350 701 459qa


Exam : 350-701 Implementing and Operating Cisco Security Core Technologies (SCOR)

Total Questions : 459
--------------------------------------------------------------------------------------------------------------------------------


Ebay: BestExamPractice
QUESTION 1

Refer to the exhibit. What does the number 15 represent in this configuration?

A. privilege level for an authorized user to this router
B. access list that identifies the SNMP devices that can access the router
C. interval in seconds between SNMPv3 authentication attempts
D. number of possible failed attempts until the SNMPv3 user is locked out
Correct Answer: B

QUESTION 2
Which network monitoring solution uses streams and pushes operational data to provide a near real-time view of activity?

A. SNMP
B. SMTP
C. syslog
D. model-driven telemetry

Correct Answer: D

QUESTION 3

What is the result of running the crypto isakmp key ciscXXXXXXXX address 172.16.0.0 command?

A. authenticates the IKEv2 peers in the 172.16.0.0/16 range by using the key ciscXXXXXXXX
B. authenticates the IP address of the 172.16.0.0/32 peer by using the key ciscXXXXXXXX
C. authenticates the IKEv1 peers in the 172.16.0.0/16 range by using the key ciscXXXXXXXX
D. secures all the certificates in the IKE exchange by using the key ciscXXXXXXXX

Correct Answer: B

QUESTION 4
Which two probes are configured to gather attributes of connected endpoints using Cisco Identity Services Engine? (Choose two.)

A. RADIUS
B. TACACS+
C. DHCP
D. sFlow
E. SMTP

Correct Answer: AC

QUESTION 5
What does the anomaly detection component of Cisco IOS IPS detect?

A. ARP Spoofing
B. Worm-infected hosts
C. Signature changes
D. Network Congestion

Correct Answer: B

QUESTION 6
Which solution protects hybrid cloud deployment workloads with application visibility and segmentation?
A. Nexus
B. Stealthwatch
C. Firepower
D. Tetration

Correct Answer: D

QUESTION 7
What are the two most commonly used authentication factors in multifactor authentication? (Choose two.)

A. biometric factor
B. time factor
C. confidentiality factor
D. knowledge factor
E. encryption factor

Correct Answer: AD

QUESTION 8
Which type of malicious software can create a back-door into a device or network?
A. Worm
B. Trojan
C. Virus
D. Bot

Correct Answer: B

QUESTION 9
What are two Detection and Analytics Engines of Cognitive Threat Analytics? (Choose two.)

A. data exfiltration
B. command and control communication
C. intelligent proxy
D. snort
E. URL categorization

Correct Answer: AB

QUESTION 10

Refer to the exhibit. Which two steps mitigate attacks on the webserver from the Internet? (Choose two.)

A. Create an ACL on the firewall to allow only TLS 1.3
B. Implement a proxy server in the DMZ network
C. Create an ACL on the firewall to allow only external connections
D. Move the webserver to the internal network

Correct Answer: BD

QUESTION 11
DRAG DROP

Drag and drop the phases to evaluate the security posture of an asset from the left onto the activity that happens during the phases on the right.

Select and Place:


Correct Answer:

QUESTION 12
According to GDPR, what should be done with data to ensure its confidentiality, integrity, and availability?

A. Perform a vulnerability assessment
B. Conduct a data protection impact assessment
C. Conduct penetration testing
D. Perform awareness testing

Correct Answer: B

Reference: https://apdcat.gencat.cat/web/.content/-documentacio/Reglament_general_de_proteccio_de_dades/documents/DPIA-Guide.pdf

QUESTION 13

A payroll administrator noticed unexpected changes within a piece of software and reported the incident to the incident response team. Which actions should be taken at this step in the incident response workflow?

A. Classify the criticality of the information, research the attacker’s motives, and identify missing patches
B. Determine the damage to the business, extract reports, and save evidence according to a chain of custody
C. Classify the attack vector, understand the scope of the event, and identify the vulnerabilities being exploited
D. Determine the attack surface, evaluate the risks involved, and communicate the incident according to the escalation plan

Correct Answer: B

QUESTION 14
A company recently completed an internal audit and discovered that there is CSRF vulnerability in 20 of its hosted applications. Based on the audit, which recommendation should an engineer make for patching?

A. Identify the business applications running on the assets
B. Update software to patch third-party software
C. Validate CSRF by executing exploits within Metasploit
D. Fix applications according to the risk scores

Correct Answer: D

QUESTION 15
An engineer is analyzing a possible compromise that happened a week ago when the company ? (Choose two.)

A. firewall
B. Wireshark
C. autopsy
D. SHA512
E. IPS

Correct Answer: AB

QUESTION 16
A European-based advertisement company collects tracking information from partner websites and stores it on a local server to provide tailored ads. Which standard must the company follow to safeguard the resting data?

A. HIPAA
B. PCI-DSS
C. Sarbanes-Oxley
D. GDPR

Correct Answer: D

Reference: https://www.thesslstore.com/blog/-data-privacy-and-encryption-laws-every-business-needs-to-know/

QUESTION 17
An organization had a breach due to a phishing attack. An engineer leads a team through the recovery phase of the incident response process. Which action should be taken during this phase?

A. Host a discovery meeting and define configuration and policy updates
B. Update the IDS/IPS signatures and reimage the affected hosts
C. Identify the systems that have been affected and tools used to detect the attack
D. Identify the traffic with data capture using Wireshark and review email filters

Correct Answer: C

QUESTION 18
An engineer is going through vulnerability triage with company management because of a recent malware outbreak from which 21 affected assets need to be patched or remediated. Management decides not to prioritize fixing the assets and accepts the vulnerabilities. What is the next step the engineer should take?

A. Investigate the vulnerability to prevent further spread
B. Acknowledge the vulnerabilities and document the risk
C. Apply vendor patches or available hot fixes
D. Isolate the assets affected in a separate network

Correct Answer: D

QUESTION 19
The incident response team receives information about the abnormal behavior of a host. A malicious file is found being executed from an external USB flash drive. The team collects and documents all the necessary evidence from the computing resource. What is the next step?

A. Conduct a risk assessment of systems and applications
B. Isolate the infected host from the rest of the subnet
C. Install malware prevention software on the host
D. Analyze network traffic on the host’s subnet

Correct Answer: B

QUESTION 20
DRAG DROP

An engineer notices that unauthorized software was installed on the network and discovers that it was installed by a dormant user account. The engineer suspects an escalation of privilege attack and responds to the incident. Drag and drop the activities from the left into the order for the response on the right.

Select and Place:

Correct Answer:

QUESTION 21
An organization had several cyberattacks over the last 6 months and has tasked an engineer with looking for patterns or trends that will help the organization anticipate future attacks and mitigate them. Which data analytic technique should the engineer use to accomplish this task?

A. diagnostic
B. qualitative
C. predictive
D. statistical

Correct Answer: C

Reference: https://insights.principa.co.za/-types-of-data-analytics-descriptive-diagnostic-predictive-prescriptive

QUESTION 22
A malware outbreak is detected by the SIEM and is confirmed as a true positive. The incident response team follows the playbook to mitigate the threat. What is the first action for the incident response team?

A. Assess the network for unexpected behavior
B. Isolate critical hosts from the network
C. Patch detected vulnerabilities from critical hosts
D. Perform analysis based on the established risk factors

Correct Answer: B

QUESTION 23

Refer to the exhibit. Cisco Advanced Malware Protection installed on an end-user desktop automatically submitted a low prevalence file to the Threat Grid analysis engine. What should be concluded from this report?
A. Threat scores are high, malicious ransomware has been detected, and files have been modified
B. Threat scores are low, malicious ransomware has been detected, and files have been modified
C. Threat scores are high, malicious activity is detected, but files have not been modified
D. Threat scores are low and no malicious file activity is detected

Correct Answer: B

QUESTION 24
An organization is using a PKI management server and a SOAR platform to manage the certificate lifecycle. The SOAR platform queries a certificate management tool to check all endpoints for SSL certificates that have either expired or are nearing expiration. Engineers are struggling to manage problematic certificates outside of PKI management since deploying certificates and tracking them requires searching server owners manually. Which action will improve workflow automation?

A. Implement a new workflow within SOAR to create tickets in the incident response system, assign problematic certificate update requests to server owners, and register change requests.
B. Integrate a PKI solution within SOAR to create certificates within the SOAR engines to track, update, and monitor problematic certificates.
C. Implement a new workflow for SOAR to fetch a report of assets that are outside of the PKI zone, sort assets by certification management leads and automate alerts that updates are needed.
D. Integrate a SOAR solution with Active Directory to pull server owner details from the AD and send an automated email for problematic certificates requesting updates.

Correct Answer: C

QUESTION 25
DRAG DROP

Drag and drop the NIST incident response process steps from the left onto the actions that occur in the steps on the right.

Select and Place:

Correct Answer:

Reference: https://www.securitymetrics.com/blog/-phases-incident-response-plan
QUESTION 26
Which command does an engineer use to set read/write/execute access on a folder for everyone who reaches the resource?

A. chmod 666
B. chmod 774
C. chmod 775
D. chmod 777

Correct Answer: D

Reference: https://www.pluralsight.com/blog/it-ops/linux-file-permissions

QUESTION 27

A SIEM tool fires an alert about a VPN connection attempt from an unusual location. The incident response team validates that an attacker has installed a remote access tool on a user’s laptop while traveling. The attacker has the user’s credentials and is attempting to connect to the network. What is the next step in handling the incident?

A. Block the source IP from the firewall
B. Perform an antivirus scan on the laptop
C. Identify systems or services at risk
D. Identify lateral movement

Correct Answer: C

QUESTION 28
A threat actor used a phishing email to deliver a file with an embedded macro. The file was opened, and a remote code execution attack occurred in a company’s infrastructure. Which steps should an engineer take at the recovery stage?

A. Determine the systems involved and deploy available patches
B. Analyze event logs and restrict network access
C. Review access lists and require users to increase password complexity
D. Identify the attack vector and update the IDS signature list

Correct Answer: B

QUESTION 29

A patient views information that is not theirs when they sign in to the hospital’s online portal. The patient calls the support center at the hospital but continues to be put on hold because other patients are experiencing the same issue. An incident has been declared, and an engineer is now on the incident bridge as the CyberOps Tier 3 Analyst. There is a concern about the disclosure of PII occurring in real-time. What is the first step the analyst should take to address this incident?

A. Evaluate visibility tools to determine if external access resulted in tampering
B. Contact the third-party handling provider to respond to the incident as critical
C. Turn off all access to the patient portal to secure patient records

D. Review system and application logs to identify errors in the portal code

Correct Answer: C

QUESTION 30

Refer to the exhibit. What results from this script?
A. Seeds for existing domains are checked
B. A search is conducted for additional seeds
C. Domains are compared to seed rules
D. A list of domains as seeds is blocked

Correct Answer: B

QUESTION 31
DRAG DROP

Drag and drop the threat from the left onto the scenario that introduces the threat on the right. Not all options are used.

Select and Place:

Correct Answer:

QUESTION 32

Refer to the exhibit. Which data format is being used?

A. JSON
B. HTML
C. XML
D. CSV

Correct Answer: B

QUESTION 33
The incident response team was notified of detected malware. The team identified the infected hosts, removed the malware, restored the functionality and data of infected systems, and planned a company meeting to
improve the incident handling capability. Which step was missed according to the NIST incident handling guide?

A. Contain the malware

B. Install IPS software
C. Determine the escalation path

D. Perform vulnerability assessment

Correct Answer: D

QUESTION 34

Refer to the exhibit. An engineer must tune the Cisco IOS device to mitigate an attack that is broadcasting a large number of ICMP packets. The attack is sending the victim’s spoofed source IP to a network using an IP broadcast address that causes devices in the network to respond back to the source IP address. Which action does the engineer recommend?

A. Use command ip verify reverse-path interface
B. Use global configuration command service tcp-keepalives-out
C. Use subinterface command no ip directed-broadcast
D. Use logging trap 6

Correct Answer: A

Reference: https://www.ccexpert.us/pix-firewall/ip-verify-reversepath-command.html

QUESTION 35

Refer to the exhibit. An engineer is analyzing this Vlan0386-int12-117.pcap file in Wireshark after detecting a suspicious network activity. The origin header for the direct IP connections in the packets was initiated by a Google Chrome extension on a WebSocket protocol. The engineer checked message payloads to determine what information was being sent off-site but the payloads are obfuscated and unreadable. What does this STIX indicate?

A. The extension is not performing as intended because of restrictions since ports 80 and 443 should be accessible
B. The traffic is legitimate as the google chrome extension is reaching out to check for updates and fetches this information

C. There is a possible data leak because payloads should be encoded as UTF-8 text
D. There is a malware that is communicating via encrypted channels to the command and control server

Correct Answer: C

QUESTION 36
What do 2xx HTTP response codes indicate for REST APIs?

A. additional action must be taken by the client to complete the request
B. the server takes responsibility for error status codes
C. communication of transfer protocol-level information
D. successful acceptance of the client’s request
Correct Answer: D

QUESTION 37
An engineer received an alert of a zero-day vulnerability affecting desktop phones through which an attacker sends a crafted packet to a device, resets the credentials, makes the device unavailable, and allows a default administrator account login. Which step should an engineer take after receiving this alert?

A. Initiate a triage meeting to acknowledge the vulnerability and its potential impact
B. Determine company usage of the affected products
C. Search for a patch to install from the vendor
D. Implement restrictions within the VoIP VLANS

Correct Answer: C

QUESTION 38

Refer to the exhibit. Which code snippet will parse the response to identify the status of the domain as malicious, clean or undefined?

A.
B.
C.
D.

Correct Answer: C
QUESTION 39
An engineer receives an incident ticket with hundreds of intrusion alerts that require investigation. An analysis of the incident log shows that the alerts are from trusted IP addresses and internal devices. The final incident
report stated that these alerts were false positives and that no intrusions were detected. What action should be taken to harden the network?

A. Move the IPS to after the firewall facing the internal network
B. Move the IPS to before the firewall facing the outside network
C. Configure the proxy service on the IPS
D. Configure reverse port forwarding on the IPS

Correct Answer: C

QUESTION 40
A SOC team is informed that a UK-based user will be traveling between three countries over the next 60 days. Having the names of the 3 destination countries and the user's working hours, what must the analyst do next to detect an abnormal behavior?

A. Create a rule triggered by 3 failed VPN connection attempts in an 8-hour period

B. Create a rule triggered by 1 successful VPN connection from any nondestination country
C. Create a rule triggered by multiple successful VPN connections from the destination countries
D. Analyze the logs from all countries related to this user during the traveling period

Correct Answer: D

QUESTION 41
An engineer receives a report that indicates a possible incident of a malicious insider sending company information to outside parties. What is the first action the engineer must take to determine whether an incident has occurred?

A. Analyze environmental threats and causes
B. Inform the product security incident response team to investigate further
C. Analyze the precursors and indicators
D. Inform the computer security incident response team to investigate further

Correct Answer: C

QUESTION 42
An employee abused PowerShell commands and script interpreters, which lead to an indicator of compromise (IOC) trigger. The IOC event shows that a known malicious file has been executed, and there is an increased likelihood of a breach. Which indicator generated this IOC event?

A. ExecutedMalware.ioc
B. Crossrider.ioc
C. ConnectToSuspiciousDomain.ioc
D. W32 AccesschkUtility.ioc

Correct Answer: D

QUESTION 43
Refer to the exhibit. Which command was executed in PowerShell to generate this log?

A. Get-EventLog -LogName*
B. Get-EventLog -List
C. Get-WinEvent -ListLog* -ComputerName localhost

D. Get-WinEvent -ListLog*

Correct Answer: A

Reference: https://lists.xymon.com/archive/-March/.html

QUESTION 44

Refer to the exhibit. Cisco Rapid Threat Containment using Cisco Secure Network Analytics (Stealthwatch) and ISE detects the threat of malware-infected 802.1x authenticated endpoints and places that endpoint into a Quarantine VLAN using Adaptive Network Control policy. Which telemetry feeds were correlated with SMC to identify the malware?

A. NetFlow and event data
B. event data and syslog data
C. SNMP and syslog data
D. NetFlow and SNMP

Correct Answer: B

QUESTION 45
A security architect is working in a processing center and must implement a DLP solution to detect and prevent any type of copy and paste attempts of sensitive data within unapproved applications and removable devices. Which technical architecture must be used?

A. DLP for data in motion
B. DLP for removable data
C. DLP for data in use
D. DLP for data at rest

Correct Answer: C

Reference: https://www.endpointprotector.com/blog/what-is-data-loss-prevention-dlp/

QUESTION 46
A security analyst receives an escalation regarding an unidentified connection on the Accounting A1 server within a monitored zone. The analyst pulls the logs and discovers that a PowerShell process and a WMI tool process were started on the server after the connection was established and that a PE format file was created in the system directory. What is the next step the analyst should take?

A. Isolate the server and perform forensic analysis of the file to determine the type and vector of a possible attack
B. Identify the server owner through the CMDB and contact the owner to determine if these were planned and identifiable activities
C. Review the server backup and identify server content and data criticality to assess the intrusion risk
D. Perform behavioral analysis of the processes on an isolated workstation and perform cleaning procedures if the file is malicious

Correct Answer: C

QUESTION 47

A security expert is investigating a breach that resulted in a $32 million loss from customer accounts. Hackers were able to steal API keys and two-factor codes due to a vulnerability that was introduced in a new code a few weeks before the attack. Which step was missed that would have prevented this breach?

A. use of the Nmap tool to identify the vulnerability when the new code was deployed
B. implementation of a firewall and intrusion detection system
C. implementation of an endpoint protection system
D. use of SecDevOps to detect the vulnerability during development

Correct Answer: D

Reference: https://securityintelligence.com/how-to-prioritize-security-vulnerabilities-in-secdevops/

QUESTION 48
An API developer is improving an application code to prevent DDoS attacks. The solution needs to accommodate instances of a large number of API requests coming for legitimate purposes from trustworthy services. Which solution should be implemented?

A. Restrict the number of requests based on a calculation of daily averages. If the limit is exceeded, temporarily block access from the IP address and return a 402 HTTP error code.
B. Implement REST API Security Essentials solution to automatically mitigate limit exhaustion. If the limit is exceeded, temporarily block access from the service and return a 409 HTTP error code.
C. Increase a limit of replies in a given interval for each API. If the limit is exceeded, block access from the API key permanently and return a 450 HTTP error code.
D. Apply a limit to the number of requests in a given time interval for each API. If the rate is exceeded, block access from the API key temporarily and return a 429 HTTP error code.

Correct Answer: D

Reference: https://www.whoishostingthis.com/resources/http-status-codes/

QUESTION 49

Refer to the exhibit. IDS is producing an increased amount of false positive events about brute force attempts on the organization’s mail server. How should the Snort rule be modified to improve performance?

A. Block list of internal IPs from the rule
B. Change the rule content match to case sensitive

C. Set the rule to track the source IP
D. Tune the count and seconds threshold of the rule

Correct Answer: B

QUESTION 50

Where do threat intelligence tools search for data to identify potential malicious IP addresses, domain names, and URLs?

A. customer data
B. internal database
C. internal cloud
D. Internet

Correct Answer: D

QUESTION 51
An engineer wants to review the packet overviews of SNORT alerts. When printing the SNORT alerts, all the packet headers are included, and the file is too large to utilize. Which action is needed to correct this problem?

A. Modify the alert rule to “output alert_syslog: output log”
B. Modify the output module rule to “output alert_quick: output filename”
C. Modify the alert rule to “output alert_syslog: output header”
D. Modify the output module rule to “output alert_fast: output filename”

Correct Answer: A

QUESTION 52
DRAG DROP

Drag and drop the type of attacks from the left onto the cyber kill chain stages at which the attacks are seen on the right.

Select and Place:


Correct Answer:

QUESTION 53


Refer to the exhibit. An engineer received a report that an attacker has compromised a workstation and gained access to sensitive customer data from the network using insecure protocols. Which action prevents this type of attack in the future?

A. Use VLANs to segregate zones and the firewall to allow only required services and secured protocols
B. Deploy a SOAR solution and correlate log alerts from customer zones
C. Deploy IDS within sensitive areas and continuously update signatures
D. Use syslog to gather data from multiple sources and detect intrusion logs for timely responses

Correct Answer: A

QUESTION 54
How does Wireshark decrypt TLS network traffic?

A. with a key log file using per-session secrets
B. using an RSA public key
C. by observing DH key exchange
D. by defining a user-specified decode-as

Correct Answer: A

QUESTION 55

Refer to the exhibit. An organization is using an internal application for printing documents that requires a separate registration on the website. The application allows format-free user creation, and users must match these required conditions to comply with the company’s user creation policy:
minimum length: 3
usernames can only use letters, numbers, dots, and underscores
usernames cannot begin with a number

The application administrator has to manually change and track these daily to ensure compliance. An engineer is tasked to implement a script to automate the process according to the company user creation policy. The engineer implemented this piece of code within the application, but users are still able to create format-free usernames. Which change is needed to apply the restrictions?

A. modify code to return error on restrictions def return false_user(username, minlen)
B. automate the restrictions def automate_user(username, minlen)
C. validate the restrictions, def validate_user(username, minlen)
D. modify code to force the restrictions, def force_user(username, minlen)

Correct Answer: B

QUESTION 56
An engineer implemented a SOAR workflow to detect and respond to incorrect login attempts and anomalous user behavior. Since the implementation, the security team has received dozens of false positive alerts and
negative feedback from system administrators and privileged users. Several legitimate users were tagged as a threat and their accounts blocked, or credentials reset because of unexpected login times and incorrectly
typed credentials. How should the workflow be improved to resolve these issues?

A. Meet with privileged users to increase awareness and modify the rules for threat tags and anomalous behavior alerts
B. Change the SOAR configuration flow to remove the automatic remediation that is increasing the false positives and triggering threats
C. Add a confirmation step through which SOAR informs the affected user and asks them to confirm whether they made the attempts
D. Increase incorrect login tries and tune anomalous user behavior not to affect privileged accounts

Correct Answer: B

QUESTION 57

Refer to the exhibit. Where does it signify that a page will be stopped from loading when a scripting attack is detected?

A. x-frame-options
B. x-content-type-options

C. x-xss-protection
D. x-test-debug

Correct Answer: C

Reference: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/customize-http-security-headers-ad-fs

QUESTION 58
What is the HTTP response code when the REST API information requested by the authenticated user cannot be found?

A. 401
B. 402
C. 403
D. 404
E. 405

Correct Answer: A

Reference: https://airbrake.io/blog/http-errors/-unauthorized-error#:~:text=The%%Unauthorized%Error%is,client%could%not%be%authenticated.

QUESTION 59
What is a principle of Infrastructure as Code?

A. System maintenance is delegated to software systems
B. Comprehensive initial designs support robust systems
C. Scripts and manual configurations work together to ensure repeatable routines
D. System downtime is grouped and scheduled across the infrastructure

Correct Answer: B

QUESTION 60

Refer to the exhibit. An engineer configured this SOAR solution workflow to identify account theft threats and privilege escalation, evaluate risk, and respond by resolving the threat. This solution is handling more threats than Security analysts have time to analyze. Without this analysis, the team cannot be proactive and anticipate attacks. Which action will accomplish this goal?

A. Exclude the step “BAN malicious IP” to allow analysts to conduct and track the remediation
B. Include a step “Take a Snapshot” to capture the endpoint state to contain the threat for analysis
C. Exclude the step “Check for GeoIP location” to allow analysts to analyze the location and the associated risk based on asset criticality
D. Include a step “Reporting” to alert the security department of threats identified by the SOAR reporting engine

Correct Answer: A

QUESTION 61

DRAG DROP

Drag and drop the telemetry-related considerations from the left onto their cloud service models on the right.

Select and Place:

Correct Answer:

QUESTION 62
A company’s web server availability was breached by a DDoS attack and was offline for 3 hours because it was not deemed a critical asset in the incident response playbook. Leadership has requested a risk assessment of the asset. An analyst conducted the risk assessment using the threat sources, events, and vulnerabilities. Which additional element is needed to calculate the risk?

A. assessment scope
B. event severity and likelihood
C. incident response playbook
D. risk model framework

Correct Answer: D

QUESTION 63
DRAG DROP
Drag and drop the components from the left onto the phases of the CI/CD pipeline on the right.

Select and Place:

Correct Answer:

Reference: https://www.densify.com/resources/continuous-integration-delivery-phases

QUESTION 64

An employee who often travels abroad logs in from a first-seen country during non-working hours. The SIEM tool generates an alert that the user is forwarding an increased amount of emails to an external mail domain and then logs out. The investigation concludes that the external domain belongs to a competitor. Which two behaviors triggered UEBA? (Choose two.)

A. domain belongs to a competitor
B. log in during non-working hours
C. email forwarding to an external domain
D. log in from a first-seen country
E. increased number of sent mails

Correct Answer: AB

QUESTION 65 How is a SIEM tool used?

A. To collect security data from authentication failures and cyber attacks and forward it for analysis
B. To search and compare security data against acceptance standards and generate reports for analysis
C. To compare security alerts against configured scenarios and trigger system responses
D. To collect and analyze security data from network devices and servers and produce alerts

Correct Answer: D

Reference: https://www.varonis.com/blog/what-is-siem/

QUESTION 66

Refer to the exhibit. An engineer is reverse engineering a suspicious file by examining its resources. What does this file indicate?

A. a DOS MZ executable format
B. a MS-DOS executable archive
C. an archived malware
D. a Windows executable file

Correct Answer: D

QUESTION 67

Refer to the exhibit. An engineer is performing static analysis on a malware sample and knows that it is capturing keys and webcam events on a company server. What is the indicator of compromise?

A. The malware is performing comprehensive fingerprinting of the host, including a processor, motherboard manufacturer, and connected removable storage.
B. The malware is a ransomware querying for installed anti-virus products and operating systems to encrypt and render unreadable until payment is made for file decryption.
C. The malware has moved to harvesting cookies and stored account information from major browsers and configuring a reverse proxy for intercepting network activity.
D. The malware contains an encryption and decryption routine to hide URLs/IP addresses and is storing the output of loggers and webcam captures in locally encrypted files for retrieval.

Correct Answer: B

QUESTION 68
An audit is assessing a small business that is selling automotive parts and diagnostic services. Due to increased customer demands, the company recently started to accept credit card payments and acquired a POS
terminal. Which compliance regulations must the audit apply to the company?

A. HIPAA
B. FISMA
C. COBIT
D. PCI DSS

Correct Answer: D

Reference: https://upserve.com/restaurant-insider/restaurant-pos-pci-compliance-checklist/

QUESTION 69
A customer is using a central device to manage network devices over SNMPv2. A remote attacker caused a denial of service condition and can trigger this vulnerability by issuing a GET request for the ciscoFlashMIB OID
on an affected device. Which should be disabled to resolve the issue?

A. SNMPv2
B. TCP small services
C. port UDP 161 and 162
D. UDP small services

Correct Answer: A

Reference: https://nvd.nist.gov/vuln/detail/CVE--

QUESTION 70

DRAG DROP

Drag and drop the mitigation steps from the left onto the vulnerabilities they mitigate on the right.

Select and Place:

Correct Answer:

QUESTION 71

Refer to the exhibit. Which indicator of compromise is represented by this STIX?

A. website redirecting traffic to ransomware server
B. website hosting malware to download files
C. web server vulnerability exploited by malware
D. cross-site scripting vulnerability to backdoor server

Correct Answer: C

QUESTION 72
Refer to the exhibit. What is occurring in this packet capture?

A. TCP port scan
B. TCP flood
C. DNS flood
D. DNS tunneling

Correct Answer: B

QUESTION 73

DRAG DROP

Drag and drop the cloud computing service descriptions from the left onto the cloud service categories on the right.

Select and Place:

Correct Answer:

QUESTION 74

Refer to the exhibit. What is the threat in this Wireshark traffic capture?

A. A high rate of SYN packets being sent from multiple sources toward a single destination IP
B. A flood of ACK packets coming from a single source IP to multiple destination IPs
C. A high rate of SYN packets being sent from a single source IP toward multiple destination IPs
D. A flood of SYN packets coming from a single source IP to a single destination IP

Correct Answer: D

QUESTION 75
An engineer is moving data from NAS servers in different departments to a combined storage database so that the data can be accessed and analyzed by the organization on demand. Which data management process is being used?

A. data clustering
B. data regression
C. data ingestion
D. data obfuscation

Correct Answer: A

QUESTION 76
What is a benefit of key risk indicators?

A. clear perspective into the risk position of an organization
B. improved visibility on quantifiable information
C. improved mitigation techniques for unknown threats
D. clear procedures and processes for organizational risk

Correct Answer: C

QUESTION 77
An engineer is developing an application that requires frequent updates to close feedback loops and enable teams to quickly apply patches. The team wants their code updates to get to market as often as possible. Which
software development approach should be used to accomplish these goals?

A. continuous delivery
B. continuous integration
C. continuous deployment
D. continuous monitoring

Correct Answer: A

QUESTION 78

Refer to the exhibit. An engineer notices a significant anomaly in the traffic in one of the host groups in Cisco Secure Network Analytics (Stealthwatch) and must analyze the top data transmissions. Which tool accomplishes this task?

A. Top Peers
B. Top Hosts
C. Top Conversations
D. Top Ports

Correct Answer: B

Reference: https://www.ciscolive.com/c/dam/r/ciscolive/emea/docs//pdf/BRKSEC-.pdf

QUESTION 79

Employees report computer system crashes within the same week. An analyst is investigating one of the computers that crashed and discovers multiple shortcuts in the system’s startup folder. It appears that the shortcuts redirect users to malicious URLs. What is the next step the engineer should take to investigate this case?

A. Remove the shortcut files
B. Check the audit logs
C. Identify affected systems
D. Investigate the malicious URLs

Correct Answer: C

QUESTION 80
An engineer has created a bash script to automate a complicated process. During script execution, this error occurs: permission denied. Which command must be added to execute this script?

A. chmod +x ex.sh
B. source ex.sh
C. chroot ex.sh
D. sh ex.sh

Correct Answer: A

Reference: https://www.redhat.com/sysadmin/exit-codes-demystified

QUESTION 81
An engineer is investigating several cases of increased incoming spam emails and suspicious emails from the HR and service departments. While checking the event sources, the website monitoring tool showed several web scraping alerts overnight. Which type of compromise is indicated?

A. phishing
B. dumpster diving
C. social engineering
D. privilege escalation

Correct Answer: C

QUESTION 82

Refer to the exhibit. How are tokens authenticated when the REST API on a device is accessed from a REST API client?

A. The token is obtained by providing a password. The REST client requests access to a resource using the access token. The REST API validates the access token and gives access to the resource.
B. The token is obtained by providing a password. The REST API requests access to a resource using the access token, validates the access token, and gives access to the resource.
C. The token is obtained before providing a password. The REST API provides resource access, refreshes tokens, and returns them to the REST client. The REST client requests access to a resource using the access token.
D. The token is obtained before providing a password. The REST client provides access to a resource using the access token. The REST API encrypts the access token and gives access to the resource.

Correct Answer: D

QUESTION 83

Refer to the exhibit. Where are the browser page rendering permissions displayed?

A. x-frame-options
B. x-xss-protection
C. x-content-type-options
D. x-test-debug

Correct Answer: C

Reference: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options

QUESTION 84

DRAG DROP

Drag and drop the actions below the image onto the boxes in the image for the actions that should be taken during this playbook step. Not all options are used.

Select and Place:

Correct Answer:

QUESTION 85
An engineer is utilizing interactive behavior analysis to test malware in a sandbox environment to see how the malware performs when it is successfully executed. A location is secured to perform reverse engineering on a
piece of malware. What is the next step the engineer should take to analyze this malware?

A. Run the program through a debugger to see the sequential actions
B. Unpack the file in a sandbox to see how it reacts
C. Research the malware online to see if there are noted findings
D. Disassemble the malware to understand how it was constructed

Correct Answer: C

QUESTION 86
What is a limitation of cyber security risk insurance?

A. It does not cover the costs to restore stolen identities as a result of a cyber attack
B. It does not cover the costs to hire forensics experts to analyze the cyber attack
C. It does not cover the costs of damage done by third parties as a result of a cyber attack
D. It does not cover the costs to hire a public relations company to help deal with a cyber attack

Correct Answer: A

Reference: https://tplinsurance.com/products/cyber-risk-insurance/

QUESTION 87
An engineer returned to work and realized that payments that were received over the weekend were sent to the wrong recipient. The engineer discovered that the SaaS tool that processes these payments was down over the weekend. Which step should the engineer take first?

A. Utilize the SaaS tool team to gather more information on the potential breach
B. Contact the incident response team to inform them of a potential breach
C. Organize a meeting to discuss the services that may be affected
D. Request that the purchasing department creates and sends the payments manually

Correct Answer: A

QUESTION 88

An analyst is alerted for a malicious file hash. After analysis, the analyst determined that an internal workstation is communicating over port 80 with an external server and that the file hash is associated with Duqu malware. Which tactics, techniques, and procedures align with this analysis?

A. Command and Control, Application Layer Protocol, Duqu
B. Discovery, Remote Services: SMB/Windows Admin Shares, Duqu
C. Lateral Movement, Remote Services: SMB/Windows Admin Shares, Duqu
D. Discovery, System Network Configuration Discovery, Duqu

Correct Answer: A

QUESTION 89
DRAG DROP

Drag and drop the function on the left onto the mechanism on the right.

Select and Place:

Correct Answer:

QUESTION 90

A Mac laptop user notices that several files have disappeared from their laptop documents folder. While looking for the files, the user notices that the browser history was recently cleared. The user raises a case, and an analyst reviews the network usage and discovers that it is abnormally high. Which step should be taken to continue the investigation?

A. Run the sudo sysdiagnose command
B. Run the sh command
C. Run the w command
D. Run the who command

Correct Answer: A

Reference: https://eclecticlight.co////the-ultimate-diagnostic-tool-sysdiagnose/

QUESTION 91

A SOC analyst is investigating a recent email delivered to a high-value user for a customer whose network their organization monitors. The email includes a suspicious attachment titled “Invoice RE: 0004489”. The hash of the file is gathered from the Cisco Email Security Appliance. After searching Open Source Intelligence, no available history of this hash is found anywhere on the web. What is the next step in analyzing this attachment to allow the analyst to gather indicators of compromise?

A. Run and analyze the DLP Incident Summary Report from the Email Security Appliance
B. Ask the company to execute the payload for real time analysis
C. Investigate further in open source repositories using YARA to find matches
D. Obtain a copy of the file for detonation in a sandbox

Correct Answer: D

QUESTION 92
A SOC analyst is notified by the network monitoring tool that there are unusual types of internal traffic on IP subnet 103.861.2117.0/24. The analyst discovers unexplained encrypted data files on a computer system that
belongs on that specific subnet. What is the cause of the issue?

A. DDoS attack
B. phishing attack
C. virus outbreak
D. malware outbreak

Correct Answer: D

QUESTION 93

Refer to the exhibit. An employee is a victim of a social engineering phone call and installs remote access software to allow an “MS Support” technician to check his machine for malware. The employee becomes suspicious after the remote technician requests payment in the form of gift cards. The employee has copies of multiple, unencrypted database files, over 400 MB each, on his system and is worried that the scammer copied the files off but has no proof of it. The remote technician was connected sometime between 2:00 pm and 3:00 pm over https. What should be determined regarding data loss between the employee’s laptop and the remote technician’s system?

A. No database files were disclosed
B. The database files were disclosed
C. The database files integrity was violated
D. The database files were intentionally corrupted, and encryption is possible

Correct Answer: C

QUESTION 94

Refer to the exhibit. Which asset has the highest risk value?

A. servers
B. website
C. payment process
D. secretary workstation

Correct Answer: C

QUESTION 95
DRAG DROP
Refer to the exhibit. The Cisco Secure Network Analytics (Stealthwatch) console alerted with “New Malware Server Discovered” and the IOC indicates communication from an end-user desktop to a Zeus C&C Server.
Drag and drop the actions that the analyst should take from the left into the order on the right to investigate and remediate this IOC.

Select and Place:

Correct Answer:

QUESTION 96
What is the purpose of hardening systems?

A. to securely configure machines to limit the attack surface
B. to create the logic that triggers alerts when anomalies occur
C. to identify vulnerabilities within an operating system
D. to analyze attacks to identify threat actors and points of entry

Correct Answer: A

QUESTION 97
A company launched an e-commerce website with multiple points of sale through internal and external e-stores. Customers access the stores from the public website, and employees access the stores from the intranet
with an SSO. Which action is needed to comply with PCI standards for hardening the systems?

A. Mask PAN numbers
B. Encrypt personal data
C. Encrypt access
D. Mask sales details

Correct Answer: B

QUESTION 98
An organization installed a new application server for IP phones. An automated process fetched user credentials from the Active Directory server, and the application will have access to on-premises and cloud services.
Which security threat should be mitigated first?

A. aligning access control policies
B. exfiltration during data transfer
C. attack using default accounts
D. data exposure from backups

Correct Answer: B

QUESTION 99
A threat actor has crafted and sent a spear-phishing email with what appears to be a trustworthy link to the site of a conference that an employee recently attended. The employee clicked the link and was redirected to a malicious site through which the employee downloaded a PDF attachment infected with ransomware. The employee opened the attachment, which exploited vulnerabilities on the desktop. The ransomware is now installed and is calling back to its command and control server. Which security solution is needed at this stage to mitigate the attack?

A. web security solution
B. email security solution
C. endpoint security solution
D. network security solution

Correct Answer: D

QUESTION 100

Refer to the exhibit. An engineer is investigating a case with suspicious usernames within the active directory. After the engineer investigates and cross-correlates events from other sources, it appears that the 2 users are privileged, and their creation date matches suspicious network traffic that was initiated from the internal network 2 days prior. Which type of compromise is occurring?

A. compromised insider
B. compromised root access
C. compromised database tables
D. compromised network

Correct Answer: D

QUESTION 101
Refer to the exhibit. For IP 192.168.1.209, what are the risk level, activity, and next step?

A. high risk level, anomalous periodic communication, quarantine with antivirus
B. critical risk level, malicious server IP, run in a sandboxed environment
C. critical risk level, data exfiltration, isolate the device
D. high risk level, malicious host, investigate further

Correct Answer: A

QUESTION 102

Refer to the exhibit. What is the connection status of the ICMP event?

A. blocked by a configured access policy rule
B. allowed by a configured access policy rule
C. blocked by an intrusion policy rule
D. allowed in the default action

Correct Answer: B

QUESTION 103
An analyst wants to upload an infected file containing sensitive information to a hybrid-analysis sandbox. According to the NIST.SP 800-150 guide to cyber threat information sharing, what is the analyst required to do
before uploading the file to safeguard privacy?

A. Verify hash integrity.
B. Remove all personally identifiable information.
C. Ensure the online sandbox is GDPR compliant.
D. Lock the file to prevent unauthorized access.

Correct Answer: B

QUESTION 104

Refer to the exhibit. An engineer received multiple reports from employees unable to log into systems with the error: "The Group Policy Client service failed to logon. Access is denied." Through further analysis, the engineer discovered several unexpected modifications to system settings. Which type of breach is occurring?

A. malware break
B. data theft
C. elevation of privileges
D. denial-of-service

Correct Answer: C

QUESTION 105
What is needed to assess risk mitigation effectiveness in an organization?

A. analysis of key performance indicators
B. compliance with security standards
C. cost-effectiveness of control measures
D. updated list of vulnerable systems

Correct Answer: C

QUESTION 106

Refer to the exhibit. Where is the MIME type that should be followed indicated?

A. x-test-debug
B. strict-transport-security
C. x-xss-protection
D. x-content-type-options

Correct Answer: A

QUESTION 107

Refer to the exhibit. Based on the detected vulnerabilities, what is the next recommended mitigation step?

A. Evaluate service disruption and associated risk before prioritizing patches.
B. Perform root cause analysis for all detected vulnerabilities.
C. Remediate all vulnerabilities with descending CVSS score order.
D. Temporarily shut down unnecessary services until patch deployment ends.

Correct Answer: B

QUESTION 108
An engineer received an incident ticket of a malware outbreak and used antivirus and malware removal tools to eradicate the threat. The engineer notices that abnormal processes are still occurring in the system and
determines that manual intervention is needed to clean the infected host and restore functionality. What is the next step the engineer should take to complete this playbook step?

A. Scan the network to identify unknown assets and the asset owners.
B. Analyze the components of the infected hosts and associated business services.
C. Scan the host with updated signatures and remove temporary containment.
D. Analyze the impact of the malware and contain the artifacts.

Correct Answer: B

QUESTION 109
The SIEM tool informs a SOC team of a suspicious file. The team initializes the analysis with an automated sandbox tool, sets up a controlled laboratory to examine the malware specimen, and proceeds with behavioral
analysis. What is the next step in the malware analysis process? Ebay: BestExamPractice
• A. Perform static and dynamic code analysis of the specimen.
• B. Unpack the specimen and perform memory forensics.
• C. Contain the subnet in which the suspicious file was found.
• D. Document findings and clean-up the laboratory.

Correct Answer: B

QUESTION 110
A logistic company must use an outdated application located in a private VLAN during the migration to new technologies. The IPS blocked and reported an unencrypted communication. Which tuning option should be
applied to IPS?

A. Allow list only authorized hosts to contact the application's IP at a specific port.
B. Allow list HTTP traffic through the corporate VLANS.
C. Allow list traffic to application's IP from the internal network at a specific port.
D. Allow list only authorized hosts to contact the application's VLAN.

Correct Answer: D

QUESTION 111
A company recently started accepting credit card payments in their local warehouses and is undergoing a PCI audit. Based on business requirements, the company needs to store sensitive authentication data for 45 days. How must data be stored for compliance?

A. post-authorization by non-issuing entities if there is a documented business justification
B. by entities that issue the payment cards or that perform support issuing services
C. post-authorization by non-issuing entities if the data is encrypted and securely stored
D. by issuers and issuer processors if there is a legitimate reason

Correct Answer: C

QUESTION 112
A security engineer discovers that a spreadsheet containing confidential information for nine of their employees was fraudulently posted on a competitor's website.
The spreadsheet contains names, salaries, and social security numbers. What is the next step the engineer should take in this investigation?

A. Determine if there is internal knowledge of this incident.
B. Check incoming and outgoing communications to identify spoofed emails.
C. Disconnect the network from Internet access to stop the phishing threats and regain control.
D. Engage the legal department to explore action against the competitor that posted the spreadsheet.

Correct Answer: D

QUESTION 113
An engineer notices that every Sunday night, there is a two-hour period with a large load of network activity. Upon further investigation, the engineer finds that the activity is from locations around the globe outside the
organization's service area. What are the next steps the engineer must take?

A. Assign the issue to the incident handling provider because no suspicious activity has been observed during business hours.
B. Review the SIEM and FirePower logs, block all traffic, and document the results of calling the call center.
C. Define the access points using StealthWatch or SIEM logs, understand services being offered during the hours in question, and cross-correlate other source events.
D. Treat it as a false positive, and accept the SIEM issue as valid to avoid alerts from triggering on weekends.

Correct Answer: A

QUESTION 114
An organization had an incident with the network availability during which devices unexpectedly malfunctioned. An engineer is investigating the incident and found that the memory pool buffer usage reached a peak
before the malfunction. Which action should the engineer take to prevent this issue from reoccurring?

A. Disable memory limit.
B. Disable CPU threshold trap toward the SNMP server.
C. Enable memory tracing notifications.
D. Enable memory threshold notifications.

Correct Answer: D

QUESTION 115
A SOC analyst detected a ransomware outbreak in the organization coming from a malicious email attachment. Affected parties are notified, and the incident response team is assigned to the case. According to the NIST incident response handbook, what is the next step in handling the incident?

A. Create a follow-up report based on the incident documentation.
B. Perform a vulnerability assessment to find existing vulnerabilities.
C. Eradicate malicious software from the infected machines.
D. Collect evidence and maintain a chain-of-custody during further analysis.

Correct Answer: D

QUESTION 116
A security manager received an email from an anomaly detection service that one of their contractors has downloaded 50 documents from the company's confidential document management folder using a company-owned asset al039-ice-4ce687TL0500. A security manager reviewed the content of downloaded documents and noticed that the data affected is from different departments. What are the actions a security manager should take?

A. Measure confidentiality level of downloaded documents.
B. Report to the incident response team.
C. Escalate to contractor's manager.
D. Communicate with the contractor to identify the motives.

Correct Answer: B

QUESTION 117
An engineer detects an intrusion event inside an organization's network and becomes aware that files that contain personal data have been accessed. Which action must be taken to contain this attack?

A. Disconnect the affected server from the network.
B. Analyze the source.
C. Access the affected server to confirm compromised files are encrypted.
D. Determine the attack surface.

Correct Answer: C

QUESTION 118

The network operations center has identified malware, created a ticket within their ticketing system, and assigned the case to the SOC with high-level information.
A SOC analyst was able to stop the malware from spreading and identified the attacking host. What is the next step in the incident response workflow?

A. eradication and recovery
B. post-incident activity
C. containment
D. detection and analysis

Correct Answer: A

QUESTION 119
A SOC engineer discovers that the organization had three DDoS attacks overnight. Four servers are reported offline, even though the hardware seems to be working as expected. One of the offline servers is affecting the pay system reporting times. Three employees, including executive management, have reported ransomware on their laptops. Which steps help the engineer understand a comprehensive overview of the incident?

A. Run and evaluate a full packet capture on the workloads, review SIEM logs, and define a root cause.
B. Run and evaluate a full packet capture on the workloads, review SIEM logs, and plan mitigation steps.
C. Check SOAR to learn what the security systems are reporting about the overnight events, research the attacks, and plan mitigation steps.
D. Check SOAR to know what the security systems are reporting about the overnight events, review the threat vectors, and define a root cause.

Correct Answer: D

QUESTION 120
Which action should be taken when the HTTP response code 301 is received from a web application?

A. Update the cached header metadata.
B. Confirm the resource's location.
C. Increase the allowed user limit.
D. Modify the session timeout setting.

Correct Answer: A

QUESTION 121
Employees receive an email from an executive within the organization that summarizes a recent security breach and requests that employees verify their credentials through a provided link. Several employees report the email as suspicious, and a security analyst is investigating the reports. Which two steps should the analyst take to begin this investigation? (Choose two.)

A. Evaluate the intrusion detection system alerts to determine the threat source and attack surface.
B. Communicate with employees to determine who opened the link and isolate the affected assets.
C. Examine the firewall and HIPS configuration to identify the exploited vulnerabilities and apply recommended mitigation.
D. Review the mail server and proxy logs to identify the impact of a potential breach.
E. Check the email header to identify the sender and analyze the link in an isolated environment.

Correct Answer: CE

QUESTION 122
A SOC team is investigating a recent, targeted social engineering attack on multiple employees. Cross-correlated log analysis revealed that two hours before the attack, multiple assets received requests on TCP port 79. Which action should be taken by the SOC team to mitigate this attack?

A. Disable BIND forwarding from the DNS server to avoid reconnaissance.
B. Disable affected assets and isolate them for further investigation.
C. Configure affected devices to disable NETRJS protocol.
D. Configure affected devices to disable the Finger service.

Correct Answer: D

QUESTION 123
What is idempotence?

A. the assurance of system uniformity throughout the whole delivery process
B. the ability to recover from failures while keeping critical services running
C. the necessity of setting maintenance of individual deployment environments
D. the ability to set the target environment configuration regardless of the starting state

Correct Answer: A

Pr
QUESTION 124
A security architect in an automotive factory is working on the Cyber Security Management System and is implementing procedures and creating policies to prevent attacks. Which standard must the architect apply?

A. IEC62446
B. IEC62443
C. IEC62439-3
D. IEC62439-2

Correct Answer: B

QUESTION 125
An organization suffered a security breach in which the attacker exploited a Netlogon Remote Protocol vulnerability for further privilege escalation. Which two actions should the incident response team take to prevent
this type of attack from reoccurring? (Choose two.)

A. Implement a patch management process.
B. Scan the company server files for known viruses.
C. Apply existing patches to the company servers.
D. Automate antivirus scans of the company servers.
E. Define roles and responsibilities in the incident response playbook.

Correct Answer: DE

QUESTION 126

Refer to the exhibit. Two types of clients are accessing the front ends and the core database that manages transactions, access control, and atomicity. What is the threat model for the SQL database?

A. An attacker can initiate a DoS attack.
B. An attacker can read or change data.
C. An attacker can transfer data to an external server.
D. An attacker can modify the access logs.

Correct Answer: A


QUESTION 127
Which bash command will print all lines from the `colors.txt` file containing the case-insensitive pattern `Yellow`?

A. grep -i "yellow" colors.txt
B. locate "yellow" colors.txt
C. locate -i "Yellow" colors.txt
D. grep "Yellow" colors.txt

Correct Answer: A

QUESTION 128
An engineer received multiple reports from users trying to access a company website and instead of landing on the website, they are redirected to a malicious website that asks them to fill in sensitive personal data.
Which type of attack is occurring?

A. Address Resolution Protocol poisoning
B. session hijacking attack
C. teardrop attack
D. Domain Name System poisoning

Correct Answer: D

QUESTION 129

e
t ic
ac
Pr
Refer to the exhibit. An engineer is performing static analysis of a file received and reported by a user. Which risk is indicated in this STIX?

am
• A. The file is redirecting users to a website that requests privilege escalations from the user.
• B. The file is redirecting users to the website that is downloading ransomware to encrypt files.
• C. The file is redirecting users to a website that harvests cookies and stored account information.
• D. The file is redirecting users to a website that is determining users‫ג‬€™ geographic location.

x
tE
Correct Answer: D

QUESTION 130
A SOC team receives multiple alerts from a rule that detects requests to malicious URLs and informs the incident response team to block the malicious URLs requested on the firewall. Which action will improve the effectiveness of the process?

• A. Block local to remote HTTP/HTTPS requests on the firewall for users who triggered the rule.
• B. Inform the user by enabling an automated email response when the rule is triggered.
• C. Inform the incident response team by enabling an automated email response when the rule is triggered.
• D. Create an automation script for blocking URLs on the firewall when the rule is triggered.

Correct Answer: A

QUESTION 131
A cloud engineer needs a solution to deploy applications on a cloud without being able to manage and control the server OS. Which type of cloud environment should be used?

• A. IaaS
• B. PaaS
• C. DaaS
• D. SaaS

Correct Answer: A

QUESTION 132
Engineers are working to document, list, and discover all used applications within an organization. During the regular assessment of applications from the HR backup server, an engineer discovered an unknown application. The analysis showed that the application is communicating with external addresses on a non-secure, unencrypted channel. Information gathering revealed that the unknown application does not have an owner and is not being used by a business unit. What are the next two steps the engineers should take in this investigation? (Choose two.)

• A. Determine the type of data stored on the affected asset, document the access logs, and engage the incident response team.
• B. Identify who installed the application by reviewing the logs and gather a user access log from the HR department.
• C. Verify user credentials on the affected asset, modify passwords, and confirm available patches and updates are installed.
• D. Initiate a triage meeting with department leads to determine if the application is owned internally or used by any business unit and document the asset owner.

Correct Answer: AD

QUESTION 133
A security incident affected an organization's critical business services, and the customer-side web API became unresponsive and crashed. An investigation revealed a spike of API call requests and a high number of inactive sessions during the incident. Which two recommendations should the engineers make to prevent similar incidents in the future? (Choose two.)

• A. Configure shorter timeout periods.
• B. Determine API rate-limiting requirements.
• C. Implement API key maintenance.
• D. Automate server-side error reporting for customers.
• E. Decrease simultaneous API responses.

Correct Answer: BD

QUESTION 134
What is the impact of hardening machine images for deployment?

• A. reduces the attack surface
• B. increases the speed of patch deployment
• C. reduces the steps needed to mitigate threats
• D. increases the availability of threat alerts

Correct Answer: A

QUESTION 135
What is the difference between process orchestration and automation?

• A. Orchestration combines a set of automated tools, while automation is focused on the tools to automate process flows.
• B. Orchestration arranges the tasks, while automation arranges processes.
• C. Orchestration minimizes redundancies, while automation decreases the time to recover from redundancies.
• D. Automation optimizes the individual tasks to execute the process, while orchestration optimizes frequent and repeatable processes.

Correct Answer: A

QUESTION 136
An analyst received multiple alerts on the SIEM console of users that are navigating to malicious URLs. The analyst needs to automate the task of receiving alerts and processing the data for further investigations.
Three variables are available from the SIEM console to include in an automation script: console_ip, api_token, and reference_set_name. What must be added to this script to receive a successful HTTP response?
#!/usr/bin/python
import sys
import requests

• A. {1}, {2}
• B. {1}, {3}
• C. console_ip, api_token
• D. console_ip, reference_set_name

Correct Answer: C

QUESTION 137

After a recent malware incident, the forensic investigator is gathering details to identify the breach and causes. The investigator has isolated the affected workstation. What is the next step that should be taken in this investigation?

• A. Analyze the applications and services running on the affected workstation.
• B. Compare workstation configuration and asset configuration policy to identify gaps.
• C. Inspect registry entries for recently executed files.
• D. Review audit logs for privilege escalation events.

Correct Answer: C

QUESTION 138

Refer to the exhibit. Where are the browser page rendering permissions displayed?

• A. X-Frame-Options
• B. X-XSS-Protection
• C. Content-Type
• D. Cache-Control

Correct Answer: C

QUESTION 139

Refer to the exhibit. Rapid Threat Containment using Cisco Secure Network Analytics (Stealthwatch) and ISE detects the threat of malware-infected 802.1x authenticated endpoints and places that endpoint into a quarantine VLAN using Adaptive Network Control policy. Which method was used to signal ISE to quarantine the endpoints?

• A. SNMP
• B. syslog
• C. REST API
• D. pxGrid

Correct Answer: C

QUESTION 140

Which artifact is used to uniquely identify a detected file?

A. file timestamp
B. file extension
C. file size
D. file hash

Correct Answer: D

QUESTION 141
Which regular expression matches "color" and "colour"?

A. colo?ur
B. col[0-8]+our
C. colou?r
D. col[0-9]+our

Correct Answer: C

QUESTION 142
A user received a malicious attachment but did not run it. Which category classifies the intrusion?

A. weaponization
B. reconnaissance
C. installation
D. delivery

Correct Answer: D

QUESTION 143
Which process is used when IPS events are removed to improve data integrity?

A. data availability
B. data normalization
C. data signature
D. data protection

Correct Answer: B

QUESTION 144
An investigator is examining a copy of an ISO file that is stored in CDFS format.

What type of evidence is this file?

A. data from a CD copied using Mac-based system
B. data from a CD copied using Linux system
C. data from a DVD copied using Windows system
D. data from a CD copied using Windows

Correct Answer: B

QUESTION 145
Which piece of information is needed for attribution in an investigation?

A. proxy logs showing the source RFC 1918 IP addresses
B. RDP allowed from the Internet
C. known threat actor behavior
D. 802.1x RADIUS authentication pass and fail logs

Correct Answer: C

QUESTION 146

Refer to the exhibit. In which Linux log file is this output found?

A. /var/log/authorization.log
B. /var/log/dmesg
C. var/log/var.log
D. /var/log/auth.log

Correct Answer: D

QUESTION 147
What is the difference between the ACK flag and the RST flag in the NetFlow log session?

A. The RST flag confirms the beginning of the TCP connection, and the ACK flag responds when the data for the payload is complete
B. The ACK flag confirms the beginning of the TCP connection, and the RST flag responds when the data for the payload is complete
C. The RST flag confirms the receipt of the prior segment, and the ACK flag allows for the spontaneous termination of a connection
D. The ACK flag confirms the receipt of the prior segment, and the RST flag allows for the spontaneous termination of a connection

Correct Answer: D

QUESTION 148
An analyst is investigating an incident in a SOC environment. Which method is used to identify a session from a group of logs?

A. sequence numbers
B. IP identifier
C. 5-tuple
D. timestamps

Correct Answer: C

QUESTION 149

Refer to the exhibit. Which type of log is displayed?

A. proxy
B. NetFlow
C. IDS
D. sys

Correct Answer: B

QUESTION 150
What should a security analyst consider when comparing inline traffic interrogation with traffic tapping to determine which approach to use in the network?

A. Tapping interrogation replicates signals to a separate port for analyzing traffic
B. Tapping interrogations detect and block malicious traffic
C. Inline interrogation enables viewing a copy of traffic to ensure traffic is in compliance with security policies
D. Inline interrogation detects malicious traffic but does not block the traffic

Correct Answer: A

QUESTION 151
Which two components reduce the attack surface on an endpoint? (Choose two.)

A. secure boot
B. load balancing
C. increased audit log levels
D. restricting USB ports
E. full packet captures at the endpoint

Correct Answer: AD

QUESTION 152
An analyst discovers that a legitimate security alert has been dismissed. Which signature caused this impact on network traffic?

A. true negative
B. false negative
C. false positive
D. true positive

Correct Answer: B

QUESTION 153

DRAG DROP

Drag and drop the security concept on the left onto the example of that concept on the right.

Select and Place:

Correct Answer:

QUESTION 154
Which event artifact is used to identify HTTP GET requests for a specific file?

A. destination IP address
B. TCP ACK
C. HTTP status code
D. URI

Correct Answer: D

QUESTION 155
Which security principle requires that more than one person perform a critical task?

A. least privilege
B. need to know
C. separation of duties
D. due diligence

Correct Answer: C

QUESTION 156
What are two differences in how tampered and untampered disk images affect a security incident? (Choose two.)

A. Untampered images are used in the security investigation process
B. Tampered images are used in the security investigation process
C. The image is tampered if the stored hash and the computed hash match
D. Tampered images are used in the incident recovery process
E. The image is untampered if the stored hash and the computed hash match

Correct Answer: BE

QUESTION 157
What makes HTTPS traffic difficult to monitor?

A. SSL interception
B. packet header size
C. signature detection time
D. encryption

Correct Answer: D

QUESTION 158
DRAG DROP

Refer to the exhibit. Drag and drop the element name from the left onto the correct piece of the PCAP file on the right.

Select and Place:

Correct Answer:

QUESTION 159

An analyst is investigating a host in the network that appears to be communicating to a command and control server on the Internet. After collecting this packet capture, the analyst cannot determine the technique and payload used for the communication.

Which obfuscation technique is the attacker using?

A. Base64 encoding
B. transport layer security encryption
C. SHA-256 hashing
D. ROT13 encryption

Correct Answer: B

QUESTION 160

While viewing packet capture data, an analyst sees that one IP is sending and receiving traffic for multiple devices by modifying the IP header.

Which technology makes this behavior possible?

A. encapsulation
B. TOR
C. tunneling
D. NAT

Correct Answer: D

QUESTION 161
How does an attacker observe network traffic exchanged between two users?

A. port scanning
B. man-in-the-middle
C. command injection
D. denial of service

Correct Answer: B

QUESTION 162

Refer to the exhibit. Which event is occurring?

A. A binary named "submit" is running on VM cuckoo1.
B. A binary is being submitted to run on VM cuckoo1
C. A binary on VM cuckoo1 is being submitted for evaluation
D. A URL is being evaluated to see if it has a malicious binary

Correct Answer: C

QUESTION 163
What is a benefit of agent-based protection when compared to agentless protection?

A. It lowers maintenance costs
B. It provides a centralized platform
C. It collects and detects all traffic locally
D. It manages numerous devices simultaneously

Correct Answer: B

QUESTION 164
Which principle is being followed when an analyst gathers information relevant to a security incident to determine the appropriate course of action?

A. decision making
B. rapid response
C. data mining
D. due diligence

Correct Answer: A

QUESTION 165
An engineer runs a suspicious file in a sandbox analysis tool to see the outcome. The analysis report shows that outbound callouts were made post infection.

Which two pieces of information from the analysis report are needed to investigate the callouts? (Choose two.)

A. signatures
B. host IP addresses
C. file size
D. dropped files
E. domain names

Correct Answer: BE

QUESTION 166
An analyst is exploring the functionality of different operating systems. What is a feature of Windows Management Instrumentation that must be considered when deciding on an operating system?

A. queries Linux devices that have Microsoft Services for Linux installed
B. deploys Windows Operating Systems in an automated fashion
C. is an efficient tool for working with Active Directory
D. has a Common Information Model, which describes installed hardware and software

Correct Answer: D

QUESTION 167
One of the objectives of information security is to protect the CIA of information and systems. What does CIA mean in this context?

A. confidentiality, identity, and authorization
B. confidentiality, integrity, and authorization
C. confidentiality, identity, and availability
D. confidentiality, integrity, and availability

Correct Answer: D

QUESTION 168
What is rule-based detection when compared to statistical detection?

A. proof of a user's identity
B. proof of a user's action
C. likelihood of user's action
D. falsification of a user's identity

Correct Answer: B

QUESTION 169
What is personally identifiable information that must be safeguarded from unauthorized access?

A. date of birth
B. driver's license number
C. gender
D. zip code

Correct Answer: B

QUESTION 170
What does cyber attribution identify in an investigation?

A. cause of an attack
B. exploit of an attack
C. vulnerabilities exploited
D. threat actors of an attack

Correct Answer: D

QUESTION 171
Which type of data consists of connection level, application-specific records generated from network traffic?

A. transaction data
B. location data
C. statistical data
D. alert data

Correct Answer: A

QUESTION 172
How does an SSL certificate impact security between the client and the server?

A. by enabling an authenticated channel between the client and the server
B. by creating an integrated channel between the client and the server
C. by enabling an authorized channel between the client and the server
D. by creating an encrypted channel between the client and the server

Correct Answer: D

QUESTION 173
Which open-sourced packet capture tool uses Linux and Mac OS X operating systems?

A. NetScout
B. tcpdump
C. SolarWinds
D. netsh

Correct Answer: B

QUESTION 174
DRAG DROP

Drag and drop the access control models from the left onto the correct descriptions on the right.

Select and Place:

Correct Answer:

QUESTION 175
An organization has recently adjusted its security stance in response to online threats made by a known hacktivist group. What is the initial event called in the NIST SP800-61?

A. online assault
B. precursor
C. trigger
D. instigator

Correct Answer: B

QUESTION 176
What is an attack surface as compared to a vulnerability?

A. any potential danger to an asset
B. the sum of all paths for data into and out of the application
C. an exploitable weakness in a system or its design
D. the individuals who perform an attack

Correct Answer: B

QUESTION 177
What is a difference between SOAR and SIEM?

A. SOAR platforms are used for threat and vulnerability management, but SIEM applications are not
B. SIEM applications are used for threat and vulnerability management, but SOAR platforms are not
C. SOAR receives information from a single platform and delivers it to a SIEM
D. SIEM receives information from a single platform and delivers it to a SOAR

Correct Answer: A

QUESTION 178

Refer to the exhibit. Which application protocol is in this PCAP file?

A. SSH
B. TCP
C. TLS
D. HTTP

Correct Answer: B

QUESTION 179

Refer to the exhibit. What is the expected result when the "Allow subdissector to reassemble TCP streams" feature is enabled?

A. insert TCP subdissectors
B. extract a file from a packet capture
C. disable TCP streams
D. unfragment TCP

Correct Answer: D

QUESTION 180
When communicating via TLS, the client initiates the handshake to the server and the server responds back with its certificate for identification.

Which information is available on the server certificate?

A. server name, trusted subordinate CA, and private key
B. trusted subordinate CA, public key, and cipher suites
C. trusted CA name, cipher suites, and private key
D. server name, trusted CA, and public key

Correct Answer: D

QUESTION 181
During which phase of the forensic process is data that is related to a specific event labeled and recorded to preserve its integrity?

A. examination
B. investigation
C. collection
D. reporting

Correct Answer: C

QUESTION 182
Which NIST IR category stakeholder is responsible for coordinating incident response among various business units, minimizing damage, and reporting to regulatory agencies?

A. CSIRT
B. PSIRT
C. public affairs
D. management

Correct Answer: D

QUESTION 183
An engineer receives a security alert that traffic with a known TOR exit node has occurred on the network. What is the impact of this traffic?

A. ransomware communicating after infection
B. users downloading copyrighted content
C. data exfiltration
D. user circumvention of the firewall

Correct Answer: D

QUESTION 184
How is attacking a vulnerability categorized?

A. action on objectives
B. delivery
C. exploitation
D. installation

Correct Answer: C

QUESTION 185
A system administrator is ensuring that specific registry information is accurate. Which type of configuration information does the HKEY_LOCAL_MACHINE hive contain?

A. file extension associations
B. hardware, software, and security settings for the system
C. currently logged in users, including folders and control panel settings
D. all users on the system, including visual settings

Correct Answer: B

QUESTION 186
What is the difference between statistical detection and rule-based detection models?

A. Rule-based detection involves the collection of data in relation to the behavior of legitimate users over a period of time
B. Statistical detection defines legitimate data of users over a period of time and rule-based detection defines it on an IF/THEN basis
C. Statistical detection involves the evaluation of an object on its intended actions before it executes that behavior
D. Rule-based detection defines legitimate data of users over a period of time and statistical detection defines it on an IF/THEN basis

Correct Answer: B

QUESTION 187
Which step in the incident response process researches an attacking host through logs in a SIEM?

A. detection and analysis
B. preparation
C. eradication
D. containment

Correct Answer: A

QUESTION 188
What is the difference between a threat and a risk?

A. Threat represents a potential danger that could take advantage of a weakness in a system
B. Risk represents the known and identified loss or danger in the system
C. Risk represents the nonintentional interaction with uncertainty in the system
D. Threat represents a state of being exposed to an attack or a compromise either physically or logically

Correct Answer: A

QUESTION 189
Which signature impacts network traffic by causing legitimate traffic to be blocked?

A. false negative
B. true positive
C. true negative
D. false positive

Correct Answer: D

QUESTION 190
Which attack is the network vulnerable to when a stream cipher like RC4 is used twice with the same key?

A. forgery attack
B. plaintext-only attack
C. ciphertext-only attack
D. meet-in-the-middle attack

Correct Answer: C

QUESTION 191
What causes events on a Windows system to show Event Code 4625 in the log messages?

A. The system detected an XSS attack
B. Someone is trying a brute force attack on the network
C. Another device is gaining root access to the system
D. A privileged user successfully logged into the system

Correct Answer: B

QUESTION 192
Which evasion technique is indicated when an intrusion detection system begins receiving an abnormally high volume of scanning from numerous sources?

A. resource exhaustion
B. tunneling
C. traffic fragmentation
D. timing attack

Correct Answer: A

QUESTION 193

Refer to the exhibit. What does the message indicate?

A. an access attempt was made from the Mosaic web browser
B. a successful access attempt was made to retrieve the password file
C. a successful access attempt was made to retrieve the root of the website
D. a denied access attempt was made to retrieve the password file

Correct Answer: C

QUESTION 194
What are two social engineering techniques? (Choose two.)

A. privilege escalation
B. DDoS attack
C. phishing
D. man-in-the-middle
E. pharming

Correct Answer: CE

QUESTION 195

Refer to the exhibit. What does the output indicate about the server with the IP address 172.18.104.139?

A. open ports of a web server
B. open port of an FTP server
C. open ports of an email server
D. running processes of the server

Correct Answer: C

QUESTION 196

Refer to the exhibit. This request was sent to a web application server driven by a database.

Which type of web server attack is represented?

A. parameter manipulation
B. heap memory corruption
C. command injection
D. blind SQL injection

Correct Answer: D

QUESTION 197
What is the difference between mandatory access control (MAC) and discretionary access control (DAC)?

A. MAC is controlled by the discretion of the owner and DAC is controlled by an administrator
B. MAC is the strictest of all levels of control and DAC is object-based access
C. DAC is controlled by the operating system and MAC is controlled by an administrator
D. DAC is the strictest of all levels of control and MAC is object-based access

Correct Answer: B

QUESTION 198
A SOC analyst is investigating an incident that involves a Linux system that is identifying specific sessions. Which identifier tracks an active program?

A. application identification number
B. active process identification number
C. runtime identification number
D. process identification number

Correct Answer: D

QUESTION 199
A malicious file has been identified in a sandbox analysis tool. Which piece of information is needed to search for additional downloads of this file by other hosts?

A. file type
B. file size
C. file name
D. file hash value

Correct Answer: D

QUESTION 200
Which two elements of the incident response process are stated in NIST Special Publication 800-61 r2? (Choose two.)

A. detection and analysis
B. post-incident activity
C. vulnerability management
D. risk assessment
E. vulnerability scoring

Correct Answer: AB

QUESTION 201
Which two elements are used for profiling a network? (Choose two.)

A. session duration
B. total throughput
C. running processes
D. listening ports
E. OS fingerprint

Correct Answer: DE

QUESTION 202
What does an attacker use to determine which network ports are listening on a potential target device?

A. man-in-the-middle
B. port scanning
C. SQL injection
D. ping sweep

Correct Answer: B

QUESTION 203
What is a purpose of a vulnerability management framework?

A. identifies, removes, and mitigates system vulnerabilities
B. detects and removes vulnerabilities in source code
C. conducts vulnerability scans on the network
D. manages a list of reported vulnerabilities

Correct Answer: A

QUESTION 204

Refer to the exhibit. Which kind of attack method is depicted in this string?

A. cross-site scripting
B. man-in-the-middle
C. SQL injection
D. denial of service

Correct Answer: A

QUESTION 205

Refer to the exhibit. Which packet contains a file that is extractable within Wireshark?

A. 2317
B. 1986
C. 2318
D. 2542

Correct Answer: D

QUESTION 206
How does a certificate authority impact a security system?

A. It authenticates client identity when requesting SSL certificate
B. It validates domain identity of a SSL certificate
C. It authenticates domain identity when requesting SSL certificate
D. It validates client identity when communicating with the server

Correct Answer: B

QUESTION 207
How is NetFlow different than traffic mirroring?

A. NetFlow collects metadata and traffic mirroring clones data
B. Traffic mirroring impacts switch performance and NetFlow does not
C. Traffic mirroring costs less to operate than NetFlow
D. NetFlow generates more data than traffic mirroring

Correct Answer: A

QUESTION 208
What is the practice of giving employees only those permissions necessary to perform their specific role within an organization?

A. least privilege
B. need to know
C. integrity validation
D. due diligence

Correct Answer: A

QUESTION 209
Which type of data collection requires the largest amount of storage space?

A. alert data
B. transaction data
C. session data
D. full packet capture

Correct Answer: D

QUESTION 210
Which HTTP header field is used in forensics to identify the type of browser used?

A. referrer
B. host
C. user-agent
D. accept-language

Correct Answer: C

QUESTION 211

Refer to the exhibit. What is the potential threat identified in this Stealthwatch dashboard?

A. Host 10.201.3.149 is sending data to 152.46.6.91 using TCP/443.
B. Host 152.46.6.91 is being identified as a watchlist country for data transfer.
C. Traffic to 152.46.6.149 is being denied by an Advanced Network Control policy.
D. Host 10.201.3.149 is receiving almost 19 times more data than is being sent to host 152.46.6.91.

Correct Answer: D

QUESTION 212
A security engineer deploys an enterprise-wide host/endpoint technology for all of the company's corporate PCs. Management requests the engineer to block a selected set of applications on all PCs.

Which technology should be used to accomplish this task?

A. application whitelisting/blacklisting
B. network NGFW
C. host-based IDS
D. antivirus/antispyware software

Correct Answer: A

QUESTION 213
What is the virtual address space for a Windows process?

A. physical location of an object in memory
B. set of pages that reside in the physical memory
C. system-level memory protection feature built into the operating system
D. set of virtual memory addresses that can be used

Correct Answer: D

QUESTION 214
Which two pieces of information are collected from the IPv4 protocol header? (Choose two.)

A. UDP port to which the traffic is destined
B. TCP port from which the traffic was sourced
C. source IP address of the packet
D. destination IP address of the packet
E. UDP port from which the traffic is sourced

Correct Answer: CD

QUESTION 215
In a SOC environment, what is a vulnerability management metric?

A. code signing enforcement
B. full assets scan
C. internet exposed devices
D. single factor authentication

Correct Answer: C

QUESTION 216
Which category relates to improper use or disclosure of PII data?

A. legal
B. compliance
C. regulated
D. contractual

Correct Answer: C

QUESTION 217
Which regex matches only on all lowercase letters?

A. [a-z]+
B. [^a-z]+
C. a-z+
D. a*z+

Correct Answer: A

QUESTION 218
Which list identifies the information that the client sends to the server in the negotiation phase of the TLS handshake?

A. ClientStart, ClientKeyExchange, cipher-suites it supports, and suggested compression methods
B. ClientStart, TLS versions it supports, cipher-suites it supports, and suggested compression methods
C. ClientHello, TLS versions it supports, cipher-suites it supports, and suggested compression methods
D. ClientHello, ClientKeyExchange, cipher-suites it supports, and suggested compression methods

Correct Answer: C

QUESTION 219
Which evasion technique is a function of ransomware?

A. extended sleep calls
B. encryption
C. resource exhaustion
D. encoding

Correct Answer: B

QUESTION 220
Which security technology allows only a set of pre-approved applications to run on a system?

A. application-level blacklisting
B. host-based IPS
C. application-level whitelisting
D. antivirus

Correct Answer: C

QUESTION 221

Refer to the exhibit. Which type of log is displayed?

A. IDS
B. proxy
C. NetFlow
D. sys

Correct Answer: D

QUESTION 222

Refer to the exhibit. Which two elements in the table are parts of the 5-tuple? (Choose two.)

A. First Packet
B. Initiator User
C. Ingress Security Zone
D. Source Port
E. Initiator IP

Correct Answer: DE

QUESTION 223
Which security principle is violated by running all processes as root or administrator?

A. principle of least privilege
B. role-based access control
C. separation of duties
D. trusted computing base

Correct Answer: A

QUESTION 224
What is the function of a command and control server?

A. It enumerates open ports on a network device
B. It drops secondary payload into malware
C. It is used to regain control of the network after a compromise
D. It sends instruction to a compromised system

Correct Answer: D

QUESTION 225
What is the difference between deep packet inspection and stateful inspection?

A. Deep packet inspection is more secure than stateful inspection on Layer 4
B. Stateful inspection verifies contents at Layer 4 and deep packet inspection verifies connection at Layer 7
C. Stateful inspection is more secure than deep packet inspection on Layer 7
D. Deep packet inspection allows visibility on Layer 7 and stateful inspection allows visibility on Layer 4

Correct Answer: D

QUESTION 226
What is a difference between inline traffic interrogation and traffic mirroring?

A. Inline inspection acts on the original traffic data flow
B. Traffic mirroring passes live traffic to a tool for blocking
C. Traffic mirroring inspects live traffic for analysis and mitigation
D. Inline traffic copies packets for analysis and security

Correct Answer: B

es
QUESTION 227
DRAG DROP

Drag and drop the technology on the left onto the data type the technology provides on the right.

Select and Place:

Correct Answer:

QUESTION 228
Which type of evidence supports a theory or an assumption that results from initial evidence?

A. probabilistic
B. indirect
C. best
D. corroborative

Correct Answer: D

QUESTION 229
Which two elements are assets in the role of attribution in an investigation? (Choose two.)

A. context
B. session
C. laptop
D. firewall logs
E. threat actor

Correct Answer: AE

QUESTION 230

At which layer is deep packet inspection investigated on a firewall?

A. internet
B. transport
C. application
D. data link

Correct Answer: C

QUESTION 231

An offline audit log contains the source IP address of a session suspected to have exploited a vulnerability resulting in system compromise.

Which kind of evidence is this IP address?

A. best evidence
B. corroborative evidence
C. indirect evidence
D. forensic evidence

Correct Answer: B

QUESTION 232
A security engineer has a video of a suspect entering a data center that was captured on the same day that files in the same data center were transferred to a competitor.

Which type of evidence is this?

A. best evidence
B. prima facie evidence
C. indirect evidence
D. physical evidence

Correct Answer: C

QUESTION 233

Which attack method intercepts traffic on a switched network?

A. denial of service
B. ARP cache poisoning
C. DHCP snooping
D. command and control

Correct Answer: C

QUESTION 234
Which utility blocks a host portscan?

A. HIDS
B. sandboxing
C. host-based firewall
D. antimalware

Correct Answer: C

QUESTION 235
Which event is user interaction?

A. gaining root access
B. executing remote code
C. reading and writing file permission
D. opening a malicious file

Correct Answer: D

QUESTION 236

An intruder attempted malicious activity and exchanged emails with a user and received corporate information, including email distribution lists. The intruder asked the user to engage with a link in an email. When the link launched, it infected machines and the intruder was able to access the corporate network.

Which testing method did the intruder use?

A. social engineering
B. eavesdropping
C. piggybacking
D. tailgating

Correct Answer: A

QUESTION 237

Refer to the exhibit. What information is depicted?

A. IIS data
B. NetFlow data
C. network discovery event
D. IPS event data

Correct Answer: B

QUESTION 238
Which URI string is used to create a policy that takes precedence over other applicable policies that are configured on Cisco Stealthwatch?

A. /tenants/{tenantId}/policy/system/host-policy
B. /tenants/{tenantId}/policy/system/role-policy
C. /tenants/{tenantId}/policy/system
D. /tenants/{tenantId}/policy/system/{policyId}

Correct Answer: A

QUESTION 239
DRAG DROP

Drag and drop the code to complete the curl query to the Cisco Umbrella Investigate API for the Latest Malicious Domains for the IP address 10.10.20.50. Not all options are used.

Select and Place:

Correct Answer:

QUESTION 240

Refer to the exhibit. A Python function named "query" has been developed and the goal is to use it to query the service "com.cisco.ise.session" via Cisco pxGrid 2.0 APIs. How is the function called, if the goal is to identify the sessions that are associated with the IP address 10.0.0.50?

A. query(config, secret, "getSessionByIpAddress/10.0.0.50", "ipAddress")
B. query(config, "10.0.0.50", url, payload)
C. query(config, secret, url, "10.0.0.50")
D. query(config, secret, url, '{"ipAddress": "10.0.0.50"}')

Correct Answer: D

QUESTION 241
Which two API capabilities are available on Cisco Identity Services Engine? (Choose two.)

A. Platform Configuration APIs
B. Monitoring REST APIs
C. Performance Management REST APIs
D. External RESTful Services APIs
E. Internal RESTful Services APIs

Correct Answer: BD

QUESTION 242
DRAG DROP

Refer to the exhibit. A Python function named "query" has been developed, and will be used to query the service "com.cisco.ise.session" via Cisco pxGrid 2.0 APIs. Drag and drop the code to construct a Python call to the "query" function to identify the user groups that are associated with the user "fred". Not all options are used.

Select and Place:

Correct Answer:

QUESTION 243
Which API capability is available on Cisco Firepower devices?

A. Firepower Management Center - Sockets API
B. Firepower Management Center - eStreamer API
C. Firepower Management Center - Camera API
D. Firepower Management Center - Host Output API

Correct Answer: B

QUESTION 244

If the goal is to create an access policy with the default action of blocking traffic, using Cisco Firepower Management Center REST APIs, which snippet is used?

A.

B.

C.

D.

Correct Answer: D

QUESTION 245

Refer to the exhibit. A network operator wants to add a certain IP to a DMZ tag.

Which code segment completes the script and achieves the goal?

A.

B.

C.

D.

Correct Answer: A

QUESTION 246
Which API is designed to give technology partners the ability to send security events from their platform/service/appliance within a mutual customer's environment to the Umbrella cloud for enforcement?

A. Cisco Umbrella Management API
B. Cisco Umbrella Security Events API
C. Cisco Umbrella Enforcement API
D. Cisco Umbrella Reporting API

Correct Answer: C

QUESTION 247
Which two event types can the eStreamer server transmit to the requesting client from a managed device and a management center? (Choose two.)

A. user activity events
B. intrusion events
C. file events
D. intrusion event extra data
E. malware events

Correct Answer: BD

QUESTION 248
A security network engineer must implement intrusion policies using the Cisco Firepower Management Center API.

Which action does the engineer take to achieve the goal?

A. Make a PATCH request to the URI /api/fmc_config/v1/domain/{DOMAIN_UUID}/policy/intrusionpolicies.
B. Make a POST request to the URI /api/fmc_config/v1/domain/{DOMAIN_UUID}/policy/intrusionpolicies.
C. Intrusion policies can be read but not configured using the Cisco Firepower Management Center API.
D. Make a PUT request to the URI /api/fmc_config/v1/domain/{DOMAIN_UUID}/policy/intrusionpolicies.

Correct Answer: C

QUESTION 249
Which curl command lists all tags (host groups) that are associated with a tenant using the Cisco Stealthwatch Enterprise API?

A. curl -X PUT"Cookie:{Cookie Data}"https://{stealthwatch_host}/smc-configuration/rest/v1/tenants/{tenant_id}/tags
B. curl -X POST -H"Cookie:{Cookie Data}"https://{stealthwatch_host}/smc-configuration/rest/v1/tenants/tags
C. curl -X GET -H"Cookie:{Cookie Data}"https://{stealthwatch_host}/smc-configuration/rest/v1/tenants/{tenant_id}/tags
D. curl -X GET -H"Cookie:{Cookie Data}"https://{stealthwatch_host}/smc- configuration/rest/v1/tenants/tags

Correct Answer: C

QUESTION 250
DRAG DROP

Drag and drop the code to complete the curl query to the Umbrella Reporting API that provides a detailed report of blocked security activity events from the organization with an organizationId of "12345678" for the last 24 hours. Not all options are used.

Select and Place:

Correct Answer:

Reference:
https://docs.umbrella.com/umbrella-api/docs/security-activity-report

QUESTION 251
When the URI "/api/fmc_config/v1/domain/e276abec-e0f2-11e3-8169-6d9ed49b625f/policy/accesspolicies" is used to make a POST request, what does "e276abec-e0f2-11e3-8169-6d9ed49b625f" represent?

A. API token
B. domain UUID
C. access policy UUID
D. object UUID

Correct Answer: B

QUESTION 252
Which snippet is used to create an object for network 10.0.69.0/24 using Cisco Firepower Management Center REST APIs?

A.

B.

C.

D.

Correct Answer: A

QUESTION 253

DRAG DROP

Drag and drop the code to complete the curl command to query the Cisco Umbrella Investigate API for the umbrella popularity list. Not all options are used.

Select and Place:

Correct Answer:

QUESTION 254
DRAG DROP

Drag and drop the items to complete the ThreatGRID API call to return a curated feed of sinkholed-ip-dns in stix format. Not all options are used.

Select and Place:

Correct Answer:

QUESTION 255
In Cisco AMP for Endpoints, which API is queried to find the list of endpoints in the group "Finance Hosts," which has a GUID of 6c3c2005-4c74-4ba7-8dbb-c4d5b6bafe03?

A. https://api.amp.cisco.com/v1/endpoints?group[]=6c3c2005-4c74-4ba7-8dbb-c4d5b6bafe03
B. https://api.amp.cisco.com/v1/computers?group_guid[]=6c3c2005-4c74-4ba7-8dbb-c4d5b6bafe03
C. https://api.amp.cisco.com/v1/computers?group_guid-6c3c2005-4c74-4ba7-8dbb-c4d5b6bafe03
D. https://api.amp.cisco.com/v1/endpoints?group-6c3c2005-4c74-4ba7-8dbb-c4d5b6bafe03

Correct Answer: B

QUESTION 256
For which two programming languages does Cisco offer an SDK for Cisco pxGrid 1.0? (Choose two.)

A. Python
B. Perl
C. Java
D. C
E. JavaScript

Correct Answer: CD

QUESTION 257
Which two URI parameters are needed for the Cisco Stealthwatch Top Alarm Host v1 API? (Choose two.)

A. startAbsolute
B. externalGeos
C. tenantId
D. intervalLength
E. tagID

Correct Answer: CE

QUESTION 258

Refer to the exhibit.

Which URL returned the data?

A. https://api.amp.cisco.com/v1/computers
B. https://api.amp.cisco.com/v0/computers
C. https://amp.cisco.com/api/v0/computers
D. https://amp.cisco.com/api/v1/computers

Correct Answer: A

QUESTION 259
After changes are made to the Cisco Firepower Threat Defense configuration using the Cisco Firepower Device Manager API, what must be done to ensure that the new policy is activated?

A. Submit a POST to the /api/fdm/latest/operational/deploy URI.
B. Submit a GET to the /api/fdm/latest/operational/deploy URI.
C. Submit a PUT to the /api/fdm/latest/devicesettings/pushpolicy URI.
D. Submit a POST to the /api/fdm/latest/devicesettings/pushpolicy URI.

Correct Answer: A

QUESTION 260

Refer to the exhibit. The security administrator must temporarily disallow traffic that goes to a production web server using the Cisco FDM REST API. The administrator sends an API query as shown in the exhibit. What is the outcome of that action?

A. The given code does not execute because the mandatory parameters, source, destination, and services are missing.
B. The given code does not execute because it uses the HTTP method "PUT". It should use the HTTP method "POST".
C. The appropriate rule is updated with the source, destination, services, and other fields set to "Any" and the action set to "DENY". Traffic to the production web server is disallowed, as expected.
D. A new rule is created with the source, destination, services, and other fields set to "Any" and the action set to "DENY". Traffic to the production web server is disallowed, as expected.

Correct Answer: C

QUESTION 261

FILL BLANK

Fill in the blank to complete the statement with the correct technology.

Cisco Investigate provides access to data that pertains to DNS security events and correlations collected by the Cisco security team.

Correct Answer: Umbrella

QUESTION 262

Refer to the exhibit. The script outputs too many results when it is queried against the Cisco Umbrella Reporting API. Which two configurations restrict the returned result to only 10 entries? (Choose two.)

A. Add params parameter in the get and assign in the {"return": "10"} value.
B. Add ?limit=10 to the end of the URL string.
C. Add params parameter in the get and assign in the {"limit": "10"} value.
D. Add ?find=10 to the end of the URL string.
E. Add ?return=10 to the end of the URL string.

Correct Answer: BC

QUESTION 263
DRAG DROP

A Python script is being developed to return the top 10 identities in an organization that have made a DNS request to "www.cisco.com". Drag and drop the code to complete the Cisco Umbrella Reporting API query to return the top identities. Not all options are used.

Select and Place:

Correct Answer:

QUESTION 264
Which two destinations are supported by the Cisco Security Management Appliance reporting APIs? (Choose two.)

A. email
B. Microsoft Word file
C. FTP
D. web
E. csv file

Correct Answer: AD

QUESTION 265
What are two capabilities of Cisco Firepower Management Center eStreamer? (Choose two.)

A. eStreamer is used to get sources for intelligence services.
B. eStreamer is used to send malware event data.
C. eStreamer is used to get a list of access control policies.
D. eStreamer is used to send policy data.
E. eStreamer is used to send intrusion event data.

Correct Answer: BE

QUESTION 266

Refer to the exhibit. A security engineer created a script and successfully executed it to retrieve all currently open alerts. Which print command shows the first returned alert?

A. print(response[data][0])
B. print(response[results][0])
C. print(response.json()[data][0])
D. print(response.json()[results][0])

Correct Answer: A

QUESTION 267

Refer to the exhibit. A network operator must create a Python script that makes an API request to Cisco Umbrella to do a pattern search and return all matched URLs with category information.

Which code completes the script?
A. URL = BASE_URL + "/find/exa\[a-z\]ple.com" PARAMS = { "categoryinclude" : "true"}
B. URL = BASE_URL + "/find/exa\[a-z\]ple.com" PARAMS = { "returncategory" : "true"}
C. URL = BASE_URL + "/find/exa\[a-z\]ple.com" PARAMS = { "includeCategory" : "true"}
D. URL = BASE_URL + "/find/exa\[a-z\]ple.com" PARAMS = { "returnCategory" : "true"}

Correct Answer: D

QUESTION 268
Which two statements describe the characteristics of API styles for REST and RPC? (Choose two.)

A. REST-based APIs function in a similar way to procedures.
B. REST-based APIs are used primarily for CRUD operations.
C. REST and RPC API styles are the same.
D. RPC-based APIs function in a similar way to procedures.
E. RPC-based APIs are used primarily for CRUD operations.

Correct Answer: BD

QUESTION 269
What are two benefits of Ansible when managing security platforms? (Choose two.)

A. End users can be identified and tracked across a network.
B. Network performance issues can be identified and automatically remediated.
C. Policies can be updated on multiple devices concurrently, which reduces outage windows.
D. Anomalous network traffic can be detected and correlated.
E. The time that is needed to deploy a change is reduced, compared to manually applying the change.

Correct Answer: CE

QUESTION 270

Refer to the exhibit.

What must be present in a Cisco Web Security Appliance before the script is run?

A. reporting group with the name web_malware_category_malware_name_user_detail
B. data for specified dates
C. reporting group with the name blocked_malware
D. data in the queried category

Correct Answer: A

QUESTION 271

The Cisco Security Management Appliance API is used to make a GET call using the URI /sma/api/v2.0/reporting/mail_incoming_traffic_summary/detected_amp?startDate=2016-09-10T19:00:00.000Z&endDate=2018-0924T23:00:00.000Z&device_type=esa&device_name=esa01.

What does this GET call return?

A. values of all counters of a counter group, with the device group name and device type for web
B. value of a specific counter from a counter group, with the device name and type for email
C. value of a specific counter from a counter group, with the device name and type for web
D. values of all counters of a counter group, with the device group name and device type for email

Correct Answer: D

QUESTION 272
Which two APIs are available from Cisco ThreatGRID? (Choose two.)

A. Access
B. User Scope
C. Data
D. Domains
E. Curated Feeds

Correct Answer: CE

QUESTION 273
DRAG DROP

Drag and drop the code to complete the Cisco Umbrella Investigate WHOIS query that returns a list of domains that are associated with the email address "[email protected]". Not all options are used.

Select and Place:

Correct Answer:

QUESTION 274
Which two commands create a new local source code branch? (Choose two.)

A. git checkout -b new_branch
B. git branch -b new_branch
C. git checkout -f new_branch
D. git branch new_branch
E. git branch -m new_branch

Correct Answer: AD

QUESTION 275
Which header set should be sent with all API calls to the Cisco Stealthwatch Cloud API?

A.

B.

C.

D.

Correct Answer: B

QUESTION 276 Which API is used to query if the domain “example.com” has been flagged as malicious by the Cisco Security Labs team?

A. https://s-platform.api.opendns.com/1.0/events?example.com
B. https://investigate.api.umbrella.com/domains/categorization/example.com
C. https://investigate.api.umbrella.com/domains/volume/example.com
D. https://s-platform.api.opendns.com/1.0/domains?example.com

Correct Answer: B

QUESTION 277
Which snippet describes the way to create a URL object in Cisco FDM using FDM REST APIs with curl?

A.

B.

C.

D.

Correct Answer: B

QUESTION 278
Which request searches for a process window in Cisco ThreatGRID that contains the word “secret”?

A. /api/v2/search/submissions?term=processwindow&title=secret
B. /api/v2/search/submissions?term=processwindow&q=secret
C. /api/v2/search/submissions?term=window&title=secret
D. /api/v2/search/submissions?term=process&q=secret

Correct Answer: D

QUESTION 279
Refer to the exhibit. A network operator wrote a Python script to retrieve events from Cisco AMP.

Against which API gateway must the operator make the request?

A. BASE_URL = “https://api.amp.cisco.com”
B. BASE_URL = “https://amp.cisco.com/api”
C. BASE_URL = “https://amp.cisco.com/api/”
D. BASE_URL = “https://api.amp.cisco.com/”

Correct Answer: A

QUESTION 280
What is the purpose of the snapshot APIs exposed by Cisco Stealthwatch Cloud?

A. Report on flow data during a customizable time period.
B. Operate and return alerts discovered from infrastructure observations.
C. Return current configuration data of Cisco Stealthwatch Cloud infrastructure.
D. Create snapshots of supported Cisco Stealthwatch Cloud infrastructure.

Correct Answer: B

QUESTION 281

DRAG DROP

Drag and drop the items to complete the pxGrid script to retrieve all Adaptive Network Control policies. Assume that username, password, and base URL are correct. Not all options are used.

Select and Place:

Correct Answer:

QUESTION 282

Refer to the exhibit.

What is the purpose of the API represented by this URL?

A. Getting or setting intrusion policies in FMC
B. Creating an intrusion policy in FDM
C. Updating access policies
D. Getting the list of intrusion policies configured in FDM

Correct Answer: D

QUESTION 283
Which query parameter is required when using the reporting API of Cisco Security Management Appliances?

A. device_type
B. query_type
C. filterValue
D. startDate + endDate

Correct Answer: D

QUESTION 284
Which step is required by Cisco pxGrid providers to expose functionality to consumer applications that are written in Python?

A. Look up the existing service using the /pxgrid/control/ServiceLookup endpoint.
B. Register the service using the /pxgrid/control/ServiceRegister endpoint.
C. Configure the service using the /pxgrid/ise/config/profiler endpoint.
D. Expose the service using the /pxgrid/ise/pubsub endpoint.

Correct Answer: D

QUESTION 285

DRAG DROP

Drag and drop the items to complete the curl request to the ThreatGRID API. The API call should request the first 10 IP addresses that ThreatGRID saw samples communicate with during analysis, in the first two hours of January 18th (UTC time), where those communications triggered a Behavior Indicator that had a confidence equal to or higher than 75 and a severity equal to or higher than 95.

Select and Place:

Correct Answer:

QUESTION 286
DRAG DROP

Drag and drop the code to complete the URL for the Cisco AMP for Endpoints API POST request so that it will add a sha256 to a given file_list using file_list_guid.

Select and Place:

Correct Answer:

QUESTION 287

Refer to the exhibit.

Which expression prints the text "802.1x"?

A. print(quiz[0]['choices']['b'])
B. print(quiz['choices']['b'])
C. print(quiz[0]['choices']['b']['802.1x'])
D. print(quiz[0]['question']['choices']['b'])

Correct Answer: A

QUESTION 288

DRAG DROP

Refer to the exhibit.

Drag and drop the elements from the left onto the script on the right that queries Cisco ThreatGRID for indications of compromise.

Select and Place:

Correct Answer:

QUESTION 289
What are two advantages of Python virtual environments? (Choose two.)

A. Virtual environments can move compiled modules between different platforms.
B. Virtual environments permit non-administrative users to install packages.
C. The application code is run in an environment that is destroyed upon exit.
D. Virtual environments allow for stateful high availability.
E. Virtual environments prevent packaging conflicts between multiple Python projects.

Correct Answer: CE

QUESTION 290

Which description of synchronous calls to an API is true?

A. They can be used only within single-threaded processes.
B. They pause execution and wait for the response.
C. They always successfully return within a fixed time.
D. They can be used only for small requests.

Correct Answer: B

QUESTION 291
DRAG DROP

Drag and drop the code to complete the script to search Cisco ThreatGRID and return all public submission records associated with cisco.com. Not all options are used.

Select and Place:

Correct Answer:

QUESTION 292

Refer to the exhibit.

What does the response from the API contain when this code is executed?

A. error message and status code of 403
B. newly created domains in Cisco Umbrella Investigate
C. updated domains in Cisco Umbrella Investigate
D. status and security details for the domains

Correct Answer: D

QUESTION 293

Refer to the exhibit. A security engineer attempts to query the Cisco Security Management appliance to retrieve details of a specific message. What must be added to the script to achieve the desired result?

A. Add message ID information to the URL string as a URI.
B. Run the script and parse through the returned data to find the desired message.
C. Add message ID information to the URL string as a parameter.
D. Add message ID information to the headers.

Correct Answer: C

QUESTION 294
DRAG DROP

Drag and drop the code to complete the API call to query all Cisco Stealthwatch Cloud observations. Not all options are used.

Select and Place:

Correct Answer:

QUESTION 295

Refer to the exhibit. A network operator must generate a daily flow report and learn how to act on or manipulate returned data. When the operator runs the script, it returns an enormous amount of information. Which two actions enable the operator to limit returned data? (Choose two.)

A. Add recordLimit, followed by an integer (key:value) to the flow_data.
B. Add a for loop at the end of the script, and print each key value pair separately.
C. Add flowLimit, followed by an integer (key:value) to the flow_data.
D. Change the startDateTime and endDateTime values to include smaller time intervals.
E. Change the startDate and endDate values to include smaller date intervals.

Correct Answer: AB

QUESTION 296
Which attack is the network vulnerable to when a stream cipher like RC4 is used twice with the same key?

A. forgery attack
B. plaintext-only attack
C. ciphertext-only attack
D. meet-in-the-middle attack

Correct Answer: C

QUESTION 297
What causes events on a Windows system to show Event Code 4625 in the log messages?

A. The system detected an XSS attack
B. Someone is trying a brute force attack on the network
C. Another device is gaining root access to the system
D. A privileged user successfully logged into the system

Correct Answer: B

QUESTION 298

Which evasion technique is indicated when an intrusion detection system begins receiving an abnormally high volume of scanning from numerous sources?

A. resource exhaustion
B. tunneling
C. traffic fragmentation
D. timing attack

Correct Answer: A

QUESTION 299

Refer to the exhibit. What does the message indicate?

A. an access attempt was made from the Mosaic web browser
B. a successful access attempt was made to retrieve the password file
C. a successful access attempt was made to retrieve the root of the website
D. a denied access attempt was made to retrieve the password file

Correct Answer: C

QUESTION 300
An MDM provides which two advantages to an organization with regards to device management? (Choose two.)

A. asset inventory management
B. allowed application management
C. Active Directory group policy management
D. network device management
E. critical device management

Correct Answer: AB

QUESTION 301
Which two capabilities does TAXII support? (Choose two.)

A. exchange
B. pull messaging
C. binding
D. correlation
E. mitigating

Correct Answer: BC

QUESTION 302
Which policy represents a shared set of features or parameters that define the aspects of a managed device that are likely to be similar to other managed devices in a deployment?

A. group policy
B. access control policy
C. device management policy
D. platform service policy

Correct Answer: D

QUESTION 303
A security engineer has a video of a suspect entering a data center that was captured on the same day that files in the same data center were transferred to a competitor.

Which type of evidence is this?

A. best evidence
B. prima facie evidence
C. indirect evidence
D. physical evidence

Correct Answer: C

QUESTION 304

Which attack method intercepts traffic on a switched network?

A. denial of service
B. ARP cache poisoning
C. DHCP snooping
D. command and control

Correct Answer: C

Pr
QUESTION 305
Which utility blocks a host portscan?

A. HIDS
B. sandboxing
C. host-based firewall
D. antimalware

Correct Answer: C

es
QUESTION 306
Which event is user interaction?

A. gaining root access
B. executing remote code
C. reading and writing file permission
D. opening a malicious file

Correct Answer: D

QUESTION 307
An intruder attempted malicious activity and exchanged emails with a user and received corporate information, including email distribution lists. The intruder asked the user to engage with a link in an email. When the link launched, it infected machines and the intruder was able to access the corporate network.

Which testing method did the intruder use?

A. social engineering
B. eavesdropping
C. piggybacking
D. tailgating

Correct Answer: A

QUESTION 308

Refer to the exhibit. What information is depicted?

A. IIS data
B. NetFlow data
C. network discovery event
D. IPS event data

Correct Answer: B

QUESTION 309
Which type of evidence supports a theory or an assumption that results from initial evidence?

A. probabilistic
B. indirect
C. best
D. corroborative

Correct Answer: D

tE
es
QUESTION 310
Which two elements are assets in the role of attribution in an investigation? (Choose two.)

A. context
B. session
C. laptop
D. firewall logs
E. threat actor

Correct Answer: AE

QUESTION 311
Which regular expression matches "color" and "colour"?

A. colo?ur
B. col[0−8]+our
C. colou?r
D. col[0−9]+our

Correct Answer: C

QUESTION 312
A user received a malicious attachment but did not run it.

Which category classifies the intrusion?

A. weaponization
B. reconnaissance
C. installation
D. delivery

Correct Answer: D

QUESTION 313
Which process is used when IPS events are removed to improve data integrity?

A. data availability
B. data normalization
C. data signature
D. data protection

Correct Answer: B

es
QUESTION 314
An investigator is examining a copy of an ISO file that is stored in CDFS format.

What type of evidence is this file?

A. data from a CD copied using Mac-based system
B. data from a CD copied using Linux system
C. data from a DVD copied using Windows system
D. data from a CD copied using Windows

Correct Answer: B

QUESTION 315
Which piece of information is needed for attribution in an investigation?

A. proxy logs showing the source RFC 1918 IP addresses
B. RDP allowed from the Internet
C. known threat actor behavior
D. 802.1x RADIUS authentication pass and fail logs

Correct Answer: C

QUESTION 316

Refer to the exhibit. In which Linux log file is this output found?

A. /var/log/authorization.log
B. /var/log/dmesg
C. var/log/var.log
D. /var/log/auth.log

Correct Answer: D

es
QUESTION 317
What is the difference between the ACK flag and the RST flag in the NetFlow log session?

A. The RST flag confirms the beginning of the TCP connection, and the ACK flag responds when the data for the payload is complete
B. The ACK flag confirms the beginning of the TCP connection, and the RST flag responds when the data for the payload is complete
C. The RST flag confirms the receipt of the prior segment, and the ACK flag allows for the spontaneous termination of a connection
D. The ACK flag confirms the receipt of the prior segment, and the RST flag allows for the spontaneous termination of a connection

Correct Answer: D

QUESTION 318
An analyst is investigating an incident in a SOC environment.

Which method is used to identify a session from a group of logs?

A. sequence numbers
B. IP identifier
C. 5-tuple
D. timestamps

Correct Answer: C

QUESTION 319

Refer to the exhibit. Which type of log is displayed?

A. proxy
B. NetFlow
C. IDS
D. sys

Correct Answer: B

QUESTION 320
What should a security analyst consider when comparing inline traffic interrogation with traffic tapping to determine which approach to use in the network?

A. Tapping interrogation replicates signals to a separate port for analyzing traffic
B. Tapping interrogations detect and block malicious traffic
C. Inline interrogation enables viewing a copy of traffic to ensure traffic is in compliance with security policies
D. Inline interrogation detects malicious traffic but does not block the traffic

Correct Answer: A

QUESTION 321
Which two components reduce the attack surface on an endpoint? (Choose two.)

A. secure boot
B. load balancing
C. increased audit log levels
D. restricting USB ports
E. full packet captures at the endpoint

Correct Answer: AD

QUESTION 322
An analyst discovers that a legitimate security alert has been dismissed. Which signature caused this impact on network traffic?

A. true negative
B. false negative
C. false positive
D. true positive

Correct Answer: B

QUESTION 323
DRAG DROP

Drag and drop the security concept on the left onto the example of that concept on the right.

Select and Place:

Correct Answer:

QUESTION 324
Which event artifact is used to identify HTTP GET requests for a specific file?

A. destination IP address
B. TCP ACK
C. HTTP status code
D. URI

Correct Answer: D

QUESTION 325
Which security principle requires that more than one person perform a critical task?

A. least privilege
B. need to know
C. separation of duties
D. due diligence

Correct Answer: C

QUESTION 326
What are two differences in how tampered and untampered disk images affect a security incident? (Choose two.)

A. Untampered images are used in the security investigation process
B. Tampered images are used in the security investigation process
C. The image is tampered if the stored hash and the computed hash match
D. Tampered images are used in the incident recovery process
E. The image is untampered if the stored hash and the computed hash match

Correct Answer: AE
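
Question 326 is the whole of image integrity in one sentence: the image is trustworthy only while the hash recorded at acquisition still matches the hash computed now. The check below is an added example, not the exam's or any vendor's code. The image bytes and the stored hash are constructed stand-ins for a real image and the value written on the chain-of-custody form; the hashing itself is chunked so it works unchanged on a multi-gigabyte file.

```python
"""Check a disk image against the hash recorded at acquisition (added example)."""
import hashlib
import hmac

CHUNK_SIZE = 1 << 20  # 1 MiB: hash in pieces so a large image never sits fully in memory


def sha256_of_bytes(data: bytes) -> str:
    """Hex SHA-256 of an in-memory image, processed chunk by chunk."""
    digest = hashlib.sha256()
    view = memoryview(data)
    for offset in range(0, len(view), CHUNK_SIZE):
        digest.update(view[offset:offset + CHUNK_SIZE])
    return digest.hexdigest()


def sha256_of_file(path: str) -> str:
    """Same computation for an image on disk (the usual case)."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK_SIZE), b""):
            digest.update(chunk)
    return digest.hexdigest()


def is_untampered(computed_hash: str, stored_hash: str) -> bool:
    """An image is untampered only when stored and computed hashes match."""
    return hmac.compare_digest(computed_hash.lower(), stored_hash.strip().lower())


# Constructed sample: a tiny "image" and the hash written down when it was collected.
ORIGINAL_IMAGE = b"\x00" * 512 + b"EVIDENCE-ITEM-0042" + b"\xff" * 512
STORED_HASH = sha256_of_bytes(ORIGINAL_IMAGE)  # stands in for the value on the chain-of-custody form
# A single changed byte in the label is enough to change the digest completely.
TAMPERED_IMAGE = ORIGINAL_IMAGE.replace(b"0042", b"0043")


def verify_image(image: bytes, stored_hash: str) -> dict:
    """Return the computed hash and the verdict an investigator would record."""
    computed = sha256_of_bytes(image)
    return {"computed": computed, "stored": stored_hash,
            "untampered": is_untampered(computed, stored_hash)}


if __name__ == "__main__":
    print(verify_image(ORIGINAL_IMAGE, STORED_HASH))
    print(verify_image(TAMPERED_IMAGE, STORED_HASH))
```

Record both hashes in the case notes whether or not they match; a mismatch is itself evidence that the copy can no longer be relied on.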

QUESTION 327
What makes HTTPS traffic difficult to monitor?

A. SSL interception
B. packet header size
C. signature detection time
D. encryption

Correct Answer: D

QUESTION 328
DRAG DROP

Refer to the exhibit. Drag and drop the element name from the left onto the correct piece of the PCAP file on the right.

Select and Place:

Correct Answer:

QUESTION 329
An analyst is investigating a host in the network that appears to be communicating to a command and control server on the Internet. After collecting this packet capture the analyst cannot determine the technique and payload used for the communication. Which obfuscation technique is the attacker using?

A. Base64 encoding
B. transport layer security encryption
C. SHA-256 hashing
D. ROT13 encryption

Correct Answer: B
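
The lesson of question 329 is that an encoding (Base64, ROT13) can be reversed from the capture alone, while TLS cannot, and a hash such as SHA-256 is one-way and carries no payload to recover at all. The triage function below is an added example, not part of the exam material or of any Cisco tool. It recognizes a TLS record by its header bytes and otherwise tries the reversible encodings, accepting a decode only when the result reads like text. All four sample payloads are constructed for the example.

```python
"""Tell apart Base64, ROT13 and TLS in a captured payload (added example)."""
import base64
import binascii
import codecs
import re
import string

# TLS record header: content type, then version 0x03 0x00..0x04, then 2-byte length.
TLS_CONTENT_TYPES = {0x14, 0x15, 0x16, 0x17}
TLS_MAX_RECORD = 16384 + 2048
PRINTABLE = set(string.printable.encode())
# Words a decoded C2 exchange would plausibly contain; tune for your environment.
COMMON_WORDS = {"the", "and", "get", "post", "http", "host", "cmd", "beacon", "exec", "id"}


def looks_like_tls(payload: bytes) -> bool:
    return (len(payload) >= 5
            and payload[0] in TLS_CONTENT_TYPES
            and payload[1] == 0x03 and payload[2] <= 0x04
            and int.from_bytes(payload[3:5], "big") <= TLS_MAX_RECORD)


def try_base64(payload: bytes):
    """Decode only if the alphabet, padding and length all fit and the result is text."""
    text = payload.strip()
    if len(text) % 4 or not re.fullmatch(rb"[A-Za-z0-9+/]+={0,2}", text):
        return None
    try:
        decoded = base64.b64decode(text, validate=True)
    except binascii.Error:
        return None
    if decoded and all(b in PRINTABLE for b in decoded):
        return decoded.decode("ascii")
    return None


def try_rot13(payload: bytes):
    """ROT13 is its own inverse; accept the result only if it reads like text."""
    try:
        decoded = codecs.decode(payload.decode("ascii"), "rot_13")
    except UnicodeDecodeError:
        return None
    words = set(re.findall(r"[a-z]+", decoded.lower()))
    return decoded if len(words & COMMON_WORDS) >= 2 else None


def identify(payload: bytes) -> dict:
    """Classify the obfuscation; encoding is reversible, encryption is not."""
    if looks_like_tls(payload):
        return {"technique": "tls",
                "note": "encrypted: only handshake metadata (SNI, certificate) is observable"}
    decoded = try_base64(payload)
    if decoded is not None:
        return {"technique": "base64", "decoded": decoded}
    decoded = try_rot13(payload)
    if decoded is not None:
        return {"technique": "rot13", "decoded": decoded}
    return {"technique": "unknown"}


# Constructed samples standing in for bytes pulled out of a packet capture.
TLS_SAMPLE = bytes.fromhex("16030100c5010000c10303")          # start of a ClientHello record
B64_SAMPLE = base64.b64encode(b"GET /beacon?id=42 HTTP/1.1")
ROT13_SAMPLE = b"TRG /ornpba?vq=42 UGGC/1.1"
BINARY_SAMPLE = b"\x8f\x12\x99zz\x00"

if __name__ == "__main__":
    for sample in (TLS_SAMPLE, B64_SAMPLE, ROT13_SAMPLE, BINARY_SAMPLE):
        print(identify(sample))
```

A payload that is neither a TLS record nor a decodable encoding (the "unknown" case) is the one the question describes: without the key, a capture of properly encrypted traffic yields metadata only.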

QUESTION 330
While viewing packet capture data, an analyst sees that one IP is sending and receiving traffic for multiple devices by modifying the IP header. Which technology makes this behavior possible?

A. encapsulation
B. TOR
C. tunneling
D. NAT

Correct Answer: D

QUESTION 331
How does an attacker observe network traffic exchanged between two users?

A. port scanning
B. man-in-the-middle
C. command injection
D. denial of service

Correct Answer: B

QUESTION 332
Refer to the exhibit. Which event is occurring?

A. A binary named "submit" is running on VM cuckoo1.
B. A binary is being submitted to run on VM cuckoo1.
C. A binary on VM cuckoo1 is being submitted for evaluation.
D. A URL is being evaluated to see if it has a malicious binary.

Correct Answer: C

QUESTION 333
What is a benefit of agent-based protection when compared to agentless protection?

A. It lowers maintenance costs
B. It provides a centralized platform
C. It collects and detects all traffic locally
D. It manages numerous devices simultaneously

Correct Answer: C

QUESTION 334
Which principle is being followed when an analyst gathers information relevant to a security incident to determine the appropriate course of action?

A. decision making
B. rapid response
C. data mining
D. due diligence

Correct Answer: A

QUESTION 335
An engineer runs a suspicious file in a sandbox analysis tool to see the outcome. The analysis report shows that outbound callouts were made post infection. Which two pieces of information from the analysis report are needed to investigate the callouts? (Choose two.)

A. signatures
B. host IP addresses
C. file size
D. dropped files
E. domain names

Correct Answer: BE

QUESTION 336
An analyst is exploring the functionality of different operating systems. What is a feature of Windows Management Instrumentation that must be considered when deciding on an operating system?

A. queries Linux devices that have Microsoft Services for Linux installed
B. deploys Windows Operating Systems in an automated fashion
C. is an efficient tool for working with Active Directory
D. has a Common Information Model, which describes installed hardware and software

Correct Answer: D

QUESTION 337
One of the objectives of information security is to protect the CIA of information and systems. What does CIA mean in this context?

A. confidentiality, identity, and authorization
B. confidentiality, integrity, and authorization
C. confidentiality, identity, and availability
D. confidentiality, integrity, and availability

Correct Answer: D

QUESTION 338
What is rule-based detection when compared to statistical detection?

A. proof of a user's identity
B. proof of a user's action
C. likelihood of user's action
D. falsification of a user's identity

Correct Answer: B

QUESTION 339
Which piece of information is personally identifiable information (PII) that must be safeguarded from unauthorized access?

A. date of birth
B. driver's license number
C. gender
D. zip code

Correct Answer: B

QUESTION 340
What does cyber attribution identify in an investigation?

A. cause of an attack
B. exploit of an attack
C. vulnerabilities exploited
D. threat actors of an attack

Correct Answer: D

QUESTION 341
Which type of data consists of connection level, application-specific records generated from network traffic?

A. transaction data
B. location data
C. statistical data
D. alert data

Correct Answer: A

QUESTION 342
How does an SSL certificate impact security between the client and the server?

A. by enabling an authenticated channel between the client and the server
B. by creating an integrated channel between the client and the server
C. by enabling an authorized channel between the client and the server
D. by creating an encrypted channel between the client and the server

Correct Answer: D

QUESTION 343
Which open-source packet capture tool runs on Linux and Mac OS X operating systems?

A. NetScout
B. tcpdump
C. SolarWinds
D. netsh

Correct Answer: B

QUESTION 344
DRAG DROP

Drag and drop the access control models from the left onto the correct descriptions on the right.

Select and Place:

Correct Answer:

QUESTION 345
An organization has recently adjusted its security stance in response to online threats made by a known hacktivist group. What is this initial event called in NIST SP 800-61?

A. online assault
B. precursor
C. trigger
D. instigator

Correct Answer: B

QUESTION 346
What is an attack surface as compared to a vulnerability?

A. any potential danger to an asset
B. the sum of all paths for data into and out of the application
C. an exploitable weakness in a system or its design
D. the individuals who perform an attack

Correct Answer: B

QUESTION 347
What is a difference between SOAR and SIEM?

A. SOAR platforms are used for threat and vulnerability management, but SIEM applications are not
B. SIEM applications are used for threat and vulnerability management, but SOAR platforms are not
C. SOAR receives information from a single platform and delivers it to a SIEM
D. SIEM receives information from a single platform and delivers it to a SOAR

Correct Answer: A

QUESTION 348
Refer to the exhibit. Which application protocol is in this PCAP file?

A. SSH
B. TCP
C. TLS
D. HTTP

Correct Answer: B

QUESTION 349
Refer to the exhibit. What is the expected result when the "Allow subdissector to reassemble TCP streams" feature is enabled?

A. insert TCP subdissectors
B. extract a file from a packet capture
C. disable TCP streams
D. unfragment TCP

Correct Answer: D

QUESTION 350
When communicating via TLS, the client initiates the handshake to the server and the server responds back with its certificate for identification. Which information is available on the server certificate?

A. server name, trusted subordinate CA, and private key
B. trusted subordinate CA, public key, and cipher suites
C. trusted CA name, cipher suites, and private key
D. server name, trusted CA, and public key

Correct Answer: D

QUESTION 351
During which phase of the forensic process is data that is related to a specific event labeled and recorded to preserve its integrity?

A. examination
B. investigation
C. collection
D. reporting

Correct Answer: C

QUESTION 352
Which NIST IR category stakeholder is responsible for coordinating incident response among various business units, minimizing damage, and reporting to regulatory agencies?

A. CSIRT
B. PSIRT
C. public affairs
D. management

Correct Answer: D

QUESTION 353
An engineer receives a security alert that traffic with a known TOR exit node has occurred on the network. What is the impact of this traffic?

A. ransomware communicating after infection
B. users downloading copyrighted content
C. data exfiltration
D. user circumvention of the firewall

Correct Answer: D

QUESTION 354
How is attacking a vulnerability categorized?

A. action on objectives
B. delivery
C. exploitation
D. installation

Correct Answer: C

QUESTION 355
A system administrator is ensuring that specific registry information is accurate. Which type of configuration information does the HKEY_LOCAL_MACHINE hive contain?

A. file extension associations
B. hardware, software, and security settings for the system
C. currently logged in users, including folders and control panel settings
D. all users on the system, including visual settings

Correct Answer: B

QUESTION 356
What is the difference between statistical detection and rule-based detection models?

A. Rule-based detection involves the collection of data in relation to the behavior of legitimate users over a period of time
B. Statistical detection defines legitimate data of users over a period of time and rule-based detection defines it on an IF/THEN basis
C. Statistical detection involves the evaluation of an object on its intended actions before it executes that behavior
D. Rule-based detection defines legitimate data of users over a period of time and statistical detection defines it on an IF/THEN basis

Correct Answer: B

QUESTION 357
Which step in the incident response process researches an attacking host through logs in a SIEM?

A. detection and analysis
B. preparation
C. eradication
D. containment

Correct Answer: A

QUESTION 358
What is the difference between a threat and a risk?

A. Threat represents a potential danger that could take advantage of a weakness in a system
B. Risk represents the known and identified loss or danger in the system
C. Risk represents the nonintentional interaction with uncertainty in the system
D. Threat represents a state of being exposed to an attack or a compromise either physically or logically

Correct Answer: A

QUESTION 359
Which signature impacts network traffic by causing legitimate traffic to be blocked?

A. false negative
B. true positive
C. true negative
D. false positive

Correct Answer: D

QUESTION 360
Which proxy mode must be used on Cisco WSA to redirect TCP traffic with WCCP?

A. transparent
B. redirection
C. forward
D. proxy gateway

Correct Answer: A

QUESTION 361
Which feature requires a network discovery policy on the Cisco Firepower Next Generation Intrusion Prevention System?

A. security intelligence
B. impact flags
C. health monitoring
D. URL filtering

Correct Answer: B

QUESTION 362
Refer to the exhibit. Which statement about the authentication protocol used in the configuration is true?

A. The authentication request contains only a password
B. The authentication request contains only a username
C. The authentication and authorization requests are grouped in a single packet.
D. There are separate authentication and authorization request packets.

Correct Answer: C

QUESTION 363
Which two preventive measures are used to control cross-site scripting? (Choose two.)

A. Enable client-side scripts on a per-domain basis.
B. Incorporate contextual output encoding/escaping.
C. Disable cookie inspection in the HTML inspection engine.
D. Run untrusted HTML input through an HTML sanitization engine.
E. SameSite cookie attribute should not be used.

Correct Answer: BD
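
Question 363's two answers, contextual output encoding and HTML sanitization, are shown side by side below with the vulnerable rendering they replace. This is an added example, not the exam's or any product's code: the page fragments and attack strings are constructed, the encoder picks the escaping that matches the context the value lands in (HTML body, attribute, URL), and the sanitizer is a minimal allow-list built on the standard library, not a substitute for a maintained sanitizer library.

```python
"""Contextual output encoding and allow-list sanitization against XSS (added example)."""
import html
from html.parser import HTMLParser
from urllib.parse import quote

ALLOWED_TAGS = {"b", "i", "em", "strong", "p", "br"}


def render_vulnerable(username: str) -> str:
    """Untrusted input dropped straight into the page: reflected XSS."""
    return f"<p>Welcome, {username}</p>"


def render_safe(username: str) -> str:
    """HTML body context: entity-escape <, >, &, and quotes."""
    return f"<p>Welcome, {html.escape(username, quote=True)}</p>"


def render_attribute(value: str) -> str:
    """Attribute context: always quote the attribute and escape quotes inside it."""
    return f'<input name="q" value="{html.escape(value, quote=True)}">'


def render_link(query: str) -> str:
    """URL context: percent-encode for the query string, then escape for the attribute."""
    encoded = quote(query, safe="")
    return f'<a href="/search?q={html.escape(encoded, quote=True)}">search</a>'


class _AllowListSanitizer(HTMLParser):
    """Keep a handful of formatting tags, drop every attribute, escape all text."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag in ALLOWED_TAGS:          # attributes are never copied: no onerror=, no href=
            self.out.append(f"<{tag}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=True))


def sanitize_html(fragment: str) -> str:
    """Run untrusted rich text through the allow-list sanitizer."""
    parser = _AllowListSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    payload = '<script>alert(document.cookie)</script>'
    print(render_vulnerable(payload))
    print(render_safe(payload))
    print(render_attribute('" onfocus="alert(1)'))
    print(sanitize_html('<b>hi</b><img src=x onerror=alert(1)>'))
```

Encoding is applied at output time, once per context; sanitization is for the rarer case where the application must accept some HTML. Neither replaces the other, which is why the question wants both.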
QUESTION 364
Which solution combines Cisco IOS and IOS XE components to enable administrators to recognize applications, collect and send network metrics to Cisco Prime and other third-party management tools, and prioritize application traffic?

A. Cisco Security Intelligence
B. Cisco Application Visibility and Control
C. Cisco Model Driven Telemetry
D. Cisco DNA Center

Correct Answer: B

QUESTION 365
Which two endpoint measures are used to minimize the chances of falling victim to phishing and social engineering attacks? (Choose two.)

A. Patch for cross-site scripting.
B. Perform backups to the private cloud.
C. Protect against input validation and character escapes in the endpoint.
D. Install a spam and virus email filter.
E. Protect systems with an up-to-date antimalware program.

Correct Answer: DE

QUESTION 366
An engineer used a posture check on a Microsoft Windows endpoint and discovered that the MS17-010 patch was not installed, which left the endpoint vulnerable to WannaCry ransomware. Which two solutions mitigate the risk of this ransomware infection? (Choose two.)

A. Configure a posture policy in Cisco Identity Services Engine to install the MS17-010 patch before allowing access on the network.
B. Set up a profiling policy in Cisco Identity Services Engine to check an endpoint patch level before allowing access on the network.
C. Configure a posture policy in Cisco Identity Services Engine to check that an endpoint patch level is met before allowing access on the network.
D. Configure endpoint firewall policies to stop the exploit traffic from being allowed to run and replicate throughout the network.
E. Set up a well-defined endpoint patching strategy to ensure that endpoints have critical vulnerabilities patched in a timely fashion.

Correct Answer: CE

QUESTION 367
Which security zone is automatically defined by the system?

A. The source zone
B. The self zone
C. The destination zone
D. The inside zone

Correct Answer: B

QUESTION 368
Why would a user choose an on-premises ESA versus the CES solution?

A. Sensitive data must remain onsite.
B. Demand is unpredictable.
C. The server team wants to outsource this service.
D. ESA is deployed inline.

Correct Answer: A

QUESTION 369
Which technology must be used to implement secure VPN connectivity among company branches over a private IP cloud with any-to-any scalable connectivity?

A. DMVPN
B. FlexVPN
C. IPsec DVTI
D. GET VPN

Correct Answer: D

QUESTION 370
Which Cisco solution does Cisco Umbrella integrate with to determine if a URL is malicious?

A. AMP
B. AnyConnect
C. DynDNS
D. Talos

Correct Answer: D

QUESTION 371
What is the purpose of the Decrypt for Application Detection feature within the WSA Decryption options?

A. It decrypts HTTPS application traffic for unauthenticated users.
B. It alerts users when the WSA decrypts their traffic.
C. It decrypts HTTPS application traffic for authenticated users.
D. It provides enhanced HTTPS application detection for AsyncOS.

Correct Answer: D

QUESTION 372
What is the primary role of the Cisco Email Security Appliance?

A. Mail Submission Agent
B. Mail Transfer Agent
C. Mail Delivery Agent
D. Mail User Agent

Correct Answer: B

QUESTION 373
Which two features of Cisco DNA Center are used in a Software Defined Network solution? (Choose two.)

A. accounting
B. assurance
C. automation
D. authentication
E. encryption

Correct Answer: BC

QUESTION 374
Which cloud service model offers an environment for cloud consumers to develop and deploy applications without needing to manage or maintain the underlying cloud infrastructure?

A. PaaS
B. XaaS
C. IaaS
D. SaaS

Correct Answer: A

QUESTION 375
What is a required prerequisite to enable malware file scanning for the Secure Internet Gateway?

A. Enable IP Layer enforcement.
B. Activate the Advanced Malware Protection license.
C. Activate SSL decryption.
D. Enable Intelligent Proxy.

Correct Answer: D

QUESTION 376
Which two features are used to configure Cisco ESA with a multilayer approach to fight viruses and malware? (Choose two.)

A. Sophos engine
B. white list
C. RAT
D. outbreak filters
E. DLP

Correct Answer: AD

QUESTION 377
How is Cisco Umbrella configured to log only security events?

A. per policy
B. in the Reporting settings
C. in the Security Settings section
D. per network in the Deployments section

Correct Answer: A

QUESTION 378
What is the primary difference between an Endpoint Protection Platform and Endpoint Detection and Response?

A. EPP focuses on prevention, and EDR focuses on advanced threats that evade perimeter defenses.
B. EDR focuses on prevention, and EPP focuses on advanced threats that evade perimeter defenses.
C. EPP focuses on network security, and EDR focuses on device security.
D. EDR focuses on network security, and EPP focuses on device security.

Correct Answer: A

QUESTION 379
On which part of the IT environment does DevSecOps focus?

A. application development
B. wireless network
C. data center
D. perimeter network

Correct Answer: A

QUESTION 380
Which functions of an SDN architecture require southbound APIs to enable communication?

A. SDN controller and the network elements
B. management console and the SDN controller
C. management console and the cloud
D. SDN controller and the cloud

Correct Answer: A

QUESTION 381
What is a characteristic of traffic storm control behavior?

A. Traffic storm control drops all broadcast and multicast traffic if the combined traffic exceeds the level within the interval.
B. Traffic storm control cannot determine if the packet is unicast or broadcast.
C. Traffic storm control monitors incoming traffic levels over a 10-second traffic storm control interval.
D. Traffic storm control uses the Individual/Group bit in the packet source address to determine if the packet is unicast or broadcast.

Correct Answer: A

QUESTION 382
Which two REST API request methods are valid on the Cisco ASA platform? (Choose two.)

A. put
B. options
C. get
D. push
E. connect

Correct Answer: AC

QUESTION 383
In a PaaS model, which layer is the tenant responsible for maintaining and patching?

A. hypervisor
B. virtual machine
C. network
D. application

Correct Answer: D

QUESTION 384
An engineer is configuring AMP for Endpoints and wants to block certain files from executing. Which outbreak control method is used to accomplish this task?

A. device flow correlation
B. simple detections
C. application blocking list
D. advanced custom detections

Correct Answer: C

QUESTION 385
Which ASA deployment mode can provide separation of management on a shared appliance?

A. DMZ multiple zone mode
B. transparent firewall mode
C. multiple context mode
D. routed mode

Correct Answer: C

QUESTION 386
Which two deployment model configurations are supported for Cisco FTDv in AWS? (Choose two.)

A. Cisco FTDv configured in routed mode and managed by an FMCv installed in AWS
B. Cisco FTDv with one management interface and two traffic interfaces configured
C. Cisco FTDv configured in routed mode and managed by a physical FMC appliance on premises
D. Cisco FTDv with two management interfaces and one traffic interface configured
E. Cisco FTDv configured in routed mode and IPv6 configured

Correct Answer: AC

QUESTION 387
What can be integrated with Cisco Threat Intelligence Director to provide information about security threats, which allows the SOC to proactively automate responses to those threats?

A. Cisco Umbrella
B. External Threat Feeds
C. Cisco Threat Grid
D. Cisco Stealthwatch

Correct Answer: B

QUESTION 388
What provides visibility and awareness into what is currently occurring on the network?

A. CMX
B. WMI
C. Prime Infrastructure
D. Telemetry

Correct Answer: D

QUESTION 389
Which attack is commonly associated with C and C++ programming languages?

A. cross-site scripting
B. water holing
C. DDoS
D. buffer overflow

Correct Answer: D

QUESTION 390
An engineer must force an endpoint to re-authenticate an already authenticated session without disrupting the endpoint to apply a new or updated policy from ISE. Which CoA type achieves this goal?

A. Port Bounce
B. CoA Terminate
C. CoA Reauth
D. CoA Session Query

Correct Answer: C

QUESTION 391
Refer to the exhibit. Which command was used to display this output?

A. show dot1x all
B. show dot1x
C. show dot1x all summary
D. show dot1x interface gi1/0/12

Correct Answer: A

QUESTION 392
Which two prevention techniques are used to mitigate SQL injection attacks? (Choose two.)

A. Check integer, float, or Boolean string parameters to ensure accurate values.
B. Use prepared statements and parameterized queries.
C. Secure the connection between the web and the app tier.
D. Write SQL code instead of using object-relational mapping libraries.
E. Block SQL code execution in the web application database login.

Correct Answer: AB
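
Question 392 names the two fixes; the snippet below puts the vulnerable query next to the parameterized one and adds the integer check from answer A. It is an added example, not code from the exam or from any Cisco product, and the in-memory SQLite table and the two users in it are constructed for the demonstration.

```python
"""Vulnerable string-built SQL beside the parameterized fix (added example)."""
import sqlite3


def setup_db() -> sqlite3.Connection:
    """In-memory table with two constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, is_admin INTEGER)")
    conn.executemany("INSERT INTO users (username, is_admin) VALUES (?, ?)",
                     [("alice", 1), ("bob", 0)])
    return conn


def find_user_vulnerable(conn, username: str) -> list:
    """Concatenation: the attacker's quote closes the literal and rewrites the WHERE clause."""
    sql = f"SELECT username FROM users WHERE username = '{username}' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn, username: str) -> list:
    """Parameterized: the value is bound by the driver and can never become SQL syntax."""
    rows = conn.execute("SELECT username FROM users WHERE username = ? ORDER BY id", (username,))
    return [row[0] for row in rows]


def find_user_by_id(conn, user_id):
    """Numeric parameters: reject anything that is not an integer before it reaches SQL."""
    if isinstance(user_id, bool) or not isinstance(user_id, int):
        try:
            user_id = int(str(user_id).strip())
        except ValueError:
            raise ValueError(f"user_id must be an integer, got {user_id!r}")
    row = conn.execute("SELECT username FROM users WHERE id = ?", (user_id,)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    conn = setup_db()
    attack = "x' OR '1'='1"
    print("vulnerable:", find_user_vulnerable(conn, attack))   # every user leaks
    print("safe:      ", find_user_safe(conn, attack))         # no such user
    print("by id:     ", find_user_by_id(conn, "1"))
```

The injected string is identical in both lookups; only the way it reaches the database differs, which is the point the question is making.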
QUESTION 393
How does Cisco Stealthwatch Cloud provide security for cloud environments?

A. It delivers visibility and threat detection.
B. It prevents exfiltration of sensitive data.
C. It assigns Internet-based DNS protection for clients and servers.
D. It facilitates secure connectivity between public and private networks.

Correct Answer: A

QUESTION 394
Which two application layer preprocessors are used by Firepower Next Generation Intrusion Prevention System? (Choose two.)

A. SIP
B. inline normalization
C. SSL
D. packet decoder
E. Modbus

Correct Answer: AC

QUESTION 395
Which feature is configured for managed devices in the device platform settings of the Firepower Management Center?

A. quality of service
B. time synchronization
C. network address translation
D. intrusion policy

Correct Answer: B

QUESTION 396
The main function of northbound APIs in the SDN architecture is to enable communication between which two areas of a network?

A. SDN controller and the cloud
B. management console and the SDN controller
C. management console and the cloud
D. SDN controller and the management solution

Correct Answer: D

QUESTION 397
Refer to the exhibit. What is a result of the configuration?

A. Traffic from the DMZ network is redirected.
B. Traffic from the inside network is redirected.
C. All TCP traffic is redirected.
D. Traffic from the inside and DMZ networks is redirected.

Correct Answer: D

QUESTION 398
Which information is required when adding a device to Firepower Management Center?

A. username and password
B. encryption method
C. device serial number
D. registration key

Correct Answer: D

QUESTION 399
Which two services must remain as on-premises equipment when a hybrid email solution is deployed? (Choose two.)

A. DDoS
B. antispam
C. antivirus
D. encryption
E. DLP

Correct Answer: DE

QUESTION 400
What is a characteristic of Cisco ASA NetFlow v9 Secure Event Logging?

A. It tracks flow-create, flow-teardown, and flow-denied events.
B. It provides stateless IP flow tracking that exports all records of a specific flow.
C. It tracks the flow continuously and provides updates every 10 seconds.
D. Its events match all traffic classes in parallel.

Correct Answer: A

QUESTION 401
Which feature is supported when deploying Cisco ASAv within AWS public cloud?

A. multiple context mode
B. user deployment of Layer 3 networks
C. IPv6
D. clustering

Correct Answer: B

QUESTION 402
Which Talos reputation center allows you to track the reputation of IP addresses for email and web traffic?

A. IP Blacklist Center
B. File Reputation Center
C. AMP Reputation Center
D. IP and Domain Reputation Center

Correct Answer: D

QUESTION 403
Under which two circumstances is a CoA issued? (Choose two.)

A. A new authentication rule was added to the policy on the Policy Service node.
B. An endpoint is deleted on the Identity Services Engine server.
C. A new Identity Source Sequence is created and referenced in the authentication policy.
D. An endpoint is profiled for the first time.
E. A new Identity Services Engine server is added to the deployment with the Administration persona.

Correct Answer: BD

QUESTION 404
Which policy is used to capture host information on the Cisco Firepower Next Generation Intrusion Prevention System?

A. correlation
B. intrusion
C. access control
D. network discovery

Correct Answer: D

QUESTION 405
Refer to the exhibit. Which command was used to generate this output and to show which ports are authenticating with dot1x or mab?

A. show authentication registrations
B. show authentication method
C. show dot1x all
D. show authentication sessions

Correct Answer: D

QUESTION 406
An engineer is configuring a Cisco ESA and wants to control whether to accept or reject email messages to a recipient address. Which list contains the allowed recipient addresses?

A. SAT
B. BAT
C. HAT
D. RAT

Correct Answer: D

QUESTION 407
Which feature within Cisco Umbrella allows for the ability to inspect secure HTTP traffic?

A. File Analysis
B. SafeSearch
C. SSL Decryption
D. Destination Lists

Correct Answer: C

QUESTION 408
Which two kinds of attacks are prevented by multifactor authentication? (Choose two.)

A. phishing
B. brute force
C. man-in-the-middle
D. DDoS
E. teardrop

Correct Answer: BC

QUESTION 409
An administrator wants to ensure that all endpoints are compliant before users are allowed access on the corporate network. The endpoints must have the corporate antivirus application installed and be running the latest build of Windows 10. What must the administrator implement to ensure that all devices are compliant before they are allowed on the network?

A. Cisco Identity Services Engine and AnyConnect Posture module
B. Cisco Stealthwatch and Cisco Identity Services Engine integration
C. Cisco ASA firewall with Dynamic Access Policies configured
D. Cisco Identity Services Engine with PxGrid services enabled

Correct Answer: A

QUESTION 410
What is the difference between deceptive phishing and spear phishing?

A. Deceptive phishing is an attack aimed at a specific user in the organization who holds a C-level role.
B. A spear phishing campaign is aimed at a specific person versus a group of people.
C. Spear phishing is when the attack is aimed at the C-level executives of an organization.
D. Deceptive phishing hijacks and manipulates the DNS server of the victim and redirects the user to a false webpage.

Correct Answer: B

QUESTION 411
An engineer needs a solution for TACACS+ authentication and authorization for device administration. The engineer also wants to enhance wired and wireless network security by requiring users and endpoints to use 802.1X, MAB, or WebAuth. Which product meets all of these requirements?

A. Cisco Prime Infrastructure
B. Cisco Identity Services Engine
C. Cisco Stealthwatch
D. Cisco AMP for Endpoints

Correct Answer: B

QUESTION 412
When wired 802.1X authentication is implemented, which two components are required? (Choose two.)

A. authentication server: Cisco Identity Services Engine
B. supplicant: Cisco AnyConnect ISE Posture module
C. authenticator: Cisco Catalyst switch
D. authenticator: Cisco Identity Services Engine
E. authentication server: Cisco Prime Infrastructure

Correct Answer: AC

QUESTION 413
The Cisco ASA must support TLS proxy for encrypted Cisco Unified Communications traffic. Where must the ASA be added on the Cisco UC Manager platform?

A. Certificate Trust List
B. Endpoint Trust List
C. Enterprise Proxy Service
D. Secured Collaboration Proxy

Correct Answer: A

QUESTION 414
Which API is used for Content Security?

A. NX-OS API
B. IOS XR API
C. OpenVuln API
D. AsyncOS API

Correct Answer: D

QUESTION 415
Which two behavioral patterns characterize a ping of death attack? (Choose two.)

A. The attack is fragmented into groups of 16 octets before transmission.
B. The attack is fragmented into groups of 8 octets before transmission.
C. Short synchronized bursts of traffic are used to disrupt TCP connections.
D. Malformed packets are used to crash systems.
E. Publicly accessible DNS servers are typically used to execute the attack.

Correct Answer: BD

QUESTION 416
Which two mechanisms are used to control phishing attacks? (Choose two.)

A. Enable browser alerts for fraudulent websites.
B. Define security group memberships.
C. Revoke expired CRL of the websites.
D. Use antispyware software.
E. Implement email filtering techniques.

Correct Answer: AE

QUESTION 417
Which VPN technology can support a multivendor environment and secure traffic between sites?

A. SSL VPN
B. GET VPN
C. FlexVPN
D. DMVPN

Correct Answer: C

QUESTION 418 Which SNMPv3 configuration must be used to support the strongest security possible?

am
A. asa-host(config)#snmp-server group myv3 v3 priv asa-host(config)#snmp-server user andy myv3 auth sha cisco priv des ciscXXXXXXXX asa-host(config)#snmp-server host inside 10.255.254.1 version 3 andy
B. asa-host(config)#snmp-server group myv3 v3 noauth asa- host(config)#snmp-server user andy myv3 auth sha cisco priv aes 256 ciscXXXXXXXX asa- host(config)#snmp-server host inside 10.255.254.1 version 3 andy
C. asa-host(config)#snmp- server group myv3 v3 noauth asa-host(config)#snmp-server user andy myv3 auth sha cisco priv 3des ciscXXXXXXXX

x
asa-host(config)#snmp-server host inside 10.255.254.1 version 3 andy
D. asa- host(config)#snmp-server group myv3 v3 priv asa-host(config)#snmp-server user andy myv3 auth sha cisco priv aes 256 ciscXXXXXXXX asa-host(config)#snmp-server host inside 10.255.254.1 version 3 andy

Correct Answer: D

QUESTION 419 How is ICMP used as an exfiltration technique?

A. by flooding the destination host with unreachable packets
B. by sending large numbers of ICMP packets with a targeted host's source IP address using an IP broadcast address
C. by encrypting the payload in an ICMP packet to carry out command and control tasks on a compromised host

D. by overwhelming a targeted host with ICMP echo-request packets

Correct Answer: C

QUESTION 420 What is the function of Cisco Cloudlock for data security?

A. data loss prevention
B. controls malicious cloud apps
C. detects anomalies
D. user and entity behavior analytics

Correct Answer: A

QUESTION 421 For which two conditions can an endpoint be checked using ISE posture assessment? (Choose two.)

A. computer identity
B. Windows service
C. user identity
D. Windows firewall
E. default browser

Correct Answer: BD

QUESTION 422 What is a characteristic of Dynamic ARP Inspection?

A. DAI determines the validity of an ARP packet based on valid IP to MAC address bindings from the DHCP snooping binding database.
B. In a typical network, make all ports as trusted except for the ports connecting to switches, which are untrusted.
C. DAI associates a trust state with each switch.
D. DAI intercepts all ARP requests and responses on trusted ports only.

Correct Answer: A

QUESTION 423 Which Cisco product provides proactive endpoint protection and allows administrators to centrally manage the deployment?

A. NGFW
B. AMP
C. WSA
D. ESA

Correct Answer: B

QUESTION 424
How does a zone-based firewall implementation handle traffic between interfaces in the same zone?

A. Traffic between two interfaces in the same zone is allowed by default.
B. Traffic between interfaces in the same zone is blocked unless you configure the same-security permit command.
C. Traffic between interfaces in the same zone is always blocked.
D. Traffic between interfaces in the same zone is blocked unless you apply a service policy to the zone pair.

Correct Answer: A

QUESTION 425 Where are individual sites specified to be blacklisted in Cisco Umbrella?

A. application settings
B. content categories
C. security settings
D. destination lists

Correct Answer: D

QUESTION 426 Which statement about IOS zone-based firewalls is true?

A. An unassigned interface can communicate with assigned interfaces
B. Only one interface can be assigned to a zone.
C. An interface can be assigned to multiple zones.
D. An interface can be assigned only to one zone.

Correct Answer: D

QUESTION 427 Which two activities can be done using Cisco DNA Center? (Choose two.)

A. DHCP
B. design
C. accounting
D. DNS
E. provision

Correct Answer: BE

QUESTION 428 Which ID store requires that a shadow user be created on Cisco ISE for the admin login to work?

A. RSA SecurID
B. Internal Database
C. Active Directory
D. LDAP

Correct Answer: A

QUESTION 429 Which command enables 802.1X globally on a Cisco switch?

A. dot1x system-auth-control
B. dot1x pae authenticator
C. authentication port-control auto
D. aaa new-model

Correct Answer: A

QUESTION 431 In which cloud services model is the tenant responsible for virtual machine OS patching?

A. IaaS
B. UCaaS
C. PaaS
D. SaaS

Correct Answer: A

QUESTION 432 Which two descriptions of AES encryption are true? (Choose two.)

A. AES is less secure than 3DES.
B. AES is more secure than 3DES.
C. AES can use a 168-bit key for encryption.

D. AES can use a 256-bit key for encryption.
E. AES encrypts and decrypts a key three times in sequence.

Correct Answer: BD

QUESTION 433 Which technology is used to improve web traffic performance by proxy caching?

A. WSA
B. Firepower
C. FireSIGHT
D. ASA

Correct Answer: A

QUESTION 434 Which statement about the configuration of Cisco ASA NetFlow v9 Secure Event Logging is true?

A. To view bandwidth usage for NetFlow records, the QoS feature must be enabled.
B. A sysopt command can be used to enable NSEL on a specific interface.
C. NSEL can be used without a collector configured.
D. A flow-export event type must be defined under a policy.

Correct Answer: D

QUESTION 435 Which benefit does endpoint security provide the overall security posture of an organization?

A. It streamlines the incident response process to automatically perform digital forensics on the endpoint.
B. It allows the organization to mitigate web-based attacks as long as the user is active in the domain.
C. It allows the organization to detect and respond to threats at the edge of the network.
D. It allows the organization to detect and mitigate threats that the perimeter security devices do not detect.

Correct Answer: D

QUESTION 436
An engineer configured a new network identity in Cisco Umbrella but must verify that traffic is being routed through the Cisco Umbrella network. Which action tests the routing?

A. Ensure that the client computers are pointing to the on-premises DNS servers.
B. Enable the Intelligent Proxy to validate that traffic is being routed correctly.
C. Add the public IP address that the client computers are behind to a Core Identity.
D. Browse to http://welcome.umbrella.com/ to validate that the new identity is working.

Correct Answer: D

QUESTION 437
What is a language format designed to exchange threat intelligence that can be transported over the TAXII protocol?

A. STIX
B. XMPP
C. pxGrid
D. SMTP

Correct Answer: A

QUESTION 438 What are two list types within AMP for Endpoints Outbreak Control? (Choose two.)

A. blocked ports
B. simple custom detections
C. command and control
D. allowed applications
E. URL

Correct Answer: BD

QUESTION 439 Which two key and block sizes are valid for AES? (Choose two.)

A. 64-bit block size, 112-bit key length
B. 64-bit block size, 168-bit key length
C. 128-bit block size, 192-bit key length
D. 128-bit block size, 256-bit key length
E. 192-bit block size, 256-bit key length

Correct Answer: CD

QUESTION 440 How does Cisco Umbrella archive logs to an enterprise-owned storage?

A. by using the Application Programming Interface to fetch the logs
B. by sending logs via syslog to an on-premises or cloud-based syslog server
C. by the system administrator downloading the logs from the Cisco Umbrella web portal
D. by being configured to send logs to a self-managed AWS S3 bucket

Correct Answer: D

QUESTION 441 In which form of attack is alternate encoding, such as hexadecimal representation, most often observed?

A. smurf
B. distributed denial of service
C. cross-site scripting
D. rootkit exploit

Correct Answer: C
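Alternate encoding turns up in cross-site scripting attempts because a filter that matches the literal characters of a payload is bypassed by spelling the same payload as percent-encoded hex or as HTML numeric entities. The following is an added example, not code from this page or from any product: it applies a signature to the raw request field and then to the same field after layered decoding to a canonical form. The signature is deliberately tiny and the request values are constructed for the demonstration.

```python
"""Decode layered alternate encodings before matching a web request field.

Added example: a signature that only looks for the literal characters of a
script tag misses the same payload written as percent-encoded hex or as HTML
numeric entities. The signature and the inputs below are constructed.
"""
import html
import re
from urllib.parse import unquote

# Deliberately small demo signature; production rules cover far more than one tag.
SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)


def decode_layers(value: str, max_rounds: int = 4) -> str:
    """Undo percent-encoding and HTML entities repeatedly until the text is stable.

    Bounding the rounds keeps a pathological input from costing unbounded work;
    anything still encoded after max_rounds is matched as-is.
    """
    current = value
    for _ in range(max_rounds):
        decoded = html.unescape(unquote(current))
        if decoded == current:
            break
        current = decoded
    return current


def naive_match(value: str) -> bool:
    """Signature applied to the raw field: what an encoding-unaware filter does."""
    return SCRIPT_TAG.search(value) is not None


def normalised_match(value: str) -> bool:
    """Signature applied after canonicalisation."""
    return SCRIPT_TAG.search(decode_layers(value)) is not None


# Constructed request values: the same payload in four spellings plus a benign one.
SAMPLES = {
    "plain":           "<script>alert(1)</script>",
    "percent_hex":     "%3Cscript%3Ealert(1)%3C%2Fscript%3E",
    "html_hex_entity": "&#x3C;script&#x3E;alert(1)&#x3C;/script&#x3E;",
    "double_percent":  "%253Cscript%253Ealert(1)",
    "benign":          "search?q=hex%20encoding%20guide",
}


def compare(samples=SAMPLES):
    """Return {name: (naive verdict, normalised verdict)} for each sample."""
    return {name: (naive_match(v), normalised_match(v)) for name, v in samples.items()}


if __name__ == "__main__":
    for name, (raw, canon) in compare().items():
        print(f"{name:16} raw={raw!s:5} canonical={canon}")
```

Decoding before matching is the same canonicalisation step a WAF or IPS performs; without it, the double-encoded sample is still `%3Cscript%3E` after one round of decoding and passes a single-pass filter.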

QUESTION 442 Which two conditions are prerequisites for stateful failover for IPsec? (Choose two.)

A. Only the IKE configuration that is set up on the active device must be duplicated on the standby device; the IPsec configuration is copied automatically.
B. The active and standby devices can run different versions of the Cisco IOS software but must be the same type of device.
C. The IPsec configuration that is set up on the active device must be duplicated on the standby device.

D. Only the IPsec configuration that is set up on the active device must be duplicated on the standby device; the IKE configuration is copied automatically.
E. The active and standby devices must run the same version of the Cisco IOS software and must be the same type of device.

Correct Answer: CE

QUESTION 443
When web policies are configured in Cisco Umbrella, what provides the ability to ensure that domains are blocked when they host malware, command and control, phishing, and more threats?

A. Application Control
B. Security Category Blocking
C. Content Category Blocking
D. File Analysis

Correct Answer: B

QUESTION 444
Which two mechanisms are used to redirect users to a web portal to authenticate to ISE for guest services? (Choose two.)

A. TACACS+
B. central web auth
C. single sign-on
D. multiple factor auth
E. local web auth

Correct Answer: BE

QUESTION 445 Which flaw does an attacker leverage when exploiting SQL injection vulnerabilities?

A. user input validation in a web page or web application
B. Linux and Windows operating systems
C. database
D. web page images

Correct Answer: A

QUESTION 446 Which deployment model is the most secure when considering risks to cloud adoption?

A. public cloud
B. hybrid cloud
C. community cloud
D. private cloud

Correct Answer: D
QUESTION 447 What does the Cloudlock Apps Firewall do to mitigate security concerns from an application perspective?

A. It allows the administrator to quarantine malicious files so that the application can function, just not maliciously.
B. It discovers and controls cloud apps that are connected to a company’s corporate environment.

C. It deletes any application that does not belong in the network.
D. It sends the application information to an administrator to act on.

Correct Answer: B

QUESTION 448 Which exfiltration method does an attacker use to hide and encode data inside DNS requests and queries?

A. DNS tunneling
B. DNSCrypt
C. DNS security
D. DNSSEC

Correct Answer: A
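A tunnel client has to push its data through the one field it controls, the query name, so the leading labels of a tunnelled domain look nothing like the handful of short hostnames an ordinary domain is queried for. The following is an added example, not a Cisco Umbrella feature or code from this page: it profiles constructed DNS query log lines per registered domain and flags the domain whose unique subdomains are long or high-entropy. The log format, the thresholds and the two-label registered-domain rule are assumptions made for the demo.

```python
"""Spot DNS tunnelling in query logs from the shape of the queried names.

Added example with constructed log lines in the format "<timestamp> <client>
<qtype> <qname>". A simple tunnel hex-encodes each data chunk into the leading
label; ordinary traffic queries a few short, repeated hostnames.
"""
import math
from collections import defaultdict
from typing import Dict, List

BENIGN = [f"2024-05-01T10:00:0{i}Z 10.0.0.5 A {host}.example.com"
          for i, host in enumerate(["www", "mail", "cdn", "static", "images", "www"])]
CHUNKS = [b"my secret data 001", b"my secret data 002", b"customer list p1",
          b"customer list p2", b"credentials dump a", b"credentials dump b"]
TUNNEL = [f"2024-05-01T10:01:0{i}Z 10.0.0.7 TXT {chunk.hex()}.exfil-example.net"
          for i, chunk in enumerate(CHUNKS)]
SAMPLE_LOG = BENIGN + TUNNEL


def shannon_entropy(text: str) -> float:
    """Bits per character; hex encoding caps this at 4, base32 at 5, base64 at 6."""
    if not text:
        return 0.0
    counts: Dict[str, int] = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname: str):
    """Return (leading labels, registered domain).

    Assumes a two-label registered domain; production code consults the public
    suffix list so that names under co.uk and similar suffixes group correctly.
    """
    labels = qname.rstrip(".").split(".")
    return labels[:-2], ".".join(labels[-2:])


def profile(log_lines: List[str]) -> Dict[str, dict]:
    """Aggregate, per registered domain, the features that separate tunnels from hosts."""
    per_domain: Dict[str, List[str]] = defaultdict(list)
    for line in log_lines:
        qname = line.split()[3]
        leading, domain = split_name(qname)
        if leading:
            per_domain[domain].append(".".join(leading))
    report = {}
    for domain, subs in per_domain.items():
        uniq = set(subs)
        report[domain] = {
            "queries": len(subs),
            "unique_subdomains": len(uniq),
            "mean_label_len": sum(len(s) for s in uniq) / len(uniq),
            "mean_entropy": sum(shannon_entropy(s) for s in uniq) / len(uniq),
        }
    return report


def flag_tunnels(log_lines: List[str], min_unique: int = 5,
                 len_threshold: int = 20, entropy_threshold: float = 3.0) -> Dict[str, dict]:
    """Thresholds are constructed starting points, to be tuned against a real baseline."""
    flagged = {}
    for domain, stats in profile(log_lines).items():
        if stats["unique_subdomains"] >= min_unique and (
                stats["mean_label_len"] >= len_threshold
                or stats["mean_entropy"] >= entropy_threshold):
            flagged[domain] = stats
    return flagged


if __name__ == "__main__":
    for domain, stats in flag_tunnels(SAMPLE_LOG).items():
        print(domain, stats)
```

Entropy alone is a weak signal (hex cannot exceed 4 bits per character, and CDN hostnames are often random-looking), which is why the rule also requires many distinct subdomains and long labels; query volume per client and the use of TXT or NULL record types are further features a production detector adds.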

QUESTION 449 Which algorithm provides encryption and authentication for data plane communication?

A. AES-GCM
B. SHA-96
C. AES-256
D. SHA-384

Correct Answer: A

QUESTION 450 Which technology reduces data loss by identifying sensitive information stored in public computing environments?

A. Cisco SDA
B. Cisco Firepower
C. Cisco HyperFlex
D. Cisco Cloudlock

Correct Answer: D

QUESTION 451
Refer to the exhibit. A threat actor behind a single computer exploited a cloud-based application by sending multiple concurrent API requests. These requests made the application unresponsive. Which solution protects the application from being overloaded and ensures more equitable application access across the end-user community?

A. Limit the number of API calls that a single client is allowed to make
B. Add restrictions on the edge router on how often a single client can access the API
C. Reduce the amount of data that can be fetched from the total pool of active clients that call the API
D. Increase the application cache of the total pool of active clients that call the API

Correct Answer: A
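Limiting what a single client may call is usually implemented as a per-client token bucket. The following is an added example, not a Cisco or vendor implementation: one bucket per client identity so a flooding host exhausts only its own allowance while other clients keep getting through, a lock because API handlers run concurrently, and an injectable clock so the constructed replay (one host firing 50 concurrent calls beside a normal user) is reproducible. Bucket capacity and refill rate are arbitrary demo values.

```python
"""Per-client token-bucket limiter for the API flood described above.

Added example, not a vendor implementation. Each client identity (API key,
authenticated user or source IP) gets its own bucket, so one client's burst
cannot consume another client's allowance. The clock is injectable so the
constructed replay below is deterministic.
"""
import threading
import time
from typing import Callable, Dict, List, Tuple


class TokenBucket:
    def __init__(self, capacity: int, refill_per_sec: float, now: float):
        self.capacity = capacity
        self.refill_per_sec = refill_per_sec
        self.tokens = float(capacity)
        self.last = now

    def try_consume(self, now: float, tokens: int = 1) -> bool:
        # Credit what accrued since the last call, never past the bucket's capacity.
        elapsed = max(0.0, now - self.last)
        self.tokens = min(self.capacity, self.tokens + elapsed * self.refill_per_sec)
        self.last = now
        if self.tokens >= tokens:
            self.tokens -= tokens
            return True
        return False


class PerClientLimiter:
    """One bucket per client identity; allow() is safe to call from many threads."""

    def __init__(self, capacity: int, refill_per_sec: float,
                 clock: Callable[[], float] = time.monotonic):
        self.capacity = capacity
        self.refill_per_sec = refill_per_sec
        self._clock = clock
        self._buckets: Dict[str, TokenBucket] = {}
        self._lock = threading.Lock()   # API handlers call allow() concurrently

    def allow(self, client_id: str) -> bool:
        now = self._clock()
        with self._lock:
            bucket = self._buckets.get(client_id)
            if bucket is None:
                bucket = TokenBucket(self.capacity, self.refill_per_sec, now)
                self._buckets[client_id] = bucket
            return bucket.try_consume(now)


class FakeClock:
    """Manually advanced clock so the replay is reproducible."""
    def __init__(self) -> None:
        self.t = 0.0

    def __call__(self) -> float:
        return self.t


def replay(limiter: PerClientLimiter, clock: FakeClock,
           requests: List[Tuple[float, str]]) -> Dict[str, Tuple[int, int]]:
    """Feed (time, client) requests in order; return per-client (allowed, rejected)."""
    tally: Dict[str, List[int]] = {}
    for t, client in requests:
        clock.t = t
        counts = tally.setdefault(client, [0, 0])
        counts[0 if limiter.allow(client) else 1] += 1
    return {client: (a, r) for client, (a, r) in tally.items()}


# Constructed scenario: one host fires 50 concurrent calls while a normal user
# makes 3; both come back two seconds later.
SCENARIO = ([(0.0, "attacker")] * 50 + [(0.0, "legit")] * 3
            + [(2.0, "attacker")] * 20 + [(2.0, "legit")])


def demo() -> Dict[str, Tuple[int, int]]:
    clock = FakeClock()
    limiter = PerClientLimiter(capacity=10, refill_per_sec=5.0, clock=clock)
    return replay(limiter, clock, SCENARIO)


if __name__ == "__main__":
    for client, (allowed, rejected) in demo().items():
        print(f"{client}: allowed={allowed} rejected={rejected}")
```

With a capacity of 10 and a refill of 5 tokens per second, the attacker gets 10 of its 50 initial calls and 10 of the 20 it retries two seconds later, while the legitimate user's 4 calls all succeed; a shared, global limit would have let the flood starve that user instead.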

QUESTION 452
DRAG DROP

An organization lost connectivity to critical servers, and users cannot access business applications and internal websites. An engineer checks the network devices to investigate the outage and determines that all devices
are functioning. Drag and drop the steps from the left into the sequence on the right to continue investigating this issue. Not all options are used.

Select and Place:

Correct Answer:

QUESTION 453
A threat actor attacked an organization’s Active Directory server from a remote location, and in a thirty-minute timeframe, stole the password for the administrator account and attempted to access 3 company servers. The
threat actor successfully accessed the first server that contained sales data, but no files were downloaded. A second server was also accessed that contained marketing information and 11 files were downloaded. When
the threat actor accessed the third server that contained corporate financial data, the session was disconnected, and the administrator’s account was disabled. Which activity triggered the behavior analytics tool?

A. accessing the Active Directory server
B. accessing the server with financial data
C. accessing multiple servers
D. downloading more than 10 files

Correct Answer: C

QUESTION 454
Refer to the exhibit. A security analyst needs to investigate a security incident involving several suspicious connections with a possible attacker. Which tool should the analyst use to identify the source IP of the offender?

A. packet sniffer
B. malware analysis
C. SIEM
D. firewall manager

Correct Answer: A

QUESTION 455
Refer to the exhibit. Cisco Advanced Malware Protection installed on an end-user desktop has automatically submitted a low prevalence file to the Threat Grid analysis engine for further analysis. What should be concluded from this report?

A. The prioritized behavioral indicators of compromise do not justify the execution of the “ransomware” because the scores do not indicate the likelihood of malicious ransomware.
B. The prioritized behavioral indicators of compromise do not justify the execution of the “ransomware” because the scores are high and do not indicate the likelihood of malicious ransomware.
C. The prioritized behavioral indicators of compromise justify the execution of the “ransomware” because the scores are high and indicate the likelihood that malicious ransomware has been detected.
D. The prioritized behavioral indicators of compromise justify the execution of the “ransomware” because the scores are low and indicate the likelihood that malicious ransomware has been detected.

Correct Answer: C

QUESTION 456
The physical security department received a report that an unauthorized person followed an authorized individual to enter a secured premise. The incident was documented and given to a security specialist to analyze.
Which step should be taken at this stage?

A. Determine the assets to which the attacker has access
B. Identify assets the attacker handled or acquired
C. Change access controls to high risk assets in the enterprise
D. Identify movement of the attacker in the enterprise

Correct Answer: D

QUESTION 457
A new malware variant is discovered hidden in pirated software that is distributed on the Internet. Executives have asked for an organizational risk assessment. The security officer is given a list of all assets. According to
NIST, which two elements are missing to calculate the risk assessment? (Choose two.)

A. incident response playbooks
B. asset vulnerability assessment
C. report of staff members with asset relations
D. key assets and executives
E. malware analysis report

Correct Answer: BE

QUESTION 458
Refer to the exhibit. At which stage of the threat kill chain is an attacker, based on these URIs of inbound web requests from known malicious Internet scanners?

A. exploitation
B. actions on objectives
C. delivery
D. reconnaissance

Correct Answer: C

QUESTION 459
Refer to the exhibit. How must these advisories be prioritized for handling?

A. The highest priority for handling depends on the type of institution deploying the devices
B. Vulnerability #2 is the highest priority for every type of institution
C. Vulnerability #1 and vulnerability #2 have the same priority
D. Vulnerability #1 is the highest priority for every type of institution

Correct Answer: D
---------------------------------------------------------------
End of Document