Cisco 200-201 Online Practice Questions and Exam Preparation

Cisco 200-201 Online Questions & Answers

• Question 231:

  Refer to the exhibit.

  

  Which type of log is displayed?

  A. IDS
  B. proxy
  C. NetFlow
  D. sys
  A. IDS

  ---

  Explanation

  You also see the 5-tuple in IPS events, NetFlow records, and other event data. In fact, on the exam you may need to differentiate between a firewall log versus a traditional IPS or IDS event. One of the things to remember is that traditional IDS and IPS use signatures, so an easy way to differentiate is by looking for a signature ID (SigID). If you see a signature ID, then most definitely the event is a traditional IPS or IDS event.

• Question 232:

  An engineer needs to fetch logs from a proxy server and generate actual events according to the data received.

  Which technology should the engineer use to accomplish this task?

  A. Firepower
  B. Email Security Appliance
  C. Web Security Appliance
  D. Stealthwatch
  D. Stealthwatch

• Question 233:

  An offline audit log contains the source IP address of a session suspected to have exploited a vulnerability resulting in system compromise.

  Which kind of evidence is this IP address?

  A. best evidence
  B. corroborative evidence
  C. indirect evidence
  D. forensic evidence
  B. corroborative evidence

• Question 234:

  Refer to the exhibit.

  

  An analyst receives an IDS alert pertaining to a possible data exfiltration attempt. An additional set of logs is collected from different systems and analyzed.

  Which type of evidence do the logs provide in relation to the primary alert from the IDS?

  A. corroborative evidence
  B. primary evidence
  C. circumstantial evidence
  D. secondary evidence
  A. corroborative evidence

  ---

  Explanation

  In cybersecurity operations, evidence classification is critical for incident investigation and validation. An Intrusion Detection System (IDS) alert serves as the initial indicator of suspicious activity, such as potential data exfiltration. However, IDS alerts alone are often insufficient to confirm malicious behavior, as they may produce false positives or incomplete context. The additional logs collected-such as firewall logs, authentication logs, system event logs, and network traffic logs-are used to support, validate, and confirm the original alert. These logs show related activity from the same source IP, including successful authentication, failed login attempts, and observed data transfers over HTTP. When multiple independent data sources align with the original IDS alert, they strengthen the confidence that the activity is real and malicious.

  This type of supporting information is known as corroborative evidence. Corroborative evidence does not stand alone as the initial detection but reinforces the validity of primary evidence by confirming the same behavior across different systems and logs. Cybersecurity operations documentation emphasizes log correlation as a foundational SOC function precisely for this reason. Primary evidence would be the original IDS alert itself, as it directly detected the suspicious activity. Circumstantial evidence implies indirect inference without direct linkage, which is not the case here because the logs clearly relate to the same host and timeline. Secondary evidence typically refers to derivative or summarized data rather than direct system-generated records. By correlating IDS alerts with firewall, authentication, and network logs, analysts build a reliable incident narrative and reduce false positives. Therefore, the logs collected provide corroborative evidence, making Option A the correct answer.

• Question 235:

  Which of these describes volatile evidence?

  A. logs
  B. registers and cache
  C. disk and removable drives
  D. usernames
  B. registers and cache

  ---

  Explanation

  Caches and Registers-Data in memory is the most volatile. This includes data in centralprocessor unit (CPU) registers, caches, and system random access memory(RAM).- The data in cache and CPU registers is the most volatile, mostlybecause the storage space is so small.

  https://blogs.getcertifiedgetahead.com/cfr-and-order-of-volatility/#:~:text=Caches%20and%20Registers,storage%20space%20is%20so%20small.

• Question 236:

  What is the difference between inline traffic interrogation and traffic mirroring?

  A. Inline interrogation is less complex as traffic mirroring applies additional tags to data.
  B. Traffic mirroring copies the traffic rather than forwarding it directly to the analysis tools
  C. Inline replicates the traffic to preserve integrity rather than modifying packets before sending them to other analysis tools.
  D. Traffic mirroring results in faster traffic analysis and inline is considerably slower due to latency.
  B. Traffic mirroring copies the traffic rather than forwarding it directly to the analysis tools

  ---

  Explanation

  Inline inspection - Inline traffic interrogation is a technique in which traffic flows through a device that inspects the traffic and makes decisions about how to handle it. The inspection takes place in real-time and in-line with the traffic flow.

  Traffic mirroring - Traffic mirroring, also known as port mirroring or SPAN (Switched Port Analyzer), is a technique for forwarding a copy of network traffic to a monitoring device. The copy of the traffic is sent to a separate tool for analysis, security or other purposes.

• Question 237:

  Refer to the exhibit.

  

  What kind of activity occurs in the network?

  A. TCP reset attack
  B. DNS redirect attack
  C. DNS flood
  D. UDP flood
  D. UDP flood

• Question 238:

  Which statement describes threat hunting?

  A. It is an activity by an entity to deliberately bring down critical internal servers.
  B. It includes any activity that might go after competitors and adversaries to infiltrate their systems.
  C. It is a vulnerability assessment conducted by cyber professionals.
  D. It is a prevention activity to detect signs of intrusion, compromise, data theft, abnormalities, or malicious activity.
  D. It is a prevention activity to detect signs of intrusion, compromise, data theft, abnormalities, or malicious activity.

• Question 239:

  Refer to the exhibit.

  

  What is occurring?

  A. DNS amplification attack
  B. Brute force attack
  C. ARP poisoning
  D. Denial of service
  A. DNS amplification attack

• Question 240:

  How is NetFlow different from traffic mirroring?

  A. NetFlow collects metadata and traffic mirroring clones data.
  B. Traffic mirroring impacts switch performance and NetFlow does not.
  C. Traffic mirroring costs less to operate than NetFlow.
  D. NetFlow generates more data than traffic mirroring.
  A. NetFlow collects metadata and traffic mirroring clones data.