CCNA Security Monitoring Questions

46 of 121 questions · Page 2/2 · Security Monitoring topic

76 · Multi-Select · hard

Which THREE of the following are indicators that a network may be compromised by a botnet?

Select 3 answers
A. Unusual outbound traffic to known command-and-control servers.
B. Multiple systems communicating with the same external IP at regular intervals.
C. High volume of ICMP echo requests.
D. Endpoint alerts of known malware signatures.
E. Increase in legitimate business traffic.
Answers: A, B, D

C&C communication is a hallmark of botnet activity.

Why this answer

Option A is correct because botnet-infected systems typically communicate with command-and-control (C2) servers to receive instructions or exfiltrate data. Unusual outbound traffic to known C2 IPs or domains is a strong indicator of botnet activity, as legitimate traffic rarely targets these addresses. Security monitoring tools often use threat intelligence feeds to flag such connections.

Exam trap

Cisco often tests the distinction between generic attack symptoms (like high ICMP volume) and specific botnet indicators (like C2 communication and beaconing); candidates mistakenly select Option C because they associate any unusual traffic with botnets without considering the precise behavioral patterns.

77 · MCQ · medium

A SOC analyst is monitoring network traffic using Cisco Stealthwatch. An alert is generated indicating a large volume of data being transferred from a critical server to an external IP address during off-hours. The analyst observes that the data transfer is using encrypted HTTPS traffic to a cloud storage provider. The server is known to host sensitive customer data. The analyst reviews the server's outbound firewall rules and finds that HTTPS traffic to any destination is allowed. The analyst checks the server's recent login logs and sees an authentication from a user account that is typically used by a contractor who only works during business hours. The contractor's account has not been disabled after the contract ended last week. What should the analyst do first?

A. Ignore the alert because the traffic is encrypted and cannot be inspected.
B. Immediately block the external IP address at the firewall to stop the data transfer.
C. Investigate the alert further by checking the server for any signs of malware or unauthorized access, and then escalate to the incident response team.
D. Disable the contractor's user account and notify the IT manager.
Answer: C

This is the correct first action. The analyst should collect additional evidence (e.g., process lists, network connections, file system changes) to confirm the incident. Only after validation should escalation and containment occur, following the incident response plan.

Why this answer

The correct first step is to investigate the alert further to confirm whether it is a genuine security incident. Option C is correct because it follows established incident response procedures: gather more evidence (e.g., check for malware, unauthorized access) before taking containment or eradication actions. Prematurely blocking the IP (B) could disrupt legitimate business operations if the transfer is authorized.

Disabling the account (D) is a valid remediation step but should occur after confirming the incident and as part of a coordinated response. Ignoring the alert (A) is dangerous because encryption does not automatically indicate benign activity; exfiltration often uses HTTPS to evade detection.

78 · MCQ · hard

An organization uses Cisco Stealthwatch for network traffic analysis. The analyst observes a sudden increase in traffic from a workstation to multiple external IPs on port 443. The traffic pattern shows consistent packet sizes of 1500 bytes, and the destination IPs are spread across different geographic regions. Which type of activity is most likely indicated?

A. VoIP call initiation.
B. Normal web browsing activity.
C. A DDoS attack originating from the workstation.
D. Data exfiltration via HTTPS.
Answer: D

Consistent large packets and many destinations suggest exfiltration.

Why this answer

The consistent 1500-byte packet size indicates maximum-sized TCP segments, which is atypical for interactive web browsing but common when data is being padded to fill the MTU for efficient exfiltration. Cisco Stealthwatch detects this anomalous volumetric pattern to external IPs on HTTPS (port 443) as a sign of data exfiltration, where an internal host sends large, uniform chunks of data to multiple external destinations to evade detection.

Exam trap

Cisco often tests the misconception that any traffic to multiple external IPs on port 443 is normal web browsing, but the trap here is the consistent 1500-byte packet size, which is a key indicator of data exfiltration rather than typical HTTPS activity.

How to eliminate wrong answers

Option A is wrong because VoIP call initiation uses protocols like SIP (port 5060/5061) or RTP (dynamic ports), not HTTPS on port 443, and VoIP traffic typically shows variable packet sizes with small, frequent packets for voice codecs. Option B is wrong because normal web browsing generates a mix of packet sizes (e.g., small ACKs, variable HTTP responses) and does not produce a sustained stream of maximum-sized 1500-byte packets to numerous geographically diverse IPs. Option C is wrong because a DDoS attack originating from the workstation would target a single or few destinations with high-volume traffic, not multiple external IPs, and the workstation would be the attacker, not the victim; Stealthwatch would flag this as a compromised host generating outbound attack traffic, but the pattern of uniform packet sizes to many IPs is more characteristic of data exfiltration.

79 · Multi-Select · hard

Which TWO of the following are best practices when configuring a SIEM correlation rule to detect lateral movement?

Select 2 answers
A. Include a time window to limit the correlation to a few minutes between events.
B. Exclude the source IP address from the correlation to focus on user identity.
C. Use only a single log source, such as domain controller logs, to simplify the rule.
D. Set the rule to trigger on any Event ID 4624 (successful logon) regardless of type.
E. Correlate successful logons across different systems from the same user within a short time window.
Answers: A, E

Reduces false positives from normal activity.

Why this answer

Option A is correct because including a time window (e.g., 5 minutes) in a SIEM correlation rule ensures that only events occurring within a short, defined interval are correlated. This is critical for detecting lateral movement, where an attacker must quickly pivot from one host to another; without a time window, the rule would match events that are too far apart in time, generating excessive false positives. The time window aligns with the typical speed of automated tools like PsExec or RDP brute-force scripts, which execute logons in rapid succession.

Exam trap

Cisco often tests the misconception that any successful logon (Event ID 4624) is suspicious, when in fact only specific logon types and patterns (e.g., multiple logons from the same user across different systems in a short time) indicate lateral movement.

80 · Multi-Select · medium

Which TWO of the following are best practices for configuring syslog to ensure reliable security event logging?

Select 2 answers
A. Use UDP for faster transmission and lower overhead.
B. Enable debug-level logging for all devices to capture maximum detail.
C. Disable log filtering to ensure all messages are sent.
D. Use TCP (port 514) instead of UDP for log transmission.
E. Configure syslog to send logs to at least two different servers.
Answers: D, E

TCP provides acknowledgment and retransmission, ensuring delivery.

Why this answer

Option D is correct because syslog over TCP (port 514) provides reliable, connection-oriented delivery, ensuring that log messages are not lost during transmission. Unlike UDP, TCP includes acknowledgment and retransmission mechanisms, which are critical for security event logging where message integrity and completeness are paramount.

Exam trap

Cisco often tests the misconception that UDP is always preferred for syslog due to lower overhead, but the exam emphasizes that for security event logging, reliability (TCP) outweighs speed, and that debug-level logging is a dangerous practice that can crash a device.

81 · MCQ · hard

An organization is implementing monitoring for encrypted traffic without decrypting it. Which approach would be most effective for detecting malicious activity?

A. Deploy SSL/TLS inspection to decrypt traffic
B. Use NetFlow analysis to identify unusual connection patterns
C. Monitor SNMP traffic from endpoints
D. Block all encrypted traffic except from known good sources
Answer: B

NetFlow metadata can indicate malicious behavior even in encrypted traffic.

Why this answer

NetFlow analysis examines metadata (source/destination IPs, ports, protocols, byte counts) without decrypting the payload. Unusual patterns like beaconing to a known C2 server, data exfiltration via non-standard ports, or unexpected volumetric flows can indicate malicious activity even when the traffic is encrypted. This approach preserves privacy and compliance while still enabling threat detection through behavioral anomalies.

Exam trap

Cisco often tests the distinction between 'monitoring without decryption' and 'decryption-based inspection'—the trap is that candidates assume encrypted traffic is invisible to security tools, but metadata analysis (NetFlow) can reveal malicious patterns without ever seeing the plaintext.

How to eliminate wrong answers

Option A is wrong because SSL/TLS inspection decrypts the traffic, which violates the requirement to monitor without decrypting and introduces privacy, compliance, and performance overhead. Option C is wrong because SNMP traffic is used for network device management (e.g., polling OIDs for interface stats, CPU load) and does not provide visibility into encrypted session metadata or connection patterns between endpoints. Option D is wrong because blocking all encrypted traffic except from known good sources is overly restrictive, breaks legitimate encrypted services (e.g., HTTPS, VPNs), and is not a monitoring approach—it is an access control policy that fails to detect malicious activity within allowed encrypted flows.

82 · Drag & Drop · medium

Drag and drop the steps for the TCP three-way handshake into the correct order.


Why this order

TCP handshake: SYN, SYN-ACK, ACK, then data transfer.

83 · MCQ · medium

An analyst needs to configure syslog to forward logs from multiple network devices to a central SIEM. Which syslog severity level should be used to ensure security-relevant events are sent while minimizing bandwidth usage?

A. Level 0 (Emergency)
B. Level 7 (Debug)
C. Level 6 (Informational)
D. Level 4 (Warning)
Answer: D

Warning and above includes most security events while filtering noise.

Why this answer

Option D (Level 4, Warning) is correct because it captures security-relevant events such as authentication failures, configuration changes, and interface errors while filtering out lower-severity informational and debug messages. This balances visibility of potential threats with minimal bandwidth consumption, as Warning-level logs are typically concise and less frequent than lower severity levels.

Exam trap

Cisco often tests the misconception that higher severity (lower number) is always better for security, leading candidates to choose Emergency (Level 0) or Alert (Level 1), but the question explicitly asks to minimize bandwidth while ensuring security events are sent, so Warning (Level 4) is the optimal balance.

How to eliminate wrong answers

Option A is wrong because Level 0 (Emergency) is reserved for system-wide catastrophic failures (e.g., kernel panic) and is too rare to provide adequate security monitoring; relying on it would miss most security events. Option B is wrong because Level 7 (Debug) generates verbose, high-volume logs intended for troubleshooting, which would overwhelm bandwidth and storage, and is not suitable for production security forwarding. Option C is wrong because Level 6 (Informational) includes routine operational messages (e.g., interface up/down, normal user logins) that are not inherently security-relevant, leading to unnecessary bandwidth usage without focusing on actual threats.

84 · Multi-Select · medium

Which three data sources are commonly used in a SIEM for threat hunting? (Choose three.)

Select 3 answers
A. Firewall logs.
B. Social media feeds.
C. Physical access logs.
D. NetFlow records.
E. DNS query logs.
Answers: A, D, E

Firewall logs show permitted and denied connections.

Why this answer

Firewall logs are a primary data source in SIEM for threat hunting because they record all allowed and denied traffic flows, including source/destination IPs, ports, and protocols. Analyzing these logs helps identify unauthorized access attempts, policy violations, and patterns indicative of lateral movement or data exfiltration.

Exam trap

Cisco often tests the distinction between direct log sources (firewall, NetFlow, DNS) and external threat intelligence or physical security logs; candidates mistakenly include social media feeds or physical access logs as SIEM data sources.

85 · MCQ · hard

Refer to the exhibit. An analyst configures an ACL to block traffic to a malicious host on port 443. After applying it inbound on the external interface, the analyst sees the ACL counters. What does the output indicate?

A. The ACL is working correctly; traffic to the malicious host is blocked.
B. The ACL is not blocking traffic because the deny line has 0 matches.
C. The ACL needs to be applied outbound to work.
D. The ACL is blocking all traffic because the permit line is never used.
Answer: B

Indicates the rule is not being hit; possible wrong direction.

Why this answer

Option B is correct because the ACL counters show 0 matches for the deny line that is intended to block traffic to the malicious host on port 443. This indicates that no traffic matching the deny condition has been processed by the ACL, meaning the rule is not being triggered. Since the ACL is applied inbound on the external interface, traffic from the external network destined for the malicious host should match the deny line if it is correctly configured; the 0 matches suggest the ACL is not blocking the intended traffic.

Exam trap

Cisco often tests the misconception that an ACL with 0 matches on a deny line is still blocking traffic, when in fact the counters prove the rule is not being hit, so the traffic is passing through unblocked.

How to eliminate wrong answers

Option A is wrong because the ACL counters show 0 matches on the deny line, which means traffic to the malicious host is not being blocked; the ACL is not working correctly. Option C is wrong because applying the ACL outbound would not change the fact that the deny line has 0 matches; the issue is with the ACL rule itself or the traffic not matching, not the direction. Option D is wrong because the permit line being unused does not indicate that all traffic is blocked; the ACL only blocks traffic matching the deny rule, and the permit line is a default implicit permit at the end of the ACL, not a configured line that would be counted.

86 · MCQ · medium

Refer to the exhibit. An analyst observes that the router's ACL is allowing all traffic to the web server at 192.168.1.100 on ports 80 and 443, but blocking all other TCP ports below 1024. However, the web server is also running an SSH service on port 22. What will happen to SSH traffic from the outside?

A. SSH will be permitted because of the last line 'permit ip any any'.
B. SSH will be denied because the ACL does not have an explicit permit for SSH.
C. SSH will be permitted because it is not blocked by any rule.
D. SSH will be denied because of the deny line range.
Answer: D

The deny line covers port 22, so SSH traffic is denied.

Why this answer

The ACL denies all TCP ports below 1024 except ports 80 and 443, which are explicitly permitted. Since SSH uses TCP port 22, which falls within the denied range (below 1024) and is not explicitly permitted, it is blocked by the deny line. The last line 'permit ip any any' only applies to traffic not already denied, but SSH traffic is already denied by the earlier rule, so it never reaches that permit statement.

Exam trap

Cisco often tests the misconception that a final 'permit ip any any' overrides earlier deny statements, when in fact ACLs stop processing after the first match, so traffic denied earlier never reaches the final permit.

How to eliminate wrong answers

Option A is wrong because the 'permit ip any any' line is processed only after the deny rules; since SSH traffic on port 22 is already denied by the explicit deny range, it never reaches the final permit. Option B is wrong because the ACL does not need an explicit deny for SSH; the deny line covering ports below 1024 implicitly blocks SSH port 22. Option C is wrong because SSH is blocked by the deny rule that covers all TCP ports below 1024 except those explicitly permitted (80 and 443).

87 · MCQ · easy

A security analyst is monitoring network traffic and notices a sudden increase in outbound connections from a single workstation to multiple IP addresses on port 443 at regular intervals. The workstation is used for standard office applications. Which action should the analyst take first?

A. Correlate the connections with firewall logs and endpoint telemetry
B. Immediately block all outbound traffic from the workstation
C. Escalate to the incident response team immediately
D. Isolate the workstation from the network
Answer: A

Correlation helps identify if the traffic is malicious or caused by legitimate software like updates or VoIP.

Why this answer

Option A is correct because the sudden increase in outbound connections to multiple IPs on port 443 (HTTPS) from a single workstation could indicate command-and-control (C2) traffic, data exfiltration, or a compromised system. The first step should be to correlate these connections with firewall logs and endpoint telemetry to gather contextual evidence—such as process names, parent processes, and connection durations—before taking any disruptive action. This aligns with the NIST incident response process (Preparation, Detection & Analysis, Containment, Eradication, Recovery) where analysis precedes containment.

Exam trap

Cisco often tests the candidate's understanding of the incident response process by presenting a plausible but premature containment action (like isolation or blocking) as a distractor, when the correct first step is always to gather and correlate evidence to confirm the threat.

How to eliminate wrong answers

Option B is wrong because immediately blocking all outbound traffic from the workstation is overly aggressive and could disrupt legitimate business operations, such as software updates or cloud application access, without confirming malicious intent. Option C is wrong because escalation to the incident response team should occur after initial analysis and triage, not as the first action; the analyst must first verify the anomaly to avoid false alarms. Option D is wrong because isolating the workstation from the network is a containment step that should be taken only after confirming malicious activity through correlation with logs and telemetry, as premature isolation can hinder forensic data collection and impact productivity.

88 · MCQ · medium

A company uses Cisco Firepower NGFW with intrusion prevention. The security team notices that some legitimate traffic is being blocked by the IPS, causing application outages. The analyst reviews the IPS signature events and finds false positives. What is the best approach to handle this without reducing security posture?

A. Lower the severity of the signature to informational.
B. Disable the IPS signature that is causing the false positives.
C. Create a custom rule to exclude the affected traffic based on source/destination, while monitoring the signature for true positives.
D. Update the IPS signature database to the latest version.
Answer: C

Allows traffic while enabling detection.

Why this answer

Option C is correct because it allows the security team to selectively exclude only the specific legitimate traffic causing false positives, using source/destination criteria in a custom rule, while keeping the IPS signature active for all other traffic. This approach maintains the overall security posture by still detecting true positives from the same signature against other traffic flows. Disabling or lowering the signature's severity would globally reduce detection capability, and updating the database may not address a signature that is inherently too broad for the environment.

Exam trap

Cisco often tests the misconception that disabling or lowering the severity of a false-positive signature is an acceptable quick fix, but the correct approach is to use custom rule exclusions to preserve detection for true positives.

How to eliminate wrong answers

Option A is wrong because lowering the severity to informational would suppress all alerts from that signature, effectively disabling its detection capability and reducing security posture, as the signature would no longer generate actionable alerts for true positives. Option B is wrong because disabling the IPS signature entirely removes its protection for all traffic, including potential true positives, which directly reduces security posture and is an overly aggressive response to false positives. Option D is wrong because updating the IPS signature database to the latest version does not resolve false positives caused by a signature that is too broadly matching legitimate traffic; the signature's behavior is defined by its rule logic, not by the database version, and updates typically add or modify signatures for new threats, not tune existing ones for false positives.

89 · MCQ · easy

A company uses Cisco Stealthwatch to monitor network traffic. Which type of data does Stealthwatch primarily rely on for visibility?

A. SNMP traps
B. Full packet captures
C. Syslog messages
D. NetFlow data
Answer: D

Stealthwatch collects and analyzes NetFlow to detect anomalies.

Why this answer

Cisco Stealthwatch is designed for network traffic analysis and relies on NetFlow data (including IPFIX and other flow protocols) to provide visibility into network behavior, traffic patterns, and anomalies. Unlike full packet captures, NetFlow metadata (source/destination IP, ports, protocols, byte counts) is lightweight and scalable for monitoring large networks, making it the primary data source for Stealthwatch's behavioral analytics and threat detection.

Exam trap

Cisco often tests the distinction between flow-based monitoring (NetFlow) and packet-based monitoring (full packet capture), and the trap here is that candidates mistakenly think full packet captures are required for security monitoring, overlooking that Stealthwatch's efficiency and scalability come from using metadata-rich flow data instead.

How to eliminate wrong answers

Option A is wrong because SNMP traps are used for device status and fault management (e.g., interface up/down, CPU spikes), not for detailed traffic flow analysis that Stealthwatch requires. Option B is wrong because full packet captures provide deep packet inspection but are resource-intensive and not scalable for continuous monitoring across large networks; Stealthwatch uses flow data for efficiency. Option C is wrong because syslog messages are event logs from devices (e.g., authentication failures, configuration changes) and do not contain the traffic metadata (flows) needed for Stealthwatch's network visibility and anomaly detection.

90 · Multi-Select · hard

Which two actions should an analyst take when a security monitoring tool generates a high number of false positives for a specific signature? (Choose two.)

Select 2 answers
A. Create a whitelist for known benign traffic.
B. Tune the signature parameters (e.g., threshold).
C. Increase the sensitivity of the signature.
D. Escalate to management without analysis.
E. Immediately disable the signature.
Answers: A, B

Whitelisting exempts known good traffic from triggering the signature.

Why this answer

Option A is correct because creating a whitelist for known benign traffic allows the analyst to suppress alerts for traffic that is confirmed safe, reducing false positives without losing visibility into actual threats. This approach leverages the security monitoring tool's ability to filter based on source/destination IPs, ports, or application signatures, ensuring that only truly malicious traffic triggers the signature.

Exam trap

Cisco often tests the misconception that disabling a signature or increasing sensitivity is a valid first step for handling false positives, but the correct response is always to tune or whitelist to preserve detection capability.

91 · MCQ · easy

An analyst is monitoring network traffic and sees a sudden spike in outbound data transfer from an internal server to an external IP that is known to be malicious. What is the most likely scenario?

A. Software update.
B. Data exfiltration.
C. User downloading a large file.
D. Normal backup operation.
Answer: B

Data exfiltration involves sending sensitive data to an attacker-controlled IP.

Why this answer

A sudden spike in outbound data transfer from an internal server to a known malicious external IP is a classic indicator of data exfiltration. Attackers often use compromised servers to siphon sensitive data (e.g., credentials, databases) to a command-and-control (C2) server. This behavior aligns with the post-compromise phase of an attack, where the goal is to extract data without triggering immediate alarms.

Exam trap

Cisco often tests the distinction between outbound and inbound traffic direction; candidates may confuse a user downloading a file (inbound) with a server sending data out (outbound), leading them to incorrectly choose option C.

How to eliminate wrong answers

Option A is wrong because software updates typically originate from the internal server to trusted, legitimate update servers (e.g., Microsoft, Red Hat), not to a known malicious IP; the traffic pattern would be periodic and signed, not a sudden spike to an untrusted destination. Option C is wrong because a user downloading a large file would show inbound traffic from the external IP to the user's workstation, not outbound traffic from an internal server to a malicious IP. Option D is wrong because normal backup operations usually target internal backup servers or trusted cloud storage providers (e.g., AWS S3, Azure Blob) over encrypted channels like SMB or HTTPS, not a known malicious external IP.

92 · MCQ · easy

A Cisco ASA firewall is configured to send syslog messages to a SIEM. Which logging level includes 'informational' messages?

A. Level 5
B. Level 3
C. Level 6
D. Level 0
Answer: C

Level 6 is informational.

Why this answer

C is correct because Cisco ASA syslog messages use the standard syslog severity levels defined in RFC 5424. 'Informational' messages correspond to severity Level 6, which provides normal operational information such as connection teardowns or configuration changes. This level is commonly used for monitoring without overwhelming the SIEM with debug-level data.

Exam trap

Cisco often tests the specific mapping of syslog severity names to numeric levels, and the trap here is confusing 'Informational' (Level 6) with 'Notice' (Level 5) or 'Debugging' (Level 7), as candidates may misremember the order or assume 'Informational' is a lower number.

How to eliminate wrong answers

Option A is wrong because Level 5 is 'Notice', not 'Informational'; Notice messages indicate normal but significant events (e.g., interface up/down). Option B is wrong because Level 3 is 'Error', which indicates error conditions that require attention. Option D is wrong because Level 0 is 'Emergency', the highest severity, indicating that the system is unusable.

Only Level 6 matches 'Informational'.

93 · MCQ · medium

An IDS detected the following signature match: "ET TROJAN Zeus variant outbound connection to C2 server". The destination IP is flagged as a known malicious host. What should the analyst do FIRST?

A. Block the destination IP at the firewall
B. Open the packet capture associated with the alert
C. Ignore the alert because signatures can produce false positives
D. Isolate the source host from the network immediately
Answer: B

Packet analysis confirms the threat and identifies the affected host.

Why this answer

Option B is correct because the first step in incident response after an IDS alert is to validate the alert by examining the associated packet capture (PCAP). This allows the analyst to confirm whether the traffic truly matches the Zeus C2 signature, check for false positives, and gather contextual details such as payload content, timing, and protocol behavior. Without this validation, any subsequent action (blocking, isolating) could be premature or based on incomplete information.

Exam trap

Cisco often tests the principle that validation via packet capture must precede any containment or blocking action, trapping candidates who jump to immediate remediation without confirming the alert's accuracy.

How to eliminate wrong answers

Option A is wrong because blocking the destination IP at the firewall without first verifying the alert could disrupt legitimate traffic if the IP is shared or if the alert is a false positive; it also bypasses the need to confirm the threat. Option C is wrong because ignoring the alert outright dismisses a potential high-severity threat without investigation; while false positives are possible, the correct response is to validate, not ignore. Option D is wrong because isolating the source host immediately may be too aggressive before confirming the alert is valid; isolation can cause unnecessary operational impact and should be based on confirmed evidence from the PCAP analysis.

94 · MCQ · hard

An organization uses a SIEM that ingests logs from multiple sources. The analysts are overwhelmed with alerts, many of which are false positives. Which strategy best reduces alert fatigue without increasing risk?

A. Implement a ticketing system for alerts.
B. Disable all correlation rules except critical ones.
C. Increase the number of analysts on shift.
D. Fine-tune correlation rules and thresholds based on historical data.
Answer: D

Reduces false positives while retaining detection.

Why this answer

Fine-tuning correlation rules and thresholds (option D) reduces false positives by aligning detection logic with the organization's normal baseline, derived from historical data. This directly addresses alert fatigue without disabling security coverage, as it retains the SIEM's ability to detect genuine threats while filtering out noise. In contrast, simply disabling rules or adding staff fails to address the root cause of poor alert quality.

Exam trap

Cisco often tests the misconception that reducing alerts means disabling rules or adding more staff, when the correct approach is to refine detection logic through tuning and baselining to maintain security coverage while minimizing noise.

How to eliminate wrong answers

Option A is wrong because implementing a ticketing system for alerts does not reduce the volume of false positives; it only manages the workflow, potentially increasing analyst burden by creating tickets for every alert. Option B is wrong because disabling all correlation rules except critical ones removes detection for many legitimate threats, increasing risk by creating blind spots in the security monitoring posture. Option C is wrong because increasing the number of analysts on shift does not solve the underlying problem of excessive false positives; it merely distributes the workload, leading to burnout and potential missed true positives due to alert fatigue.

95
MCQ (medium)

A SOC analyst receives an alert from the SIEM indicating a high number of failed login attempts on a domain controller from a single IP address over the last 10 minutes. The source IP is a known internal workstation. What should be the analyst's FIRST action?

A. Block the source IP at the firewall
B. Escalate to the incident response team
C. Ignore the alert because it is from an internal IP
D. Contact the user to verify if they are experiencing login issues
Answer: D

Contacting the user helps determine if the activity is intentional or a misconfiguration.

Why this answer

The analyst's first priority is to verify the legitimacy of the failed login attempts before taking any disruptive action. Since the source IP is a known internal workstation, the most likely cause is a user error, such as a forgotten password or a locked account. Contacting the user allows the analyst to quickly confirm whether the activity is benign, avoiding unnecessary escalation or network disruption.

Exam trap

Cisco often tests the candidate's ability to follow the proper incident response triage process, where the trap is to jump to a technical action (like blocking or escalating) before performing the simplest verification step.

How to eliminate wrong answers

Option A is wrong because immediately blocking the source IP at the firewall could disrupt a legitimate user's access and is premature without first verifying the cause of the failed logins. Option B is wrong because escalation to the incident response team is a later step, taken only after initial triage confirms suspicious or malicious activity, not as a first action. Option C is wrong because ignoring the alert based solely on the IP being internal is a dangerous assumption; internal IPs can be compromised or misconfigured, and the alert requires investigation.

96
MCQ (medium)

Based on the exhibit, which traffic is permitted?

A. All IP traffic from the host 198.51.100.10.
B. Only HTTPS traffic from the host 198.51.100.10.
C. All TCP traffic from any host to any host.
D. All HTTPS traffic to the host 198.51.100.10.
Answer: D

The ACL permits TCP any to host on port 443 (HTTPS).

Why this answer

The exhibit shows an access control list (ACL) entry 'permit tcp any host 198.51.100.10 eq 443'. This permits TCP traffic with a destination port of 443 (HTTPS) to the specific host 198.51.100.10 from any source. Therefore, only HTTPS traffic destined to that host is permitted, making option D correct.

Exam trap

Cisco often tests the directionality of ACL rules, and the trap here is confusing the source and destination fields, leading candidates to mistakenly think the rule permits traffic from the host rather than to the host.

How to eliminate wrong answers

Option A is wrong because the ACL does not permit all IP traffic from the host; it only permits TCP traffic with destination port 443 to the host, not from it. Option B is wrong because the ACL permits HTTPS traffic to the host, not from the host; the source is 'any' and the destination is the specific host, so traffic originating from the host is not matched. Option C is wrong because the ACL is not a blanket permit for all TCP traffic; it is restricted to traffic destined to port 443 on host 198.51.100.10 only.
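
As an added illustration (not from the question bank or from Cisco), this Python script parses an extended ACE of the form shown in the exhibit and evaluates candidate packets against it, so the source/destination directionality the trap describes can be checked mechanically. Only `any`, `host`, contiguous wildcard masks and the `eq` port operator are handled; the peer address 203.0.113.5 and the ephemeral port numbers are constructed.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Ace:
    """One access control entry from a Cisco extended ACL."""
    action: str                 # "permit" or "deny"
    protocol: str               # "ip", "tcp", "udp", ...
    src: IPv4Network
    src_port: Optional[int]     # 'eq' on the SOURCE side (legal, but rarely what is meant)
    dst: IPv4Network
    dst_port: Optional[int]     # 'eq' on the DESTINATION side (the usual case)


def _parse_addr(tokens: List[str], i: int) -> Tuple[IPv4Network, int]:
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' starting at tokens[i]."""
    if tokens[i] == "any":
        return ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ip_network(tokens[i + 1] + "/32"), i + 2
    addr, wildcard = tokens[i], int(ip_address(tokens[i + 1]))
    host_bits = bin(wildcard).count("1")
    if wildcard != (1 << host_bits) - 1:
        raise ValueError("non-contiguous wildcard masks are not handled by this example")
    return ip_network(f"{addr}/{32 - host_bits}", strict=False), i + 2


def _parse_port(tokens: List[str], i: int) -> Tuple[Optional[int], int]:
    """Parse an optional 'eq <port>' at tokens[i]; other operators (gt, range) are not handled."""
    if i < len(tokens) and tokens[i] == "eq":
        return int(tokens[i + 1]), i + 2
    return None, i


def parse_ace(line: str) -> Ace:
    """Parse e.g. 'permit tcp any host 198.51.100.10 eq 443'."""
    tokens = line.split()
    action, protocol = tokens[0], tokens[1]
    src, i = _parse_addr(tokens, 2)
    src_port, i = _parse_port(tokens, i)     # an 'eq' here binds to the SOURCE address
    dst, i = _parse_addr(tokens, i)
    dst_port, i = _parse_port(tokens, i)     # an 'eq' here binds to the DESTINATION address
    return Ace(action, protocol, src, src_port, dst, dst_port)


def matches(ace: Ace, protocol: str, src_ip: str, src_port: int,
            dst_ip: str, dst_port: int) -> bool:
    """True if the packet's 5-tuple falls inside this entry."""
    if ace.protocol not in ("ip", protocol):
        return False
    if ip_address(src_ip) not in ace.src or ip_address(dst_ip) not in ace.dst:
        return False
    if ace.src_port is not None and src_port != ace.src_port:
        return False
    if ace.dst_port is not None and dst_port != ace.dst_port:
        return False
    return True


def evaluate(acl: List[Ace], protocol: str, src_ip: str, src_port: int,
             dst_ip: str, dst_port: int) -> str:
    """First-match evaluation; a packet matching no entry hits the implicit deny."""
    for ace in acl:
        if matches(ace, protocol, src_ip, src_port, dst_ip, dst_port):
            return ace.action
    return "deny"


if __name__ == "__main__":
    acl = [parse_ace("permit tcp any host 198.51.100.10 eq 443")]
    # HTTPS *to* the host: matched (option D)
    print(evaluate(acl, "tcp", "203.0.113.5", 51000, "198.51.100.10", 443))   # permit
    # A packet *from* the host with source port 443: not matched, so implicit deny (not option B)
    print(evaluate(acl, "tcp", "198.51.100.10", 443, "203.0.113.5", 51000))   # deny
```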

97
MCQ (hard)

A company uses Cisco Firepower NGFW with intrusion prevention. An analyst notices that many legitimate HTTPS connections are being blocked by an IPS rule. What is the best approach to reduce false positives?

A. Create a custom rule exception for the specific destination IPs.
B. Increase the severity threshold of the rule.
C. Disable the IPS rule entirely.
D. Change the rule action from 'Drop' to 'Alert'.
Answer: A

Exceptions preserve protection while allowing legitimate traffic.

Why this answer

Creating a custom rule exception for the specific destination IPs is the best approach because it allows the IPS to continue blocking malicious traffic while exempting legitimate HTTPS connections that are incorrectly flagged. This maintains security posture by not weakening the rule globally, and it directly addresses the false positive without affecting detection of other threats.

Exam trap

Cisco often tests the misconception that changing the rule action to 'Alert' is a safe compromise, but this actually disables blocking for all traffic matching the rule, not just the false positives.

How to eliminate wrong answers

Option B is wrong because increasing the severity threshold would cause the rule to only trigger on higher-severity events, potentially missing real threats that match the rule but are not false positives. Option C is wrong because disabling the IPS rule entirely removes protection against the actual threat the rule was designed to detect, leaving the network vulnerable. Option D is wrong because changing the rule action from 'Drop' to 'Alert' would stop blocking the legitimate traffic but would also stop blocking malicious traffic matching the same rule, effectively disabling enforcement and reducing security.

98
MCQ (medium)

A security analyst is reviewing logs from a Cisco Firepower Management Center and notices that many legitimate SSL connections are being blocked by the intrusion policy. Which configuration change should the analyst make to reduce false positives without compromising security?

A. Increase the severity threshold for SSL-related rules.
B. Add the affected servers to a network analysis policy exception.
C. Change the intrusion policy to "Connectivity Over Security".
D. Disable SSL inspection globally.
Answer: B

This allows specific traffic to bypass inspection while keeping security for others.

Why this answer

Adding the affected servers to a network analysis policy (NAP) exception allows the Firepower system to bypass intrusion inspection for traffic to and from those specific hosts while still performing SSL decryption and other security checks. This reduces false positives from legitimate SSL connections without completely disabling SSL inspection or weakening the overall security posture.

Exam trap

Cisco often tests the distinction between modifying intrusion policy rules versus using network analysis policy exceptions, tempting candidates to choose a global or severity-based change instead of the targeted exception that preserves security for other traffic.

How to eliminate wrong answers

Option A is wrong because increasing the severity threshold for SSL-related rules would suppress alerts based on severity, not address the root cause of false positives from legitimate traffic; it could also cause real threats to be missed. Option C is wrong because changing the intrusion policy to 'Connectivity Over Security' disables most intrusion prevention features, severely compromising security rather than selectively reducing false positives. Option D is wrong because disabling SSL inspection globally would prevent the system from decrypting and inspecting any SSL traffic, leaving the network blind to threats hidden in encrypted connections.

99
MCQ (hard)

Refer to the exhibit. An analyst sees repeated denied TCP connections from the same source to the same destination web server. Which of the following actions should the analyst take first?

A. Increase the logging level to get more details.
B. Create a permit rule for the source IP to allow legitimate traffic.
C. Investigate the source IP for malicious activity.
D. Block the source IP globally.
Answer: C

Investigation helps determine intent and whether the source is a threat.

Why this answer

Repeated denied TCP connections from the same source to the same destination web server are a classic indicator of a potential reconnaissance or attack pattern, such as a port scan or brute-force attempt. The first priority in security monitoring is to investigate the source IP for malicious activity (Option C) to determine intent and scope before taking any irreversible action. This aligns with the incident response process of identification and analysis before containment or eradication.

Exam trap

Cisco often tests the candidate's understanding of the incident response order of operations, where the trap is to jump to a containment action (like blocking or permitting) without first performing analysis and validation of the threat.

How to eliminate wrong answers

Option A is wrong because increasing the logging level may provide more detail but does not address the immediate need to determine if the source IP is malicious; it delays the investigative step and could overwhelm the analyst with noise. Option B is wrong because creating a permit rule for the source IP would allow all traffic from that IP, which could enable an attacker to bypass security controls if the source is indeed malicious; this action should only be taken after confirming the source is legitimate. Option D is wrong because blocking the source IP globally is a premature containment action that could disrupt legitimate business operations if the source is a false positive; it should only be performed after investigation confirms malicious intent.

100
MCQ (medium)

A security team implements a network-based IPS. During testing, they find that legitimate traffic is frequently blocked. Which tuning approach should they prioritize?

A. Change the IPS to fail-open mode.
B. Increase the number of IPS sensors.
C. Disable or modify signatures causing false positives.
D. Reduce the IPS sensitivity level to lower.
Answer: C

Directly addresses the root cause of legitimate traffic being blocked.

Why this answer

Option C is correct because false positives occur when IPS signatures incorrectly match legitimate traffic. The most direct and effective tuning approach is to disable or modify the specific signatures causing the false positives, which reduces unnecessary blocking without compromising overall security posture.

Exam trap

Cisco often tests the distinction between tuning signatures (which addresses false positives directly) versus changing operational modes or sensitivity levels, which are broader, less precise adjustments that can introduce new risks.

How to eliminate wrong answers

Option A is wrong because changing the IPS to fail-open mode would cause the device to pass all traffic if it fails, but this does not address the root cause of false positives; it merely bypasses the IPS functionality, potentially allowing attacks through. Option B is wrong because increasing the number of IPS sensors does not resolve signature misclassification; it would only distribute the same false-positive traffic across more sensors, amplifying the problem. Option D is wrong because reducing the IPS sensitivity level may decrease false positives but also increases the risk of missing real threats (false negatives), since sensitivity sets the threshold for alerting rather than correcting the specific signature logic.

101
Drag & Drop (medium)

Drag and drop the steps to analyze a packet capture for suspicious activity into the correct order.


Why this order

Packet analysis: open, filter, examine, correlate, document.

102
MCQ (easy)

A security monitoring tool generates an alert for a user accessing a sensitive file at an unusual hour. What is the most appropriate next step?

A. Ignore the alert since it is likely a false positive.
B. Contact the user to confirm if the access was legitimate.
C. Escalate the alert to the incident response team.
D. Block the user's account immediately.
Answer: B

Direct verification is a quick way to triage the alert.

Why this answer

Option B is correct because the alert indicates an anomaly (unusual hour), but not necessarily malicious activity. The most appropriate first step is to verify the user's intent through direct communication, as this aligns with the principle of validation before escalation. In security monitoring, contacting the user helps confirm whether the access was authorized, reducing false positives and unnecessary incident response activation.

Exam trap

Cisco often tests the distinction between triage and escalation, trapping candidates who jump to escalation or containment without first performing the basic verification step of contacting the user.

How to eliminate wrong answers

Option A is wrong because ignoring the alert outright violates the fundamental security monitoring principle of investigating anomalies; even if it is a false positive, the alert must be triaged, not dismissed without analysis. Option C is wrong because escalating directly to the incident response team bypasses the initial triage step; escalation should occur only after preliminary verification (e.g., user confirmation or log correlation) indicates a genuine security incident. Option D is wrong because immediately blocking the user's account is an overreaction that could disrupt legitimate business operations; account lockdown should be reserved for confirmed threats, not based solely on a single anomalous access time.

103
MCQ (medium)

A Linux server is configured with auditd to monitor file access. Which audit rule will detect any attempt to read the /etc/shadow file?

A. -w /etc/shadow -p x
B. -w /etc/shadow -p a
C. -w /etc/shadow -p w
D. -w /etc/shadow -p r
Answer: D

The -p r flag monitors read access exactly.

Why this answer

Option D is correct because the `-p r` flag in an auditd rule specifies that the rule should monitor for read access attempts. The `/etc/shadow` file contains hashed passwords, and reading it is a common post-exploitation reconnaissance step. The `-w` flag watches a file, and `-p r` triggers an audit event when the file is opened for reading.

Exam trap

Cisco often tests the specific meaning of auditd permission flags (`r`, `w`, `x`, `a`) and expects candidates to know that `-p r` is for read access, not `-p x` which is for execute, a common confusion because both involve accessing a file.

How to eliminate wrong answers

Option A is wrong because `-p x` monitors for execute access, not read access; while `/etc/shadow` is not an executable, this rule would only catch attempts to execute it, which is not the typical attack vector. Option B is wrong because `-p a` monitors for attribute changes (e.g., permissions or ownership), not read operations; this would miss the actual reading of the file. Option C is wrong because `-p w` monitors for write access, which would detect modifications but not read attempts; reading is the more common reconnaissance action against `/etc/shadow`.

104
Multi-Select (medium)

Which TWO are common indicators of a compromised host? (Choose two.)

Select 2 answers
A. User logging in during business hours.
B. Scheduled tasks running at regular intervals.
C. Unusual spikes in outbound network traffic at odd hours.
D. Unexpected outbound connections to known malicious IPs.
E. Antivirus updates occurring daily.
Answers: C, D

May indicate data exfiltration.

Why this answer

Unusual spikes in outbound network traffic at odd hours (Option C) are a common indicator of a compromised host because they often signal data exfiltration, command-and-control (C2) beaconing, or botnet activity. Attackers frequently schedule malicious traffic during off-peak hours to evade detection, and the abnormal volume or timing relative to baseline behavior is a key anomaly in security monitoring.

Exam trap

Cisco often tests the distinction between normal administrative activity (scheduled tasks, daily updates) and true behavioral anomalies (unusual timing, unexpected destinations), so candidates must avoid confusing routine operations with compromise indicators.

105
MCQ (medium)

Refer to the exhibit. An analyst sees this syslog message from a Cisco ASA. What does this log entry indicate?

A. The access-group 'OUTSIDE_IN' permitted the traffic.
B. An internal host attempted to connect to an external web server.
C. An external host attempted to connect to an internal web server and was blocked.
D. The ASA allowed the connection because it is a stateful firewall.
Answer: C

Matches the deny action and direction.

Why this answer

The syslog message shows a deny action for traffic from an external IP (10.10.10.10) to an internal IP (192.168.1.100) on TCP port 443 (HTTPS). The access-group 'OUTSIDE_IN' is applied to the outside interface, and the deny indicates the packet was blocked by an ACL entry. This matches the scenario of an external host attempting to connect to an internal web server and being blocked.

Exam trap

Cisco often tests the ability to interpret syslog message fields (source/destination IPs and ports) to determine traffic direction and action, and the trap here is assuming that any syslog message from an ASA implies a permitted connection, when the 'deny' keyword clearly indicates a block.

How to eliminate wrong answers

Option A is wrong because the log entry explicitly shows 'deny', meaning the access-group 'OUTSIDE_IN' blocked the traffic rather than permitting it. Option B is wrong because the source IP (10.10.10.10) arrives on the outside interface, where 'OUTSIDE_IN' is applied, and the destination IP (192.168.1.100) is internal, indicating an inbound connection from outside to inside, not an internal host connecting outbound. Option D is wrong because while the ASA is stateful, the log entry shows a deny action, meaning the connection was not allowed; stateful inspection only permits traffic that matches an existing session or an explicit permit ACL.
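
An added example (not part of the question bank): a Python parser for ASA ACL syslog messages (IDs 106023 and 106100) that reads the action and the traffic direction from the message fields, as question 105 requires, and counts repeated denies per source/destination pair, the pattern question 99 describes. The sample lines, the interface names inside/outside and the INSIDE_OUT ACL name are constructed; the 106023 and 106100 message layouts are the ASA's documented formats.

```python
import re
from collections import Counter
from typing import Dict, Iterable, Optional, Tuple

# %ASA-4-106023: a packet was denied by an ACL (no connection was built)
ASA_106023 = re.compile(
    r"%ASA-\d-106023: (?P<action>Deny) (?P<proto>\w+) "
    r"src (?P<src_if>[\w-]+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) "
    r"dst (?P<dst_if>[\w-]+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) "
    r'by access-group "(?P<acl>[^"]+)"'
)

# %ASA-6-106100: per-ACE hit logging for entries configured with the 'log' keyword
ASA_106100 = re.compile(
    r"%ASA-\d-106100: access-list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\w+) "
    r"(?P<src_if>[\w-]+)/(?P<src_ip>[\d.]+)\((?P<src_port>\d+)\) -> "
    r"(?P<dst_if>[\w-]+)/(?P<dst_ip>[\d.]+)\((?P<dst_port>\d+)\)"
)

# Assumed nameif of the trusted interface; anything else is treated as DMZ/transit.
INSIDE_IF = "inside"


def direction(src_if: str, dst_if: str) -> str:
    """Direction is taken from the interface names in the message, not from address ranges."""
    if dst_if == INSIDE_IF:
        return "inbound"
    if src_if == INSIDE_IF:
        return "outbound"
    return "transit"


def parse_asa(line: str) -> Optional[Dict[str, object]]:
    """Normalise a 106023/106100 line into one record; return None for other message IDs."""
    m = ASA_106023.search(line) or ASA_106100.search(line)
    if not m:
        return None
    f = m.groupdict()
    return {
        "action": "deny" if f["action"].lower().startswith("den") else "permit",
        "protocol": f["proto"],
        "acl": f["acl"],
        "src_ip": f["src_ip"], "src_port": int(f["src_port"]),
        "dst_ip": f["dst_ip"], "dst_port": int(f["dst_port"]),
        "direction": direction(f["src_if"], f["dst_if"]),
    }


def repeated_denies(lines: Iterable[str], min_count: int = 3) -> Dict[Tuple[str, str, int], int]:
    """Count denied packets per (source, destination, destination port); keep the repeat offenders."""
    counts: Counter = Counter()
    for line in lines:
        rec = parse_asa(line)
        if rec and rec["action"] == "deny":
            counts[(rec["src_ip"], rec["dst_ip"], rec["dst_port"])] += 1
    return {key: n for key, n in counts.items() if n >= min_count}


# Constructed sample lines; addresses and the OUTSIDE_IN name follow the exhibit description.
SAMPLE_LOGS = [
    '%ASA-4-106023: Deny tcp src outside:10.10.10.10/54321 dst inside:192.168.1.100/443 by access-group "OUTSIDE_IN" [0x0, 0x0]',
    '%ASA-4-106023: Deny tcp src outside:10.10.10.10/54322 dst inside:192.168.1.100/443 by access-group "OUTSIDE_IN" [0x0, 0x0]',
    '%ASA-6-106100: access-list OUTSIDE_IN denied tcp outside/10.10.10.10(54323) -> inside/192.168.1.100(443) hit-cnt 1 first hit [0x1a2b3c4d, 0x0]',
    '%ASA-6-106100: access-list INSIDE_OUT permitted tcp inside/192.168.1.50(40001) -> outside/198.51.100.10(443) hit-cnt 1 first hit [0x0, 0x0]',
    '%ASA-6-302013: Built outbound TCP connection 12345 for outside:198.51.100.10/443 (198.51.100.10/443) to inside:192.168.1.50/40001 (203.0.113.2/40001)',
]

if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        print(parse_asa(line))
    print(repeated_denies(SAMPLE_LOGS))
```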

106
MCQ (hard)

You are a SOC analyst for a financial services firm. The firm uses a combination of Cisco Firepower IPS, Windows Event Log collection, and a custom SIEM. At 10:00 AM, the SIEM generates an alert: 'Event ID 4625: Multiple failed logins for user 'jdoe' from IP 10.0.0.100'. The alert fires 10 times within 5 minutes. The source IP is a file server. You check the file server's logs and see that it is running a scheduled script that attempts to map a network drive using jdoe's credentials. The script is legitimate and has been running for months. However, the script's credentials may have expired or changed. The user jdoe is currently on leave. The file server administrator confirms that the script is part of a backup process. What is the best course of action?

A. Escalate the alert to the incident response team for investigation
B. Disable user jdoe's account immediately to prevent further attempts
C. Block the file server's IP address in the firewall
D. Update the script with correct credentials and clear the alert
Answer: D

The root cause is expired credentials; updating the script resolves the issue without unnecessary action.

Why this answer

The alert is a false positive triggered by a legitimate scheduled script that has been running for months. The root cause is expired or changed credentials for user 'jdoe'. Updating the script with the correct credentials resolves the issue without disrupting operations.

Clearing the alert removes the noise from the SIEM, allowing the SOC to focus on genuine threats.

Exam trap

Cisco often tests the ability to distinguish between a true security incident and a false positive caused by a legitimate process, where the trap is to immediately escalate or take reactive security actions without first verifying the context and root cause of the alert.

How to eliminate wrong answers

Option A is wrong because escalating to the incident response team is unnecessary for a known, legitimate process; incident response should be reserved for confirmed security incidents, not false positives. Option B is wrong because disabling jdoe's account would disrupt the legitimate backup script and potentially other services, and the user is on leave, so the account is not actively being used maliciously. Option C is wrong because blocking the file server's IP in the firewall would break the backup process and potentially other legitimate services hosted on that server, as the source IP is a trusted internal asset.

107
MCQ (hard)

A company uses syslog for logging from all network devices. The SOC notices that logs from a critical router are not appearing in the SIEM for the past hour, but other devices are sending logs normally. Which step should the analyst take FIRST to troubleshoot?

A. Ping the SIEM server from the router
B. Restart the router syslog service
C. Check the router logging configuration
D. Check the SIEM server's log receiver status
Answer: A

Verifying network connectivity helps isolate if the issue is network or device related.

Why this answer

The SOC sees that only one router's logs are missing while all other devices are sending logs normally. This strongly suggests the issue is isolated to that router, not the SIEM server. The quickest first step is to verify basic IP connectivity from the router to the SIEM server using ping.

If the router cannot reach the SIEM server (e.g., due to a routing problem, ACL, or firewall change), no syslog UDP packets (port 514) will arrive, and no amount of local configuration checking or service restarting will fix it. This aligns with the standard troubleshooting methodology of verifying Layer 3 reachability before diving into application-layer settings.

Exam trap

Cisco often tests the principle of 'start with the simplest, least disruptive test'—candidates mistakenly jump to checking configuration or restarting services because they assume the problem is software-related, when the most common cause is a network connectivity issue that can be verified with a single ping.

How to eliminate wrong answers

Option B is wrong because restarting the router's syslog service is a disruptive action that should only be taken after confirming connectivity and configuration; it assumes the service is hung, which is unlikely given that other devices are fine. Option C is wrong because checking the router logging configuration is a valid step, but it should come after confirming basic network connectivity—if the router can't reach the SIEM, the configuration is irrelevant. Option D is wrong because the SIEM server's log receiver status is not the likely root cause since all other devices are successfully sending logs, indicating the SIEM receiver is operational.

108
Multi-Select (easy)

Which TWO of the following are commonly used protocols for network security monitoring? (Select 2)

Select 2 answers
C. TLS
E. NetFlow
Answers: B, E

SNMP is used for device monitoring.

Why this answer

SNMP (Simple Network Management Protocol) is correct because it is a standard protocol used to collect and organize information about managed devices on IP networks, enabling network monitoring and alerting via traps and polls. NetFlow is correct because it is a Cisco-developed protocol that captures metadata about network traffic flows, providing visibility into bandwidth usage, top talkers, and security anomalies for monitoring purposes.

Exam trap

Cisco often tests the distinction between protocols used for monitoring (SNMP, NetFlow) versus protocols used for transport or security (TLS, SMTP) or logging (Syslog), leading candidates to mistakenly select Syslog because it is associated with security logs, even though it is not a monitoring protocol in the same sense as SNMP or NetFlow.

109
MCQ (easy)

You are a SOC analyst at a medium-sized enterprise. The company uses a SIEM that collects logs from firewalls, endpoints, and Active Directory. At 2:00 AM, the SIEM generates a high-priority alert: 'Multiple Failed Logins for Administrator Account from Remote IP 198.51.100.20'. The analyst on the night shift reviews the alert and sees that there were 50 failed attempts in 10 minutes, followed by a successful login at 2:12 AM. The successful login originated from the same IP. The account is a domain administrator. The analyst checks the firewall logs and sees that the IP is from a known VPN provider. The analyst also checks the endpoint logs and sees that no unusual activity has occurred after the login. The company has a policy that remote administration is allowed only from a specific jump server with IP 203.0.113.10. The analyst suspects a brute-force attack succeeded. What should the analyst do first?

A. Block the IP address 198.51.100.20 on the firewall
B. Disable the compromised administrator account immediately
C. Perform a full network scan of the VPN provider's entire IP range
D. Reset the password of the compromised administrator account
Answer: B

Disabling the account stops all access by the attacker and is the fastest containment action.

Why this answer

Option B is correct because the immediate priority is to contain the breach by disabling the compromised domain administrator account. The successful login from an unauthorized IP (198.51.100.20) after 50 failed attempts indicates a successful brute-force attack, and the account has domain-level privileges. Disabling the account stops any further lateral movement or privilege escalation, which is the first step in incident response containment before any remediation or investigation.

Exam trap

Cisco often tests the distinction between containment (disabling the account) and remediation (resetting the password), where candidates mistakenly choose password reset first because they think it solves the problem, but disabling is the correct immediate action to cut off access.

How to eliminate wrong answers

Option A is wrong because blocking the IP address alone does not address the fact that the attacker already has valid credentials and could reconnect from a different IP or VPN endpoint, leaving the compromised account active for further abuse. Option C is wrong because performing a full network scan of the VPN provider's entire IP range is an inefficient, broad, and potentially disruptive action that does not immediately contain the threat; it also violates typical incident response procedures by focusing on reconnaissance rather than containment. Option D is wrong because resetting the password, while necessary later, is not the first action; the account must be disabled first to prevent the attacker from using the current session or any cached credentials before the password change takes effect.

110
Multi-Select (medium)

Which THREE are essential components of a security monitoring strategy? (Choose three.)

Select 3 answers
A. Antivirus software on all endpoints.
B. Data encryption at rest.
C. Defined incident response procedures.
D. Centralized log collection from critical systems.
E. Correlation rules to identify suspicious patterns.
Answers: C, D, E

Ensures proper handling.

Why this answer

Defined incident response procedures (Option C) are essential because they provide a structured, repeatable workflow for detecting, analyzing, and containing security incidents. Without pre-defined procedures, a security team cannot consistently execute the 'Respond' phase of the NIST SP 800-61 incident response lifecycle, leading to delayed containment and increased dwell time.

Exam trap

Cisco often tests the distinction between preventive controls (antivirus, encryption) and detective/monitoring controls (log collection, correlation, incident response procedures), causing candidates to mistakenly include security hygiene measures as monitoring components.

111
MCQ (easy)

A SOC analyst is reviewing a security alert generated by the SIEM. The alert indicates a successful login from an unusual geographic location for a user who typically logs in from the corporate office. The analyst verifies that the user is currently on vacation and should not be accessing the network. What should the analyst do next?

A. Ignore the alert because the user might be using a VPN
B. Block the IP address in the firewall
C. Start a full incident investigation before taking any action
D. Disable the user account and begin an investigation
Answer: D

Disabling the account stops the immediate threat, then investigation can determine the scope.

Why this answer

Option D is correct because the alert indicates a clear security incident: a successful login from an unusual geographic location for a user who is on vacation and should not be accessing the network. Disabling the user account immediately contains the threat by preventing further unauthorized access, and beginning an investigation allows the analyst to determine if the account was compromised or if credentials were stolen. This aligns with the NIST SP 800-61 incident response process, where containment is a priority before proceeding to eradication and recovery.

Exam trap

Cisco often tests the candidate's understanding of the incident response lifecycle, specifically the need to contain a threat immediately (by disabling the account) rather than jumping to investigation or assuming benign intent, which is a common mistake in SOC workflows.

How to eliminate wrong answers

Option A is wrong because ignoring the alert based on a VPN assumption is a dangerous guess; the SIEM alert specifically indicates an unusual geographic location, and the user is on vacation, so the analyst must not assume benign activity without verification. Option B is wrong because blocking the IP address in the firewall is a reactive measure that does not address the root cause; the attacker could use multiple IPs or proxies, and the compromised user account remains active, allowing further unauthorized access. Option C is wrong because starting a full incident investigation without any containment action first violates the incident response principle of 'contain before investigate'; the attacker could continue to use the account during the investigation, escalating the breach.

112
Multi-Select (hard)

Which TWO are best practices for managing SIEM alerts to reduce false positives? (Choose two.)

Select 2 answers
A. Disable all alerts that generate more than 100 events per day.
B. Use a separate SIEM for each department.
C. Regularly tune correlation rules based on feedback.
D. Increase the number of log sources.
E. Maintain a whitelist of known benign activity.
Answers: C, E

Adapts to environment.

Why this answer

Option C is correct because SIEM correlation rules must be regularly tuned based on feedback from incident investigations and alert reviews. This iterative process adjusts thresholds, filters, and logic to match the actual threat landscape, reducing noise from benign events that match rule patterns but are not malicious.

Exam trap

Cisco often tests the misconception that more data (Option D) or volume-based suppression (Option A) is a valid way to reduce false positives, when in fact proper tuning and whitelisting are the correct approaches.
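
An added example, not part of the question bank, implementing in Python the correlation logic behind questions 106, 109 and 112: a sliding-window failed-logon rule that tells a failure run followed by a success apart from one that never succeeds, and that suppresses an allowlisted known-benign (account, source) pair instead of disabling the rule. Every event, account and address below is constructed from the scenarios in those questions; the jump-host policy check assumes a configured set of approved administration hosts.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, FrozenSet, Iterable, List, Tuple

FAILED_LOGON = 4625      # Windows Security event: an account failed to log on
SUCCESS_LOGON = 4624     # Windows Security event: an account was successfully logged on

Key = Tuple[str, str]    # (account, source IP)


def _ev(ts: str, event_id: int, user: str, src_ip: str) -> Dict[str, object]:
    """Build one normalised logon event from a constructed timestamp string."""
    return {"time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "event_id": event_id, "user": user, "src_ip": src_ip}


def correlate(events: Iterable[Dict[str, object]],
              threshold: int = 5,
              window: timedelta = timedelta(minutes=10),
              allowlist: FrozenSet[Key] = frozenset(),
              admin_accounts: FrozenSet[str] = frozenset(),
              jump_hosts: FrozenSet[str] = frozenset()) -> List[Dict[str, object]]:
    """Sliding-window brute-force correlation.

    - A success for an (account, source) pair preceded by >= threshold failures
      inside the window raises 'brute_force_success' (the high-severity case).
    - A failure run of >= threshold that never ends in a success raises the
      lower-severity 'brute_force_attempt'.
    - Pairs on the allowlist (documented benign noise such as a backup script
      with stale credentials) are suppressed: tuning the rule, not disabling it.
    - An admin success from anything but an approved jump host is also marked
      as a policy violation.
    """
    recent: Dict[Key, Deque[datetime]] = defaultdict(deque)
    alerts: List[Dict[str, object]] = []
    succeeded: set = set()
    for ev in sorted(events, key=lambda e: e["time"]):
        key: Key = (ev["user"], ev["src_ip"])
        if key in allowlist:
            continue
        fails = recent[key]
        while fails and ev["time"] - fails[0] > window:
            fails.popleft()                    # forget failures older than the window
        if ev["event_id"] == FAILED_LOGON:
            fails.append(ev["time"])
        elif ev["event_id"] == SUCCESS_LOGON:
            if len(fails) >= threshold:
                alerts.append({
                    "rule": "brute_force_success", "user": key[0], "src_ip": key[1],
                    "failures": len(fails), "time": ev["time"],
                    "policy_violation": key[0] in admin_accounts and key[1] not in jump_hosts,
                })
                succeeded.add(key)
            fails.clear()                      # a success ends the failure run
    # Failure runs that never ended in a success are still worth a lower-severity alert.
    for key, fails in recent.items():
        if len(fails) >= threshold and key not in succeeded:
            alerts.append({"rule": "brute_force_attempt", "user": key[0], "src_ip": key[1],
                           "failures": len(fails), "time": fails[-1], "policy_violation": False})
    return alerts


# Constructed sample data modelled on questions 106 and 109.
SAMPLE_EVENTS = (
    # Q109: 50 failures between 02:02 and 02:12 against a domain admin from a VPN exit IP, then a success
    [_ev(f"2024-01-15 02:{2 + i // 5:02d}:{(i % 5) * 12:02d}", FAILED_LOGON, "Administrator", "198.51.100.20")
     for i in range(50)]
    + [_ev("2024-01-15 02:12:00", SUCCESS_LOGON, "Administrator", "198.51.100.20")]
    # Q106: the backup script on the file server retrying jdoe's stale credentials, 10 times in 5 minutes
    + [_ev(f"2024-01-15 10:{i // 2:02d}:{(i % 2) * 30:02d}", FAILED_LOGON, "jdoe", "10.0.0.100") for i in range(10)]
    # Background noise: a user mistyping a password a few times, then logging in
    + [_ev(f"2024-01-15 08:30:{i * 20:02d}", FAILED_LOGON, "asmith", "10.0.0.55") for i in range(3)]
    + [_ev("2024-01-15 08:31:10", SUCCESS_LOGON, "asmith", "10.0.0.55")]
)

KNOWN_BENIGN = frozenset({("jdoe", "10.0.0.100")})   # documented after the Q106 investigation
ADMIN_ACCOUNTS = frozenset({"Administrator"})
JUMP_HOSTS = frozenset({"203.0.113.10"})              # the only approved remote-admin source (Q109 policy)

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS, allowlist=KNOWN_BENIGN,
                           admin_accounts=ADMIN_ACCOUNTS, jump_hosts=JUMP_HOSTS):
        print(alert)
```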

113
MCQ (easy)

An analyst notices repeated failed SSH attempts from an external IP to a server. The analyst wants to quickly see all SSH-related events from that IP in the last hour. Which approach is most efficient?

A. Search the SIEM for events with destination port 22 and source IP.
B. Review all firewall logs for the past hour.
C. Run a packet capture on the server's network interface.
D. Check the server's auth.log file manually.
Answer: A

Directly retrieves SSH events for that IP.

Why this answer

Option A is correct because a SIEM indexes and correlates log data from multiple sources, allowing an analyst to quickly filter events by destination port 22 (SSH) and source IP without manually sifting through raw logs. This approach leverages the SIEM's search capabilities to retrieve only relevant events from the past hour, making it the most efficient method for targeted threat hunting.

Exam trap

Cisco often tests the distinction between centralized log analysis (SIEM) and raw data inspection (packet capture or manual log review), trapping candidates who overlook the efficiency of indexed search versus unfiltered data retrieval.

How to eliminate wrong answers

Option B is wrong because reviewing all firewall logs for the past hour would include irrelevant traffic (e.g., web, DNS) and lacks the specific filter for SSH (port 22) and the external IP, requiring manual parsing and wasting time. Option C is wrong because running a packet capture on the server's network interface captures all traffic in real-time or from a buffer, but it does not provide historical data for the past hour unless a capture was already running, and it generates large volumes of data that must be analyzed with tools like tcpdump or Wireshark, which is inefficient for a quick check. Option D is wrong because checking the server's auth.log file manually is a host-based approach that only shows authentication attempts on that specific server, not all SSH-related events from the IP (e.g., connection attempts blocked by a firewall), and it requires direct access to the server, which may not be scalable or centralized.

114
MCQ · easy

Which data source provides the most detailed information about the application layer payload in network traffic?

A.NetFlow
B.Syslog
C.Full packet capture (PCAP)
D.SNMP
Answer: C

PCAP captures the entire packet including payload.

Why this answer

Full packet capture (PCAP) provides the most detailed information because it records the entire raw network packet, including headers and the complete application-layer payload. This allows deep inspection of protocols like HTTP, DNS, or SMTP at the byte level, which is essential for detecting malware, data exfiltration, or application-specific anomalies.

Exam trap

Cisco often tests the misconception that NetFlow provides deep packet inspection because it can report application information via NBAR, but NBAR is a classification engine that still does not capture the raw payload; the trap is confusing flow metadata with full packet content.

How to eliminate wrong answers

Option A is wrong because NetFlow only exports metadata (e.g., IP addresses, ports, protocol, byte counts) and never includes the application payload; it summarizes flows rather than capturing full packet contents. Option B is wrong because Syslog is a logging protocol for system events and messages from devices or applications, not a network traffic capture mechanism; it cannot provide packet-level payload data. Option D is wrong because SNMP is used for monitoring and managing network device status (e.g., CPU, interface counters) via MIBs, and it does not capture or transmit network traffic payloads.

115
Multi-Select · medium

Which TWO of the following are indicators of a potential data exfiltration attempt?

Select 2 answers
A.An internal host transferring large amounts of data to an unknown external IP at 3 AM.
B.A user accessing an internal file server during business hours.
C.An internal host sending large DNS TXT queries to an external server.
D.A failed login attempt from an internal workstation.
E.A spike in ICMP echo requests from an external IP.
Answers: A, C

Unusual time and volume strongly suggest exfiltration.

Why this answer

Option A is correct because data exfiltration often involves transferring large volumes of data to an unknown external IP during off-hours (e.g., 3 AM) to evade detection. This behavior deviates from normal business patterns and is a classic indicator of a data breach or insider threat.

Exam trap

Cisco often tests the distinction between normal network activity (e.g., file server access during business hours) and anomalous patterns (e.g., off-hours bulk transfers or DNS tunneling), so candidates must focus on the context of time, volume, and protocol misuse rather than just the action itself.

116
MCQ · hard

An analyst is investigating a host that is beaconing to a known malicious domain every 60 seconds. The host also shows outbound connections to multiple IPs on port 443. To confirm the beaconing, which data source is most useful?

A.DNS logs from the internal DNS server.
B.NetFlow records from the border router.
C.Full packet capture of all outbound traffic.
D.Host-based firewall logs.
Answer: B

Shows flow timestamps and destinations; reveals periodic connections.

Why this answer

NetFlow records from the border router provide aggregated metadata (source/destination IP, port, protocol, timestamps) that can reveal the periodic 60-second beaconing pattern to the malicious domain and the volume of outbound connections on port 443. Unlike DNS logs, NetFlow captures the actual connection attempts regardless of DNS resolution, making it ideal for identifying regular, repetitive outbound flows.

Exam trap

Cisco often tests the distinction between DNS logs (which show name resolution) and NetFlow (which shows actual traffic flows), leading candidates to mistakenly choose DNS logs because they associate beaconing with domain names, not realizing that the beaconing is confirmed by the connection pattern itself.

How to eliminate wrong answers

Option A is wrong because DNS logs only show queries for domain resolution, not the actual TCP connections; if the host uses cached DNS or direct IP connections, the beaconing pattern may be missed. Option C is wrong because full packet capture, while thorough, is resource-intensive and impractical for continuous monitoring of all outbound traffic; NetFlow provides sufficient metadata to confirm the beaconing pattern without the overhead. Option D is wrong because host-based firewall logs only record allowed or blocked connections at the host level, but they may not capture the precise timing and destination IPs of outbound flows if the firewall is configured to permit all outbound traffic, and they lack the network-wide perspective of the border router.

117
Multi-Select · easy

Which TWO are common sources of security event data in a Security Information and Event Management (SIEM) system?

Select 2 answers
A.SMTP logs
B.NetFlow records
C.SNMP traps
D.Syslog from network devices
E.DNS queries
Answers: B, D

NetFlow provides metadata on network traffic flows.

Why this answer

NetFlow records (B) are a common source of security event data in a SIEM because they provide detailed metadata about network flows, including source/destination IPs, ports, protocols, and byte counts. SIEMs ingest NetFlow to detect anomalies, such as data exfiltration or beaconing, by analyzing flow patterns rather than full packet payloads. This makes NetFlow a standard telemetry source for network visibility and threat hunting.

Exam trap

Cisco often tests the distinction between network management protocols (SNMP) and security monitoring sources (syslog, NetFlow), leading candidates to mistakenly select SNMP traps as a security event source because they associate 'traps' with alerts, when in fact SNMP is for device health, not security event logging.

118
MCQ · medium

Refer to the exhibit. An administrator sees many alerts for DNS tunneling. The current DNS inspection policy is shown. What change would most likely help detect DNS tunneling?

A.Remove the dns-guard command.
B.Lower the message-length maximum to 128 bytes.
C.Raise the message-length maximum to 4096 bytes.
D.Disable DNS inspection entirely.
Answer: C

Larger messages allow tunneling to be observed; also, correlating with frequency can detect anomalies.

Why this answer

DNS tunneling exploits the DNS protocol to exfiltrate data by encoding it in DNS queries and responses. Raising the message-length maximum to 4096 bytes allows the DNS inspection engine to inspect larger DNS payloads, which is necessary to detect tunneling attempts that use long TXT or other resource records to carry data. The current lower limit may allow tunneled data to pass undetected because the inspection engine truncates or ignores oversized messages.

Exam trap

Cisco often tests the misconception that lowering the message-length maximum would block tunneling, when in fact tunneling uses large payloads that would be ignored or passed through if the limit is too low, so raising the limit is required to inspect and detect the oversized messages.

How to eliminate wrong answers

Option A is wrong because the dns-guard command prevents DNS spoofing and cache poisoning by ensuring DNS responses match outstanding queries; removing it would weaken security, not help detect tunneling. Option B is wrong because lowering the message-length maximum to 128 bytes would cause the inspection engine to drop or ignore legitimate DNS messages and would not help detect tunneling, as tunneled data often uses larger payloads. Option D is wrong because disabling DNS inspection entirely would remove all DNS anomaly detection, making it impossible to detect DNS tunneling through the firewall.

119
MCQ · hard

A SIEM correlation rule triggers when a user account is created and then added to a privileged group within 10 minutes. Which activity does this rule detect?

A.Malicious insider data theft.
B.Privileged account creation and elevation.
C.Privilege escalation via token manipulation.
D.Lateral movement using pass-the-hash.
Answer: B

The rule specifically matches account creation followed by group membership change.

Why this answer

The SIEM rule specifically correlates the creation of a user account followed by its addition to a privileged group within a short time window. This sequence directly maps to the definition of privileged account creation and elevation, where a new account is granted administrative rights. The rule does not require any other malicious activity like data theft or lateral movement to trigger.

Exam trap

Cisco often tests the distinction between the administrative action of adding a user to a privileged group (privileged account creation/elevation) and the exploitation of system tokens or authentication protocols, leading candidates to confuse the SIEM rule's trigger with token manipulation or pass-the-hash attacks.

How to eliminate wrong answers

Option A is wrong because malicious insider data theft typically involves exfiltration of sensitive data, not just account creation and group membership changes; the rule does not monitor data access or transfer events. Option C is wrong because privilege escalation via token manipulation involves exploiting operating system mechanisms like SeDebugPrivilege or token duplication, not the administrative action of adding a user to a group via directory services. Option D is wrong because lateral movement using pass-the-hash relies on NTLM hash reuse to authenticate to remote systems, which is unrelated to account creation or group membership modifications.

120
MCQ · easy

A SOC analyst receives an alert from the SIEM indicating a high number of outbound DNS queries from an internal host to a domain known for malicious activity. The analyst reviews the logs and finds that the host is a DNS server. What should be the analyst's first action?

A.Isolate the DNS server from the network and escalate to incident response.
B.Check the baseline of DNS traffic to confirm it is anomalous.
C.Block the domain at the firewall and close the alert.
D.Restart the DNS service on the server and monitor.
Answer: A

Immediate containment to prevent further compromise.

Why this answer

The correct first action is to isolate the DNS server from the network and escalate to incident response. A DNS server generating outbound DNS queries to a known malicious domain indicates a likely compromise (e.g., DNS tunneling or malware command-and-control), not normal recursive resolution. Immediate containment prevents further data exfiltration or lateral movement, aligning with incident response best practices.

Exam trap

Cisco often tests the misconception that a DNS server's outbound queries are always benign recursive lookups, leading candidates to choose baseline checking or simple blocking instead of recognizing the need for immediate containment and escalation.

How to eliminate wrong answers

Option B is wrong because checking a baseline assumes the activity might be normal, but a DNS server should not be making outbound queries to a known malicious domain; this wastes critical time during an active compromise. Option C is wrong because blocking the domain at the firewall without investigation may stop the immediate symptom but does not address the root cause (e.g., a backdoor or persistent threat), and closing the alert prematurely violates proper incident handling procedures. Option D is wrong because restarting the DNS service could destroy volatile evidence (e.g., in-memory artifacts, active connections) and does not remediate the underlying compromise, potentially allowing the threat to persist.

121
MCQ · easy

A security analyst notices repeated failed login attempts from a single IP address against multiple user accounts. What is the best immediate action to take?

A.Increase logging verbosity for the authentication server.
B.Change all user passwords immediately.
C.Disable the affected user accounts.
D.Block the source IP address on the firewall.
Answer: D

Blocking the IP address stops the brute-force attempt immediately.

Why this answer

Blocking the source IP address on the firewall is the best immediate action because it stops the ongoing brute-force attack at the network perimeter, preventing further authentication attempts from that IP without disrupting legitimate users. This aligns with the principle of containment before investigation, as the firewall ACL can be updated quickly to deny traffic from the offending source.

Exam trap

Cisco often tests the candidate's ability to prioritize containment over investigation or remediation; the trap here is that candidates may choose to increase logging (Option A) to gather evidence, but the immediate action must stop the active attack first.

How to eliminate wrong answers

Option A is wrong because increasing logging verbosity does not stop the attack; it only generates more log data, which could overwhelm storage and delay response. Option B is wrong because changing all user passwords is disruptive, time-consuming, and does not address the source of the attack: the attacker can simply continue trying new passwords against the same accounts. Option C is wrong because disabling affected user accounts would deny service to legitimate users and does not prevent the attacker from targeting other accounts from the same IP.
