Is this exam completely free?

Examcademy offers a free preview for every exam, covering around 20% of the total questions. Full access is available with a paid upgrade.

Can I practice IT certification exams from Microsoft, AWS, or CompTIA?

Yes! Examcademy supports a wide range of IT certification exams including Microsoft Azure, AWS Cloud Practitioner, and CompTIA A+ and Security+.

How accurate are the mock exams?

Our mock exams are built and reviewed with the help of AI and community contributions, staying aligned with real-world exam objectives.

200-201Free trial

By cisco

Verified

25Q per page

Question 1

Which event is user interaction?

A: gaining root access
B: executing remote code
C: reading and writing file permission
D: opening a malicious file

—

Question 2

An analyst is investigating an incident in a SOC environment.
Which method is used to identify a session from a group of logs?

A: sequence numbers
B: IP identifier
C: 5-tuple
D: timestamps

—

Question 3

Which system monitors local system operation and local network access for violations of a security policy?

A: host-based intrusion detection
B: systems-based sandboxing
C: host-based firewall
D: antivirus

—

Question 4

An analyst received an alert on their desktop computer showing that an attack was successful on the host. After investigating, the analyst discovered that no mitigation action occurred during the attack. What is the reason for this discrepancy?

A: The computer has a HIPS installed on it.
B: The computer has a NIPS installed on it.
C: The computer has a HIDS installed on it.
D: The computer has a NIDS installed on it.

—

Question 5

Refer to the exhibit. What is the potential threat identified in this Stealthwatch dashboard?

A: A policy violation is active for host 10.10.101.24.
B: A host on the network is sending a DDoS attack to another inside host.
C: There are three active data exfiltration alerts.
D: A policy violation is active for host 10.201.3.149.

—

Question 6

What is a difference between tampered and untampered disk images?

A: Tampered images have the same stored and computed hash.
B: Untampered images are deliberately altered to preserve as evidence.
C: Tampered images are used as evidence.
D: Untampered images are used for forensic investigations.

—

Question 7

What is a sandbox interprocess communication service?

A: A collection of rules within the sandbox that prevent the communication between sandboxes.
B: A collection of network services that are activated on an interface, allowing for inter-port communication.
C: A collection of interfaces that allow for coordination of activities among processes.
D: A collection of host services that allow for communication between sandboxes.

—

Question 8

An analyst is investigating a host in the network that appears to be communicating to a command and control server on the Internet. After collecting this packet capture, the analyst cannot determine the technique and payload used for the communication.
Which obfuscation technique is the attacker using?

A: Base64 encoding
B: transport layer security encryption
C: SHA-256 hashing
D: ROT13 encryption

—

Question 9

During which phase of the forensic process is data that is related to a specific event labeled and recorded to preserve its integrity?

A: examination
B: investigation
C: collection
D: reporting

—

Question 10

Which step in the incident response process researches an attacking host through logs in a SIEM?

A: detection and analysis
B: preparation
C: eradication
D: containment

—

Question 11

A malicious file has been identified in a sandbox analysis tool.
Which piece of information is needed to search for additional downloads of this file by other hosts?

A: file type
B: file size
C: file name
D: file hash value

—

Question 12

What is a difference between SOAR and SIEM?

A: SOAR platforms are used for threat and vulnerability management, but SIEM applications are not
B: SIEM applications are used for threat and vulnerability management, but SOAR platforms are not
C: SOAR receives information from a single platform and delivers it to a SIEM
D: SIEM receives information from a single platform and delivers it to a SOAR

—

Question 13

Refer to the exhibit. What is the potential threat identified in this Stealthwatch dashboard?

A: Host 10.201.3.149 is sending data to 152.46.6.91 using TCP/443.
B: Host 152.46.6.91 is being identified as a watchlist country for data transfer.
C: Traffic to 152.46.6.149 is being denied by an Advanced Network Control policy.
D: Host 10.201.3.149 is receiving almost 19 times more data than is being sent to host 152.46.6.91.

—

Question 14

Refer to the exhibit. What is the potential threat identified in this Stealthwatch dashboard?

A: A policy violation is active for host 10.10.101.24.
B: A host on the network is sending a DDoS attack to another inside host.
C: There are two active data exfiltration alerts.
D: A policy violation is active for host 10.201.3.149.

—

Question 15

Which security technology allows only a set of pre-approved applications to run on a system?

A: application-level blacklisting
B: host-based IPS
C: application-level whitelisting
D: antivirus

—

Question 16

An investigator is examining a copy of an ISO file that is stored in CDFS format.
What type of evidence is this file?

A: data from a CD copied using Mac-based system
B: data from a CD copied using Linux system
C: data from a DVD copied using Windows system
D: data from a CD copied using Windows

—

Question 17

Which piece of information is needed for attribution in an investigation?

A: proxy logs showing the source RFC 1918 IP addresses
B: RDP allowed from the Internet
C: known threat actor behavior
D: 802.1x RADIUS authentication pass arid fail logs

—

Question 18

What does cyber attribution identify in an investigation?

A: cause of an attack
B: exploit of an attack
C: vulnerabilities exploited
D: threat actors of an attack

—

Question 19

A security engineer has a video of a suspect entering a data center that was captured on the same day that files in the same data center were transferred to a competitor.
Which type of evidence is this?

A: best evidence
B: prima facie evidence
C: indirect evidence
D: physical evidence

—

Question 20

DRAG DROP -
Drag and drop the type of evidence from the left onto the description of that evidence on the right.
Select and Place:

—

Question 21

Refer to the exhibit. An analyst received this alert from the Cisco ASA device, and numerous activity logs were produced. How should this type of evidence be categorized?

A: indirect
B: circumstantial
C: corroborative
D: best

—

Question 22

Refer to the exhibit. Which piece of information is needed to search for additional downloads of this file by other hosts?

A: file header type
B: file size
C: file name
D: file hash value

—

Question 23

What is the difference between mandatory access control (MAC) and discretionary access control (DAC)?

A: MAC is controlled by the discretion of the owner and DAC is controlled by an administrator
B: MAC is the strictest of all levels of control and DAC is object-based access
C: DAC is controlled by the operating system and MAC is controlled by an administrator
D: DAC is the strictest of all levels of control and MAC is object-based access

—

Question 24

An organization's security team has detected network spikes coming from the internal network. An investigation has concluded that the spike in traffic was from intensive network scanning. How should the analyst collect the traffic to isolate the suspicious host?

A: based on the most used applications
B: by most active source IP
C: by most used ports
D: based on the protocols used

—

Question 25

Which technology on a host is used to isolate a running application from other application?

A: application allow list
B: application block list
C: host-based firewall
D: sandbox

—

Page 1 of 13 • Questions 1-25 of 325

1 2 3 4 5

→

Free preview mode

Enjoy the free questions and consider upgrading to gain full access!