Cisco (350-201-CBRCOR) Exam Questions And Answers page 3
Refer to the exhibit. An engineer configured this SOAR solution workflow to identify account theft threats and privilege escalation, evaluate risk, and respond by resolving the threat. This solution is handling more threats than security analysts have time to analyze. Without this analysis, the team cannot be proactive and anticipate attacks. Which action will accomplish this goal?
Include a step Take a Snapshot to capture the endpoint state to contain the threat for analysis
Exclude the step Check for GeoIP location to allow analysts to analyze the location and the associated risk based on asset criticality
Include a step Reporting to alert the security department of threats identified by the SOAR reporting engine
Security Concepts
Threat Intelligence and Incident Response
Refer to the exhibit. Cisco Advanced Malware Protection installed on an end-user desktop has automatically submitted a low prevalence file to the Threat Grid analysis engine for further analysis. What should be concluded from this report?
The prioritized behavioral indicators of compromise do not justify the execution of the ransomware because the scores do not indicate the likelihood of malicious ransomware.
The prioritized behavioral indicators of compromise do not justify the execution of the ransomware because the scores are high and do not indicate the likelihood of malicious ransomware.
The prioritized behavioral indicators of compromise justify the execution of the ransomware because the scores are high and indicate the likelihood that malicious ransomware has been detected.
The prioritized behavioral indicators of compromise justify the execution of the ransomware because the scores are low and indicate the likelihood that malicious ransomware has been detected.
Endpoint Security
Threat Intelligence and Incident Response
An engineer receives a report that indicates a possible incident of a malicious insider sending company information to outside parties. What is the first action the engineer must take to determine whether an incident has occurred?
Analyze environmental threats and causes
Inform the product security incident response team to investigate further
Analyze the precursors and indicators
Inform the computer security incident response team to investigate further
Security Concepts
Threat Intelligence and Incident Response
An organization is using a PKI management server and a SOAR platform to manage the certificate lifecycle. The SOAR platform queries a certificate management tool to check all endpoints for SSL certificates that have either expired or are nearing expiration. Engineers are struggling to manage problematic certificates outside of PKI management since deploying certificates and tracking them requires searching server owners manually. Which action will improve workflow automation?
Implement a new workflow within SOAR to create tickets in the incident response system, assign problematic certificate update requests to server owners, and register change requests.
Integrate a PKI solution within SOAR to create certificates within the SOAR engines to track, update, and monitor problematic certificates.
Implement a new workflow for SOAR to fetch a report of assets that are outside of the PKI zone, sort assets by certification management leads and automate alerts that updates are needed.
Integrate a SOAR solution with Active Directory to pull server owner details from the AD and send an automated email for problematic certificates requesting updates.
Security Concepts
Endpoint Security
Refer to the exhibit. An engineer notices a significant anomaly in the traffic in one of the host groups in Cisco Secure Network Analytics (Stealthwatch) and must analyze the top data transmissions. Which tool accomplishes this task?
Top Peers
Top Hosts
Top Conversations
Top Ports
Network Security
Security Operations and Technology
Refer to the exhibit. What is the connection status of the ICMP event?
blocked by a configured access policy rule
allowed by a configured access policy rule
blocked by an intrusion policy rule
allowed in the default action
Security Concepts
Network Security
Refer to the exhibit. What is occurring in this packet capture?
TCP port scan
TCP flood
DNS flood
DNS tunneling
Security Concepts
Network Security
Refer to the exhibit. IDS is producing an increased amount of false positive events about brute force attempts on the organization's mail server. How should the Snort rule be modified to improve performance?
Block list of internal IPs from the rule
Change the rule content match to case sensitive
Set the rule to track the source IP
Tune the count and seconds threshold of the rule
Network Security
Threat Intelligence and Incident Response
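The brute-force question above turns on how Snort's count/seconds threshold behaves: a rule that fires on every single "AUTH LOGIN" from any source alerts on the legitimate mail gateway just as readily as on an attacker, and a threshold that is set too low still lets normal traffic cross it. The following added example (written for this page, not the rule from the exhibit or any Cisco code) emulates Snort's `detection_filter: track by_src, count <c>, seconds <s>` semantics in Python over a constructed set of SMTP authentication events, so the effect of tuning count and seconds can be seen directly. The rule text, IP addresses and timestamps are all constructed for illustration; the sliding-window check is an approximation of Snort's sampling period, which is close enough to show why the tuned threshold removes the false positives.

```python
from collections import defaultdict, deque

# Constructed example of a tuned rule; the exhibit's actual rule is not reproduced here.
# detection_filter makes the rule alert only after a source exceeds `count` matches
# within `seconds`, tracked per source IP (track by_src).
TUNED_RULE = (
    'alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 '
    '(msg:"SMTP AUTH brute force"; flow:to_server,established; '
    'content:"AUTH LOGIN"; nocase; '
    'detection_filter:track by_src, count 10, seconds 60; '
    'sid:1000001; rev:2;)'
)

# Constructed events, (timestamp_in_seconds, source_ip), standing in for rule matches:
#  - 10.0.0.5 is a legitimate mail gateway that authenticates 5 times in a minute
#  - 203.0.113.7 is a brute-forcer that tries 15 logins in under 30 seconds
SAMPLE_EVENTS = [(i * 12, "10.0.0.5") for i in range(5)] + \
                [(100 + i * 2, "203.0.113.7") for i in range(15)]


def detection_filter(events, count, seconds):
    """Emulate Snort detection_filter (track by_src).

    For each source, keep the timestamps of its matches inside the last `seconds`;
    an event produces an alert once that window holds more than `count` matches,
    i.e. the rule fires from the (count+1)-th match onward inside the period.
    count=0 is used here to mean "no filter" (Snort itself requires a nonzero count).
    Returns the list of (timestamp, src) pairs that would have produced an alert.
    """
    windows = defaultdict(deque)
    alerts = []
    for ts, src in sorted(events):
        win = windows[src]
        while win and ts - win[0] >= seconds:   # drop matches that fell out of the window
            win.popleft()
        win.append(ts)
        if len(win) > count:
            alerts.append((ts, src))
    return alerts


def alert_sources(alerts):
    """Set of source IPs that triggered at least one alert."""
    return {src for _, src in alerts}


if __name__ == "__main__":
    for count, seconds in ((0, 60), (3, 60), (10, 60)):
        alerts = detection_filter(SAMPLE_EVENTS, count, seconds)
        print(f"count={count:2d} seconds={seconds}: "
              f"{len(alerts):2d} alerts from {sorted(alert_sources(alerts))}")
```

With no filter every match alerts (20 alerts, both sources). With `count 3` the gateway's normal authentication rate still crosses the threshold and keeps generating false positives; with `count 10, seconds 60` only the brute-forcer's burst exceeds the window and the gateway never alerts, which is the tuning the question is after.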
An engineer is going through vulnerability triage with company management because of a recent malware outbreak from which 21 affected assets need to be patched or remediated. Management decides not to prioritize fixing the assets and accepts the vulnerabilities. What is the next step the engineer should take?
Investigate the vulnerability to prevent further spread
Acknowledge the vulnerabilities and document the risk
Apply vendor patches or available hot fixes
Isolate the assets affected in a separate network
Security Concepts
Network Security
Refer to the exhibit. An organization is using an internal application for printing documents that requires a separate registration on the website. The application allows format-free user creation, and users must match these required conditions to comply with the company's user creation policy:
• minimum length: 3
• usernames can only use letters, numbers, dots, and underscores
• usernames cannot begin with a number
The application administrator has to manually change and track these daily to ensure compliance. An engineer is tasked to implement a script to automate the process according to the company user creation policy. The engineer implemented this piece of code within the application, but users are still able to create format-free usernames. Which change is needed to apply the restrictions?
modify code to return error on restrictions, def return false_user(username, minlen)
automate the restrictions, def automate_user(username, minlen)
validate the restrictions, def validate_user(username, minlen)
modify code to force the restrictions, def force_user(username, minlen)
Security Concepts
Endpoint Security
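The username question above is really about enforcement: a validator that reports whether a name complies is useless if the registration path creates the account regardless of the result. The following added example (written for this page, not the code from the exhibit or from the application described) implements the three policy rules as stated, returns every rule a name violates, and shows a `create_user` routine that refuses to register the account unless validation passes. The in-memory `USERS` store and the function names are assumptions for illustration.

```python
import re

# The three rules quoted in the policy. ASCII classes are used deliberately:
# str.isalpha()/str.isalnum() would also accept non-Latin letters and Unicode digits.
ALLOWED_CHARS = re.compile(r"[A-Za-z0-9._]*")   # letters, numbers, dots, underscores only
LEADING_DIGIT = re.compile(r"[0-9]")             # match() anchors at position 0


def validation_errors(username, minlen=3):
    """Return a list of the policy rules `username` violates; empty list means compliant."""
    errors = []
    if len(username) < minlen:
        errors.append(f"minimum length is {minlen}")
    if ALLOWED_CHARS.fullmatch(username) is None:
        errors.append("only letters, numbers, dots and underscores are allowed")
    if LEADING_DIGIT.match(username):
        errors.append("usernames cannot begin with a number")
    return errors


def validate_user(username, minlen=3):
    """True only if the username satisfies every rule of the user creation policy."""
    return not validation_errors(username, minlen)


# Hypothetical in-memory registry standing in for the print application's user backend.
USERS = {}


def create_user(username, minlen=3):
    """Register `username` only after validation passes.

    The defect described in the question is a registration path that calls the
    validator and then ignores its result; here a failed check raises and the
    account is never written to the store.
    """
    errors = validation_errors(username, minlen)
    if errors:
        raise ValueError(f"username {username!r} rejected: " + "; ".join(errors))
    if username in USERS:
        raise ValueError(f"username {username!r} already exists")
    USERS[username] = {"source": "self-registration"}
    return True


if __name__ == "__main__":
    for name in ("alice", "a.b_c", "ab", "1abc", "al-ice", "_ok"):
        print(f"{name!r:10} -> {validation_errors(name) or 'OK'}")
```

Note that an underscore or dot as the first character is accepted because the policy only forbids a leading number; if the organization also wants to forbid leading punctuation, that is a fourth rule to add explicitly rather than an assumption to bury in the regex.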