Security Monitoring practice questions

Monitoring questions test your ability to match the right signal type to the right tool. Metrics for dashboards, logs for forensics, traces for distributed systems — keep this mapping in mind for every scenario.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed by Johnson Ajibi · MSc IT Security
20 questions · Domain: Security Monitoring

What the exam tests

What to know about Security Monitoring

Monitoring and logging questions test metrics, logs, and traces as the three pillars of observability, and how to choose the right tool for each signal type.

Metrics (time-series data), logs (events), and traces (distributed request flow) — and which tools handle each.

Alert types: threshold-based, anomaly-based, and composite — and when each is appropriate.

Log levels: DEBUG, INFO, WARN, ERROR, CRITICAL — and what should be logged at each level.

Retention policies, aggregation, and the cost trade-off of storing high-cardinality data.

Watch out for

Common Security Monitoring exam traps

  • Choosing a logging solution for real-time metric alerting — logs work for metrics but introduce latency.
  • Setting all log levels to DEBUG in production — high-volume debug logging degrades performance.
  • Treating an alert silence as a resolution — silencing without root-cause investigation leaves the issue active.
  • Forgetting that distributed tracing requires instrumentation in every service in the call chain.

Practice set

Security Monitoring questions

20 questions · select your answer, then reveal the explanation

An analyst notices repeated failed SSH attempts from an external IP to a server. The analyst wants to quickly see all SSH-related events from that IP in the last hour. Which approach is most efficient?

A security team implements a network-based IPS. During testing, they find that legitimate traffic is frequently blocked. Which tuning approach should they prioritize?

An analyst is investigating a host that is beaconing to a known malicious domain every 60 seconds. The host also shows outbound connections to multiple IPs on port 443. To confirm the beaconing, which data source is most useful?

A SOC analyst receives an alert for 'Malware Detected' from an endpoint sensor. The analyst checks the endpoint and sees a file named 'invoice.exe' in the Downloads folder. What should the analyst do first?

A company uses a SIEM with correlation rules. They notice that a rule designed to detect brute-force attacks is not triggering even though failed logins are occurring. Which is the most likely cause?

During an incident, an analyst needs to determine if a specific user account 'jsmith' was used from a remote IP during a breach window. Which log sources should the analyst check first?

An organization uses a SIEM that ingests logs from multiple sources. The analysts are overwhelmed with alerts, many of which are false positives. Which strategy best reduces alert fatigue without increasing risk?

An analyst is reviewing a suspicious email reported by a user. The email contains an attachment 'invoice.pdf' and urges the user to open it. Which indicator is most likely to confirm it is a phishing attempt?

A network engineer configures a SPAN port to send traffic from a critical server to an IDS. After configuration, the IDS sees no traffic. What is the most likely issue?

Question 10 · hard · multiple choice

An analyst observes a sudden spike in DNS queries from an internal host to a random subdomain of a legitimate domain (e.g., randomstring.google.com). This behavior is consistent with which technique?

Question 11 · easy · multiple choice

A company wants to monitor for unauthorized wireless access points. Which technique should they implement?

Which TWO are common indicators of a compromised host? (Choose two.)

Which THREE are essential components of a security monitoring strategy? (Choose three.)

Which TWO are best practices for managing SIEM alerts to reduce false positives? (Choose two.)

Which THREE are typical sources of log data used in security monitoring? (Choose three.)

Question 16 · hard · multiple choice

Refer to the exhibit. An analyst configures an ACL to block traffic to a malicious host on port 443. After applying it inbound on the external interface, the analyst sees the ACL counters. What does the output indicate?

Exhibit:

```
Router# show ip access-lists
Extended IP access list BLOCK_MALICIOUS
    10 deny tcp any host 203.0.113.5 eq 443
    20 permit ip any any (2623 matches)
```

Question 17 · medium · multiple choice

Refer to the exhibit. An analyst sees this syslog message from a Cisco ASA. What does this log entry indicate?

Exhibit:

```
Mar  1 12:34:56 192.168.1.100 %ASA-4-106023: Deny tcp src outside:10.0.0.1/54321 dst inside:192.168.1.100/80 by access-group "OUTSIDE_IN" [0x0, 0x0]
```

Refer to the exhibit. An EDR alert shows this JSON event. What is the most significant indicator of a potential malware infection?

Exhibit:

```
{
  "event": "Process Creation",
  "timestamp": "2024-08-01T10:00:00Z",
  "hostname": "DESKTOP-ABC123",
  "user": "jsmith",
  "process": "C:\\Users\\jsmith\\Downloads\\invoice.exe",
  "parent_process": "C:\\Windows\\explorer.exe"
}
```

Question 19 · hard · multiple choice

You are a SOC analyst at a mid-sized company. The company uses a SIEM that ingests logs from firewalls, IDS, and endpoints. Over the past week, you've noticed a gradual increase in outbound traffic from several internal hosts to IP addresses in a foreign country during non-business hours. The traffic is primarily on port 443. The IDS has not generated any alerts. The firewall logs show the connections are established. You check the endpoints and find no unusual processes running. However, the outbound connections persist. What is the most likely explanation and the best next step?

Question 20 · medium · multiple choice

You are a security administrator for a company with 500 employees. The company uses a SIEM with basic correlation rules. Recently, the HR department reported that several employees received phishing emails with a link to a fake login page. The emails bypassed the spam filter. You want to detect if any employees clicked the link. You have access to web proxy logs, DNS logs, and endpoint antivirus logs. The phishing link is 'http://malicious-login.com/verify'. Which action should you take first to identify affected users?

Frequently asked questions

What does the 200-201 exam test about Security Monitoring?
Monitoring and logging questions test metrics, logs, and traces as the three pillars of observability, and how to choose the right tool for each signal type.
How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.
Can I practise just Security Monitoring questions in a focused session?
Yes — the session launcher on this page draws every question from the Security Monitoring domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.
Where can I practise other 200-201 topics?
Use the topic links above to move to related areas, or go back to the 200-201 question bank to see all topics.
Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the 200-201 exam covers. They are not copied from any real exam or dump site.