differences) would go undetected. Option D is wrong because excluding all HTTP GET requests from inspection would allow SQL injection attacks delivered via GET parameters (a common vector) to pass through without any alerting, completely undermining the rule's purpose.

7
MCQ · easy

Refer to the exhibit. What type of activity does this log represent?

A. Man-in-the-middle attack.
B. Denial-of-service (DoS) attack.
C. Brute force SSH attack.
D. Port scan.
Answer: C

Repeated connections to port 22 from one source suggest SSH brute-force.

Why this answer

The log shows repeated SSH connection attempts with 'Failed password' messages from the same source IP (10.10.0.5) to the same destination IP (10.10.0.3) for user 'admin'. This pattern of multiple failed authentication attempts in a short time window is characteristic of a brute force SSH attack, where an attacker systematically tries different passwords to gain unauthorized access.

Exam trap

Cisco often tests the distinction between a brute force attack (repeated authentication attempts) and a port scan (probing multiple ports), so the trap here is that candidates see multiple connection attempts and mistakenly think it is a port scan rather than recognizing the SSH-specific 'Failed password' messages.

How to eliminate wrong answers

Option A is wrong because a man-in-the-middle attack would involve intercepting or altering communications between two parties, not repeated failed login attempts. Option B is wrong because a denial-of-service attack aims to overwhelm a service with traffic to make it unavailable, whereas this log shows targeted authentication failures without evidence of resource exhaustion. Option D is wrong because a port scan typically involves sending packets to multiple ports to discover open services, not repeated login attempts to a single service (SSH on port 22).
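As an added example that is not part of the question bank, the following Python detector applies the pattern described above to constructed auth-log lines: it counts 'Failed password' events per source and user inside a sliding window and escalates the finding when a success follows the burst. The log format, the threshold of 5 failures in 60 seconds and the year used for parsing are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Thresholds and the year are assumptions for this example (syslog lines carry no year).
FAIL_THRESHOLD = 5
WINDOW = timedelta(seconds=60)
YEAR = 2024

# Matches OpenSSH password results, including the 'invalid user' variant.
LINE_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d+)\s+(?P<time>\d\d:\d\d:\d\d)\s+\S+\s+sshd\[\d+\]:\s+"
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d+\.\d+\.\d+\.\d+) port \d+ ssh2"
)

# Constructed sample: the burst from 10.10.0.5 against 'admin' mirrors the question's log
# and is followed by a success; 10.10.0.7 is an ordinary user who mistyped a password once.
SAMPLE_LOG = """\
May  1 09:00:01 srv sshd[1201]: Failed password for admin from 10.10.0.5 port 51234 ssh2
May  1 09:00:03 srv sshd[1202]: Failed password for admin from 10.10.0.5 port 51235 ssh2
May  1 09:00:04 srv sshd[1203]: Failed password for admin from 10.10.0.5 port 51236 ssh2
May  1 09:00:06 srv sshd[1204]: Failed password for admin from 10.10.0.5 port 51237 ssh2
May  1 09:00:07 srv sshd[1205]: Failed password for admin from 10.10.0.5 port 51238 ssh2
May  1 09:00:09 srv sshd[1206]: Failed password for admin from 10.10.0.5 port 51239 ssh2
May  1 09:00:12 srv sshd[1207]: Accepted password for admin from 10.10.0.5 port 51240 ssh2
May  1 09:05:30 srv sshd[1310]: Failed password for alice from 10.10.0.7 port 40001 ssh2
May  1 09:05:41 srv sshd[1311]: Accepted password for alice from 10.10.0.7 port 40002 ssh2
May  1 09:10:00 srv sshd[1400]: Connection closed by 10.10.0.9 port 33333 [preauth]
"""


def parse_line(line):
    """Return (timestamp, result, user, src), or None for lines that are not auth results."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{YEAR} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["src"]


def detect(log_text):
    """One finding per (source, user) whose failures reach FAIL_THRESHOLD within WINDOW."""
    recent = defaultdict(deque)  # (src, user) -> timestamps of failures still inside WINDOW
    findings = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # e.g. '[preauth]' connection closes carry no auth result
        ts, result, user, src = parsed
        key = (src, user)
        q = recent[key]
        while q and ts - q[0] > WINDOW:  # drop failures that fell out of the window
            q.popleft()
        if result == "Failed":
            q.append(ts)
            if len(q) < FAIL_THRESHOLD:
                continue
            if key not in findings:
                findings[key] = {"src": src, "user": user, "first": q[0],
                                 "count": len(q), "severity": "brute-force"}
            else:
                findings[key]["count"] += 1
            findings[key]["last"] = ts
        elif key in findings and q:
            # A success while the failure burst is still inside the window: the password
            # was probably guessed, which is the finding an analyst must act on first.
            findings[key]["severity"] = "brute-force-then-success"
            findings[key]["success_at"] = ts
    return sorted(findings.values(), key=lambda f: (f["src"], f["user"]))


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f"{f['severity']}: {f['count']} failures for {f['user']} from {f['src']} "
              f"between {f['first'].time()} and {f['last'].time()}")
```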

8
MCQ · easy

An analyst is monitoring network traffic and notices a host sending ICMP echo requests to multiple hosts in the same subnet with a pattern of incrementing TTL values. What is the most likely purpose of this activity?

A. DNS resolution attempt.
B. Ping sweep to identify active hosts.
C. Denial of service attack against a specific host.
D. Traceroute to map the network topology.
Answer: D

Incrementing TTL is typical of traceroute.

Why this answer

The pattern of incrementing TTL values in ICMP echo requests is the hallmark of a traceroute operation. Traceroute works by sending packets with TTL=1, then TTL=2, etc., so each successive router along the path decrements the TTL to 0 and sends back an ICMP Time Exceeded message, revealing the hop-by-hop path. The target host responds with an ICMP Echo Reply when the TTL is high enough to reach it, confirming the final hop.

Exam trap

Cisco often tests the distinction between a ping sweep (fixed TTL, multiple destinations) and a traceroute (incrementing TTL, single destination), so the trap here is confusing the pattern of incrementing TTLs with a simple liveness scan.

How to eliminate wrong answers

Option A is wrong because DNS resolution uses queries to a DNS server (typically UDP port 53), not ICMP echo requests with incrementing TTLs. Option B is wrong because a ping sweep sends ICMP echo requests with a fixed TTL (usually 128 or 64) to multiple hosts to check liveness, not incrementing TTL values. Option C is wrong because a denial of service attack against a specific host would flood that single target with traffic, not send incrementing TTL probes to multiple hosts in the subnet.

9
MCQ · hard

A SOC analyst is tuning a correlation rule that detects DNS tunneling. The rule currently generates 500 alerts per day, but only 5% are true positives. Which tuning approach would best reduce false positives while maintaining detection efficacy?

A. Lower the entropy threshold for domain names from 3.5 to 2.0.
B. Disable the rule and rely on manual review of DNS logs.
C. Increase the observation time window from 1 hour to 24 hours.
D. Add a condition that the number of unique domains queried per source IP exceeds 10 per minute.
Answer: D

This threshold helps differentiate tunneling from normal DNS behavior.

Why this answer

Option D is correct because adding a threshold for domain query rate per IP reduces noise from normal high-volume DNS activity. Option C is wrong because increasing the time window may increase false positives. Option A is wrong because decreasing the entropy threshold may cause more false positives.

Option B is wrong because disabling the rule loses detection.

10
MCQ · medium

A security analyst is investigating an alert that indicates a host is sending a large number of DNS queries to an external domain. The analyst wants to determine if the traffic is malicious and if it is using a DNS tunnel. Which type of analysis should the analyst perform to confirm the presence of a DNS tunnel?

A. Analyze the payload size and query frequency of the DNS packets to detect anomalous patterns.
B. Check the volume of DNS traffic from the host to identify any increase over baseline.
C. Examine the source IP addresses of the DNS queries to see if they originate from multiple hosts.
D. Review the firewall logs to identify any blocked DNS queries to the external domain.
Answer: A

DNS tunneling typically uses large payloads and unusual query patterns.

Why this answer

Option A is correct because DNS tunneling typically involves encoding data within DNS queries or responses, resulting in abnormally large payload sizes and unusual query frequencies. By analyzing these specific packet attributes, an analyst can detect the anomalous patterns characteristic of a DNS tunnel, such as high query rates to a single domain or payloads exceeding standard DNS message sizes (e.g., >512 bytes for UDP). This direct inspection of DNS packet content is the most reliable method to confirm tunneling activity.

Exam trap

Cisco often tests the distinction between detecting a general anomaly (e.g., high traffic volume) and confirming a specific technique (e.g., DNS tunneling), where candidates mistakenly choose a broad indicator like traffic volume (Option B) instead of the packet-level analysis that directly reveals the tunneling mechanism.

How to eliminate wrong answers

Option B is wrong because simply checking the volume of DNS traffic against a baseline may indicate an anomaly but does not specifically confirm a DNS tunnel; legitimate applications (e.g., frequent updates) can also cause increased volume. Option C is wrong because examining source IP addresses to see if queries originate from multiple hosts is more relevant to identifying a distributed attack (e.g., DDoS) or a compromised network segment, not a single-host DNS tunnel. Option D is wrong because reviewing firewall logs for blocked queries only shows which queries were denied, not whether a tunnel exists; a DNS tunnel often uses allowed queries (e.g., to an external domain) and may not be blocked at all.

11
MCQ · hard

An analyst observes a sudden spike in DNS queries from an internal host to a random subdomain of a legitimate domain (e.g., randomstring.google.com). This behavior is consistent with which technique?

A. DNS tunneling for data exfiltration.
B. HTTP beaconing to a C2 server.
C. DNS amplification attack.
D. Port scanning using DNS.
Answer: A

Uses DNS queries to covertly send data.

Why this answer

The sudden spike in DNS queries to random subdomains of a legitimate domain (e.g., randomstring.google.com) is a classic indicator of DNS tunneling. This technique encodes data into DNS query names and exfiltrates it through the DNS protocol, bypassing network security controls that allow DNS traffic.

Exam trap

Cisco often tests the distinction between DNS tunneling (data exfiltration) and DNS amplification (DDoS attack), so candidates may confuse the high volume of queries in tunneling with the reflection/amplification mechanism of a DDoS attack.

How to eliminate wrong answers

Option B is wrong because HTTP beaconing involves periodic HTTP requests to a C2 server, not a burst of DNS queries to random subdomains. Option C is wrong because a DNS amplification attack uses open resolvers to flood a victim with large DNS responses, not queries from an internal host to a legitimate domain. Option D is wrong because port scanning using DNS would involve querying DNS for SRV or other records to map services, not random subdomain queries for data exfiltration.
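As an added example that is not part of the question bank, the following Python code turns the indicators from questions 9 through 11 into a small detector run over constructed resolver log lines: subdomain label entropy, query-name length, and the number of unique names per source IP per minute, with the entropy-only rule shown beside the tuned rule so the false-positive reduction is visible. The log format and the 64-character name limit are assumptions; the 3.5-bit and 10-per-minute thresholds come from question 9.

```python
import math
from collections import defaultdict
from datetime import datetime, timedelta

# 3.5 bits and 10 unique names per minute are the values from question 9; the
# 64-character query-name limit is an assumption for this example.
ENTROPY_THRESHOLD = 3.5
UNIQUE_PER_MINUTE = 10
MAX_QNAME_LEN = 64
WINDOW = timedelta(minutes=1)

ALPHABET = "abcdefghijklmnopqrstuvwxyz234567"  # base32 alphabet: 32 distinct symbols


def shannon_entropy(s):
    """Bits per character of s; 0.0 for an empty or single-symbol string."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def tunnel_label(i):
    """Constructed high-entropy label: rotation i of ALPHABET (entropy exactly 5.0 bits)."""
    k = i % len(ALPHABET)
    return ALPHABET[k:] + ALPHABET[:k]


def build_sample_log():
    """Constructed resolver log lines: '<ISO timestamp> <src_ip> <qname> <qtype>'."""
    t0 = datetime(2024, 5, 1, 9, 0, 0)
    lines = []
    # 10.0.1.25: chatty but benign, 40 queries in a minute to the same three names.
    for i in range(40):
        name = ("www.example.com", "mail.example.com", "cdn.example.com")[i % 3]
        lines.append(f"{(t0 + timedelta(seconds=i)).isoformat()} 10.0.1.25 {name} A")
    # 10.0.1.30: a CDN-style hashed hostname, high entropy but only one unique name.
    for i in range(20):
        t = t0 + timedelta(seconds=3 * i)
        lines.append(f"{t.isoformat()} 10.0.1.30 d1a2b3c4e5f6g7h8.cloudfront.example.net A")
    # 10.1.2.10: 15 distinct random-looking subdomains of one domain within 30 seconds.
    for i in range(15):
        name = f"{tunnel_label(i)}.{tunnel_label(i + 7)}.badstuff.example.com"
        lines.append(f"{(t0 + timedelta(seconds=2 * i)).isoformat()} 10.1.2.10 {name} TXT")
    return lines


def parse(line):
    ts, src, qname, qtype = line.split()
    return datetime.fromisoformat(ts), src, qname.lower().rstrip("."), qtype


def subdomain_labels(qname, registered_labels=2):
    """Labels left of the registered domain (assumes a two-label registered domain)."""
    labels = qname.split(".")
    return labels[:-registered_labels] if len(labels) > registered_labels else []


def summarize(lines):
    """Per source IP: max label entropy, longest query name, most unique names in any WINDOW."""
    per_src = defaultdict(list)
    for line in lines:
        ts, src, qname, _ = parse(line)
        per_src[src].append((ts, qname))
    summary = {}
    for src, events in per_src.items():
        events.sort()
        max_unique = 0
        for i, (start, _) in enumerate(events):  # sliding window anchored at each query
            names = {q for ts, q in events[i:] if ts < start + WINDOW}
            max_unique = max(max_unique, len(names))
        summary[src] = {
            "max_entropy": max((shannon_entropy(label) for _, q in events
                                for label in subdomain_labels(q)), default=0.0),
            "max_qname_len": max(len(q) for _, q in events),
            "max_unique_per_minute": max_unique,
        }
    return summary


def entropy_only(summary):
    """The untuned rule: label entropy alone, which is the noisy rule of question 9."""
    return sorted(s for s, v in summary.items() if v["max_entropy"] > ENTROPY_THRESHOLD)


def flagged(summary):
    """Tuned rule (question 9, option D): high entropy AND a burst of unique names per source."""
    return sorted(s for s, v in summary.items()
                  if v["max_entropy"] > ENTROPY_THRESHOLD
                  and v["max_unique_per_minute"] > UNIQUE_PER_MINUTE)


if __name__ == "__main__":
    s = summarize(build_sample_log())
    for src, v in sorted(s.items()):
        note = " (query names longer than %d chars)" % MAX_QNAME_LEN if v["max_qname_len"] > MAX_QNAME_LEN else ""
        print(src, v, note)
    print("entropy-only rule fires on:", entropy_only(s))
    print("tuned rule fires on:", flagged(s))
```

Run as a script it shows the CDN host 10.0.1.30 tripping the entropy-only rule but not the tuned rule, while the chatty-but-benign host never trips either.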

12
MCQ · easy

A network administrator has configured a SPAN port to send traffic to an intrusion detection system (IDS). However, the IDS is not seeing traffic from a specific VLAN. What is the most likely cause?

A. The SPAN source does not include that VLAN.
B. The IDS interface is set to promiscuous mode.
C. The SPAN destination port is in trunk mode.
D. The IDS is in inline mode.
Answer: A

If the VLAN is not in the SPAN source list, its traffic is not monitored.

Why this answer

A SPAN (Switched Port Analyzer) port copies traffic from specified source interfaces or VLANs to a destination port. If the IDS is not seeing traffic from a specific VLAN, the most likely cause is that the SPAN configuration does not include that VLAN as a source. The administrator must explicitly specify the VLAN(s) to monitor using the `monitor session` command with the `vlan` keyword; otherwise, traffic from that VLAN will not be forwarded to the IDS.

Exam trap

Cisco often tests the misconception that SPAN automatically mirrors all VLANs on a trunk port, when in fact the administrator must explicitly specify which VLANs to monitor using the `vlan` keyword in the SPAN configuration.

How to eliminate wrong answers

Option B is wrong because setting the IDS interface to promiscuous mode is a requirement for the IDS to receive all packets on a SPAN destination, not a cause of missing VLAN traffic. Option C is wrong because the SPAN destination port being in trunk mode is irrelevant; SPAN destination ports are typically access ports or configured as trunk only if needed for encapsulation, but trunk mode does not prevent traffic from a specific VLAN from being seen. Option D is wrong because if the IDS were in inline mode, it would be placed directly in the traffic path and would inherently see all VLAN traffic; the problem described is about a SPAN-based (out-of-band) deployment, so inline mode is not applicable.

13
MCQ · easy

A network administrator is using Cisco ISE to monitor endpoint authentication. Which report provides details on failed authentication attempts and the reasons?

A. RADIUS Authentication Report
B. Endpoint Profiler Report
C. RADIUS Accounting Report
D. Active Session Report
Answer: A

This report includes details of authentication attempts and failure reasons.

Why this answer

The RADIUS Authentication Report in Cisco ISE specifically logs all authentication attempts, including failures, and provides detailed reasons for each failure (e.g., invalid credentials, user not found, or authorization policy mismatch). This report is the primary tool for troubleshooting failed authentications because it captures the RADIUS Access-Reject messages and the corresponding failure reasons from the ISE policy evaluation.

Exam trap

Cisco often tests the distinction between RADIUS Authentication (which captures failures and reasons) and RADIUS Accounting (which tracks session usage), leading candidates to mistakenly choose the Accounting report when asked about failed authentications.

How to eliminate wrong answers

Option B is wrong because the Endpoint Profiler Report focuses on endpoint classification and profiling (e.g., OS, device type) based on probe data, not on authentication success or failure details. Option C is wrong because the RADIUS Accounting Report tracks session start, stop, and interim updates (e.g., traffic usage, session duration), not authentication failures or their reasons. Option D is wrong because the Active Session Report shows currently active authenticated sessions, not historical failed attempts or the reasons for those failures.

14
MCQ · easy

An organization wants to ensure that security logs are tamper-proof and available for forensic analysis. Which logging best practice should be implemented?

A. Retain logs for only 30 days to reduce storage costs
B. Forward logs to a centralized, hardened log server with access controls
C. Encrypt logs before sending them to a remote server
D. Store logs locally on each device with read-only permissions
Answer: B

Centralization and access controls improve security and forensics.

Why this answer

Option B is correct because sending logs to a centralized, hardened log server with restricted access is the best practice. Option D is wrong because storing logs locally makes them vulnerable. Option C is wrong because encryption alone doesn't prevent tampering.

Option A is wrong because short retention periods hinder forensics.

15
MCQ · easy

You are a SOC analyst for a school district. The district uses a Cisco Firepower NGFW for traffic inspection and a SIEM for log aggregation. A teacher reports that her workstation is slow and unresponsive. You check the SIEM and see that the workstation (IP 10.1.2.10) has been generating thousands of DNS queries to a domain 'badstuff.example.com' over the past hour. The firewall logs show that the workstation also made many outbound connections to IP 203.0.113.50 on port 80. The DNS queries are for various random subdomains of 'badstuff.example.com'. The school's web filter has no policy for this domain. The user is not technical and cannot explain the behavior. What is the most likely cause and the appropriate first action?

A. Run a full antivirus scan on the workstation
B. Isolate the workstation from the network and add the domain to the block list
C. Update the web filter to block the domain and continue monitoring
D. Ignore the alert because DNS tunneling is not a real threat
Answer: B

Isolation stops the DNS tunneling immediately; blocking the domain prevents future connections.

Why this answer

The workstation is generating thousands of DNS queries for random subdomains of 'badstuff.example.com' and making outbound connections to IP 203.0.113.50 on port 80. This behavior is classic DNS tunneling, where an infected host encodes data in DNS queries to bypass security controls. Isolating the workstation stops the immediate threat and data exfiltration, while adding the domain to the block list prevents further communication from other hosts.

A full antivirus scan is insufficient because DNS tunneling malware often evades signature-based detection and requires network containment first.

Exam trap

Cisco often tests the principle that containment (isolation) is the first priority in an active compromise, not remediation (scanning) or policy updates, and that DNS tunneling is a real exfiltration technique, not a false positive.

How to eliminate wrong answers

Option A is wrong because running a full antivirus scan is a reactive step that does not stop ongoing data exfiltration; the malware may be unknown to signature databases, and the immediate priority is network containment. Option C is wrong because updating the web filter to block the domain does not address the already-compromised workstation that is actively tunneling data; the host must be isolated to prevent further damage. Option D is wrong because DNS tunneling is a well-documented exfiltration technique (e.g., using TXT or A record queries) and ignoring it could lead to significant data loss; it is a real threat, especially when combined with outbound HTTP connections to a suspicious IP.

16
MCQ · medium

You are an analyst in a SOC that monitors a retail company with multiple branch offices. The company uses VPN connections between branches. The SIEM reports that a branch office router (IP 10.99.0.1) has been sending large amounts of data to an external IP 185.220.101.10 on port 123 (NTP) during off-hours. The NTP traffic is abnormal because the branch uses a local time server. The amount of data sent is 2 GB over 8 hours. The router logs show normal administrative traffic. The branch manager reports no issues. You check threat intelligence and find that 185.220.101.10 is a known malicious IP associated with data exfiltration. What should be your immediate response?

A. Disable NTP service on the branch router
B. Notify the CISO and wait for further instructions
C. Block the external IP 185.220.101.10 on the firewall and initiate incident response for the router
D. Contact the branch manager to confirm if any scheduled backups are running
Answer: C

Blocking the IP stops the exfiltration, and investigating the router determines if it is compromised.

Why this answer

Option C is correct because the branch router is sending 2 GB of NTP traffic to a known malicious IP (185.220.101.10) during off-hours, which is a strong indicator of data exfiltration using NTP (often via tunneling or covert channels). The immediate response should be to block the external IP on the firewall to stop the data flow and initiate incident response to investigate the compromised router, as the traffic is abnormal (branch uses a local time server) and the IP is associated with exfiltration.

Exam trap

Cisco often tests the candidate's ability to prioritize immediate containment (blocking the malicious IP) over administrative or investigative delays, and the trap here is that candidates may choose to disable the service (Option A) without realizing that the exfiltration is already in progress and must be stopped at the network level first.

How to eliminate wrong answers

Option A is wrong because disabling NTP service on the branch router would not stop the ongoing exfiltration (the traffic is already being sent to the malicious IP) and could disrupt legitimate time synchronization if the local time server fails; the priority is to block the external communication. Option B is wrong because notifying the CISO and waiting for further instructions delays the immediate containment action required to stop data exfiltration, violating the SOC's duty to mitigate active threats. Option D is wrong because contacting the branch manager to confirm scheduled backups is irrelevant—backups would not use NTP port 123 to send 2 GB of data to a known malicious IP, and this action wastes time during an active security incident.

17
Multi-Select · easy

Which two are best practices for deploying network-based intrusion detection systems? (Choose two.)

A. Place sensors behind firewalls to reduce false positives.
B. Enable all signatures to maximize detection.
C. Use tap or SPAN ports to ensure traffic visibility.
D. Use inline mode for all sensors to enable blocking.
E. Deploy sensors at network choke points.
Answers: C, E

Passive monitoring avoids impacting network performance.

Why this answer

Options C and E are correct. Deploying sensors at network choke points ensures visibility of all traffic, and using tap or SPAN ports allows passive monitoring without introducing latency or failure points. Option A is not a best practice because placing sensors behind firewalls may miss attacks that never reach the firewall.

Option D is not always appropriate as inline mode can introduce latency and is not required for detection. Option B would generate excessive false positives.

18
MCQmedium

You are a cybersecurity analyst in a SOC. The company uses a combination of Snort NIDS and Windows Event Log monitoring. At 3:00 PM, you receive a critical alert: 'ET TROJAN Observed Malicious SSL Certificate (Fake Google)'. The alert shows that a workstation (IP 10.0.1.45) initiated an SSL connection to IP 192.0.2.10 on port 443. The certificate presented by the server is self-signed and claims to be 'google.com'. The destination IP is not in any known Google IP range. You check the firewall logs and see that the outbound connection was allowed. The workstation's host logs show that the user is a marketing employee who frequently accesses webmail. The user reports no unusual behavior. You also check the company's web proxy logs and see that the user accessed 'http://www.google.com' earlier today, but the SSL connection is to a different IP. What should be your next step?

A. Ignore the alert because the user is unaware of any issue
B. Isolate the workstation from the network and perform a forensic analysis
C. Wait and monitor the workstation for further alerts before taking action
D. Block the destination IP 192.0.2.10 on the firewall
Answer: B

Isolating the workstation prevents further damage, and forensic analysis can determine the root cause and scope of compromise.

Why this answer

The alert indicates a potential man-in-the-middle (MITM) attack or malware using a self-signed SSL certificate impersonating google.com. Isolating the workstation is critical to prevent lateral movement or data exfiltration while preserving evidence for forensic analysis. The combination of Snort NIDS detecting the malicious certificate and the connection to an unknown IP (192.0.2.10) strongly suggests compromise, regardless of user reports.

Exam trap

Cisco often tests the principle that user reports of 'no unusual behavior' are unreliable in incident response, and that immediate containment (isolation) takes precedence over monitoring or partial blocking.

How to eliminate wrong answers

Option A is wrong because ignoring the alert based solely on user denial is a security risk; users are often unaware of silent compromise (e.g., malware or MITM). Option C is wrong because waiting for further alerts could allow the attacker to exfiltrate data or pivot to other hosts; immediate containment is required. Option D is wrong because blocking the destination IP alone does not address the potential compromise of the workstation; the attacker could use other IPs or the malware may already be active locally.

19
MCQ · hard

A security analyst for a medium-sized enterprise is monitoring the network using Cisco Stealthwatch. They notice a sudden spike in traffic originating from an internal host (IP 10.10.10.50) communicating with multiple external IP addresses on port 445 (SMB). The host is a Windows server that typically serves web applications on ports 80 and 443. The analyst checks the host's firewall logs and finds that Windows Firewall is disabled. The host's antivirus is up to date and no alerts were triggered. The traffic pattern shows multiple connection attempts to /24 subnets across the internet, each with a single packet per destination. Based on this behavior, what is the most likely issue?

A. The host is infected with malware that is performing network reconnaissance.
B. The host is part of a distributed vulnerability scanning initiative.
C. The host is being used for a DDoS amplification attack.
D. The host is legitimately scanning the internet for outdated SMB shares.
Answer: A

The pattern matches malware scanning for SMB vulnerabilities (e.g., EternalBlue).

Why this answer

The traffic pattern—multiple connection attempts to /24 subnets across the internet, each with a single packet per destination—is classic behavior for network reconnaissance, specifically scanning for open SMB ports. The host's Windows Firewall being disabled and the lack of antivirus alerts indicate that the host is likely compromised and running malware that is performing this reconnaissance, as legitimate scanning or DDoS amplification would not exhibit this single-packet-per-destination pattern.

Exam trap

Cisco often tests the distinction between reconnaissance (scanning) and attack (exploitation/DDoS). Candidates may confuse the single-packet scanning pattern with DDoS amplification or legitimate scanning; the key is the lack of handshake completion combined with the disabled firewall, which together indicate compromise.

How to eliminate wrong answers

Option B is wrong because a distributed vulnerability scanning initiative would typically be coordinated and authorized, with consistent scanning patterns and proper logging, not originating from a single host with a disabled firewall and no alerts. Option C is wrong because a DDoS amplification attack would involve sending small queries to reflectors that then send large responses to a victim, not the host itself making single-packet connections to multiple destinations on port 445. Option D is wrong because legitimate scanning of the internet for outdated SMB shares would be authorized and would not occur from a web server with a disabled firewall and no antivirus alerts; such activity is almost always malicious.

20
Multi-Select · medium

Which TWO of the following are best practices when configuring a SIEM for security monitoring?

Select 2 answers
A. Tune rules to reduce false positives.
B. Disable logging for low-security systems.
C. Prioritize alerts based on risk.
D. Use the same log source for all event types.
E. Enable all default correlation rules.
Answers: A, C

Tuning improves alert accuracy and reduces noise.

Why this answer

Tuning SIEM rules to reduce false positives is a best practice because it improves the signal-to-noise ratio, ensuring that security analysts focus on genuine threats rather than being overwhelmed by irrelevant alerts. By adjusting thresholds, whitelisting known benign activity, or refining correlation logic, the SIEM becomes more efficient and reduces alert fatigue, which is critical for effective security monitoring.

Exam trap

Cisco often tests the misconception that more logging or more rules always equals better security, when in fact untuned defaults and excessive logging degrade monitoring effectiveness and increase operational burden.

21
MCQ · medium

A security analyst is reviewing logs from multiple network devices and notices that a large number of ICMP echo requests with a payload size of 65507 bytes are being sent to a single server from various external IP addresses. The server is becoming unresponsive. Which type of attack is most likely occurring?

A. Ping of death
B. SYN flood
C. Smurf attack
D. ICMP flood
Answer: D

An ICMP flood sends a high volume of ICMP echo request packets to overwhelm the target's resources, matching the description of many large ping packets from multiple sources.

Why this answer

D is correct because an ICMP flood attack involves overwhelming a target with a high volume of ICMP echo request packets, consuming bandwidth and processing resources. The large payload size (65507 bytes) is a characteristic of a crafted ICMP packet, but the key indicator here is the sheer volume from multiple sources causing the server to become unresponsive, which aligns with a volumetric ICMP flood rather than a single malformed packet.

Exam trap

Cisco often tests the distinction between a Ping of Death (single malformed packet) and an ICMP flood (high volume of normal or large packets), where candidates mistakenly choose 'Ping of Death' because they see the large payload size, but the key is the volume and the fact that 65507 bytes is within the legal limit for a single packet.

How to eliminate wrong answers

Option A is wrong because a Ping of Death attack exploits a single malformed ICMP packet that exceeds the maximum IP packet size (65535 bytes), causing a buffer overflow; the question describes many packets with a payload of 65507 bytes (which is within the total IP packet limit when headers are included), not a single oversized packet. Option B is wrong because a SYN flood targets the TCP three-way handshake by sending numerous SYN packets without completing the handshake, exhausting the server's connection queue; ICMP echo requests are not part of TCP. Option C is wrong because a Smurf attack uses ICMP echo requests sent to a network's broadcast address with a spoofed source IP of the victim, causing all hosts on the network to reply to the victim; the question states the requests are sent directly to a single server from various external IPs, not to a broadcast address.

22
MCQ · hard

A SOC team is implementing a security monitoring solution for a cloud-based infrastructure. Which of the following is the most important consideration for effective monitoring?

A. Centralized logging from all cloud services and on-premises.
B. Encrypting all logs at rest.
C. Reducing log retention to save cost.
D. Using only native cloud monitoring tools.
Answer: A

Centralized logging enables correlation and consistent analysis across the infrastructure.

Why this answer

Centralized logging is the most important consideration because it provides a single, unified view of security events across all cloud services and on-premises infrastructure. Without aggregation, the SOC cannot correlate events, detect distributed attacks, or perform effective threat hunting. This aligns with the principle of 'visibility first' in security monitoring.

Exam trap

Cisco often tests the misconception that encryption or cost-saving measures are the top priority in monitoring, when in fact the foundational requirement is complete visibility through centralized logging.

How to eliminate wrong answers

Option B is wrong because encrypting logs at rest protects confidentiality but does not address the core requirement of visibility and correlation; encryption is a secondary control, not the primary monitoring consideration. Option C is wrong because reducing log retention to save cost directly undermines forensic analysis and compliance requirements; logs must be retained long enough to support incident investigation and meet regulatory mandates. Option D is wrong because using only native cloud monitoring tools creates silos and blind spots; a hybrid environment requires a centralized solution that aggregates logs from multiple sources, including third-party and on-premises tools.

23
MCQ · medium

An organization uses both network-based intrusion detection (NIDS) and host-based intrusion detection (HIDS). A HIDS alert reports that a critical server's registry key was modified. The NIDS shows no corresponding network activity. The change occurred during a scheduled maintenance window. What is the best course of action for the analyst?

A. Ignore the alert because it occurred during maintenance
B. Check the change management system to see if the modification was authorized
C. Escalate the alert as a potential security incident
D. Immediately revert the registry change
Answer: B

Scheduled maintenance windows often involve authorized changes; verifying with change management is the logical first step.

Why this answer

Option B is correct because the registry modification occurred during a scheduled maintenance window, which is a legitimate time for authorized changes. The analyst should first verify the change management system to confirm whether the modification was planned and approved, as this aligns with standard change control processes. The absence of NIDS alerts further suggests the change was likely local and non-malicious, but confirmation via change management is essential before taking any action.

Exam trap

Cisco often tests the concept that maintenance windows do not automatically validate all changes; candidates must remember to verify against change management records rather than assuming safety or immediately escalating.

How to eliminate wrong answers

Option A is wrong because ignoring the alert solely because it occurred during maintenance is a dangerous assumption; maintenance windows can be exploited by attackers, and the alert must be verified against authorized changes. Option C is wrong because escalating immediately as a potential security incident without first checking the change management system could waste resources and cause unnecessary alarm, especially since the NIDS showed no corresponding network activity. Option D is wrong because immediately reverting the registry change could disrupt legitimate maintenance work and potentially cause system instability; the change should only be reverted after confirming it was unauthorized.

24
Multi-Select · medium

Which THREE of the following are key elements of a security monitoring and analysis strategy? (Choose three.)

Select 3 answers
A. Establishing a feedback loop for continuous improvement
B. Focusing only on network-based monitoring to reduce complexity
C. Regularly tuning detection mechanisms to reduce false positives
D. Automating all incident response decisions to eliminate human error
E. Centralized log management and correlation across multiple sources
Answers: A, C, E

Continuous improvement adapts the monitoring to new threats and changing environments.

Why this answer

Establishing a feedback loop for continuous improvement (A) is a key element because security monitoring is not a static process; it requires iterative refinement based on lessons learned from incidents, false positives, and changes in the threat landscape. This loop ensures that detection rules, response playbooks, and monitoring configurations evolve to maintain effectiveness against new attack vectors and reduce noise over time.

Exam trap

Cisco often tests the misconception that security monitoring can be purely network-focused or fully automated, but the correct approach requires a balanced, multi-source strategy with human oversight and continuous tuning.

25
MCQ · easy

You are a security analyst at a mid-sized company. The company uses a SIEM to collect logs from firewalls, IDS, and servers. Recently, the SIEM generated an alert for a potential brute-force attack against the company's VPN server. The alert is based on a correlation rule that triggers when more than 30 failed authentication attempts from a single source IP occur within 10 minutes. You investigate and see that the source IP is 203.0.113.50, which is a known IP address of a partner company that uses the VPN for remote access. The failed attempts are all from the same username 'john.doe'. You also notice that the attempts are happening every 5 seconds, exactly 6 attempts per minute. The partner company has a policy that locks accounts after 3 failed attempts. Based on this scenario, what is the most likely cause of the alert?

A. The user 'john.doe' has forgotten his password and is repeatedly trying to log in.
B. A script or automated process at the partner site is misconfigured and repeatedly trying to authenticate with an incorrect password.
C. A man-in-the-middle attack is replaying captured authentication packets.
D. The partner's account 'john.doe' has been compromised and an attacker is attempting to gain access.
Answer: B

The exact timing and same username point to a script; the lockout policy would lock the account after 3 attempts, but the script may be retrying from the same source, causing the SIEM alert before the lockout.

Why this answer

The alert is triggered by a correlation rule that detects more than 30 failed authentication attempts from a single source IP within 10 minutes. The observed pattern—exactly 6 attempts per minute, every 5 seconds—is highly regular and mechanical, which is characteristic of an automated script or misconfigured process, not human behavior. Since the partner company locks accounts after 3 failed attempts, a human user would be locked out quickly and could not sustain 30+ attempts; only a script ignoring the lockout policy or using a cached incorrect password could produce this pattern.

Exam trap

Cisco often tests the distinction between human behavior and automated patterns by including precise timing data; the trap here is that candidates focus on the source IP being a 'known partner' and assume compromise or user error, ignoring the mechanical regularity that points to a script.

How to eliminate wrong answers

Option A is wrong because a human user forgetting their password would not produce exactly 6 attempts per minute at precise 5-second intervals; human behavior is irregular and would stop after the account is locked (3 failed attempts). Option C is wrong because a man-in-the-middle attack replaying captured authentication packets would not cause repeated failed attempts from a single source IP with the same username; replay attacks typically cause successful authentications or session hijacking, not a steady stream of failures. Option D is wrong because if the account were compromised, an attacker would likely use a password spraying or credential stuffing tool with multiple usernames or random timing, not a fixed 5-second interval with the same username; the regular pattern suggests a misconfigured script, not an active attacker.
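As an added illustration (not part of the question bank), here is the correlation rule above applied in Python to constructed VPN failure lines, followed by a cadence check that separates a fixed-interval script from a person. The log line layout, IPs, usernames and the 10-second cadence (6 per minute) are assumptions for the sample; the 30-failure/10-minute threshold is the one stated in the question.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Assumed syslog-style layout for the constructed sample (not a real VPN
# concentrator format): "<ISO timestamp> VPN auth FAILED user=<user> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) VPN auth FAILED user=(?P<user>\S+) src=(?P<src>\S+)$")

THRESHOLD = 30                     # failures that trip the correlation rule
WINDOW = timedelta(minutes=10)     # sliding window from the question


def parse_line(line):
    """Return (timestamp, user, src) for a failure line, or None otherwise."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["user"], m["src"]


def correlate(lines, threshold=THRESHOLD, window=WINDOW):
    """Fire when more than `threshold` failures from one source IP fall
    inside any `window`. Returns {src: timestamp of the tripping failure}."""
    recent = defaultdict(deque)    # src -> failure timestamps still in window
    tripped = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, _user, src = parsed
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:  # age out failures older than the window
            q.popleft()
        if len(q) > threshold and src not in tripped:
            tripped[src] = ts
    return tripped


def cadence(lines, src):
    """Mean gap in seconds between consecutive failures from `src` and the
    coefficient of variation of those gaps (0 means a perfectly fixed cadence)."""
    stamps = [p[0] for p in map(parse_line, lines) if p and p[2] == src]
    gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
    if len(gaps) < 2:
        return None, None
    avg = mean(gaps)
    return avg, (pstdev(gaps) / avg if avg else float("inf"))


def classify(lines, src, max_cv=0.1):
    """'automated' when the gaps are nearly constant, otherwise 'irregular'."""
    _avg, cv = cadence(lines, src)
    if cv is None:
        return "insufficient data"
    return "automated" if cv <= max_cv else "irregular"


def make_failures(start, offsets_s, user, src):
    """Build constructed failure lines at the given second offsets."""
    return [f"{(start + timedelta(seconds=o)).isoformat()} VPN auth FAILED "
            f"user={user} src={src}" for o in offsets_s]


START = datetime(2024, 1, 15, 9, 0, 0)   # constructed date
# Partner-site script: one attempt every 10 s (6 per minute) for 10 minutes.
SCRIPT = make_failures(START, range(0, 600, 10), "john.doe", "203.0.113.50")
# A person mistyping a password a few times, then stopping.
HUMAN = make_failures(START, [0, 12, 41, 75], "alice", "198.51.100.7")
SAMPLE = sorted(SCRIPT + HUMAN)          # ISO timestamps sort chronologically


def analyse(lines=SAMPLE):
    """Run the rule, then label every tripped source by its cadence."""
    return {src: (ts, classify(lines, src))
            for src, ts in correlate(lines).items()}


if __name__ == "__main__":
    for src, (ts, label) in analyse().items():
        print(f"{ts.isoformat()} rule tripped by {src}: {label}")
```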

26
MCQ · medium

During an incident, an analyst needs to determine if a specific user account 'jsmith' was used from a remote IP during a breach window. Which log sources should the analyst check first?

A. NetFlow records from the core switch.
B. VPN concentrator logs.
C. File server audit logs.
D. Windows Security Event Logs (Event ID 4624, 4625).
Answer: D

Contains logon events with username and source IP.

Why this answer

Windows Security Event Logs with Event ID 4624 (successful logon) and 4625 (failed logon) are the authoritative source for interactive and remote logon events on a Windows system. They record the target user account (jsmith), the source IP address of the remote connection, and the timestamp, making them the direct and most reliable log source to determine if a specific user account was used from a remote IP during a breach window.

Exam trap

Cisco often tests the misconception that NetFlow or VPN logs can identify user-level authentication details, when in fact only Windows Security Event Logs (or equivalent OS authentication logs) contain the specific user account and source IP for a logon event.

How to eliminate wrong answers

Option A is wrong because NetFlow records provide metadata about network flows (IP addresses, ports, protocols, and byte counts) but do not log user account names or authentication events, so they cannot identify which user account was used. Option B is wrong because VPN concentrator logs show when a user establishes a VPN tunnel and the assigned IP, but they do not log individual authentication attempts to a specific Windows workstation or server, and the remote IP seen in the VPN logs is the VPN client's external IP, not the internal IP of the machine where the logon occurred. Option C is wrong because file server audit logs track access to files and folders (e.g., reads, writes, deletes) but do not record interactive or remote logon events for a specific user account on a different system; they only show file-level operations after authentication has already occurred.

27
MCQ · medium

Based on the Cisco ASA syslog message, what does this event indicate?

A. A DNS response from an external server to an internal client was allowed.
B. An inbound UDP packet from an external source to an internal destination was denied.
C. The access-group "OUTSIDE_IN" is misconfigured.
D. An outbound UDP connection was denied.
Answer: B

The syslog clearly states 'Deny udp src outside:... dst inside:...'.

Why this answer

The syslog message indicates that an inbound UDP packet from an external source to an internal destination was denied by the Cisco ASA. The message includes the source and destination IP addresses and ports, and the action is 'denied' due to the access-group 'OUTSIDE_IN' applied to the outside interface. This matches option B, which correctly identifies the denied inbound UDP traffic.

Exam trap

Cisco often tests the ability to distinguish inbound from outbound traffic using the source and destination interfaces and IPs in a syslog message; candidates misread the direction when they rely on the access-group name rather than on the src/dst fields.

How to eliminate wrong answers

Option A is wrong because the event is a denial, not an allowance, and it involves UDP, not DNS specifically (though DNS uses UDP, the message does not indicate a response). Option C is wrong because the access-group 'OUTSIDE_IN' is correctly referenced in the syslog message; there is no evidence of misconfiguration—the denial is the expected behavior based on the ACL. Option D is wrong because the traffic is inbound (from external to internal), not outbound; the syslog shows source as external and destination as internal.
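The syslog message this question refers to is not reproduced on the page, so here is an added Python parser (not from the question bank) run over constructed ASA messages in the standard %ASA-4-106023 Deny layout and the related 106100 access-list hit layout; it derives direction from the interface names the way the explanation does. The interface names, addresses and ACL names are constructed, and treating only the `outside` nameif as external is an assumption.

```python
import re

# %ASA-4-106023 layout (TCP/UDP form; the ICMP form carries no ports and is
# not handled here):
# Deny <proto> src <if>:<ip>/<port> dst <if>:<ip>/<port> by access-group "<acl>"
DENY_106023 = re.compile(
    r'%ASA-\d-106023: Deny (?P<proto>\w+) '
    r'src (?P<src_if>[\w-]+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) '
    r'dst (?P<dst_if>[\w-]+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) '
    r'by access-group "(?P<acl>[^"]+)"')

# %ASA-6-106100 layout, the per-ACE hit message that also records permits:
# access-list <acl> permitted|denied <proto> <if>/<ip>(<port>) -> <if>/<ip>(<port>) hit-cnt ...
ACL_106100 = re.compile(
    r'%ASA-\d-106100: access-list (?P<acl>\S+) '
    r'(?P<action>permitted|denied|est-allowed) (?P<proto>\w+) '
    r'(?P<src_if>[\w-]+)/(?P<src_ip>[\d.]+)\((?P<src_port>\d+)\) -> '
    r'(?P<dst_if>[\w-]+)/(?P<dst_ip>[\d.]+)\((?P<dst_port>\d+)\)')

# Assumption: the internet-facing nameif is "outside"; everything else is internal.
EXTERNAL_IFACES = {"outside"}


def parse_asa_acl_log(msg):
    """Normalise either message form into one dict, or return None."""
    m = DENY_106023.search(msg)
    if m:
        ev = m.groupdict()
        ev["action"] = "denied"            # 106023 only ever reports denies
        return ev
    m = ACL_106100.search(msg)
    if m:
        ev = m.groupdict()
        if ev["action"] == "est-allowed":  # allowed by established-session logic
            ev["action"] = "permitted"
        return ev
    return None


def direction(ev):
    """Direction from the interfaces, not from the ACL name."""
    src_ext = ev["src_if"] in EXTERNAL_IFACES
    dst_ext = ev["dst_if"] in EXTERNAL_IFACES
    if src_ext and not dst_ext:
        return "inbound"
    if dst_ext and not src_ext:
        return "outbound"
    return "internal" if not (src_ext or dst_ext) else "external"


def describe(msg):
    """One-line reading of the event, e.g. 'denied inbound udp ...'."""
    ev = parse_asa_acl_log(msg)
    if ev is None:
        return None
    return (f'{ev["action"]} {direction(ev)} {ev["proto"]} '
            f'{ev["src_ip"]}/{ev["src_port"]} -> {ev["dst_ip"]}/{ev["dst_port"]} '
            f'({ev["acl"]})')


# Constructed sample messages; addresses and ACL names are made up.
SAMPLE_LOGS = [
    '%ASA-4-106023: Deny udp src outside:198.51.100.23/53412 '
    'dst inside:10.1.1.20/53 by access-group "OUTSIDE_IN" [0x0, 0x0]',
    '%ASA-6-106100: access-list INSIDE_OUT permitted udp inside/10.1.1.20(49211) '
    '-> outside/203.0.113.53(53) hit-cnt 1 first hit [0x0, 0x0]',
    '%ASA-6-106100: access-list OUTSIDE_IN denied tcp outside/198.51.100.9(40000) '
    '-> dmz/10.2.2.5(3389) hit-cnt 3 300-second interval [0x0, 0x0]',
]

if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        print(describe(line))
```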

28
MCQ · easy

Which Cisco tool provides network-wide visibility and can detect anomalies using NetFlow and behavioral analysis?

A. Cisco Firepower Threat Defense (FTD)
B. Cisco Catalyst 9300 Switch
C. Cisco Identity Services Engine (ISE)
D. Cisco Secure Network Analytics (Stealthwatch)
Answer: D

It uses NetFlow and behavioral analysis for anomaly detection.

Why this answer

Cisco Secure Network Analytics (formerly Stealthwatch) is the correct answer because it is a dedicated network visibility and security analytics platform that leverages NetFlow, IPFIX, and other telemetry sources to perform behavioral analysis and detect anomalies across the entire network. Unlike a firewall or switch, its primary function is to ingest flow data and apply machine learning models to identify threats such as lateral movement, data exfiltration, and command-and-control traffic.

Exam trap

The trap here is that candidates confuse a device that generates NetFlow data (like a Catalyst switch) with a tool that analyzes NetFlow data for security anomalies, leading them to select the switch instead of the dedicated analytics platform.

How to eliminate wrong answers

Option A is wrong because Cisco Firepower Threat Defense (FTD) is a next-generation firewall and IPS appliance that inspects packets inline for threats, but it does not provide network-wide visibility or behavioral analysis based on NetFlow; its visibility is limited to traffic passing through the firewall. Option B is wrong because the Cisco Catalyst 9300 Switch is a network switching platform that can generate NetFlow data but lacks the analytics engine to perform behavioral analysis or detect anomalies itself; it is a data source, not an analysis tool. Option C is wrong because Cisco Identity Services Engine (ISE) focuses on identity management, policy enforcement, and network access control (e.g., 802.1X, profiling), not on flow-based anomaly detection or behavioral analysis of network traffic.

29
Multi-Select · easy

Which THREE of the following are common indicators of compromise (IOCs) that a security monitoring system might trigger on?

Select 3 answers
A. Unusual outbound network connections to unfamiliar IP addresses.
B. Packets with destination IP addresses from a threat intelligence feed.
C. High CPU usage on a server.
D. Successful logon from a domain administrator account.
E. Changes to critical system files or registry keys.
Answers: A, B, E

Common C2 indicator.

Why this answer

Unusual outbound network connections to unfamiliar IP addresses are a common indicator of compromise (IOC) because they often signal command-and-control (C2) communication, data exfiltration, or malware beaconing. Security monitoring systems analyze netflow or firewall logs to detect connections to IP addresses not in the organization's baseline or known threat intelligence feeds. This behavior deviates from normal traffic patterns and is a key trigger for alerts in SIEM or IDS/IPS systems.

Exam trap

Cisco often tests the distinction between performance metrics (like CPU usage) and true security indicators, so candidates mistakenly select high CPU usage as an IOC when it is actually a symptom that requires further investigation, not a direct compromise indicator.

30
Multi-Select · easy

Which TWO of the following are common sources of security events used in security monitoring?

Select 2 answers
A. Employee attendance records
B. Firewall logs
C. Marketing campaign results
D. Company newsletter subscriptions
E. DNS query logs
Answers: B, E

Firewall logs provide information on allowed and denied connections.

Why this answer

Firewall logs (B) are a primary source of security events because they record allowed and denied traffic based on access control lists (ACLs), providing critical data on attempted intrusions, policy violations, and reconnaissance scans. DNS query logs (E) are equally vital as they capture domain resolution requests, enabling detection of malware command-and-control (C2) communication, DNS tunneling, and connections to known malicious domains. Both are standard inputs for SIEM systems and security monitoring platforms.

Exam trap

Cisco often tests the distinction between operational business data (HR, marketing) and actual security telemetry sources, expecting candidates to recognize that only logs from network infrastructure (firewalls, DNS servers, IDS/IPS) generate actionable security events.

31
MCQ · medium

A security analyst is configuring a new SIEM platform. The organization has multiple log sources, including Windows Event Logs, Linux syslog, and firewall logs. The analyst wants to ensure that logs are not lost if the SIEM becomes unavailable. Which approach best addresses this requirement?

A. Configure the SIEM to pull logs from sources via Syslog over TCP.
B. Configure log sources to send logs to a centralized collector with local storage and forwarding capabilities.
C. Implement log replication between SIEM nodes.
D. Increase the storage capacity of the SIEM to hold more logs.
Answer: B

Collector can buffer logs and forward when SIEM recovers.

Why this answer

Option B is correct because deploying a centralized collector with local storage and forwarding capabilities creates a buffer that ensures logs are not lost during SIEM unavailability. The collector receives logs from sources, stores them locally (e.g., on disk or in a queue), and forwards them to the SIEM when it becomes available again. This decouples log generation from SIEM ingestion, preventing data loss even during extended outages.

Exam trap

Cisco often tests the distinction between reliable transport (TCP) and guaranteed delivery with buffering; the trap here is assuming that Syslog over TCP alone prevents data loss, when in fact it only ensures in-transit reliability, not resilience against SIEM unavailability.

How to eliminate wrong answers

Option A is wrong because Syslog over TCP provides reliable delivery only if the SIEM is reachable; if the SIEM goes down, the TCP connection fails and logs are dropped (unless the source has its own buffering, which is not guaranteed). Option C is wrong because log replication between SIEM nodes addresses high availability and redundancy of the SIEM itself, but does not protect against data loss if all SIEM nodes become unavailable simultaneously. Option D is wrong because increasing SIEM storage capacity only helps retain more logs once they are ingested; it does nothing to prevent loss during an outage when logs cannot be received.

32
Multi-Select · medium

Which TWO of the following are valid sources of security monitoring data in a Cisco security architecture?

Select 2 answers
A. RADIUS accounting
B. SNMP traps
C. Syslog messages
D. WMI queries
E. NetFlow records
Answers: C, E

Syslog is a standard for security event logging.

Why this answer

Syslog messages (C) are a standard protocol for logging events from network devices, servers, and applications, making them a primary source of security monitoring data. NetFlow records (E) provide IP traffic flow statistics, enabling network behavior analysis and anomaly detection. Both are explicitly listed as valid data sources in Cisco's security monitoring architecture.

Exam trap

Cisco often tests the distinction between data sources used for security monitoring (Syslog, NetFlow) and management or authentication protocols (RADIUS, SNMP, WMI), leading candidates to mistake RADIUS accounting or SNMP traps for valid monitoring inputs.

33
Multi-Select · hard

Which THREE are typical sources of log data used in security monitoring? (Choose three.)

Select 3 answers
A. Printer spool logs.
B. HVAC system logs.
C. Windows Event Logs.
D. Firewall logs.
E. DNS server logs.
Answers: C, D, E

Contain authentication and system events.

Why this answer

Windows Event Logs are a primary source of security monitoring data because they record critical security events such as logon attempts, account changes, and process creation (Event IDs 4624, 4625, 4688). Security Information and Event Management (SIEM) systems ingest these logs to detect unauthorized access, privilege escalation, and malware execution.

Exam trap

Cisco often tests the distinction between logs that are security-relevant versus operational or environmental logs, so candidates mistakenly choose printer or HVAC logs because they are 'logs' in a general sense, but they lack the authentication, network, or system event data required for security monitoring.

34
Multi-Select · medium

A network security monitoring analyst is analyzing firewall logs and sees the following traffic: Source IP 10.1.1.50 to Destination IP 203.0.113.5 on port 443, protocol TCP, with a large amount of data transferred in both directions during business hours. The analyst suspects data exfiltration. Which TWO additional indicators would most strongly support this suspicion? (Choose two.)

Select 2 answers
A. The traffic uses TLS encryption with a self-signed certificate.
B. The destination IP belongs to a cloud storage provider commonly used for backups.
C. The data transfer rate is consistently high for several hours.
D. The destination port is used by a well-known web service.
E. The source IP has never communicated with this destination IP before.
Answers: A, E

Self-signed certificates in data transfers can indicate attempts to hide exfiltration.

Why this answer

Option A is correct because a self-signed TLS certificate is often used by attackers to encrypt exfiltrated data without the overhead of obtaining a legitimate certificate from a trusted CA. Legitimate services typically use certificates signed by a recognized CA, so a self-signed certificate in traffic to an external IP on port 443 is a strong indicator of malicious activity, especially when combined with large data transfers.

Exam trap

Cisco often tests the misconception that any encrypted traffic or high data transfer is automatically suspicious, when in fact the context of the certificate type and communication history is what distinguishes malicious exfiltration from legitimate business use.

35
MCQ · easy

A security analyst notices a sudden spike in NetFlow data from a single workstation to multiple external IP addresses on port 443. What is the most likely explanation for this traffic pattern?

A. Internal network scanning
B. Normal web browsing activity
C. Potential data exfiltration
D. A scheduled software update
Answer: C

Multiple connections to many external IPs on the same port (443) at a high rate suggests beaconing or data theft.

Why this answer

A single workstation sending a sudden spike of NetFlow data to multiple external IP addresses on port 443 (HTTPS) is a classic indicator of data exfiltration. Attackers often encrypt stolen data in HTTPS tunnels to evade detection, and the abrupt increase in outbound connections to many distinct external hosts is not typical of normal user behavior. NetFlow records showing a high volume of flows from one source to many destinations on the same port strongly suggest an automated process, such as a data theft tool, rather than legitimate traffic.

Exam trap

Cisco often tests the misconception that any HTTPS traffic is benign, but the trap here is that a sudden spike in outbound HTTPS flows from a single source to many external IPs is abnormal and indicates data exfiltration, not normal web browsing.

How to eliminate wrong answers

Option A is wrong because internal network scanning would target internal IP addresses, not external ones, and would typically use ICMP or ports such as TCP 445/3389 rather than port 443 exclusively. Option B is wrong because normal web browsing activity is distributed across many users and times, not a sudden spike from a single workstation to multiple external IPs; a single user's browsing would not generate a sharp, sustained increase in NetFlow data volume. Option D is wrong because a scheduled software update usually contacts a single or few known update servers (e.g., Microsoft or Adobe CDNs), not multiple random external IPs, and updates typically use HTTP/HTTPS but with predictable patterns and destinations.
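The one-source-to-many-destinations pattern in this question and the single-packet SMB probing in question 19 are the same NetFlow signal read two ways. This added Python example (not from the question bank) profiles constructed flow records per internal source and labels each source scan, exfiltration or normal; the flow tuples, addresses, internal address ranges and thresholds are all constructed assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed internal address space; anything else counts as external.
INTERNAL = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
FANOUT = 10               # distinct external destinations that count as a fan-out
SCAN_SINGLE_PKT = 0.9     # share of one-packet flows that marks scanning
EXFIL_BYTES = 10_000_000  # bytes out to many hosts that marks exfiltration-scale volume


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL)


def profile(flows):
    """Per internal source: distinct external destinations, share of
    one-packet flows, bytes sent and destination ports seen.
    Each flow is (src, dst, dst_port, packets, bytes)."""
    acc = defaultdict(lambda: {"dsts": set(), "ports": set(),
                               "flows": 0, "single": 0, "bytes": 0})
    for src, dst, dport, pkts, nbytes in flows:
        if not is_internal(src) or is_internal(dst):
            continue                          # only internal -> external flows
        s = acc[src]
        s["dsts"].add(dst)
        s["ports"].add(dport)
        s["flows"] += 1
        s["bytes"] += nbytes
        if pkts == 1:
            s["single"] += 1
    return {src: {"distinct_dsts": len(s["dsts"]),
                  "single_pkt_share": s["single"] / s["flows"],
                  "bytes_out": s["bytes"],
                  "ports": sorted(s["ports"])}
            for src, s in acc.items()}


def classify(p):
    """Label one source profile."""
    if p["distinct_dsts"] < FANOUT:
        return "normal"
    if p["single_pkt_share"] >= SCAN_SINGLE_PKT:
        return "scan"            # one probe per host, nothing completed
    if p["bytes_out"] >= EXFIL_BYTES:
        return "exfiltration"    # sustained volume to many external hosts
    return "fan-out"             # many destinations, but neither pattern above


def triage(flows):
    return {src: classify(p) for src, p in profile(flows).items()}


# Constructed NetFlow-like records (src, dst, dst_port, packets, bytes); not a real export.
FLOWS = []
# Web server probing a /24 on TCP 445, one packet per host (question 19).
FLOWS += [("10.10.10.50", f"203.0.113.{i}", 445, 1, 60) for i in range(1, 41)]
# Workstation pushing ~1 MB to each of twelve external hosts on 443 (question 35).
FLOWS += [("10.0.1.77", f"198.51.100.{i}", 443, 900, 1_200_000) for i in range(10, 22)]
# Ordinary browsing: three sites, modest volume.
FLOWS += [("10.0.1.12", d, 443, 40, 55_000)
          for d in ("203.0.113.200", "203.0.113.201", "198.51.100.5")]
# Internal-to-internal traffic is ignored by the profile.
FLOWS += [("10.0.1.12", "10.0.5.9", 445, 20, 8_000)]

if __name__ == "__main__":
    for src, label in triage(FLOWS).items():
        print(f"{src}: {label}")
```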

36
MCQmedium

A network engineer configures a SPAN port to send traffic from a critical server to an IDS. After configuration, the IDS sees no traffic. What is the most likely issue?

A.The IDS is in a different subnet.
B.The monitor session source interface is incorrectly specified.
C.The SPAN destination interface is not connected to the IDS.
D.The server is using VLAN tagging.
AnswerB

Common misconfiguration; wrong VLAN or port.

Why this answer

The most likely issue is that the monitor session source interface is incorrectly specified. SPAN (Switched Port Analyzer) requires the engineer to designate the correct source (the port connected to the critical server) and a destination interface (the port connected to the IDS). If the source is misconfigured, for example the wrong switch port, or a source VLAN that the server's frames do not actually traverse on that switch, the IDS receives no mirrored traffic. A VLAN is a valid SPAN source, but only if the server's traffic is in that VLAN on that switch; `show monitor session` on the switch confirms what is actually being mirrored and is the first thing to check.

This is a common configuration error when setting up local SPAN on Cisco switches.

Exam trap

Cisco often tests the distinction between source and destination misconfiguration in SPAN, trapping candidates who assume the IDS must be in the same subnet (Option A) or that VLAN tagging (Option D) would block mirrored traffic, when the real issue is an incorrect source interface specification.

How to eliminate wrong answers

Option A is wrong because SPAN copies frames at Layer 2 to the destination port regardless of IP addressing; a sensor's monitoring interface normally has no IP address at all, so the subnet is irrelevant as long as the destination port is correctly connected and configured. Option C is wrong because the scenario presents a configuration exercise: the session was configured and the IDS sees nothing, which points at the session definition rather than at cabling, and a missing physical link would be visible as a down destination port before anyone looked at the SPAN configuration. Option D is wrong because VLAN tagging on the server does not block SPAN; the switch copies tagged frames as well, and if the IDS needs to see the tags the destination can be configured to preserve the encapsulation.

37
MCQmedium

A security analyst notices repeated failed login attempts to a critical server from a single external IP address over the past 30 minutes. The SIEM has a correlation rule that triggers an alert when the threshold of 10 failed attempts in 5 minutes is exceeded. However, no alert was generated. What is the most likely cause?

A.The SIEM is not receiving logs from the authentication server.
B.The correlation rule uses a sliding window, and the failed attempts occurred over more than 5 minutes.
C.The analyst is monitoring the wrong log source.
D.The SIEM correlation rule requires a minimum of 15 failed attempts.
AnswerB

Threshold not met in any 5-minute window.

Why this answer

Option B is correct because the SIEM correlation rule uses a sliding window that triggers an alert only when 10 failed attempts occur within a 5-minute window. Since the analyst observed repeated failed attempts over 30 minutes, the attempts are spread across multiple 5-minute windows, so no single window exceeds the threshold. This is a classic case where the event frequency is high overall but does not meet the rule's temporal aggregation criteria.

Exam trap

Cisco often tests the distinction between event frequency over a long period versus event rate within a specific time window, trapping candidates who assume any repeated failed login attempts will trigger an alert regardless of the correlation rule's temporal constraints.

How to eliminate wrong answers

Option A is wrong because if the SIEM were not receiving logs from the authentication server, the analyst would not have observed any failed login attempts at all, but the analyst explicitly notes repeated failed attempts. Option C is wrong because the analyst is monitoring the correct log source (the critical server's authentication logs) as evidenced by the observed failed attempts; the issue is with the correlation rule's window, not the log source. Option D is wrong because the question states the threshold is 10 failed attempts in 5 minutes, not 15; the rule's threshold is clearly defined and not misconfigured to a higher value.

38
MCQmedium

You are a security analyst at a healthcare organization. The organization uses Cisco Stealthwatch for network visibility and a SIEM for event correlation. You receive an alert that a medical records database server (IP 10.0.3.20) is communicating with an external IP (198.51.100.100) on port 22 (SSH) at 2:00 AM. The database server should have no outbound SSH connections; only remote administration is allowed from a management subnet via VPN. You check Stealthwatch and see that the connection duration is 30 minutes and the volume of data transferred is 500 MB. The database server logs show no local account logins at that time. The firewall logs show that the connection was initiated from the database server. The incident response team has been alerted. What is the most likely scenario and your immediate action?

A.Change the database administrator password immediately
B.Check if the SSH connection was an authorized remote administration session
C.Investigate the database server logs for signs of compromise before taking action
D.Block the external IP 198.51.100.100 on the firewall and isolate the database server
AnswerD

Blocking the IP stops the exfiltration, and isolation prevents further compromise.

Why this answer

The database server is initiating an outbound SSH connection to an unknown external IP at an anomalous time, transferring 500 MB of data—far beyond typical administrative traffic. This behavior, combined with no local account logins and the server's policy prohibiting outbound SSH, strongly indicates compromise (e.g., an attacker using SSH for data exfiltration). Immediate isolation and blocking the external IP are critical to contain the threat and prevent further data loss, aligning with incident response best practices.

Exam trap

Cisco often tests the candidate's ability to prioritize containment over investigation in active incident response scenarios, trapping those who choose to investigate first (Option C) instead of immediately isolating the compromised asset.

How to eliminate wrong answers

Option A is wrong because changing the database administrator password is a reactive step that does not address the active, ongoing data exfiltration; the attacker may already have persistent access or credentials, and isolation must come first. Option B is wrong because the scenario explicitly states that remote administration is only allowed from a management subnet via VPN, and the connection is from the database server to an external IP at 2:00 AM—this cannot be an authorized session. Option C is wrong because while investigating logs is important, the immediate action must be containment (isolation and blocking) to stop the active data transfer; waiting to investigate first risks further data loss and gives the attacker time to cover tracks.

39
MCQhard

During a security incident, a SOC analyst finds that the SIEM is not receiving logs from a critical firewall due to a network issue. The analyst needs to ensure that no alerts are missed during the outage. What should the analyst do?

A.Restart the SIEM collector service.
B.Manually monitor the firewall console.
C.Configure the firewall to queue logs locally and forward when connectivity is restored.
D.Ignore the gap because logs are not critical.
AnswerC

Queuing ensures logs are not lost and can be sent later, preserving visibility.

Why this answer

Option C is correct because configuring the firewall to queue logs locally ensures that events generated during the network outage are held in a local buffer (a memory queue, a local log file, or a disk-assisted syslog queue) and forwarded automatically once the SIEM is reachable again. This closes the visibility gap and ensures every event is available for correlation even across transient network failures. Two practical caveats: plain UDP syslog has no acknowledgement, so the device cannot know what was lost and a reliable transport (TCP or TLS syslog) is needed for store-and-forward to work; and the local buffer must be sized for the longest outage you expect, or the oldest events will still be overwritten.

Exam trap

Cisco often tests the misconception that restarting services or manual monitoring can compensate for a network outage, when the correct approach is to leverage local log queuing or buffering on the source device to prevent data loss.

How to eliminate wrong answers

Option A is wrong because restarting the SIEM collector service does not address the root cause—the network outage preventing log transmission—and would not recover logs that were never sent. Option B is wrong because manually monitoring the firewall console is not scalable, does not provide centralized alerting, and would require constant human attention, which is impractical during an outage and does not guarantee that all alerts are captured. Option D is wrong because ignoring the log gap violates fundamental security monitoring principles; logs from critical firewalls are essential for incident detection, forensics, and compliance, and any gap could allow a security event to go undetected.
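The store-and-forward behaviour described above, as an added example that is not from the page or any vendor's code: a small forwarder that delivers each line through a pluggable transport, spools to a local file whenever the transport reports the collector as unreachable, and drains the spool in order before sending new lines once connectivity returns. The collector, the spool path and the ASA-style log lines are all constructed for the demonstration.

```python
import json
import os
import tempfile


class TransportDown(Exception):
    """Raised by the transport when the collector cannot be reached."""


class SpoolingForwarder:
    """Forward log lines to a collector; spool locally while it is unreachable.

    `send_fn(line)` is any callable that delivers one line (e.g. over TCP/TLS
    syslog) and raises TransportDown on failure. Lines that cannot be sent are
    appended to an on-disk spool so a process restart does not lose them.
    """

    def __init__(self, send_fn, spool_path):
        self.send_fn = send_fn
        self.spool_path = spool_path

    def _spool(self, line):
        with open(self.spool_path, "a", encoding="utf-8") as f:
            f.write(json.dumps(line) + "\n")

    def spooled(self):
        """Lines still waiting on disk, oldest first."""
        if not os.path.exists(self.spool_path):
            return []
        with open(self.spool_path, encoding="utf-8") as f:
            return [json.loads(l) for l in f if l.strip()]

    def flush(self):
        """Resend spooled lines in order. Returns True when the spool is empty."""
        backlog = self.spooled()
        remaining = []
        for i, line in enumerate(backlog):
            try:
                self.send_fn(line)
            except TransportDown:
                remaining = backlog[i:]          # keep everything not yet acknowledged
                break
        if remaining:
            with open(self.spool_path, "w", encoding="utf-8") as f:
                f.writelines(json.dumps(l) + "\n" for l in remaining)
            return False
        if os.path.exists(self.spool_path):
            os.remove(self.spool_path)
        return True

    def emit(self, line):
        """Deliver `line`, draining any backlog first so ordering is preserved."""
        if self.spooled() and not self.flush():
            self._spool(line)                    # collector still down: queue behind backlog
            return False
        try:
            self.send_fn(line)
            return True
        except TransportDown:
            self._spool(line)
            return False


class FakeCollector:
    """Constructed stand-in for the SIEM collector that can be taken up and down."""

    def __init__(self):
        self.up = True
        self.received = []

    def send(self, line):
        if not self.up:
            raise TransportDown("collector unreachable")
        self.received.append(line)


def simulate_outage():
    """Four lines: one before, two during, one after an outage. None are lost."""
    collector = FakeCollector()
    spool = os.path.join(tempfile.mkdtemp(), "forwarder.spool")
    fwd = SpoolingForwarder(collector.send, spool)
    fwd.emit("%ASA-4-106023: Deny tcp src outside:203.0.113.9/4444 dst inside:10.0.0.5/445")
    collector.up = False
    fwd.emit("%ASA-6-302013: Built outbound TCP connection 1201 for outside:198.51.100.7/443")
    fwd.emit("%ASA-4-106023: Deny tcp src outside:203.0.113.9/5555 dst inside:10.0.0.5/3389")
    collector.up = True
    fwd.emit("%ASA-6-302014: Teardown TCP connection 1201 for outside:198.51.100.7/443")
    return collector.received, fwd.spooled()
```

In production the same pattern is what a disk-assisted syslog queue on the device (or on a relay such as rsyslog) gives you; the point the simulation makes is that the spool must be drained before new events so the SIEM still sees them in the order they happened.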

40
MCQmedium

You are a security administrator for a company with 500 employees. The company uses a SIEM with basic correlation rules. Recently, the HR department reported that several employees received phishing emails with a link to a fake login page. The emails bypassed the spam filter. You want to detect if any employees clicked the link. You have access to web proxy logs, DNS logs, and endpoint antivirus logs. The phishing link is 'http://malicious-login.com/verify'. Which action should you take first to identify affected users?

A.Run a vulnerability scan on all employee workstations.
B.Search DNS logs for queries to 'malicious-login.com'.
C.Search endpoint logs for any malware detections.
D.Query the web proxy logs for HTTP requests containing the URL.
AnswerD

Web proxy logs record full URLs accessed by users.

Why this answer

The web proxy logs record every HTTP request made through the proxy, including the client, the authenticated user and the full URL path. Querying for 'http://malicious-login.com/verify' directly shows which employees requested the link, with a timestamp for each request, and a POST to the same URL is the strongest signal that credentials were actually submitted. This is the most direct and reliable evidence of user interaction with the phishing link. One caveat for the general case: the phishing link here is plain HTTP, so the proxy sees the full URL; for HTTPS the proxy normally logs only the CONNECT host unless TLS inspection is in place, and DNS or endpoint telemetry then becomes the fallback.

Exam trap

Cisco often tests the distinction between DNS resolution and actual HTTP request completion, tricking candidates into thinking DNS logs are sufficient to prove a user clicked a link, when in fact only web proxy logs confirm the full URL was requested.

How to eliminate wrong answers

Option A is wrong because a vulnerability scan identifies system weaknesses, not user actions like clicking a link; it would not reveal whether an employee visited the phishing URL. Option B is wrong because DNS logs only show that a client resolved the domain 'malicious-login.com', not that the user actually made an HTTP request to the specific '/verify' path; a DNS query could occur from background processes or pre-fetching without user interaction. Option C is wrong because endpoint antivirus logs only record malware detections; the phishing page itself is not malware, and no malicious file would be detected unless the user downloaded and executed a payload.
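The triage described above, as an added example (not code from the page): search Squid-style proxy access logs for the exact phishing URL, separate users who merely loaded the page (GET) from those who submitted the form (POST), and then compare with BIND-style DNS query logs to show why DNS alone over-counts. The log lines, hosts and usernames are all constructed for the demonstration.

```python
import re
from datetime import datetime, timezone

# Constructed Squid-style native access log lines (not from the page):
# timestamp elapsed client action/code bytes method URL user hierarchy/peer type
PROXY_LOG = """\
1714546800.101 120 10.1.5.23 TCP_MISS/200 4312 GET http://malicious-login.com/verify jsmith HIER_DIRECT/203.0.113.10 text/html
1714546805.337 98 10.1.5.23 TCP_MISS/302 511 POST http://malicious-login.com/verify jsmith HIER_DIRECT/203.0.113.10 text/html
1714546830.502 45 10.1.5.40 TCP_MISS/200 4312 GET http://malicious-login.com/verify agarcia HIER_DIRECT/203.0.113.10 text/html
1714546900.004 60 10.1.5.77 TCP_MISS/200 15230 GET http://intranet.example.com/ bkhan HIER_DIRECT/10.1.1.10 text/html
"""

# Constructed BIND-style query log lines. 10.1.5.90 resolved the domain but never
# appears in the proxy log (for example a mail client prefetching the link).
DNS_LOG = """\
01-May-2024 07:00:00.050 client @0x7f1 10.1.5.23#51234 (malicious-login.com): query: malicious-login.com IN A + (10.1.5.1)
01-May-2024 07:00:30.410 client @0x7f2 10.1.5.40#51800 (malicious-login.com): query: malicious-login.com IN A + (10.1.5.1)
01-May-2024 07:01:10.220 client @0x7f3 10.1.5.90#52010 (malicious-login.com): query: malicious-login.com IN A + (10.1.5.1)
"""

PHISH_URL = "http://malicious-login.com/verify"
PHISH_DOMAIN = "malicious-login.com"


def proxy_hits(log, url):
    """Every proxied request for `url`: who, from which client, GET or POST, when."""
    hits = []
    for line in log.splitlines():
        f = line.split()
        if len(f) < 10:
            continue                       # skip truncated or malformed lines
        ts, client, status, method, req_url, user = f[0], f[2], f[3], f[5], f[6], f[7]
        if req_url.rstrip("/") == url.rstrip("/"):
            when = datetime.fromtimestamp(float(ts), tz=timezone.utc)
            hits.append({"user": user, "client": client, "method": method,
                         "status": status, "time": when.strftime("%Y-%m-%d %H:%M:%S UTC")})
    return hits


DNS_RE = re.compile(
    r"client (?:@\S+ )?(?P<ip>\d+\.\d+\.\d+\.\d+)#\d+ \([^)]*\): query: (?P<name>\S+) IN"
)


def dns_resolvers(log, domain):
    """Client IPs that resolved `domain` or any name under it."""
    clients = set()
    for m in DNS_RE.finditer(log):
        name = m.group("name").rstrip(".").lower()
        if name == domain or name.endswith("." + domain):
            clients.add(m.group("ip"))
    return sorted(clients)


def triage(proxy_log, dns_log, url, domain):
    """Users who clicked, users who submitted the form, and DNS-only clients."""
    hits = proxy_hits(proxy_log, url)
    clicked = sorted({h["user"] for h in hits})
    submitted = sorted({h["user"] for h in hits if h["method"] == "POST"})
    dns_only = sorted(set(dns_resolvers(dns_log, domain)) - {h["client"] for h in hits})
    return {"clicked": clicked, "submitted_credentials": submitted, "dns_only_clients": dns_only}
```

The DNS-only client is worth a second look (it may be an endpoint whose traffic bypasses the proxy), but it is not evidence of a click, which is exactly the distinction the question turns on.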

41
MCQhard

An organization must retain security logs for at least one year due to regulatory compliance. However, their SIEM storage is limited. Which strategy best balances compliance and storage?

A.Archive logs to compressed files after 30 days and retain for one year.
B.Delete logs after 30 days and rely on local log rotation.
C.Only store alerts and drop raw logs.
D.Increase SIEM storage without archiving.
AnswerA

Archiving preserves logs for compliance while reducing storage consumption.

Why this answer

Option A is correct because archiving logs to compressed files after 30 days keeps the full record for the required year while freeing the SIEM's hot storage for recent, searchable data. Option B deletes logs long before the one-year requirement is met; Option C discards the raw events that forensics and auditors need, since alerts are derived data; Option D is the most expensive option and does not scale as log volume grows. When archiving, hash or sign the archive at creation so its integrity can be demonstrated if the logs are ever produced as evidence.

42
MCQmedium

A security analyst is investigating an alert from a host-based intrusion detection system (HIDS) that detected a file modification in the system32 directory. Which log source should the analyst check first to understand the process that made the change?

A.Firewall logs.
B.Windows Event Logs.
C.NetFlow data.
D.DNS logs.
AnswerB

Windows Security Event Log object-access events (4663) record the process and account that touched the file; process-creation events (4688) add the parent and command line.

Why this answer

Windows Event Logs (specifically Security Event ID 4656, handle requested, and 4663, object accessed) record detailed information about file operations, including the process name, the user account and the timestamp, so the analyst can trace the modification in system32 back to its source. Two caveats a practitioner should know: these events are generated only if the Audit File System subcategory is enabled and a SACL exists on the directory, so on a default install they may be absent; and Sysmon, if deployed, provides the same linkage through Event ID 11 (FileCreate) and Event ID 1 (process creation). Either way, the answer is a host log, not a network one.

Exam trap

Cisco often tests the distinction between host-based logs (Windows Event Logs) and network-based logs (firewall, NetFlow, DNS), expecting candidates to recognize that only host logs can reveal the process responsible for a local file change.

How to eliminate wrong answers

Option A is wrong because firewall logs track network traffic (source/destination IPs, ports, protocols) and do not record local file system operations on a host. Option C is wrong because NetFlow data captures network flow metadata (IP conversations, byte counts) and has no visibility into local file modifications. Option D is wrong because DNS logs record domain name resolution queries and responses, not process-level file changes on the endpoint.
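Pulling the responsible process out of a 4663 event, as an added example that is not from the page: parse the Security log's XML form, decode the access mask, and keep only write-type accesses to files under System32. The two events below are constructed for the demonstration (the hostname, user, PID and paths are invented) and use only the real 4663 field names.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
SYSTEM32 = "c:\\windows\\system32\\"

# Subset of the file access-right bits that appear in a 4663 AccessMask.
ACCESS_BITS = {
    0x1: "ReadData", 0x2: "WriteData", 0x4: "AppendData",
    0x10000: "DELETE", 0x40000: "WRITE_DAC", 0x80000: "WRITE_OWNER",
}
WRITE_MASK = 0x2 | 0x4 | 0x10000 | 0x40000 | 0x80000

# Constructed 4663 events (not real telemetry). First: a file under System32
# written by an executable in Downloads. Second: a routine read by a service host.
SAMPLE_EVENTS = [r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing"/>
    <EventID>4663</EventID>
    <TimeCreated SystemTime="2024-05-01T07:02:11.123456Z"/>
    <Computer>WS-FIN-07.corp.example</Computer>
  </System>
  <EventData>
    <Data Name="SubjectUserName">jsmith</Data>
    <Data Name="SubjectDomainName">CORP</Data>
    <Data Name="ObjectType">File</Data>
    <Data Name="ObjectName">C:\Windows\System32\drivers\etc\hosts</Data>
    <Data Name="AccessMask">0x2</Data>
    <Data Name="ProcessId">0x1a2c</Data>
    <Data Name="ProcessName">C:\Users\jsmith\Downloads\invoice.exe</Data>
  </EventData>
</Event>""", r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing"/>
    <EventID>4663</EventID>
    <TimeCreated SystemTime="2024-05-01T07:02:15.000000Z"/>
    <Computer>WS-FIN-07.corp.example</Computer>
  </System>
  <EventData>
    <Data Name="SubjectUserName">SYSTEM</Data>
    <Data Name="SubjectDomainName">NT AUTHORITY</Data>
    <Data Name="ObjectType">File</Data>
    <Data Name="ObjectName">C:\Windows\System32\drivers\etc\hosts</Data>
    <Data Name="AccessMask">0x1</Data>
    <Data Name="ProcessId">0x3f0</Data>
    <Data Name="ProcessName">C:\Windows\System32\svchost.exe</Data>
  </EventData>
</Event>"""]


def parse_4663(xml_text):
    """Flatten one Security-log event into the fields an analyst needs."""
    root = ET.fromstring(xml_text)
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    mask = int(data.get("AccessMask", "0"), 16)
    return {
        "event_id": int(root.find("e:System/e:EventID", NS).text),
        "time": root.find("e:System/e:TimeCreated", NS).get("SystemTime"),
        "host": root.find("e:System/e:Computer", NS).text,
        "user": data.get("SubjectDomainName", "") + "\\" + data.get("SubjectUserName", ""),
        "object": data.get("ObjectName", ""),
        "process": data.get("ProcessName", ""),
        "pid": int(data.get("ProcessId", "0"), 16),
        "access": [name for bit, name in ACCESS_BITS.items() if mask & bit],
        "is_write": bool(mask & WRITE_MASK),
    }


def system32_writes(events):
    """4663 events that modified a file under System32, with the responsible process."""
    flagged = []
    for ev in (parse_4663(x) for x in events):
        if ev["event_id"] == 4663 and ev["is_write"] and ev["object"].lower().startswith(SYSTEM32):
            flagged.append(ev)
    return flagged
```

The PID and timestamp from the flagged event are what you then join against 4688 (or Sysmon Event ID 1) to get the parent process and command line that launched `invoice.exe`.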

43
MCQmedium

A security analyst is reviewing baseline network traffic and notices that the normal HTTP traffic volume has increased by 300% over the past hour. The increase is from a single client IP to a single external web server. What does this indicate?

A.Possible data exfiltration via HTTP
B.A denial-of-service (DoS) attack against the web server
C.A distributed denial-of-service (DDoS) attack from botnets
D.Normal fluctuations during peak hours
AnswerA

Large upload of data to a single external server is suspicious.

Why this answer

A 300% increase in HTTP traffic from a single client IP to a single external web server is anomalous and strongly suggests data exfiltration. Attackers often tunnel stolen data over HTTP (port 80) because it is usually allowed through firewalls and proxies without inspection. Traffic from one source to one destination is targeted, non-distributed activity, which fits exfiltration rather than a volumetric attack. Before escalating, confirm the byte direction in the flow records: exfiltration shows up as client-to-server (upload) bytes, whereas a large download from the same server produces the same aggregate volume with the opposite asymmetry.

Exam trap

Cisco often tests the distinction between a single-source anomaly (exfiltration or DoS) and a multi-source anomaly (DDoS), and the trap here is that candidates confuse a traffic volume increase with a DoS attack, ignoring the single-source indicator that points to exfiltration.

How to eliminate wrong answers

Option B is wrong because a denial-of-service (DoS) attack would typically involve a flood of traffic from a single source to overwhelm the server, but the scenario describes a 300% increase in HTTP traffic volume, which is more consistent with sustained data transfer than a flood designed to cause resource exhaustion. Option C is wrong because a distributed denial-of-service (DDoS) attack involves multiple source IPs (botnets) generating traffic, but the question explicitly states the increase is from a single client IP, ruling out a distributed attack. Option D is wrong because a 300% increase from a single IP to a single external server is not normal peak-hour fluctuation; normal traffic patterns show gradual changes across many clients, not a sudden spike from one source.

44
MCQmedium

During a security incident, an analyst needs to preserve network evidence for forensic analysis. Which action should be taken first?

A.Isolate the affected systems from the network.
B.Create a forensic image of all hard drives.
C.Shut down the affected systems to prevent further damage.
D.Capture the contents of volatile memory from affected systems.
AnswerD

Volatile data is lost when power is removed, so it must be captured first.

Why this answer

During a security incident, the first priority is to capture volatile memory (RAM) because it contains critical evidence such as running processes, network connections, and encryption keys that will be lost when the system is powered off. Option D is correct because volatile data is ephemeral and must be collected before any action that could alter the system state, such as shutdown or isolation.

Exam trap

Cisco often tests the order of volatility (RFC 3227) and the misconception that isolating or shutting down the system is the safest first step, when in fact it destroys the most volatile evidence.

How to eliminate wrong answers

Option A is wrong because isolating the affected systems from the network may trigger network-level changes (e.g., ARP cache updates, connection teardowns) that alter volatile memory contents, and it does not preserve the current state of memory. Option B is wrong because creating a forensic image of hard drives is a non-volatile data acquisition step that should occur after volatile memory capture, as it does not preserve RAM contents and may be delayed without losing evidence. Option C is wrong because shutting down the system destroys all volatile memory data (e.g., running processes, open network sockets, encryption keys) and may also cause disk writes (e.g., pagefile updates) that overwrite evidence.

45
Multi-Selecthard

Which TWO of the following are characteristics of behavioral-based anomaly detection in network monitoring? (Select 2)

Select 2 answers
A.Establishes a baseline of normal traffic
B.Relies on predefined signatures
C.Can inspect encrypted traffic without decryption
D.Uses static rules written by administrators
E.Can detect zero-day attacks
AnswersA, E

Behavioral analysis uses baselines to find deviations.

Why this answer

Correct: A (establishes a baseline of normal traffic) and E (can detect zero-day attacks, because any deviation from the baseline is flagged even when no signature exists). B is wrong because predefined signatures are the hallmark of signature-based detection, not behavioral detection. D is wrong because static rules written by administrators are rule-based detection and do not adapt to observed traffic.

C is wrong because no detection method inspects an encrypted payload without decryption. Behavioral analysis can still profile encrypted traffic from its metadata (flow sizes, timing, destinations), but that is a weaker claim than inspecting the content, and it applies equally to signature-based systems that only match on headers.

46
MCQhard

A SOC team is evaluating a SIEM rule that triggers on 'more than 10 failed login attempts from a single source within 5 minutes.' The rule is generating too many alerts from a legitimate external monitoring service. How should the rule be modified?

A.Increase the threshold to 20 failed attempts.
B.Disable the rule and rely on other detection methods.
C.Add an exception for the source IP of the monitoring service.
D.Extend the time window to 10 minutes.
AnswerC

Exceptions effectively reduce false positives without changing rule logic.

Why this answer

Option C is correct because the rule is generating false positives from a known, legitimate source. Adding an exception for the monitoring service's source IP lets the SIEM keep detecting real brute-force attacks while ignoring the expected traffic from that one host. This is standard allowlisting in SIEM rule tuning: it reduces noise without lowering coverage. Keep the exception as narrow as possible (that source IP, ideally only against the accounts and targets it is expected to probe) and review it periodically, because an attacker who compromises the monitoring host inherits the blind spot.

Exam trap

Cisco often tests the concept that tuning a SIEM rule should preserve detection capability for actual threats, so candidates mistakenly choose threshold or time-window adjustments (A or D) instead of the more precise fix of adding an exception for the known benign source.

How to eliminate wrong answers

Option A is wrong because increasing the threshold to 20 failed attempts would still generate alerts from the monitoring service if it performs more than 20 attempts in 5 minutes, and it could also delay detection of a real brute-force attack that uses fewer than 20 attempts. Option B is wrong because disabling the rule entirely removes detection of brute-force attacks from all sources, creating a critical security gap that cannot be justified by a single false positive source. Option D is wrong because extending the time window to 10 minutes would still trigger on the monitoring service if it performs more than 10 failed attempts in that longer period, and it would also slow down detection of actual attacks by requiring a longer observation window.
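The two rule behaviours discussed in questions 37 and 46, as one added example that is not code from the page: a sliding-window counter that alerts only when more than 10 failures from one source fall inside any 5-minute span, plus an allowlist exception for a known monitoring host. The three sources, their timestamps and the monitoring host's address are constructed for the demonstration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 10                   # alert when MORE than this many failures...
WINDOW = timedelta(minutes=5)    # ...fall inside any window of this length (inclusive)
ALLOWLIST = {"192.0.2.50"}       # hypothetical uptime monitor (question 46's exception)

BASE = datetime(2024, 5, 1, 2, 0, 0)


def _fail(offset, src):
    return {"ts": BASE + offset, "src": src, "result": "FAIL"}


# Constructed authentication failures (not from the page):
#   203.0.113.7   one failure per minute for 30 minutes: never 11 in any 5-minute span
#   198.51.100.9  twelve failures in two minutes: a genuine burst
#   192.0.2.50    the same burst, but from the allowlisted monitoring host
SAMPLE_EVENTS = (
    [_fail(timedelta(minutes=m), "203.0.113.7") for m in range(30)]
    + [_fail(timedelta(minutes=10, seconds=10 * i), "198.51.100.9") for i in range(12)]
    + [_fail(timedelta(minutes=20, seconds=10 * i), "192.0.2.50") for i in range(12)]
)


def detect_bruteforce(events, threshold=THRESHOLD, window=WINDOW, allowlist=frozenset()):
    """Return {src: time_of_first_alert} for sources with more than `threshold`
    failures inside any sliding window of length `window`.

    Events are processed in time order. Each source keeps a deque of the
    timestamps still inside the window; older ones are dropped as time moves on,
    so a slow trickle never accumulates enough to trip the rule.
    """
    recent = defaultdict(deque)
    alerts = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["result"] != "FAIL" or ev["src"] in allowlist:
            continue
        q = recent[ev["src"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:   # expire timestamps outside the window
            q.popleft()
        if len(q) > threshold and ev["src"] not in alerts:
            alerts[ev["src"]] = ev["ts"]
    return alerts
```

Running `detect_bruteforce(SAMPLE_EVENTS)` fires for both bursting sources and never for the slow source, which is the outcome question 37 describes; adding `allowlist=ALLOWLIST` removes the monitoring host without touching the threshold or the window, which is question 46's fix.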

47
MCQmedium

A SOC analyst is reviewing alerts from a network-based intrusion detection system (NIDS). An alert indicates a potential SQL injection attempt, but the destination server is a web application that accepts SQL queries as part of its normal function. What should the analyst do?

A.Disable the alert to reduce noise.
B.Tune the NIDS signature to ignore that server.
C.Immediately block the source IP.
D.Correlate with web server logs to determine if the request was malicious.
AnswerD

Correlation provides context to differentiate between normal and malicious SQL queries.

Why this answer

Option D is correct because the NIDS alert alone cannot confirm malicious intent when the destination server legitimately accepts SQL queries. Correlating with web server logs allows the analyst to examine the full HTTP request (e.g., parameters, payload, referrer) to distinguish between a benign feature usage and an actual SQL injection attack, such as detecting unexpected SQL keywords or syntax in input fields that should not contain them.

Exam trap

Cisco often tests the misconception that any NIDS alert indicating a known attack pattern must be acted upon immediately with a blocking action, without considering the application's normal behavior or the need for log correlation.

How to eliminate wrong answers

Option A is wrong because disabling the alert removes visibility into a potential threat and violates the principle of maintaining detection coverage; alerts should be tuned or suppressed, not disabled entirely. Option B is wrong because tuning the NIDS signature to ignore that server would create a blind spot for all future SQL-related traffic to that host, including genuine attacks, and does not address the need to investigate the current alert. Option C is wrong because immediately blocking the source IP is an overly aggressive response that could block legitimate users and disrupt business operations; the analyst must first verify malicious intent through log correlation.

48
MCQmedium

A company uses Snort for intrusion detection. The analyst receives an alert for 'ET POLICY Outgoing DNS Query to Possible Malicious Domain'. The destination IP is 203.0.113.5. The analyst checks the DNS query and finds it is for 'update.software.com', which is a legitimate update server. However, the Snort rule triggered because the domain was recently added to a threat intelligence feed. What is the most likely cause of this false positive?

A.The Snort rule is misconfigured and should be disabled
B.The rule is too broad and matches all DNS queries
C.The Snort signature is too generic and should be tuned
D.The threat intelligence feed contains a false positive for that domain
AnswerD

The domain is legitimate but was erroneously flagged by the threat feed, causing a false positive alert.

Why this answer

The Snort rule triggered because the domain 'update.software.com' was listed in a threat intelligence feed, but the analyst verified it is a legitimate update server. This means the feed itself incorrectly flagged the domain, making it a false positive in the feed rather than in the rule. Option D is correct because the root cause is the feed's inaccuracy, not a misconfiguration or an overly broad signature. The practical follow-up is to suppress that one indicator locally (with an expiry, so the suppression is revisited) and report the error to the feed provider, rather than weakening the rule.

Exam trap

Cisco often tests the distinction between a false positive caused by a rule or signature issue versus a false positive caused by inaccurate threat intelligence, leading candidates to incorrectly blame the rule configuration or signature specificity.

How to eliminate wrong answers

Option A is wrong because disabling the rule would remove detection for legitimate threats; the rule itself is not misconfigured, as it correctly matches the feed. Option B is wrong because the rule is not too broad—it specifically matches DNS queries to domains in the threat intelligence feed, not all DNS queries. Option C is wrong because the Snort signature is not too generic; it is precisely targeting domains from the feed, and tuning the signature would not fix an incorrect feed entry.

49
Multi-Selectmedium

Which THREE of the following are best practices for implementing security logging and monitoring? (Select 3)

Select 3 answers
A.Define alert thresholds based on baselines
B.Synchronize device clocks using NTP
C.Minimize log retention to reduce storage costs
D.Centralize logs to a dedicated log server
E.Log only during incident response to reduce noise
AnswersA, B, D

Baselines reduce false positives.

Why this answer

Defining alert thresholds based on baselines is a best practice because it lets the monitoring system distinguish normal from anomalous behavior. By establishing a baseline of typical network traffic, CPU usage or login patterns, thresholds trigger only on deviations, which reduces false positives without hiding genuine incidents. Synchronizing clocks with NTP matters because correlation across sources depends on events being ordered correctly; a few seconds of skew between a firewall and a domain controller is enough to put cause after effect in a timeline. Centralizing logs on a dedicated server keeps them searchable in one place and, just as important, preserves a copy that an attacker who compromises the originating host cannot edit or delete.

Exam trap

Cisco often tests the misconception that logging should be minimized to reduce noise or storage costs, but the correct approach is to log continuously and use baselines and centralized aggregation to manage volume and relevance.

50
MCQhard

A security analyst is reviewing NetFlow records and notices a host sending data to an external IP at regular intervals during non-business hours. Which flow characteristic is most indicative of data exfiltration?

A.Random destination ports.
B.High number of small packets.
C.Low number of bytes per flow.
D.Constant bit rate and consistent packet size.
AnswerD

Data exfiltration tools often send data at a steady rate to avoid suspicion.

Why this answer

Data exfiltration often uses a steady, low-and-slow approach to evade detection. A constant bit rate and consistent packet size indicate a scripted, automated transfer, such as a beacon or a covert channel, which is highly suspicious during non-business hours. This pattern contrasts with legitimate traffic, which typically shows variable packet sizes and bursty behavior.

Exam trap

Cisco often tests the misconception that data exfiltration always involves large volumes of data or many small packets, when in fact the hallmark of stealthy exfiltration is consistency and regularity to blend in with normal traffic patterns.

How to eliminate wrong answers

Option A is wrong because random destination ports are more indicative of port scanning or malware probing for an open service, not a sustained channel to one destination. Option B is wrong because a high number of small packets is characteristic of VoIP, DNS or flood attacks, not the steady, consistent flow of a covert channel. Option C is wrong because byte count alone is not diagnostic: a low-and-slow channel deliberately keeps per-flow bytes small, and many legitimate flows (DNS, keepalives) are small too; what distinguishes exfiltration is the regularity across flows, not the size of any one of them.

51
MCQeasy

A company wants to monitor for unauthorized wireless access points. Which technique should they implement?

A.Enable port security on all switches.
B.Use VLAN segmentation.
C.Deploy a Wireless Intrusion Prevention System (WIPS).
D.Implement 802.1X authentication.
AnswerC

Designed to detect rogue APs and wireless threats.

Why this answer

A Wireless Intrusion Prevention System (WIPS) is specifically designed to detect, classify, and block unauthorized wireless access points (rogue APs) by continuously monitoring the RF spectrum. Unlike wired-only controls, WIPS can identify rogue devices that are not connected to the wired network, making it the correct choice for this requirement.

Exam trap

Cisco often tests the distinction between wired security controls (port security, VLANs, 802.1X) and wireless-specific monitoring (WIPS), trapping candidates who assume that any network security measure can detect unauthorized wireless devices.

How to eliminate wrong answers

Option A is wrong because port security is a wired switch feature that limits the number of MAC addresses per port and does not monitor or detect wireless rogue access points. Option B is wrong because VLAN segmentation logically separates network traffic but provides no mechanism to discover or prevent unauthorized wireless devices from operating. Option D is wrong because 802.1X authentication controls network access for wired and wireless clients via RADIUS, but it does not actively scan for or block rogue access points that are not part of the authentication domain.

52
MCQeasy

Refer to the exhibit. An EDR alert shows this JSON event. What is the most significant indicator of a potential malware infection?

A.The user is 'jsmith'.
B.The parent process is explorer.exe.
C.The process path is in the Downloads folder.
D.The event type is 'Process Creation'.
AnswerC

Common location for malware delivered via email or web.

Why this answer

The process path in the Downloads folder is the most significant indicator because it suggests the executable was downloaded from the internet, a common vector for malware delivery. Attackers routinely use social engineering to get users to save and run a file from Downloads, which then starts the infection chain. In EDR analysis, execution from a user-writable directory such as Downloads, Temp or AppData is a useful triage signal rather than proof: legitimate installers are also run from there, so the alert should be confirmed with the file's hash reputation, its signing status and what the process does next (child processes, network connections, persistence).

Exam trap

Cisco often tests the distinction between benign system behavior (like explorer.exe as a parent process) and high-risk execution paths (like the Downloads folder), tricking candidates into focusing on the user or event type rather than the contextual risk of the file's origin.

How to eliminate wrong answers

Option A is wrong because the username 'jsmith' alone is not an indicator of compromise; it only identifies the user context and does not provide evidence of malicious activity. Option B is wrong because explorer.exe is a legitimate Windows shell process that commonly spawns child processes when users interact with the system, so it is not inherently suspicious. Option D is wrong because 'Process Creation' is a standard event type in Windows ETW and Sysmon logs; it is the specific attributes of the process (such as its path) that indicate potential malware, not the event type itself.

53
Multi-Selecthard

Which THREE of the following are valid techniques to detect a compromised host using network monitoring?

Select 3 answers
A.Identifying periodic outbound connections to an unknown IP at regular intervals (beaconing).
B.Watching for ICMP echo requests from internal hosts to external hosts.
C.Observing DNS queries for domains that are known to be malicious from threat intelligence.
D.Detecting a host that is sending SMTP traffic to a server not authorized as a mail relay.
E.Monitoring for high volumes of HTTP traffic to a known CDN.
AnswersA, C, D

Beaconing is a common C2 technique.

Why this answer

Option A is correct because beaconing is a classic indicator of a compromised host establishing a command-and-control (C2) channel: the host periodically connects outbound to an unknown IP at regular intervals, an automated pattern that flow monitoring can pick out as anomalous. Option C is correct because a DNS query for a domain that threat intelligence already associates with malware is direct evidence the host is trying to reach attacker infrastructure, whether or not the connection succeeds. Option D is correct because SMTP from an ordinary host to a server that is not an authorized mail relay is how spam bots and credential-stealing malware send data out, and it is easy to spot when the sanctioned relays are known. Options B and E are ordinary traffic (a ping to an external host, bulk downloads from a CDN) and are not indicators by themselves.

Exam trap

Cisco often tests the distinction between normal network behavior (like ICMP pings or CDN traffic) and actual malicious indicators, so candidates may mistake common but benign traffic for signs of compromise.
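The beaconing signal from question 50 (constant rate and consistent size) and option A of question 53, as one added example that is not from the page: group NetFlow-style records by conversation and flag those whose inter-flow gaps and byte counts both have a very low coefficient of variation. The flow records, hosts and thresholds are constructed for the demonstration; one host beacons every five minutes with a little jitter, the other browses.

```python
from collections import defaultdict
from statistics import mean, pstdev


def _beacon_flows():
    # Ten flows about 300 s apart with a few seconds of jitter and a stable size.
    jitter = [0, 2, -1, 3, -2, 1, 0, -3, 2, -1]
    sizes = [1480, 1490, 1475, 1500, 1485, 1495, 1470, 1505, 1488, 1479]
    return [{"start": 1714521600 + 300 * i + jitter[i], "src": "10.0.1.15",
             "dst": "203.0.113.44", "dport": 443, "bytes": sizes[i]} for i in range(10)]


def _browse_flows():
    # Ten flows with bursty timing and widely varying sizes, like a person browsing.
    starts = [0, 7, 9, 62, 130, 131, 400, 905, 910, 1800]
    sizes = [812, 45210, 1310, 230400, 9871, 512, 78500, 1029, 3400, 150000]
    return [{"start": 1714521600 + starts[i], "src": "10.0.1.22",
             "dst": "198.51.100.80", "dport": 443, "bytes": sizes[i]} for i in range(10)]


# Constructed NetFlow-style records (not from the page): one beaconing host, one browsing host.
SAMPLE_FLOWS = _beacon_flows() + _browse_flows()


def cv(values):
    """Coefficient of variation: population standard deviation divided by the mean."""
    m = mean(values)
    return pstdev(values) / m if m else float("inf")


def find_beacons(flows, min_flows=6, max_cv=0.10):
    """Return (src, dst, dport) conversations whose inter-flow gaps and byte counts
    are both nearly constant, the signature of an automated beacon."""
    groups = defaultdict(list)
    for f in flows:
        groups[(f["src"], f["dst"], f["dport"])].append(f)
    found = []
    for (src, dst, dport), fs in groups.items():
        if len(fs) < min_flows:
            continue                                  # too few samples to judge regularity
        fs = sorted(fs, key=lambda f: f["start"])
        gaps = [b["start"] - a["start"] for a, b in zip(fs, fs[1:])]
        cv_gap, cv_bytes = cv(gaps), cv([f["bytes"] for f in fs])
        if cv_gap <= max_cv and cv_bytes <= max_cv:
            found.append({"src": src, "dst": dst, "dport": dport, "flows": len(fs),
                          "period_s": round(mean(gaps)), "cv_interval": round(cv_gap, 3),
                          "cv_bytes": round(cv_bytes, 3)})
    return found
```

The thresholds are the tuning knobs: real C2 frameworks add deliberate jitter, so `max_cv` is usually relaxed a little in practice, and the destination's reputation (question 53's option C) is what turns a statistical candidate into an alert.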

54
MCQhard

During an incident response, the SOC needs to determine the scope of a compromise by identifying all hosts that communicated with a known malicious IP in the last 30 days. Which data source would best support this analysis?

A. SNMP traps from routers
B. Syslog from the DHCP server
C. Firewall deny logs
D. NetFlow records from the router
Answer: D

NetFlow captures all traffic flows, allowing historical analysis.

Why this answer

NetFlow records capture metadata about all IP traffic flows traversing a router, including source and destination IP addresses, ports, and timestamps. This allows the SOC to query for any host that communicated with the known malicious IP over the past 30 days, providing a complete picture of the compromise's scope. Unlike logs that only record denied traffic or administrative events, NetFlow records all successful communications, making it the ideal data source for this analysis.

Exam trap

Cisco often tests the distinction between logs that record only denied traffic (firewall deny logs) versus logs that record all traffic (NetFlow), leading candidates to mistakenly choose firewall deny logs because they associate firewalls with security monitoring.

How to eliminate wrong answers

Option A is wrong because SNMP traps from routers are used for network device monitoring and fault management (e.g., link up/down, CPU spikes), not for recording per-flow IP communication history with specific destinations. Option B is wrong because syslog from the DHCP server logs IP address lease assignments and client MAC addresses, but does not log the actual network traffic flows or communications between hosts and external IPs. Option C is wrong because firewall deny logs only record traffic that was blocked, not allowed traffic; since the malicious IP was likely contacted successfully, deny logs would miss the very communications needed to identify compromised hosts.

55
MCQ · hard

Your organization uses a SIEM solution (Cisco Secure Network Analytics and Cisco Secure Cloud Analytics) for monitoring. You are the lead analyst and receive multiple alerts: (1) A host on the internal network is making thousands of outbound connections to a known malicious IP on port 80 in a short time. (2) At the same time, there is a spike in DNS queries from the same host to a domain that is registered very recently. (3) The firewall logs show that the host is communicating with internal servers on high ports (e.g., 4444, 5555). The host is a Windows 10 workstation used by the finance department. The user reports it has been slow recently. You have access to Cisco AMP for Endpoints, Cisco Firepower NGFW, and Cisco Stealthwatch. The environment has 500 endpoints, and the network uses 802.1X authentication. What should be your first course of action?

A. Check the current baseline for the host to confirm it is anomalous.
B. Block the malicious IP at the firewall and continue monitoring.
C. Update the antivirus signatures on the host and run a full scan.
D. Isolate the host from the network immediately and begin investigation.
Answer: D

Containment is the first priority before analysis.

Why this answer

Option D is correct because the combination of outbound connections to a known malicious IP, recent domain DNS queries, and internal C2-like traffic on high ports (4444, 5555) indicates a confirmed compromise. Immediate isolation via 802.1X or switch ACL stops lateral movement and data exfiltration while preserving forensic evidence. Cisco AMP for Endpoints can then be used to analyze the host offline without risking further spread.

Exam trap

Cisco often tests the principle of 'containment before eradication' — candidates mistakenly choose to block the IP or scan the host, but the correct first step is always to isolate the compromised endpoint to stop the attack from spreading.

How to eliminate wrong answers

Option A is wrong because checking the baseline is a passive analysis step that wastes time during an active, multi-indicator compromise; the alerts already confirm anomalous behavior. Option B is wrong because blocking only the external IP leaves the host still infected and able to communicate internally via high ports (e.g., 4444, 5555), allowing lateral movement and persistence. Option C is wrong because updating antivirus signatures and scanning is a reactive, slow step that may miss advanced malware; the host should be isolated first to prevent damage while a deeper investigation is conducted.

56
MCQ · hard

During a security incident, a network engineer captures traffic with tcpdump and saves it to a pcap file. The analyst needs to extract all HTTP POST requests containing a specific string in the URI. Which command should be used?

A. tcpdump -r traffic.pcap -X | grep 'string'
B. tcpdump -r traffic.pcap 'tcp port 80' -A | grep 'POST' | grep 'string'
C. ngrep -q -W byline 'POST.*string' port 80
D. tcpdump -r traffic.pcap -nn 'host 10.0.0.1'
Answer: B

Reads pcap, filters HTTP, prints ASCII, then greps for POST and string.

Why this answer

Option B is correct because it uses tcpdump with the `-r` flag to read the pcap file, filters for TCP port 80 (HTTP), uses `-A` to print packet payloads in ASCII, and then pipes the output through two grep commands: first to isolate lines containing 'POST' (indicating HTTP POST requests) and second to filter for the specific string in the URI. This combination efficiently extracts only the relevant HTTP POST requests with the target string from the captured traffic.

Exam trap

Cisco often tests the distinction between reading a pcap file with `-r` versus capturing live traffic, and the trap here is that candidates may forget to include the `-A` flag for ASCII output or the `tcp port 80` filter, leading to incomplete or irrelevant results.

How to eliminate wrong answers

Option A is wrong because `-X` prints both hex and ASCII, so the grep for 'string' will match any occurrence anywhere in the raw packet data, not specifically within HTTP POST URIs, and the command lacks both a port 80 filter and a POST filter. Option C is wrong because ngrep is not a standard tool included in most base Linux distributions or the Cisco exam's assumed toolset; as written it would also capture live traffic rather than read the saved file (ngrep reads a pcap only when given `-I traffic.pcap`), and the question asks for a tcpdump command, making this an incorrect choice. Option D is wrong because it filters only for traffic to/from host 10.0.0.1 with `-nn` (no name resolution), but it does not isolate HTTP POST requests or search for a specific string in the URI.

57
Matching · medium

Match each Cisco CyberOps concept to its description.



Security Operations Center

Confidentiality, Integrity, Availability

Indicator of Compromise

Tactics, Techniques, and Procedures

Adversary, Capability, Infrastructure, Victim

Why these pairings

These are fundamental concepts in cybersecurity analysis.

58
MCQ · easy

Based on the exhibit, which type of traffic is being denied?

A. Traffic permitted by the access group.
B. TCP traffic to a DNS server.
C. UDP traffic from an internal host to an external DNS server.
D. ICMP traffic from an external host.
Answer: C

The log matches UDP from inside to outside port 53.

Why this answer

The exhibit shows an access control list (ACL) entry that denies UDP traffic from any source to any destination with a destination port of 53, which is the standard port for DNS. Since the ACL is applied inbound on an interface facing the internal network, it specifically blocks UDP traffic originating from an internal host destined for an external DNS server. This matches option C exactly.

Exam trap

Cisco often tests the distinction between UDP and TCP for DNS traffic, leading candidates to assume that all DNS traffic uses UDP, when in fact DNS can use TCP for larger responses or zone transfers, and the ACL only blocks UDP.

How to eliminate wrong answers

Option A is wrong because the ACL is explicitly denying traffic, not permitting it; the access group is used to apply the ACL to the interface, but the ACL itself contains a deny statement. Option B is wrong because the ACL denies UDP traffic to port 53, but TCP traffic to a DNS server (port 53) is not affected by this rule; the rule only targets UDP. Option D is wrong because the ACL denies UDP traffic from any source, but ICMP is a different IP protocol (protocol number 1) and is not matched by a UDP-specific deny statement.

59
MCQ · medium

Refer to the exhibit. An analyst sees these syslog messages from the Cisco ASA. What is the most likely cause?

A. An external host attempting to connect to an internal server.
B. A denial-of-service attack from the external IP.
C. An internal host (10.0.0.10) is attempting to access the Internet on port 80 and is being blocked.
D. An internal host is performing a port scan of the external server.
Answer: C

The deny messages indicate outbound traffic is blocked.

Why this answer

The syslog messages show the Cisco ASA denying traffic from internal IP 10.0.0.10 to external destination 203.0.113.5 on TCP port 80. The ASA's access control list (ACL) is configured to block outbound HTTP traffic from this host, which is the most likely cause of the denial. The messages indicate a standard deny action, not a signature-based attack detection.

Exam trap

Cisco often tests the ability to read syslog message fields (source vs. destination) to determine traffic direction, and the trap here is that candidates may misinterpret the deny as an attack from the external IP (option A) or as a scan (option D) without carefully parsing the source and destination addresses.

How to eliminate wrong answers

Option A is wrong because the syslog shows the source IP is internal (10.0.0.10) and the destination is external (203.0.113.5), meaning the connection attempt originates from inside the network, not from an external host. Option B is wrong because a denial-of-service attack would typically generate multiple rapid connection attempts or specific DoS signatures, not a single deny message per connection; the ASA would also log a different severity or event type for DoS. Option D is wrong because a port scan would involve multiple destination ports or sequential connection attempts, but the log only shows a single denied connection to port 80, not a pattern of scanning behavior.

60
MCQ · hard

A Security Operations Center (SOC) uses Security Information and Event Management (SIEM) with event correlation. Analysts notice that alerts for a specific malware signature have decreased sharply after a new firewall rule was deployed. However, endpoint scans still show infections on several hosts. What is the most likely explanation for the decrease in SIEM alerts?

A. The firewall rule blocks the malware's C2 traffic, so SIEM no longer receives network alerts, but endpoint infections persist
B. The SIEM correlation rules were accidentally disabled during the firewall update
C. The SIEM is not receiving logs from the endpoint detection and response (EDR) tool
D. The malware has mutated into a different variant that evades detection
Answer: A

The SIEM relies on network events for that signature; blocking C2 traffic stops the alerts but does not remediate existing infections.

Why this answer

The firewall rule specifically blocks command-and-control (C2) traffic, which is the network communication channel the malware uses to send data or receive instructions. Since the SIEM relies on network-based alerts (e.g., from intrusion detection systems or firewall logs) to detect this traffic, blocking the C2 traffic eliminates those network alerts. However, the malware remains on the endpoints because the firewall does not remove the infection; it only prevents outbound communication, so endpoint scans still detect the malware files or processes.

Exam trap

Cisco often tests the concept that blocking C2 traffic reduces network alerts but does not remediate endpoint infections, leading candidates to mistakenly think the firewall rule eliminated the malware entirely.

How to eliminate wrong answers

Option B is wrong because if SIEM correlation rules were accidentally disabled, the SIEM would stop generating alerts for all events, not just for this specific malware signature, and the sharp decrease would be broad, not isolated to one signature. Option C is wrong because the SIEM not receiving logs from the EDR tool would cause a loss of endpoint-based alerts, but the question states that endpoint scans still show infections, implying the EDR is still functioning and reporting; the decrease is in SIEM alerts, which are primarily network-based in this context. Option D is wrong because if the malware mutated into a different variant, it would evade detection by both network and endpoint tools, but endpoint scans still detect the infections, indicating the original signature is still present on the hosts.

61
Multi-Select · hard

A security analyst is reviewing the firewall log exhibit. The analyst suspects that this traffic might be part of a command-and-control (C2) communication based on the packet size and the timing of similar events. Which TWO additional pieces of evidence would most strongly support the suspicion of C2 traffic?

Select 2 answers
A. The packet size is consistently 1452 bytes across multiple connections.
B. The destination IP is listed in a threat intelligence feed as a known C2 server.
C. The same source IP makes similar connections to the same destination IP every 60 seconds.
D. The source IP also connected to multiple other external IPs on port 443 within the same hour.
E. The traffic is using HTTPS (port 443) which is commonly used for covert channels.
Answers: B, C

Threat intelligence provides direct evidence of malicious intent.

Why this answer

Option B is correct because a destination IP listed in a threat intelligence feed as a known C2 server directly indicates that the endpoint is associated with malicious command-and-control infrastructure. This external corroboration is strong evidence that the traffic is part of a C2 channel, as threat feeds aggregate confirmed indicators of compromise (IoCs) from multiple sources.

Exam trap

Cisco often tests the distinction between generic network behavior (like consistent packet sizes or common port usage) and specific indicators of compromise (like threat intelligence matches or periodic beaconing), trapping candidates who mistake normal traffic patterns for malicious activity.
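The periodic pattern named in options 53-A and 61-C can be tested for directly in connection records. The following is an added example, not part of the exam page: it groups constructed firewall-style records by source/destination pair and flags pairs whose inter-connection gaps have very low jitter; the log format, addresses and thresholds are all constructed for illustration.

```python
"""Beacon (periodic C2 call-home) detection over connection records.

Added example, not from the exam page. Input is a constructed, space-separated log
("<ISO timestamp> <src> <dst> <dport>"), standing in for firewall or NetFlow
records. A (src, dst, dport) pair is flagged when it has enough connections and the
gaps between them are nearly constant, the pattern behind options 53-A and 61-C.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: 10.0.0.50 contacts one address every ~60 s (beacon-like);
# 10.0.0.23 reaches several addresses at irregular times (ordinary HTTPS use,
# the benign pattern of option 61-D).
SAMPLE_LOG = """\
2024-05-01T09:00:00 10.0.0.50 198.51.100.7 443
2024-05-01T09:00:02 10.0.0.23 203.0.113.80 443
2024-05-01T09:01:00 10.0.0.50 198.51.100.7 443
2024-05-01T09:01:31 10.0.0.23 203.0.113.81 443
2024-05-01T09:02:01 10.0.0.50 198.51.100.7 443
2024-05-01T09:02:45 10.0.0.23 203.0.113.80 443
2024-05-01T09:03:00 10.0.0.50 198.51.100.7 443
2024-05-01T09:03:02 10.0.0.23 203.0.113.82 443
2024-05-01T09:04:00 10.0.0.50 198.51.100.7 443
2024-05-01T09:05:00 10.0.0.50 198.51.100.7 443
"""


def parse_log(text):
    """Parse the constructed log into (datetime, src, dst, dport) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    return records


def find_beacons(records, min_connections=5, max_jitter=0.2):
    """Return {(src, dst, dport): (mean_gap_seconds, jitter)} for periodic pairs.

    jitter is the coefficient of variation (stdev / mean) of the gaps between
    successive connections: close to 0 means the host calls out on a timer.
    Pairs with fewer than min_connections events are skipped because a handful
    of hits cannot establish periodicity.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, dport in records:
        by_pair[(src, dst, dport)].append(ts)

    beacons = {}
    for pair, times in by_pair.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [(later - earlier).total_seconds()
                for earlier, later in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        jitter = pstdev(gaps) / avg
        if jitter <= max_jitter:
            beacons[pair] = (round(avg, 1), round(jitter, 3))
    return beacons


if __name__ == "__main__":
    for (src, dst, dport), (avg, jitter) in find_beacons(parse_log(SAMPLE_LOG)).items():
        print(f"possible beacon: {src} -> {dst}:{dport} every {avg}s (jitter {jitter})")
```

Real beacons often add deliberate jitter, so the `max_jitter` tolerance is a tuning knob rather than a fixed constant; a threat-intelligence match on the destination (option 61-B) is the independent corroboration the question asks for.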

62
MCQ · medium

A company uses a SIEM with correlation rules. They notice that a rule designed to detect brute-force attacks is not triggering even though failed logins are occurring. Which is the most likely cause?

A. The SIEM is receiving too many logs and dropping events.
B. The correlation rule threshold is set too high.
C. The SIEM time zone is misconfigured.
D. The log source is not sending syslog data.
Answer: B

The number of failed attempts may be below the threshold.

Why this answer

A SIEM correlation rule for brute-force attacks typically triggers when the number of failed login attempts from a single source exceeds a defined threshold within a specific time window. If the threshold is set too high, the rule will not fire even though failed logins are occurring, because the count never reaches the required value. This is the most direct and common cause for a correlation rule not triggering when expected.

Exam trap

Cisco often tests the concept that a correlation rule's threshold is a direct control over its sensitivity, and candidates may mistakenly attribute the issue to data ingestion problems (like dropped logs or misconfigured time zones) rather than the rule's own configuration.

How to eliminate wrong answers

Option A is wrong because while a SIEM can drop events when overwhelmed, this would typically cause incomplete or missing data, not a consistent failure of a specific correlation rule to trigger; the rule would still fire if the threshold were met in the logs that are processed. Option C is wrong because a time zone misconfiguration would cause timestamps to be offset, potentially affecting time-window calculations, but it would not prevent the rule from triggering entirely if the raw count of failed logins still exceeds the threshold within the adjusted window. Option D is wrong because if the log source were not sending syslog data, the SIEM would not receive any failed login events at all, and the question explicitly states that failed logins are occurring, meaning the logs are being received.

63
Matching · medium

Match each network device to its primary function.



Filters traffic based on security rules

Detects suspicious activity and alerts

Detects and blocks malicious traffic inline

Forwards packets between networks

Forwards frames within a LAN

Why these pairings

These devices are fundamental to network security architecture.

64
MCQ · hard

Based on the exhibit, what condition triggers an alert?

A. More than 1000 DNS queries from a single source within 60 seconds.
B. A single DNS query to a known malicious domain.
C. Any UDP traffic to port 53 exceeding 1000 packets per second.
D. More than 1000 UDP connections to port 53 within 60 seconds.
Answer: A

This matches typical DNS anomaly detection for excessive queries.

Why this answer

The exhibit shows a rule configured to trigger an alert when the number of DNS queries from a single source IP exceeds 1000 within a 60-second sliding window. This is a rate-based threshold designed to detect DNS amplification or tunneling attacks, where a single host generates an abnormally high volume of DNS requests. Option A correctly describes this condition.

Exam trap

Cisco often tests the distinction between a rate-based threshold (counting events over time) and a signature-based match (single event), leading candidates to confuse a single malicious query with a volumetric anomaly.

How to eliminate wrong answers

Option B is wrong because a single DNS query to a known malicious domain would typically be detected by a signature-based or threat-intelligence rule, not by a rate-based threshold as shown in the exhibit. Option C is wrong because the rule specifically counts DNS queries (typically UDP packets to port 53), not all UDP traffic to port 53; the threshold is based on queries, not raw packets, and the exhibit shows a query count, not a packet-per-second rate. Option D is wrong because the rule counts DNS queries, not UDP connections; DNS queries are typically stateless UDP datagrams, not connections, and the exhibit does not reference connection tracking or a 60-second window for connections.
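Questions 62 and 64 both describe the same mechanism: a count of events per source over a rolling time window compared against a threshold. Here is an added example (not from the exam page) that implements that rule once and runs it over constructed data for both cases, showing a brute-force burst that an over-high threshold never fires on and a DNS query-rate rule that does fire; the timestamps, addresses and thresholds are constructed.

```python
"""Sliding-window correlation rule (added example, not from the exam page).

Models the threshold rules discussed in questions 62 and 64: count events per source
inside a rolling time window and alert when the count exceeds a threshold. The
constructed data shows why an over-high threshold never fires for a brute-force
burst (Q62) and how a "> 1000 DNS queries from one source in 60 s" rule fires (Q64).
"""
from collections import defaultdict, deque


def evaluate_rule(events, window_s, threshold):
    """Run a count-over-window rule.

    events: iterable of (epoch_seconds, source_key); order does not matter.
    Returns [(source_key, alert_time), ...]. A source alerts when its event count
    in the trailing `window_s` seconds first exceeds `threshold`, then re-arms only
    after the count falls back to the threshold or below (no alert flood).
    """
    alerts = []
    recent = defaultdict(deque)            # per-source timestamps still inside the window
    armed = defaultdict(lambda: True)
    for ts, src in sorted(events):
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] >= window_s:  # evict events that aged out of the window
            q.popleft()
        if len(q) > threshold:
            if armed[src]:
                alerts.append((src, ts))
                armed[src] = False
        else:
            armed[src] = True
    return alerts


# Constructed data (not real logs): 12 failed VPN logins from one address in 44 s,
# plus two unrelated single failures from another address.
FAILED_LOGINS = [(1000 + 4 * i, "203.0.113.9") for i in range(12)]
FAILED_LOGINS += [(1005, "198.51.100.2"), (1300, "198.51.100.2")]


def brute_force_alerts(threshold, window_s=60):
    """Q62: the same failed-login stream evaluated at a given threshold.

    With threshold=20 the 12-attempt burst never reaches the count and the rule
    stays silent even though the failures are all in the logs; threshold=10 fires.
    """
    return evaluate_rule(FAILED_LOGINS, window_s, threshold)


def dns_rate_alerts(window_s=60, threshold=1000):
    """Q64: 1200 queries from 10.0.0.77 at 30/s versus 30 queries from 10.0.0.5 at 0.5/s."""
    queries = [(2000 + i // 30, "10.0.0.77") for i in range(1200)]   # constructed
    queries += [(2000 + 2 * i, "10.0.0.5") for i in range(30)]        # constructed
    return evaluate_rule(queries, window_s, threshold)


if __name__ == "__main__":
    print("threshold 20:", brute_force_alerts(20))   # [] -> rule too insensitive
    print("threshold 10:", brute_force_alerts(10))   # fires at t=1040
    print("DNS rule:", dns_rate_alerts())            # fires for 10.0.0.77 at t=2033
```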

65
MCQ · easy

A security analyst notices repeated failed login attempts from a single IP address to the company's VPN gateway. Which action should the analyst take first?

A. Escalate to the incident response team immediately.
B. Block the IP at the firewall immediately.
C. Investigate the source IP for malicious activity.
D. Ignore the activity as it may be a user error.
Answer: C

Investigation helps determine the nature of the failed attempts before taking action.

Why this answer

Option C is correct because the first step in security monitoring is to investigate the source IP to determine if the failed login attempts are part of a brute-force attack, a misconfigured client, or a legitimate user error. Without context, blocking the IP or escalating prematurely could disrupt legitimate access or waste resources. The analyst should gather evidence (e.g., logs, timestamps, user accounts targeted) before taking further action.

Exam trap

Cisco often tests the principle that investigation must precede action, tempting candidates to choose immediate blocking (Option B) because it seems proactive, but the correct first step is always to gather context to avoid disrupting legitimate traffic.

How to eliminate wrong answers

Option A is wrong because escalating to the incident response team immediately without investigation is premature; the analyst must first confirm malicious intent to avoid unnecessary escalation. Option B is wrong because blocking the IP at the firewall immediately could deny service to a legitimate user if the IP is shared (e.g., NAT) or if the attempts are due to a forgotten password, and it bypasses the required investigative step. Option D is wrong because ignoring the activity violates security monitoring best practices; repeated failed login attempts are a common indicator of brute-force attacks and must be investigated, not dismissed as user error.

66
MCQ · easy

A SOC analyst receives an alert for 'Malware Detected' from an endpoint sensor. The analyst checks the endpoint and sees a file named 'invoice.exe' in the Downloads folder. What should the analyst do first?

A. Escalate to a senior analyst.
B. Run a full antivirus scan.
C. Isolate the host from the network.
D. Delete the file immediately.
Answer: C

Contains the threat and prevents spread.

Why this answer

The correct first step is to isolate the host from the network (C) because the alert indicates active malware ('invoice.exe' in Downloads). Containment is the immediate priority in incident response to prevent lateral movement and data exfiltration. Isolating the host stops any ongoing C2 communication or propagation over the network, aligning with the NIST SP 800-61 containment strategy.

Exam trap

Cisco often tests the incident response priority of containment over eradication or escalation, and the trap here is that candidates may choose to delete the file (D) or run a scan (B) first, mistaking remediation for the initial response step.

How to eliminate wrong answers

Option A is wrong because escalation to a senior analyst should occur after initial containment, not before; the SOC analyst has the authority and responsibility to isolate the host first. Option B is wrong because running a full antivirus scan is a secondary step that could tip off the malware or its operator and consumes time while the threat remains active on the network. Option D is wrong because deleting the file immediately destroys forensic evidence and does not stop in-memory or persistence mechanisms that may already be active.

67
MCQ · easy

An analyst is reviewing a suspicious email reported by a user. The email contains an attachment 'invoice.pdf' and urges the user to open it. Which indicator is most likely to confirm it is a phishing attempt?

A. The email has a company logo.
B. The email was sent from a domain that looks like 'arnazon.com'.
C. The attachment is a PDF file.
D. The email was sent during business hours.
Answer: B

Typo-squatting domain indicates phishing.

Why this answer

The most definitive indicator of a phishing attempt is a spoofed sender domain that mimics a legitimate company (e.g., 'arnazon.com' instead of 'amazon.com'). This is a classic typosquatting technique used to deceive users into trusting the email's origin. While other elements like logos or PDF attachments can be part of a phishing campaign, they are not inherently malicious and are commonly used in legitimate business communications.

Exam trap

Cisco often tests the distinction between a suspicious element (like a PDF attachment) and a definitive indicator of phishing (like a spoofed domain), leading candidates to incorrectly choose the attachment type as the answer.

How to eliminate wrong answers

Option A is wrong because a company logo can be easily copied and embedded in any email; its presence does not confirm phishing and is often used in both legitimate and malicious emails. Option C is wrong because PDF files are a standard, legitimate file format used for invoices; the attachment type alone is not an indicator of phishing. Option D is wrong because phishing emails can be sent at any time, including business hours, to blend in with normal traffic; timing is not a reliable indicator of malicious intent.
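The 'arnazon.com' case above is mechanical enough to check automatically. The following added example (not from the exam page) classifies a reported sender's domain against a constructed allowlist of trusted domains, catching visual substitutions such as 'rn' for 'm', small edit-distance variants, and brand names embedded in an unrelated domain; the allowlist, substitution table and sample addresses are constructed.

```python
"""Lookalike sender-domain check (added example, not from the exam page).

Classifies the sender domain of a reported e-mail against an allowlist of trusted
domains. A domain is a "lookalike" when it matches a trusted domain after undoing
common visual substitutions ('rn' for 'm', '1' for 'l', ...), when it is within a
small edit distance of one, or when it embeds the trusted brand as a label
(e.g. 'amazon-account.net'). The 'arnazon.com' case from question 67 is the first kind.
Assumption: trusted domains are plain registrable names such as 'amazon.com'.
"""

# Visual substitutions applied in order; a constructed, intentionally small table.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]

# Constructed allowlist for the example.
TRUSTED = ["amazon.com", "example.com"]


def normalize_homoglyphs(domain):
    """Collapse look-alike character sequences so 'arnazon.com' -> 'amazon.com'."""
    for fake, real in HOMOGLYPHS:
        domain = domain.replace(fake, real)
    return domain


def levenshtein(a, b):
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def sender_domain(address):
    """Lower-cased domain part of an e-mail address."""
    return address.rsplit("@", 1)[-1].strip().lower()


def classify_sender(address, trusted=TRUSTED, max_distance=2):
    """Return ('trusted' | 'lookalike' | 'unrelated', matched_trusted_domain_or_None)."""
    domain = sender_domain(address)
    for t in trusted:
        if domain == t or domain.endswith("." + t):
            return "trusted", t            # exact domain or a genuine subdomain of it
    for t in trusted:
        brand = t.split(".")[0]
        if normalize_homoglyphs(domain) == normalize_homoglyphs(t):
            return "lookalike", t          # e.g. arnazon.com, examp1e.com
        if levenshtein(domain, t) <= max_distance:
            return "lookalike", t          # e.g. exampel.com (transposed letters)
        if brand in domain.replace("-", ".").split("."):
            return "lookalike", t          # e.g. amazon-account.net
    return "unrelated", None


if __name__ == "__main__":
    for addr in ["billing@arnazon.com", "noreply@mail.amazon.com",
                 "info@examp1e.com", "support@amazon-account.net", "news@cisco.com"]:
        print(addr, "->", classify_sender(addr))
```

A lookalike verdict is an indicator to act on, not proof by itself; the usual next step is to check the message's authentication results (SPF, DKIM, DMARC) for the claimed domain and the attachment in a sandbox.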

68
MCQ · hard

An organization uses Cisco AMP for Endpoints. A file with a low prevalence score is executed on multiple endpoints, and AMP identifies it as malicious after behavioral analysis. The analyst needs to ensure that all endpoints are protected from this file. Which action should be taken?

A. Create a custom IOC for the file hash and apply it to an outbreak policy.
B. Isolate all endpoints that executed the file.
C. Disable cloud connectivity for AMP to prevent recurrence.
D. Run a scan on each endpoint using the local AMP engine.
Answer: A

Outbreak policy blocks the file across all endpoints.

Why this answer

Creating a custom IOC for the file hash and applying it to an outbreak policy is correct because Cisco AMP for Endpoints uses outbreak policies to rapidly deploy protections across all endpoints. Once behavioral analysis identifies the file as malicious, the IOC (based on the file's SHA-256 hash) can be pushed via an outbreak policy to block execution, quarantine, or remediate the file on every endpoint, regardless of prior prevalence. This ensures immediate, global protection without waiting for cloud signature updates.

Exam trap

Cisco often tests the distinction between reactive containment (isolation) and proactive prevention (outbreak policies), leading candidates to choose isolation because it seems immediate, but the question asks for ensuring all endpoints are protected, which requires a policy-based push, not just isolating affected systems.

How to eliminate wrong answers

Option B is wrong because isolating all endpoints that executed the file is a reactive containment step that does not prevent the file from executing on other endpoints that have not yet encountered it; it also disrupts user productivity unnecessarily. Option C is wrong because disabling cloud connectivity for AMP would prevent the endpoints from receiving real-time threat intelligence and outbreak policies, leaving them vulnerable to new threats and defeating the purpose of AMP's cloud-based analysis. Option D is wrong because running a local scan using the AMP engine only checks for known signatures already present on the endpoint; it cannot detect or remediate a file that was just identified as malicious via behavioral analysis unless the local signatures are updated, which is slower and less reliable than an outbreak policy.

69
MCQ · hard

A company uses a SIEM that collects logs from firewalls, servers, and endpoints. The SIEM is generating a high volume of low-priority events, causing analysts to miss critical alerts. Which approach would best improve the signal-to-noise ratio?

A. Implement event filtering and correlation rules to reduce false positives.
B. Deploy additional sensors to collect more data.
C. Hire more analysts to review all events.
D. Increase the storage capacity of the SIEM.
Answer: A

Filtering and correlation reduce noise and highlight relevant events.

Why this answer

The SIEM's high volume of low-priority events indicates a poor signal-to-noise ratio, where benign or irrelevant events drown out critical alerts. Implementing event filtering and correlation rules directly reduces false positives by discarding known noise (e.g., repeated benign scans) and grouping related events into meaningful alerts, allowing analysts to focus on genuine threats. This is the standard approach in SIEM tuning to improve detection fidelity without adding resources or data.

Exam trap

Cisco often tests the misconception that 'more data equals better security' (Option B), but the real goal is to reduce noise through intelligent filtering and correlation, not to increase data volume.

How to eliminate wrong answers

Option B is wrong because deploying additional sensors would increase the total volume of events, likely worsening the noise problem rather than improving the signal-to-noise ratio. Option C is wrong because hiring more analysts does not address the root cause of excessive low-priority events; it merely shifts the bottleneck from missing alerts to manual review, which is inefficient and unsustainable. Option D is wrong because increasing storage capacity only allows the SIEM to retain more events, but does nothing to reduce the volume of low-priority alerts or improve alert prioritization.

70
MCQ · medium

A Cisco Firepower sensor is generating an alert for a known benign application. The analyst has verified it is a false positive. What is the first step to suppress this alert?

A. Create a network analysis policy exception.
B. Increase the severity threshold.
C. Submit a false positive report to Talos.
D. Disable the intrusion rule globally.
Answer: A

This suppresses the alert for the specific benign traffic without affecting other detections.

Why this answer

A network analysis policy (NAP) exception is the correct first step because it allows you to suppress alerts for specific benign applications without affecting the overall detection posture. In Cisco Firepower, NAP exceptions are applied before intrusion rules are evaluated, so they can filter out known false positives at the preprocessor level, preventing the rule from even triggering. This is more efficient than modifying the intrusion rule itself, as it avoids disabling detection for other traffic.

Exam trap

Cisco often tests the distinction between preprocessor-level suppression (NAP exceptions) and rule-level suppression (disabling rules), where candidates mistakenly choose to disable the rule globally instead of creating a targeted exception.

How to eliminate wrong answers

Option B is wrong because increasing the severity threshold would suppress all alerts below that severity level, not just the specific benign application, potentially missing real threats. Option C is wrong because submitting a false positive report to Talos is a feedback mechanism for improving future rule updates, not an immediate operational step to suppress an alert. Option D is wrong because disabling the intrusion rule globally would stop all alerts from that rule, including for malicious traffic that the rule is designed to detect, which is too broad and risky.

71
MCQ · medium

A security analyst is reviewing logs from a web proxy and sees that a user's machine is making frequent connections to a domain that is registered recently and has a low reputation score. What is the best action?

A. Check if the user has a legitimate need to access the domain.
B. Disable the user's network access.
C. Block the domain immediately.
D. Ignore because it might be a false positive.
Answer: A

Investigating the purpose of the connection helps determine if the activity is malicious.

Why this answer

The best action is to check if the user has a legitimate need to access the domain because a recently registered domain with a low reputation score is a strong indicator of potential malicious activity, but it could also be a false positive or a legitimate new service. Security analysts must validate the context through user inquiry or additional log correlation before taking irreversible actions like blocking or disabling access. This aligns with the principle of least disruption and evidence-based decision-making in security monitoring.

Exam trap

Cisco often tests the misconception that a low reputation score alone justifies immediate blocking, but the trap here is that the question requires you to prioritize investigation over reaction, as the best action is to gather context before applying a control.

How to eliminate wrong answers

Option B is wrong because disabling the user's network access is an overly aggressive response that disrupts productivity without confirming malicious intent, and it violates the principle of verifying before acting. Option C is wrong because blocking the domain immediately could break legitimate business operations if the domain is a newly registered but legitimate service, and it bypasses the necessary validation step. Option D is wrong because ignoring the alert dismisses a high-risk indicator (recent registration + low reputation) that commonly correlates with command-and-control (C2) traffic or phishing domains, and false positives should be investigated, not ignored.

72
MCQ · easy

Which of the following is a common indicator of a brute-force attack on an SSH server?

A. A single failed login attempt.
B. Multiple successful logins from the same user.
C. Repeated login attempts with different usernames and passwords in a short period.
D. High CPU usage on the server.
Answer: C

This pattern matches brute-force attacks trying to guess credentials.

Why this answer

A brute-force attack on an SSH server is characterized by a high volume of authentication attempts, typically using different usernames and passwords, in a short time window. This pattern aims to guess valid credentials through repeated trial and error, which is distinct from a single failure or a few successful logins. The rapid, automated nature of the attempts is the key indicator that distinguishes brute-force activity from normal user behavior.

Exam trap

Cisco often tests the distinction between a single failed login (normal) and a pattern of repeated failures (attack), leading candidates to mistakenly choose Option A because they focus on the word 'failed' rather than the volume and pattern of attempts.

How to eliminate wrong answers

Option A is wrong because a single failed login attempt is a normal event that can occur due to a typo or forgotten password, and does not indicate a systematic attack. Option B is wrong because multiple successful logins from the same user could indicate legitimate concurrent sessions or a compromised account, but it is not a direct sign of a brute-force attack, which focuses on failed attempts. Option D is wrong because high CPU usage on the server can have many causes, such as resource-intensive processes or denial-of-service attacks, and is not a specific or reliable indicator of SSH brute-force attempts.

73
MCQ · easy

A SOC analyst is reviewing a firewall log and sees a large number of outbound connections from an internal server to a known command-and-control (C2) domain. The connections are on port 443, and the packets have irregular timing. What should the analyst do first?

A. Isolate the server from the network and escalate to incident response.
B. Check the server's logs for signs of compromise.
C. Ignore the alert because port 443 is normal traffic.
D. Block the domain at the firewall immediately.
Answer: A

Containment first.

Why this answer

The irregular timing and outbound connections to a known C2 domain on port 443 strongly indicate a compromised host using HTTPS to blend in with normal traffic. Isolating the server first prevents further data exfiltration or lateral movement while preserving forensic evidence, which aligns with the NIST incident response framework. Escalating to incident response ensures proper handling and analysis.

Exam trap

Cisco often tests the principle of containment before investigation, where candidates mistakenly choose to investigate logs first instead of isolating the compromised host to prevent further damage.

How to eliminate wrong answers

Option B is wrong because checking the server's logs before containment risks the attacker destroying evidence or continuing malicious activity; isolation must come first. Option C is wrong because while port 443 is used for legitimate HTTPS, the combination of a known C2 domain and irregular timing is a clear indicator of compromise, not normal traffic. Option D is wrong because blocking the domain at the firewall alone does not stop the compromised server from using other C2 domains or IPs, and it may alert the attacker without containing the host.

74
MCQ · medium

A security analyst observes repeated failed login attempts to an internal web server from multiple external IP addresses. The analyst creates a correlation rule that triggers an alert if more than 10 failed logins occur from a single source IP within 5 minutes. After deploying the rule, the analyst finds that the rule generates false positives from legitimate users who mistype passwords. Which action should the analyst take to reduce false positives while maintaining detection effectiveness?

A. Whitelist all external IP addresses that belong to business partners.
B. Reduce the time window to 2 minutes to catch attacks faster.
C. Change the rule to block the source IP after 5 failed attempts.
D. Increase the threshold to 15 failed logins within a 10-minute window.
Answer: D

Higher threshold and longer window reduce false positives from occasional mistypes while still detecting sustained attacks.

Why this answer

Option D is correct because increasing the threshold to 15 failed logins within a 10-minute window reduces false positives by allowing more mistyped attempts from legitimate users before triggering an alert, while still detecting brute-force attacks. The longer time window and higher threshold smooth out transient user errors without significantly delaying detection of sustained attack patterns.

Exam trap

Cisco often tests two misconceptions here: that reducing the time window or lowering the threshold improves detection, when in fact it increases false positives; and that whitelisting or blocking IPs is a proper tuning action, when the correct approach is to adjust the rule's own parameters.

How to eliminate wrong answers

Option A is wrong because whitelisting external IPs of business partners would bypass security monitoring entirely, allowing those IPs to conduct unlimited failed logins without triggering alerts, which could mask compromised partner accounts. Option B is wrong because reducing the time window to 2 minutes would increase false positives by making the rule more sensitive to brief bursts of legitimate mistypes, and it would not address the root cause of user errors. Option C is wrong because changing the rule to block the source IP after 5 failed attempts would aggressively block legitimate users after a few mistypes, causing denial-of-service for valid users and potentially blocking shared IPs (e.g., NAT) used by multiple people.

75
MCQ · hard

Refer to the exhibit. An analyst sees these log messages on a Cisco router. The source IP 10.0.0.2 is an internal server. What is the most likely explanation?

A. An external host is scanning the router.
B. The router is under a brute-force attack on the HTTP server.
C. The internal server is trying to access the router's web interface, which is blocked by an ACL.
D. The router is infected with malware and generating traffic.
Answer: C

The router's own IP is being targeted on HTTP; this is likely management access.

Why this answer

The log messages show repeated TCP connection attempts from internal server 10.0.0.2 to the router's IP on port 443 (HTTPS) and port 80 (HTTP), which are denied by an ACL. Since the source is an internal server and the destination is the router's own IP, this indicates the server is trying to reach the router's web interface, but the ACL is blocking those packets. Option C correctly identifies this scenario.

Exam trap

Cisco often tests the distinction between inbound vs. outbound traffic and internal vs. external sources, so the trap here is assuming any denied traffic to a router must be an external attack, when the source IP clearly shows it is an internal host.

How to eliminate wrong answers

Option A is wrong because the source IP 10.0.0.2 is internal, not external, so this is not an external host scanning the router. Option B is wrong because a brute-force attack on the HTTP server would typically show repeated authentication failures (e.g., HTTP 401 or 403 responses) or many login attempts, not simple TCP connection denials by an ACL. Option D is wrong because malware on the router would generate traffic from the router to other hosts, not inbound connection attempts to the router's own web interface; the logs show inbound packets being denied, not outbound traffic.

Page 1 of 2 · 121 questions total
