1. Home
  2. Cisco
  3. 300-215

Conducting Forensic Analysis and Incident Response Using Cisco Technologies for CyberOps (CBRFIR)

Exam Details

  • Exam Code
    :300-215
  • Exam Name
    :Conducting Forensic Analysis and Incident Response Using Cisco Technologies for CyberOps (CBRFIR)
  • Certification
    :CyberOps Professional
  • Vendor
    :Cisco
  • Total Questions
    :59 Q&As
  • Last Updated
    :Apr 25, 2024

Cisco CyberOps Professional 300-215 Questions & Answers

  • Question 1:

    An organization recovered from a recent ransomware outbreak that resulted in significant business damage. Leadership requested a report that identifies the problems that triggered the incident and the security team's approach to address these problems to prevent a reoccurrence. Which components of the incident should an engineer analyze first for this report?

    A. impact and flow

    B. cause and effect

    C. risk and RPN

    D. motive and factors

  • Question 2:

    Refer to the exhibit. A company that uses only the Unix platform implemented an intrusion detection system. After the initial configuration, the number of alerts is overwhelming, and an engineer needs to analyze and classify the alerts. The highest number of alerts were generated from the signature shown in the exhibit. Which classification should the engineer assign to this event?

    A. True Negative alert

    B. False Negative alert

    C. False Positive alert

    D. True Positive alert

  • Question 3:

    Refer to the exhibit. After a cyber attack, an engineer is analyzing an alert that was missed on the intrusion detection system. The attack exploited a vulnerability in a business critical, web-based application and violated its availability. Which two migration techniques should the engineer recommend? (Choose two.)

    A. encapsulation

    B. NOP sled technique

    C. address space randomization

    D. heap-based security

    E. data execution prevention

  • Question 4:

    An engineer is analyzing a ticket for an unexpected server shutdown and discovers that the web-server ran out of useable memory and crashed.

    Which data is needed for further investigation?

    A. /var/log/access.log

    B. /var/log/messages.log

    C. /var/log/httpd/messages.log

    D. /var/log/httpd/access.log

  • Question 5:

    Refer to the exhibit. An employee notices unexpected changes and setting modifications on their workstation and creates an incident ticket. A support specialist checks processes and services but does not identify anything suspicious. The ticket was escalated to an analyst who reviewed this event log and also discovered that the workstation had multiple large data dumps on network shares. What should be determined from this information?

    A. data obfuscation

    B. reconnaissance attack

    C. brute-force attack

    D. log tampering

  • Question 6:

    An organization uses a Windows 7 workstation for access tracking in one of their physical data centers on which a guard documents entrance/exit activities of all personnel. A server shut down unexpectedly in this data center, and a security specialist is analyzing the case. Initial checks show that the previous two days of entrance/exit logs are missing, and the guard is confident that the logs were entered on the workstation. Where should the security specialist look next to continue investigating this case?

    A. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Winlogon

    B. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\ProfileList

    C. HKEY_CURRENT_USER\Software\Classes\Winlog

    D. HKEY_LOCAL_MACHINES\SOFTWARE\Microsoft\WindowsNT\CurrentUser

  • Question 7:

    An engineer received a report of a suspicious email from an employee. The employee had already opened the attachment, which was an empty Word document. The engineer cannot identify any clear signs of compromise but while reviewing running processes, observes that PowerShell.exe was spawned by cmd.exe with a grandparent winword.exe process. What is the recommended action the engineer should take?

    A. Upload the file signature to threat intelligence tools to determine if the file is malicious.

    B. Monitor processes as this a standard behavior of Word macro embedded documents.

    C. Contain the threat for further analysis as this is an indication of suspicious activity.

    D. Investigate the sender of the email and communicate with the employee to determine the motives.

  • Question 8:

    Refer to the exhibit. What should be determined from this Apache log?

    A. A module named mod_ssl is needed to make SSL connections.

    B. The private key does not match with the SSL certificate.

    C. The certificate file has been maliciously modified

    D. The SSL traffic setup is improper

  • Question 9:

    Which tool is used for reverse engineering malware?

    A. Ghidra

    B. SNORT

    C. Wireshark

    D. NMAP

  • Question 10:

    A scanner detected a malware-infected file on an endpoint that is attempting to beacon to an external site. An analyst has reviewed the IPS and SIEM logs but is unable to identify the file's behavior. Which logs should be reviewed next to evaluate this file further?

    A. email security appliance

    B. DNS server

    C. Antivirus solution

    D. network device

Related Exams:

Tips on How to Prepare for the Exams

Nowadays, the certification exams become more and more important and required by more and more enterprises when applying for a job. But how to prepare for the exam effectively? How to prepare for the exam in a short time with less efforts? How to get a ideal result and how to find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provide not only Cisco exam questions, answers and explanations but also complete assistance on your exam preparation and certification application. If you are confused on your 300-215 exam preparations and Cisco certification application, do not hesitate to visit our Vcedump.com to find your solutions here.