Cisco 350-201 Exam Dumps & Practice Test Questions

Question 1:

A security team is analyzing NetFlow data from multiple branch office routers. To effectively identify potential beaconing command-and-control (C2) activity.

Which two fields in NetFlow v9/v10/IPFIX data records are most valuable for spotting such traffic patterns? (Choose two.)

A. Destination port
B. Flow end timestamp
C. Flow duration (delta time)
D. TCP flags
E. Source autonomous-system number

Correct Answers: B and C

Explanation:

Detecting beaconing command-and-control (C2) traffic is a critical component of threat hunting and malware detection. Beaconing typically involves infected endpoints periodically reaching out to attacker-controlled servers in a consistent and repetitive manner. These connections are often short-lived, occur at regular intervals, and use common protocols and ports to evade detection.

NetFlow and IPFIX data can provide deep insights into such behavior through metadata collected from network flows. The most useful indicators for identifying beaconing behavior are Flow End Timestamp and Flow Duration.

The Flow End Timestamp (B) indicates when a specific network flow concluded. By observing flow end times from the same source IP address, analysts can identify repetitive communication patterns. For example, if a device sends a packet to the same destination every 10 minutes consistently, this is a strong signal of automated (potentially malicious) activity.

Flow Duration (C), also known as delta time, specifies the length of each flow. Beaconing sessions typically last only a few seconds and show minimal variation across multiple flows. Uniformity in flow durations across time intervals can be another red flag, indicating scripted or scheduled behavior.

Here’s why the other options are less effective:

• A. Destination port: Although attackers sometimes use non-standard ports, modern threats often leverage ports 80 (HTTP) and 443 (HTTPS) to blend in with legitimate web traffic. Thus, the destination port provides limited value in detecting C2 patterns.

• D. TCP flags: These reflect the state of TCP sessions (e.g., SYN, FIN, RST) and are useful in understanding session lifecycle. However, they don’t offer time-based behavioral data, which is critical for beaconing detection.

• E. Source ASN: This identifies the originating Autonomous System and may help in mapping traffic origins but does not contribute meaningfully to detecting regular time intervals or flow lengths.

In summary, spotting beaconing behavior requires identifying consistent timing and duration patterns in flow data. Flow end timestamps and flow durations are central to this effort, helping defenders detect stealthy, automated communications indicative of C2 activity.

Question 2:

An analyst is building automation scripts to interact with Cisco SecureX Orchestration using its REST API. 

To either completely replace a resource or make a partial update, which two HTTP methods are most appropriate? (Choose two.)

A. GET
B. PUT
C. POST
D. DELETE
E. PATCH

Correct Answers: B and E

Explanation:

When interacting with RESTful APIs like Cisco SecureX Orchestration, understanding the behavior and intent behind each HTTP method is essential. Two common use cases during API-based scripting are (1) replacing a resource and (2) partially modifying it. For these tasks, the HTTP methods PUT and PATCH are the correct tools.

The PUT method (B) is used when you want to completely replace a resource at a specific URI. For instance, if a configuration file or automation workflow is represented as a JSON object, sending a PUT request with new JSON content will overwrite the existing object entirely. This method requires you to provide all the resource fields—any field omitted will often be deleted or reset by the server.

In contrast, the PATCH method (E) allows for partial updates to an existing resource. This is particularly useful when only a subset of fields needs modification, such as updating a status flag or modifying a single parameter. PATCH avoids unnecessary data transmission and reduces the risk of overwriting unintended fields, making it both efficient and safer for targeted changes.

Let’s examine why the remaining options don’t apply:

• A. GET: Used to retrieve data from the server. It is non-modifying and should never be used to alter or update resources.

• C. POST: Typically used for creating new resources, especially when the server determines the URI. Although POST is flexible and can be misused for updates, it is not the RESTful standard for updating resources.

• D. DELETE: As the name implies, this method removes a resource entirely. It’s destructive and unrelated to modification tasks.

By leveraging PUT and PATCH appropriately, analysts can maintain clean, structured, and effective scripts when working with REST APIs. These methods follow RESTful conventions and ensure that updates are performed with clarity and precision—vital for maintaining automation workflows in Cisco SecureX Orchestration.

Question 3:

In Cisco Secure Endpoint (previously known as AMP for Endpoints), which two file dispositions will temporarily prevent a newly observed file from executing on an endpoint while awaiting a decision from the cloud? (Choose two.)

A. Quarantined
B. Blocked
C. Malicious
D. Soft blocked (unknown prevalence)
E. Triaged

Correct Answers: B and D

Explanation:

Cisco Secure Endpoint employs multiple file disposition statuses to manage and restrict file behavior on protected systems based on real-time intelligence and reputation analysis. Two critical dispositions that proactively block unknown or potentially harmful files before a verdict is finalized are Blocked and Soft blocked (unknown prevalence).

The Blocked disposition (option B) is typically applied when a file has been flagged as suspicious or lacks a positive reputation. Based on pre-configured policy or risk settings, the file is prevented from executing. This is a preventive measure taken before the cloud or local engine confirms whether the file is definitively safe or harmful. It halts any activity until a conclusive decision is received, reducing the risk of premature compromise.

The Soft blocked (unknown prevalence) disposition (option D) is a more nuanced mechanism that handles first-seen files or those without a reputation history. When Cisco Secure Endpoint encounters a file with no prior prevalence data or reputation, it assigns a temporary hold status—soft block—until the cloud provides an authoritative classification. This is essential for defending against zero-day or brand-new malware samples by ensuring no execution happens before some level of analysis is complete.

Now let’s review the incorrect options:

• Quarantined (A) is a reactive measure taken after a file has already been determined to be harmful. Quarantining removes or isolates the threat to prevent further harm, but it doesn’t prevent execution before detection.

• Malicious (C) is a final, post-analysis classification for files already identified as dangerous. Once labeled as malicious, the file is removed or blocked, but this status doesn’t apply during the cloud evaluation stage.

• Triaged (E) is more relevant to incident investigation and alert workflow. It is used by analysts to categorize or prioritize alerts but doesn’t influence file execution behavior at the endpoint level.

In summary, Cisco Secure Endpoint uses the Blocked and Soft blocked dispositions to delay file execution until it is certain the file is safe, protecting endpoints during this decision-making window. These are proactive, preventive actions essential for stopping threats before they can execute.

Question 4:

A Security Operations Center (SOC) manager is building a dashboard to track how effectively analysts are handling security alerts. 

Which two metrics directly measure analyst performance, rather than automation or tool efficiency? (Choose two.)

A. Mean time to detect (MTTD)
B. Mean time to respond (MTTR)
C. Number of escalations rejected by Tier 2
D. Percentage of alerts auto-closed by correlation rules
E. Average EDR sensor dwell time

Correct Answers: B and C

Explanation:

When evaluating the effectiveness of security analysts, it’s important to focus on human performance indicators—metrics that directly reflect the decision-making, accuracy, and response speed of the SOC team. Among the given choices, Mean Time to Respond (MTTR) and the Number of escalations rejected by Tier 2 are the most appropriate indicators of analyst performance.

Mean Time to Respond (MTTR) (option B) represents the average time it takes an analyst to react to a threat once it has been detected. This includes investigation, triage, containment, and mitigation activities. A shorter MTTR suggests that analysts are responding promptly and effectively, while a longer MTTR may indicate inefficiencies, lack of expertise, or procedural bottlenecks. Although tool responsiveness can impact MTTR slightly, it is mostly driven by analyst activity.

Number of escalations rejected by Tier 2 (option C) provides a quality check on Tier 1 analysts' work. Frequent rejections by Tier 2 suggest that Tier 1 analysts are incorrectly escalating false positives or failing to triage effectively. Conversely, a low rejection rate reflects accurate identification and proper prioritization, signaling higher competence and efficiency in handling alerts.

Now let’s examine why the other options are less relevant for measuring analyst performance:

• Mean Time to Detect (MTTD) (A) is heavily influenced by tooling and detection mechanisms, such as SIEM rules or EDR capabilities. While analysts might influence this slightly through monitoring, it's not a direct reflection of their skill or speed.

• Percentage of alerts auto-closed by correlation rules (D) is a system automation metric, indicating how well predefined logic filters out false positives. It does not involve analyst intervention and therefore cannot assess human performance.

• Average EDR sensor dwell time (E) measures how long a threat remains undetected on an endpoint. While important for overall security posture, this metric is affected by sensor placement, configuration, and detection tool capabilities—not analyst response.

To summarize, MTTR and escalation rejection rates give the clearest view into how efficiently analysts detect, prioritize, and act upon threats, making them the best performance indicators in a SOC context.

Question 5:

When following an incident response playbook for a suspected phishing email, which three steps should be taken before running the email’s attachment in a sandbox environment?

A. Review the email's full SMTP headers and trace the delivery path
B. Extract and analyze any embedded URLs using threat intelligence sources
C. Generate a hash of the attachment and search for known verdicts in malware databases
D. Launch the attachment in a virtual machine to monitor network activity
E. Check the secure email gateway logs for any other occurrences of the same message ID

Correct Answers: A, B, and C

Explanation:

In phishing investigations, particularly when a suspicious attachment is involved, it's vital to proceed cautiously and systematically. The goal is to assess the threat level without introducing unnecessary risk or expending excessive resources too early. A well-structured playbook emphasizes low-risk intelligence-gathering steps before resorting to potentially dangerous actions like detonating the file in a sandbox.

Option A, reviewing SMTP headers, is a standard starting point. Full email headers provide valuable information such as the source IP, intermediary mail servers, SPF/DKIM results, and anomalies that suggest spoofing or abuse. By analyzing the “Received” paths, analysts can identify infrastructure patterns that are frequently reused in phishing campaigns. This not only helps verify the legitimacy of the email but also contributes to blocking similar threats proactively.

Option B, URL extraction and threat reputation checks, offers another passive yet highly informative step. Most phishing emails include links to malicious websites used for credential harvesting or malware delivery. These URLs can be run through commercial and open-source threat intelligence services (like Cisco Talos or VirusTotal) to determine if they’ve already been reported. This can confirm the email’s malicious nature without even opening the attachment.

Option C involves hashing the attachment (e.g., using SHA-256) and querying platforms like VirusTotal, Cisco Threat Grid, or other malware analysis services. If the file has previously been submitted and flagged, analysts can avoid redundant sandboxing. This step is safe, quick, and frequently yields useful verdicts.

Option D, detonating the file in a sandbox, is the very step we're trying to postpone. Sandboxing consumes more resources and carries the risk of network exposure if the sandbox is misconfigured. It should be a last resort after all passive methods are exhausted.

Option E, examining email gateway logs, is more about determining the scope of exposure—useful, but not essential for deciding whether to sandbox a file. It's often conducted after a file is confirmed to be malicious.

Therefore, the first three steps—A, B, and C—represent the optimal early actions before any detonation occurs.

Question 6:

Which two activities are typically carried out during the initial triage phase of an incident response process?

A. Determining which systems have been impacted
B. Archiving and safeguarding log data for later analysis
C. Using threat intelligence to enhance alert correlation
D. Dismissing alerts that are deemed false positives
E. Taking steps to isolate and remove the threat actor

Correct Answers: A and D

Explanation:

The triage phase of incident response is a critical early step where security analysts quickly assess incoming alerts to determine their legitimacy and severity. The goal during triage is to make a preliminary determination about whether a security incident is real and requires full investigation or response, or whether it’s a false alarm that can be dismissed. Efficiency and prioritization are key during this phase.

Option A, identifying affected systems, is a primary objective during triage. By establishing which endpoints, servers, user accounts, or network segments are implicated in an alert, security teams can assess the potential impact and urgency of the issue. This helps determine whether the incident could spread or has already impacted business-critical assets. It also informs downstream actions like containment, forensics, and communication.

Option D, closing false positives, is another essential task in triage. With the high volume of alerts generated by security tools, many are benign or triggered by non-malicious activity. The triage process weeds out these false positives so analysts can focus on the events that truly matter. Rapidly ruling out non-threats reduces alert fatigue and makes the overall response process more efficient.

Let’s consider why the other options don’t apply to the triage phase:

Option B, preserving logs, is typically done once an alert is confirmed as a legitimate incident. This step is important for later forensic analysis and legal compliance, but it's not part of the initial filtering phase. It belongs to the investigation or containment stage.

Option C, correlating alerts with threat intelligence, adds valuable context to incidents but is more resource-intensive and usually reserved for later phases when analysts are digging deeper into confirmed threats. It’s not always necessary during triage unless the alert is borderline or unclear.

Option E, containment and eradication, is a response activity that follows incident confirmation. Once an event is validated as malicious, these steps are critical—but acting prematurely can disrupt normal operations or tip off attackers.

In conclusion, A and D are fundamental to effective triage, enabling organizations to allocate resources wisely and respond efficiently to real threats.

Question 7:

Which two configuration actions can strengthen the DNS-layer security provided by Cisco Umbrella? (Choose two.)

A. Apply DNS policies that restrict access to domains by threat category
B. Use URL filtering to block sites based on web content categories
C. Modify DNS cache TTL to enhance performance
D. Change resolver IPs within the Umbrella management interface
E. Configure geo-based blocking to restrict traffic from high-risk regions

Correct Answers: A and E

Explanation:

Cisco Umbrella enhances security at the DNS layer by preventing connections to malicious sites before the actual IP connection is made. To increase the strength of DNS-layer protection, security teams can adjust configurations that proactively filter out threats and align controls with organizational risk policies.

Option A, applying DNS policies based on threat categories, is a core feature of Cisco Umbrella. This allows administrators to automatically block access to domains associated with known cyber threats such as phishing, malware, botnets, or newly registered domains. These categories are continuously updated via Cisco’s threat intelligence, making this a dynamic and scalable method to filter out harmful requests before connections are established. This minimizes user exposure and prevents malware from communicating with command-and-control infrastructure.

Option E, implementing geolocation-based filtering, is also a highly effective DNS-layer strategy. Organizations may choose to block or restrict DNS requests originating from or targeting certain geographic regions known for cyberattacks or fraud. For example, if a company does not operate in certain high-risk countries, it can block DNS queries that resolve to domains hosted in those regions. This shrinks the attack surface by eliminating traffic from sources with little to no business relevance but higher-than-average threat exposure.

The remaining options are less appropriate for DNS-layer improvement:

• Option B, URL filtering, operates at the HTTP/HTTPS layer, not DNS. While important for web security, it falls outside the DNS-layer focus of this question.

• Option C, adjusting TTL (Time to Live) settings, relates to performance optimization. Though DNS caching can influence resolution speed and network efficiency, modifying TTL doesn’t directly improve threat detection or prevention.

• Option D, changing DNS resolver IPs inside the Umbrella dashboard, is typically not supported. Cisco provides secure, managed DNS resolvers (e.g., 208.67.222.222), and altering these settings could disrupt functionality or reduce protection.

To maximize DNS-layer security, it’s essential to proactively filter traffic using policy and geography-based controls. Therefore, the most impactful methods are clearly A and E.

Question 8:

What are two key advantages of using Cisco Secure Network Analytics (formerly Stealthwatch) for internal threat detection? (Choose two.)

A. Detects threats within encrypted traffic without decryption
B. Uses behavioral analytics to identify abnormal network activity
C. Executes fully automated incident responses
D. Directly integrates Cisco Talos intelligence updates
E. Detects lateral movement strictly via machine learning

Correct Answers: A and B

Explanation:

Cisco Secure Network Analytics (SNA), previously known as Stealthwatch, is designed to provide deep, continuous monitoring of network activity across hybrid and on-premises environments. Unlike traditional signature-based tools, it leverages network telemetry and behavioral modeling to identify threats that may go unnoticed by other defenses. Two of its most notable features—encrypted traffic analysis and behavioral anomaly detection—set it apart as a robust internal security tool.

Option A, the ability to analyze encrypted traffic without decryption, is a unique and highly valuable capability. Many modern cyberattacks are hidden within encrypted traffic, which makes traditional inspection methods (such as packet sniffing) less effective. Cisco’s Encrypted Traffic Analytics (ETA) technology uses metadata, flow records (NetFlow), and telemetry to infer potential threats based on how the encrypted sessions behave, without violating privacy or requiring resource-intensive decryption. This enables Secure Network Analytics to detect malware and command-and-control (C2) activities that operate within encrypted channels—one of the hardest blind spots in cybersecurity.

Option B, the use of behavioral analytics, is central to how SNA detects anomalies. The system learns baseline behavior for devices, users, applications, and flows. It then continuously compares live activity against these baselines. Any deviations—such as unusual login times, excessive data transfers, or access to unknown external destinations—trigger alerts. These detections are not reliant on known signatures, making SNA highly effective against zero-day threats, insider risks, and advanced persistent threats (APTs).

Now let’s evaluate the incorrect choices:

• Option C, fully automated incident response, is not a native feature of Secure Network Analytics. While it can integrate with other Cisco tools like SecureX for orchestration, SNA itself is primarily focused on detection and visibility, not action.

• Option D, real-time updates from Cisco Talos, are not a direct function of Secure Network Analytics. While Talos intelligence is used extensively in products like Cisco Umbrella and Secure Firewall, SNA depends more on telemetry and flow analytics rather than threat feed ingestion.

• Option E, lateral movement detection via pure machine learning, is only partially true. While SNA can detect lateral movement, it doesn’t rely solely on machine learning. It uses a combination of pattern recognition, policy violations, and flow-based analytics—not ML alone.

Overall, Secure Network Analytics offers unmatched internal visibility by analyzing encrypted traffic without breaking it and using behavioral models to identify threats that traditional tools may miss. Hence, the most valid benefits are clearly A and B.

Question 9:

A company is planning to implement a continuous monitoring solution for its cloud infrastructure hosted on AWS and Azure.

Which two Cisco tools are the most appropriate for monitoring activities in these cloud environments? (Choose two)

A. Cisco Secure Network Analytics
B. Cisco Cloudlock
C. Cisco Stealthwatch Cloud
D. Cisco Umbrella
E. Cisco Identity Services Engine (ISE)

Correct Answers: B and C

Explanation:

When organizations move to the cloud, effective continuous monitoring becomes essential to ensure visibility, detect threats, and enforce security policies across dynamic infrastructure. In the context of AWS and Azure, Cisco provides specialized tools tailored for cloud-native and hybrid environments.

Cisco Cloudlock (B) is a Cloud Access Security Broker (CASB) designed to secure cloud-based applications and environments. It monitors cloud service usage, detects risky behavior, and enforces compliance across SaaS platforms such as Microsoft 365 and Google Workspace. While it does not monitor infrastructure elements like CPU utilization or network flow metrics, Cloudlock excels in monitoring identity, access, and sensitive data use in cloud apps, making it crucial for managing user-driven risks and insider threats in the cloud.

Cisco Stealthwatch Cloud (C)—now referred to as Secure Cloud Analytics—is designed for cloud infrastructure and hybrid environments. It provides deep visibility into cloud environments by analyzing telemetry data like AWS VPC flow logs or Azure NSG flow logs. This tool helps detect unusual behavior, misconfigurations, lateral movement, and insider threats. It's well suited for Infrastructure as a Service (IaaS) and is a cornerstone for organizations seeking real-time monitoring and threat detection across multi-cloud deployments.

Now, evaluating the incorrect options:

• Cisco Secure Network Analytics (A) (formerly on-prem Stealthwatch) is optimized for on-premises networks and internal traffic visibility. While powerful in data centers or campus networks, it lacks the out-of-the-box integrations and scalability needed for native cloud monitoring unless extended with complex configurations.

• Cisco Umbrella (D) is a DNS-layer security platform that helps block access to malicious domains and enforce content filtering. While it plays a key role in threat prevention, it does not provide deep cloud infrastructure visibility, which is needed for monitoring AWS and Azure operations.

• Cisco ISE (E) is focused on network access control in traditional enterprise environments. Its capabilities are valuable for endpoint authentication and segmentation in physical or wireless networks, but it lacks the tools necessary for monitoring dynamic cloud infrastructure.

In summary, for cloud-native monitoring, Cisco Cloudlock and Cisco Stealthwatch Cloud are the most appropriate choices. They address both SaaS security and IaaS visibility, making them complementary tools for modern cloud security operations.

Question 10:

To enhance protection against DNS-based threats while maintaining continuous DNS service availability,

Which two actions should a security administrator take? (Choose two)

A. Enable DNSSEC to provide data authenticity
B. Use a local DNS cache to reduce resolution times
C. Implement split-horizon DNS to isolate queries
D. Apply DNS filtering to block malicious domain access
E. Turn off DNS query logging to avoid data exfiltration

Correct Answers: A and D

Explanation:

DNS plays a foundational role in the internet, translating domain names into IP addresses. However, its open design makes it a common vector for various attacks like spoofing, cache poisoning, DNS hijacking, and tunneling. A strong DNS security strategy must prevent such threats while ensuring services remain fast and available.

DNSSEC (A), or Domain Name System Security Extensions, provides cryptographic validation of DNS records. This means that when a client system receives a DNS response, it can verify its authenticity using digital signatures. This effectively prevents attackers from spoofing DNS responses or poisoning DNS caches. Although it does not encrypt DNS traffic or protect confidentiality, DNSSEC ensures integrity, making it a key defense against attacks involving forged responses.

DNS Filtering (D) is another proactive control that blocks access to known harmful domains. By integrating threat intelligence feeds, DNS filtering tools evaluate every DNS query and block those linked to malware, phishing, botnets, or command-and-control servers. This preemptive approach can stop threats before a connection is established, offering a low-latency, high-impact defense that complements other layers of security.

Now, consider the incorrect choices:

• Local DNS Caching (B) improves performance by reducing latency but does not directly enhance security. Without additional controls, caches can become targets for poisoning attacks, especially if responses are not validated.

• Split-horizon DNS (C) serves different DNS responses depending on whether the requester is inside or outside the network. It improves internal segmentation and helps prevent information leakage, but it does not actively mitigate external DNS-based threats like spoofing or tunneling.

• Disabling DNS Logging (E) is a harmful practice. DNS logs are critical for monitoring, forensic analysis, and detecting suspicious activities like DNS tunneling or beaconing. Eliminating visibility removes a key detection mechanism and can allow attacks to go unnoticed.

In conclusion, enabling DNSSEC to validate DNS authenticity and applying DNS filtering to block harmful domains are both crucial, effective strategies for strengthening DNS security while keeping the system operational and reliable.