Latest 350-201 Questions Help You Pass The Core Exam OF Cisco Certified CyberOps Professional Certification

Regina2021-08-23T03:34:52+00:00

Individuals who are planning for Cisco Certified CyberOps Professional Certification are required to pass the core exam 350-201 Performing CyberOps Using Core Security Technologies (CBRCOR) and the concentration exam 300-215 Conducting Forensic Analysis and Incident Response Using Cisco Technologies for CyberOps (CBRFIR). Good news for all individuals, the latest 350-201 questions have been released online to help you pass the core exam successfully. 350-201 exam questions from ITExamShop contain the real questions with the accurate answers. Individuals who choose this study guide online can read the Q&As to prepare for Cisco 350-201 CBRCOR exam well. Also, we have the valid 300-215 CBRFIR practice exam as your preparation materials. You can choose the CyberOps Professional Bundle (350-201&300-215) to learn both the two exam.

Here we will share the Cisco CyberOps Professional 350-201 free questions for checking first.

Page 1 of 4

1. Which bash command will print all lines from the “colors.txt” file containing the non case-sensitive pattern “Yellow”?

grep -i “yellow” colors.txt

locate “yellow” colors.txt

locate -i “Yellow” colors.txt

grep “Yellow” colors.txt

2. An engineer is moving data from NAS servers in different departments to a combined storage database so that the data can be accessed and analyzed by the organization on-demand .

Which data management process is being used?

data clustering

data regression

data ingestion

data obfuscation

3. A security manager received an email from an anomaly detection service, that one of their contractors has downloaded 50 documents from the company’s confidential document management folder using a company- owned asset al039-ice-4ce687TL0500. A security manager reviewed the content of downloaded documents and noticed that the data affected is from different departments .

What are the actions a security manager should take?

Measure confidentiality level of downloaded documents.

Report to the incident response team.

Escalate to contractor’s manager.

Communicate with the contractor to identify the motives.

4. A security analyst receives an escalation regarding an unidentified connection on the Accounting A1 server within a monitored zone. The analyst pulls the logs and discovers that a Powershell process and a WMI tool process were started on the server after the connection was established and that a PE format file was created in the system directory .

What is the next step the analyst should take?

Isolate the server and perform forensic analysis of the file to determine the type and vector of a possible attack

Identify the server owner through the CMDB and contact the owner to determine if these were planned and identifiable activities

Review the server backup and identify server content and data criticality to assess the intrusion risk

Perform behavioral analysis of the processes on an isolated workstation and perform cleaning procedures if the file is malicious

5. DRAG DROP

An organization lost connectivity to critical servers, and users cannot access business applications and internal websites. An engineer checks the network devices to investigate the outage and determines that all devices are functioning.

Drag and drop the steps from the left into the sequence on the right to continue investigating this issue. Not all options are used.

6. Refer to the exhibit.

Two types of clients are accessing the front ends and the core database that manages transactions, access control, and atomicity .

What is the threat model for the SQL database?

An attacker can initiate a DoS attack.

An attacker can read or change data.

An attacker can transfer data to an external server.

An attacker can modify the access logs.

7. Refer to the exhibit.

An engineer must tune the Cisco IOS device to mitigate an attack that is broadcasting a large number of ICMP packets. The attack is sending the victim’s spoofed source IP to a network using an IP broadcast address that causes devices in the network to respond back to the source IP address .

Which action does the engineer recommend?

Use command ip verify reverse-path interface

Use global configuration command service tcp-keepalives-out

Use subinterface command no ip directed-broadcast

Use logging trap 6

8. Refer to the exhibit.

Where is the MIME type that should be followed indicated?

x-test-debug

strict-transport-security

x-xss-protection

x-content-type-options

9. Refer to the exhibit.

Cisco Advanced Malware Protection installed on an end-user desktop automatically submitted a low prevalence file to the Threat Grid analysis engine .

What should be concluded from this report?

Threat scores are high, malicious ransomware has been detected, and files have been modified

Threat scores are low, malicious ransomware has been detected, and files have been modified

Threat scores are high, malicious activity is detected, but files have not been modified

Threat scores are low and no malicious file activity is detected

10. An engineer implemented a SOAR workflow to detect and respond to incorrect login attempts and anomalous user behavior. Since the implementation, the security team has received dozens of false positive alerts and negative feedback from system administrators and privileged users. Several legitimate users were tagged as a threat and their accounts blocked, or credentials reset because of unexpected login times and incorrectly typed credentials .

How should the workflow be improved to resolve these issues?

Meet with privileged users to increase awareness and modify the rules for threat tags and anomalous behavior alerts

Change the SOAR configuration flow to remove the automatic remediation that is increasing the false positives and triggering threats

Add a confirmation step through which SOAR informs the affected user and asks them to confirm whether they made the attempts

Increase incorrect login tries and tune anomalous user behavior not to affect privileged accounts

Page 2 of 4

11. Refer to the exhibit.

An organization is using an internal application for printing documents that requires a separate registration on the website.

The application allows format-free user creation, and users must match these required conditions to comply with the company’s user creation policy:

- minimum length: 3

- usernames can only use letters, numbers, dots, and underscores

- usernames cannot begin with a number

The application administrator has to manually change and track these daily to ensure compliance. An engineer is tasked to implement a script to automate the process according to the company user creation policy. The engineer implemented this piece of code within the application, but users are still able to create format-free usernames.

Which change is needed to apply the restrictions?

modify code to return error on restrictions def return false_user(username, minlen)

automate the restrictions def automate_user(username, minlen)

validate the restrictions, def validate_user(username, minlen)

modify code to force the restrictions, def force_user(username, minlen)

12. The SIEM tool informs a SOC team of a suspicious file. The team initializes the analysis with an automated sandbox tool, sets up a controlled laboratory to examine the malware specimen, and proceeds with behavioral analysis .

What is the next step in the malware analysis process?

Perform static and dynamic code analysis of the specimen.

Unpack the specimen and perform memory forensics.

Contain the subnet in which the suspicious file was found.

Document findings and clean-up the laboratory.

13. What is a limitation of cyber security risk insurance?

It does not cover the costs to restore stolen identities as a result of a cyber attack

It does not cover the costs to hire forensics experts to analyze the cyber attack

It does not cover the costs of damage done by third parties as a result of a cyber attack

It does not cover the costs to hire a public relations company to help deal with a cyber attack

14. Refer to the exhibit.

Which data format is being used?

JSON

HTML

XML

CSV

15. Refer to the exhibit.

An engineer received a report that an attacker has compromised a workstation and gained access to sensitive customer data from the network using insecure protocols .

Which action prevents this type of attack in the future?

Use VLANs to segregate zones and the firewall to allow only required services and secured protocols

Deploy a SOAR solution and correlate log alerts from customer zones

Deploy IDS within sensitive areas and continuously update signatures

Use syslog to gather data from multiple sources and detect intrusion logs for timely responses

16. Refer to the exhibit.

Where does it signify that a page will be stopped from loading when a scripting attack is detected?

x-frame-options

x-content-type-options

x-xss-protection

x-test-debug

17. A malware outbreak is detected by the SIEM and is confirmed as a true positive. The incident response team follows the playbook to mitigate the threat .

What is the first action for the incident response team?

Assess the network for unexpected behavior

Isolate critical hosts from the network

Patch detected vulnerabilities from critical hosts

Perform analysis based on the established risk factors

18. Refer to the exhibit.

What is the connection status of the ICMP event?

blocked by a configured access policy rule

allowed by a configured access policy rule

blocked by an intrusion policy rule

allowed in the default action

19. A SOC team receives multiple alerts by a rule that detects requests to malicious URLs and informs the incident response team to block the malicious URLs requested on the firewall.

Which action will improve the effectiveness of the process?

Block local to remote HTTP/HTTPS requests on the firewall for users who triggered the rule.

Inform the user by enabling an automated email response when the rule is triggered.

Inform the incident response team by enabling an automated email response when the rule is triggered.

Create an automation script for blocking URLs on the firewall when the rule is triggered.

20. A security engineer discovers that a spreadsheet containing confidential information for nine of their employees was fraudulently posted on a competitor’s website. The spreadsheet contains names, salaries, and social security numbers .

What is the next step the engineer should take in this investigation?

Determine if there is internal knowledge of this incident.

Check incoming and outgoing communications to identify spoofed emails.

Disconnect the network from Internet access to stop the phishing threats and regain control.

Engage the legal department to explore action against the competitor that posted the spreadsheet.

Page 3 of 4

21. What is a principle of Infrastructure as Code?

System maintenance is delegated to software systems

Comprehensive initial designs support robust systems

Scripts and manual configurations work together to ensure repeatable routines

System downtime is grouped and scheduled across the infrastructure

22. A company’s web server availability was breached by a DDoS attack and was offline for 3 hours because it was not deemed a critical asset in the incident response playbook. Leadership has requested a risk assessment of the asset. An analyst conducted the risk assessment using the threat sources, events, and vulnerabilities .

Which additional element is needed to calculate the risk?

assessment scope

event severity and likelihood

incident response playbook

risk model framework

23. Refer to the exhibit.

What results from this script?

Seeds for existing domains are checked

A search is conducted for additional seeds

Domains are compared to seed rules

A list of domains as seeds is blocked

24. After a recent malware incident, the forensic investigator is gathering details to identify the breach and causes. The investigator has isolated the affected workstation .

What is the next step that should be taken in this investigation?

Analyze the applications and services running on the affected workstation.

Compare workstation configuration and asset configuration policy to identify gaps.

Inspect registry entries for recently executed files.

Review audit logs for privilege escalation events.

25. Which action should be taken when the HTTP response code 301 is received from a web application?

Update the cached header metadata.

Confirm the resource’s location.

Increase the allowed user limit.

Modify the session timeout setting.

26. How is a SIEM tool used?

To collect security data from authentication failures and cyber attacks and forward it for analysis

To search and compare security data against acceptance standards and generate reports for analysis

To compare security alerts against configured scenarios and trigger system responses

To collect and analyze security data from network devices and servers and produce alerts

27. A security expert is investigating a breach that resulted in a $32 million loss from customer accounts. Hackers were able to steal API keys and two-factor codes due to a vulnerability that was introduced in a new code a few weeks before the attack .

Which step was missed that would have prevented this breach?

use of the Nmap tool to identify the vulnerability when the new code was deployed

implementation of a firewall and intrusion detection system

implementation of an endpoint protection system

use of SecDevOps to detect the vulnerability during development

28. A SOC team is informed that a UK-based user will be traveling between three countries over the next 60 days.

Having the names of the 3 destination countries and the user's working hours, what must the analyst do next to detect an abnormal behavior?

Create a rule triggered by 3 failed VPN connection attempts in an 8-hour period

Create a rule triggered by 1 successful VPN connection from any nondestination country

Create a rule triggered by multiple successful VPN connections from the destination countries

Analyze the logs from all countries related to this user during the traveling period

29. A SOC analyst is notified by the network monitoring tool that there are unusual types of internal traffic on IP subnet 103.861.2117.0/24. The analyst discovers unexplained encrypted data files on a computer system that belongs on that specific subnet .

What is the cause of the issue?

DDoS attack

phishing attack

virus outbreak

malware outbreak

30. An API developer is improving an application code to prevent DDoS attacks. The solution needs to accommodate instances of a large number of API requests coming for legitimate purposes from trustworthy services .

Which solution should be implemented?

Restrict the number of requests based on a calculation of daily averages. If the limit is exceeded, temporarily block access from the IP address and return a 402 HTTP error code.

Implement REST API Security Essentials solution to automatically mitigate limit exhaustion. If the limit is exceeded, temporarily block access from the service and return a 409 HTTP error code.

Increase a limit of replies in a given interval for each AP

If the limit is exceeded, block access from the API key permanently and return a 450 HTTP error code.

Apply a limit to the number of requests in a given time interval for each AP

If the rate is exceeded, block access from the API key temporarily and return a 429 HTTP error code.

Page 4 of 4

31. Refer to the exhibit.

Where are the browser page rendering permissions displayed?

X-Frame-Options

X-XSS-Protection

Content-Type

Cache-Control

32. What is the difference between process orchestration and automation?

Orchestration combines a set of automated tools, while automation is focused on the tools to automate process flows.

Orchestration arranges the tasks, while automation arranges processes.

Orchestration minimizes redundancies, while automation decreases the time to recover from redundancies.

Automation optimizes the individual tasks to execute the process, while orchestration optimizes frequent and repeatable processes.

33. Refer to the exhibit.

Which asset has the highest risk value?

servers

website

payment process

secretary workstation

34. An organization installed a new application server for IP phones. An automated process fetched user credentials from the Active Directory server, and the application will have access to on-premises and cloud services .

Which security threat should be mitigated first?

aligning access control policies

exfiltration during data transfer

attack using default accounts

data exposure from backups

35. An analyst received multiple alerts on the SIEM console of users that are navigating to malicious URLs. The analyst needs to automate the task of receiving alerts and processing the data for further investigations. Three variables are available from the SIEM console to include in an automation script: console_ip, api_token, and reference_set_name .

What must be added to this script to receive a successful HTTP response?

#!/usr/bin/python import sys import requests

{1}, {2}

{1}, {3}

console_ip, api_token

console_ip, reference_set_name

Welcome To Choose Required IT Certification Exams Online

Latest 350-201 Questions Help You Pass The Core Exam OF Cisco Certified CyberOps Professional Certification

Here we will share the Cisco CyberOps Professional 350-201 free questions for checking first.

Author