200-201 Exam Dumps - Try Best 200-201 Exam Questions from Training Expert Lead1Pass
Practice Examples and Dumps & Tips for 2026 Latest 200-201 Valid Tests Dumps
NEW QUESTION # 122
Exhibit.
An engineer received a ticket about a slowdown of a web application, Drug analysis of traffic, the engineer suspects a possible attack on a web server. How should the engineer interpret the Wiresharat traffic capture?
- A. 10.0.0.2 sends HTTP FORBIDDEN /1.1 And Post request, while the target responds with HTTP/1.1
200 Get and HTTP/1.1 403. This is an HTTP GET flood attack. - B. 10.128.0.2 sends HTTP/FORBIDDEN/ 1.1 and Get requests, and the target responds with HTTP/1.1
200 OK and HTTP/1.1 403. This is an HTTP cache bypass attack. - C. 10.0.0.2 sends GET/ HTTP/1.1 And Post request and the target responds with HTTP/1.1. 200 OC and HTTP/1.1 403 accordingly. This is an HTTP flood attempt.
- D. 10.128.0.2 sends POST/1.1 And POST requests, and the target responds with HTTP/1.1 200 Ok and HTTP/1.1 403 accordingly. This is an HTTP Reserve Bandwidth flood.
Answer: A
Explanation:
When analyzing Wireshark traffic for potential attacks, an engineer should look for patterns that indicate abnormal behavior, such as:
* Excessive Requests: A high number of requests over a short period could suggest an attempt to overwhelm the server, known as an HTTP flood.
* Status Codes: Repeated 403 Forbidden responses may indicate that the server is rejecting requests due to a security rule being triggered.
* Request Types: A mix of GET and POST requests could be used in various attack scenarios, including bandwidth flooding or cache bypassing.
NEW QUESTION # 123
An engineer is working with the compliance teams to identify the data passing through the network. During analysis, the engineer informs the compliance team that external penmeter data flows contain records, writings, and artwork Internal segregated network flows contain the customer choices by gender, addresses, and product preferences by age. The engineer must identify protected data. Which two types of data must be identified'? (Choose two.)
- A. copyright
- B. PCI
- C. PII
- D. SOX
- E. PHI
Answer: C,E
Explanation:
Protected data refers to any information that can be used on its own or with other information to identify, contact, or locate a single person, or to identify an individual in context. In the scenario described, the engineer must identify data that is considered protected under privacy laws and regulations. Personal Identifiable Information (PII) and Protected Health Information (PHI) are two types of data that are considered protected.
PII includes any data that could potentially identify a specific individual, such as addresses and gender. PHI refers to any information about health status, provision of health care, or payment for health care that can be linked to an individual. This is what makes both PII and PHI crucial to be identified and protected in compliance with data protection regulations.
References: The Understanding Cisco Cybersecurity Operations Fundamentals (CBROPS) course provides insights into identifying protected data and the importance of safeguarding it within a network1.
NEW QUESTION # 124
What is a benefit of using asymmetric cryptography?
- A. decrypts data with one key
- B. fast data transfer
- C. secure data transfer
- D. encrypts data with one key
Answer: C
NEW QUESTION # 125
An investigator is examining a copy of an ISO file that is stored in CDFS format. What type of evidence is this file?
- A. data from a DVD copied using Windows system
- B. data from a CD copied using Mac-based system
- C. data from a CD copied using Windows
- D. data from a CD copied using Linux system
Answer: B
Explanation:
CDFS stands for Compact Disc File System, which is a file system used by Mac OS to store data on CDs.
CDFS is also known as ISO 9660, which is a standard format for data interchange on optical discs. CDFS allows files to be accessed by different operating systems, such as Windows, Linux, and Mac OS. Therefore, an ISO file that is stored in CDFS format is data from a CD copied using Mac-based system. References := Understanding Cisco Cybersecurity Operations Fundamentals (CBROPS) v1.0, Module 4: Network Intrusion Analysis, Lesson 4.4: File Type Analysis, Topic 4.4.1: File Systems, page 4-40.
NEW QUESTION # 126
What is the impact of false negative alerts when compared to true negative alerts?
- A. A false negative is someone trying to hack into the system and no alert is raised, and a true negative is an event that never happened and an alert was not raised.
- B. A true negative is a legitimate attack that triggers a brute force alert, and a false negative is when no alert and no attack is occurring.
- C. A true negative is an alert for an exploit attempt when no attack was detected, and a false negative is when no attack happens and an alert is still raised.
- D. A false negative is an event that alerts for injection attack when no attack is happening, and a true negative is an attack that happens and an alert that is appropriately raised.
Answer: A
NEW QUESTION # 127
What is the purpose of command and control for network-aware malware?
- A. It takes over the user account for analysis
- B. It controls and shuts down services on the infected host.
- C. It helps the malware to profile the host
- D. It contacts a remote server for commands and updates
Answer: D
NEW QUESTION # 128
Refer to exhibit.
An analyst performs the analysis of the pcap file to detect the suspicious activity. What challenges did the analyst face in terms of data visibility?
- A. data encryption
- B. code obfuscation
- C. IP fragmentation
- D. data encapsulation
Answer: A
Explanation:
When analyzing a pcap file, data encryption can pose a significant challenge in terms of visibility. Encrypted data cannot be easily inspected, which means that the analyst may not be able to view the contents of the network packets to detect suspicious activity.
The answers are based on the general knowledge of host-based firewalls and the challenges faced during the analysis of pcap files in cybersecurity, as outlined in Cisco's cybersecurity documentation and resources.
NEW QUESTION # 129
Refer to the exhibit.
During the analysis of a suspicious scanning activity incident, an analyst discovered multiple local TCP connection events Which technology provided these logs?
- A. IDS/IPS
- B. antivirus
- C. proxy
- D. firewall
Answer: D
NEW QUESTION # 130
Refer to the exhibit.
What is shown in this PCAP file?
- A. Timestamps are indicated with error.
- B. The HTTP GET is encoded.
- C. The protocol is TCP.
- D. The User-Agent is Mozilla/5.0.
Answer: A
NEW QUESTION # 131
Refer to the exhibit.
Refer to the exhibit. An engineer must use a 5-tuple approach to isolate a compromised host in a grouped set of logs.
Which data must the engineer use?
- A. 0
- B. 1
- C. 7c:5c:f8:9f:d1:fc
- D. b4:2a0ef227 83
Answer: B
NEW QUESTION # 132
Refer to the exhibit.
In which Linux log file is this output found?
- A. /var/log/auth.log
- B. /var/log/authorization.log
- C. var/log/var.log
- D. /var/log/dmesg
Answer: A
NEW QUESTION # 133
A user received a targeted spear-phishing email and identified it as suspicious before opening the content. To which category of the Cyber Kill Chain model does to this type of event belong?
- A. exploitation
- B. reconnaissance
- C. delivery
- D. weaponization
Answer: C
Explanation:
The delivery phase of the Cyber Kill Chain model involves the transmission of the weapon to the targeted environment. In the case of a spear-phishing email, the delivery is the act of sending the email to the user. The email itself is the weapon, designed to exploit the recipient's trust to cause a breach
NEW QUESTION # 134
Refer to the exhibit.
An analyst received this alert from the Cisco ASA device, and numerous activity logs were produced. How should this type of evidence be categorized?
- A. best
- B. circumstantial
- C. indirect
- D. corroborative
Answer: D
Explanation:
Explanation
Indirect=circumstantail so there is no posibility to match A or B (only one answer is needed in this question).
For suer it's not a BEST evidence - this FW data inform only of DROPPED traffic. If smth happend inside network, presented evidence could be used to support other evidences or make our narreation stronger but alone it's mean nothing.
NEW QUESTION # 135
Which type of attack is a blank email with the subject "price deduction" that contains a malicious attachment?
- A. phishing attack
- B. integrity violation
- C. smishing
- D. man-in-the-middle attack
Answer: A
NEW QUESTION # 136
Refer to the exhibit.
What is shown in this PCAP file?
- A. The User-Agent is Mozilla/5.0.
- B. Timestamps are indicated with error.
- C. The HTTP GET is encoded.
- D. The protocol is TCP.
Answer: A
Explanation:
The PCAP file shows a network packet capture of an HTTP GET request from a client to a server. The User-Agent header field identifies the type and version of the client software that generated the request. In this case, the User-Agent is Mozilla/5.0, which indicates that the client is using a Mozilla-based browser or application. The User-Agent can help the server to customize the response based on the client's capabilities and preferences. Reference: Understanding Cisco Cybersecurity Operations Fundamentals (CBROPS) v1.0, Module 3: Network Protocols and Services, Lesson 3.2: HTTP and HTTPS, Topic 3.2.1: HTTP Headers.
1of30
NEW QUESTION # 137
Refer to the exhibit.
A company's user HTTP connection to a malicious site was blocked according to configured policy What is the source technology used for this measure'?
- A. network application control
- B. web proxy
- C. IPS
- D. firewall
Answer: B
Explanation:
A web proxy is the technology used to block a user's HTTP connection to a malicious site according to configured policy. It acts as an intermediary between users and the internet, enforcing security policies and preventing access to harmful sites by inspecting and managing web traffic.
NEW QUESTION # 138
Which list identifies the information that the client sends to the server in the negotiation phase of the TLS handshake?
- A. ClientStart, ClientKeyExchange, cipher-suites it supports, and suggested compression methods
- B. ClientStart, TLS versions it supports, cipher-suites it supports, and suggested compression methods
- C. ClientHello, ClientKeyExchange, cipher-suites it supports, and suggested compression methods
- D. ClientHello, TLS versions it supports, cipher-suites it supports, and suggested compression methods
Answer: D
NEW QUESTION # 139
Refer to the exhibit.
An attacker gained initial access to the company s network and ran an Nmap scan to advance with the lateral movement technique and to search the sensitive data Which two elements can an attacker identify from the scan? (Choose two.)
- A. user accounts and SID
- B. functionality and purpose of the server
- C. running services
- D. workload and the configuration details
- E. number of users and requests that the server is handling
Answer: B,C
Explanation:
An Nmap scan can provide detailed information about a network including the functionality and purpose of servers on that network as well as any services that are currently running on those servers. This information can be used by an attacker to identify potential vulnerabilities or targets for exploitation during a cyber attack.
References := Cisco Cybersecurity Training
NEW QUESTION # 140
An engineer received a flood of phishing emails from HR with the source address HRjacobm@companycom. What is the threat actor in this scenario?
- A. HR
- B. sender
- C. receiver
- D. phishing email
Answer: B
Explanation:
In the context of phishing emails, the threat actor is the entity that is responsible for initiating the threat, which in this case is the sender of the phishing emails. The sender is impersonating the HR department to deceive the receiver into believing that the emails are legitimate
NEW QUESTION # 141
An analyst is using the SIEM platform and must extract a custom property from a Cisco device and capture the phrase, "File: Clean." Which regex must the analyst import?
- A. ^Parent File Clean$
- B. File: Clean (.*)
- C. ^File: Clean$
- D. File: Clean
Answer: D
Explanation:
A regular expression (regex) is a sequence of characters that defines a search pattern for text. A regex can be used to extract custom properties from log messages or events in a SIEM platform. In this case, the regex that matches the phrase "File: Clean" exactly is ^File: Clean$. The ^ symbol indicates the beginning of the line and the $ symbol indicates the end of the line. The regex ensures that no other characters are before or after the phrase. References:
* Understanding Cisco Cybersecurity Operations Fundamentals (CBROPS) - Cisco, Module 5: Security Policies and Procedures, Lesson 5.3: Data and Event Analysis
* 200-201 CBROPS - Cisco, Exam Topics, 5.0 Security Policies and Procedures, 5.3 Analyze data as part of security monitoring activities
* Cisco Certified CyberOps Associate Overview - Cisco Learning Network, Videos, 5.3 Analyze data as part of security monitoring activities
NEW QUESTION # 142
Refer to the exhibit.
An analyst was given a PCAP file, which is associated with a recent intrusion event in the company FTP server Which display filters should the analyst use to filter the FTP traffic?
- A. tcpport = FTP
- B. dstport == FTP
- C. tcp.port==21
- D. dstport = 21
Answer: C
Explanation:
The correct display filter for analyzing FTP traffic in a PCAP file is "tcp.port==21". This filter will show all TCP packets where the port number is 21, which is the standard port for FTP control messages.
NEW QUESTION # 143
An engineer configured regular expression "."\.(pd][Oo][Cc)|[Xx][LI][Ss]|[Pp][Pp][Tt]) HTTP/1 .[01]" on Cisco ASA firewall. What does this regular expression do?
- A. It captures .doc, .xls, and .pdf files in HTTP v1.0 and v1.1.
- B. It captures Word, Excel, and PowerPoint files in HTTPv1.0 and v1.1.
- C. It captures documents in an HTTP network session.
- D. It captures .doc, .xls, and .ppt files extensions in HTTP v1.0.
Answer: B
Explanation:
The regular expression provided is: .\.(pd][Oo][Cc)|[Xx][LI][Ss]|[Pp][Pp][Tt]) HTTP/1 .[01] This regular expression is designed to match file extensions for Word (.doc), Excel (.xls), and PowerPoint (.ppt) files in HTTP network sessions.
The regular expression uses character classes and alternatives to match different case variations of these file extensions.
The part .\.(pd][Oo][Cc)|[Xx][LI][Ss]|[Pp][Pp][Tt]) matches the file extensions, and HTTP/1 .[01] ensures that the match is in the context of HTTP version 1.0 or 1.1.
Reference:
Cisco ASA Regular Expressions Documentation
Understanding Regular Expressions in Network Security
Filtering and Capturing HTTP Traffic with Regex
NEW QUESTION # 144
......
Cisco CyberOps Job Roles
We don’t miss a case of massive security breaches every year, which only goes to show why cybersecurity specialists are in high demand these days. In essence, cybersecurity is a sophisticated niche, with many organizations now willing to work with a team of security specialists as part of Security Operations Centers (SOC), which brings us to the question, which roles can you qualify for after passing 200-201 test? Well, with security still a vital component of many networking roles, it’s easy to see a lot of overlapping roles between these two paths. The four most popular roles that you can qualify for after completing this training include the following:
- Network Security Engineer;
- Information Security Analyst;
- Security Engineer.
- Cybersecurity Engineer;
Latest 100% Passing Guarantee - Brilliant 200-201 Exam Questions PDF: https://simplilearn.lead1pass.com/Cisco/200-201-practice-exam-dumps.html