1. What is a feature of the tcpdump tool?
- A. It uses agents to submit host logs to centralized management servers.
- B. It records metadata about packet flows.
- C. It provides real-time reporting and long-term analysis of security events.
- D. It can display packet captures in real time or write them to a file.
The tcpdump command line tool is a packet analyzer that captures detailed packet protocol and content data. It can display packet captures in real time or write them to a file.
2. Which Windows tool can be used to review host logs?
- A. Services
- B. Device Manager
- C. Event Viewer
- D. Task Manager
Event Viewer in Windows can be used to review entries in various logs.
3. Which type of security data can be used to describe or predict network behavior?
- A. Transaction
- B. Session
- C. Alert
- D. Statistical
Statistical data is created through the analysis of other forms of network data. Conclusions from these analyses can be used to describe or predict network behavior.
4. Which statement describes the tcpdump tool?
- A. It is a command-line packet analyzer.
- B. It accepts and analyzes data captured by Wireshark.
- C. It is used to control multiple TCP-based applications.
- D. It can be used to analyze network log data in order to describe and predict network behavior.
The tcpdump command-line tool is a popular packet analyzer. It can display packet captures in real time or write packet captures to a file.
5. What are two popular SIEM platforms? (Choose two.)
- A. Tcpdump
- B. NetFlow
- C. Security Onion with ELK
- D. Cisco Umbrella
- E. Splunk
Security Information and Event Management (SIEM) is a technology that provides real-time reporting and long-term analysis of security events. Two SIEM platforms used by organizations are Splunk and Security Onion with ELK.
6. Which Windows host log event type describes the successful operation of an application, driver, or service?
- A. Warning
- B. Error
- C. Success audit
- D. Information
Various Windows host logs can have different event types. The information event type records an event that describes the successful operation of an application, driver, or service.
7. Which Windows log records events related to login attempts and operations related to file or object access?
- A. System logs
- B. Setup logs
- C. Security logs
- D. Application logs
On a Windows host, security logs record events related to security, such as login attempts and operations related to file or object management and access.
8. What are two of the 5-tuples? (Choose two.)
- A. IDS
- B. Source port
- C. IPS
- D. Protocol
- E. ACL
The components of a 5-tuple include a source IP address and port number, destination IP address and port number, and the protocol in use.
9. In a Cisco AVC system, in which module is NBAR2 deployed?
- A. Control
- B. Metrics Collection
- C. Management and Reporting
- D. Application Recognition
AVC uses Cisco Next Generation Network-Based Application Recognition (NBAR2) to discover and classify the applications in use on the network.
10. A NIDS/NIPS has identified a threat. Which type of security data will be generated and sent to a logging device?
- A. Statistical
- B. Transaction
- C. Session
- D. Alert
Alert data is generated by IPS or IDS devices in response to traffic that violates a rule or matches the signature of a known security threat.
11. Which statement describes an operational characteristic of NetFlow?
- A. NetFlow can provide services for user access control.
- B. NetFlow flow records can be viewed by the tcpdump tool.
- C. NetFlow captures the entire contents of a packet.
- D. NetFlow collects basic information about the packet flow, not the flow data itself.
NetFlow does not capture the entire contents of a packet. Instead, NetFlow collects metadata, or data about the flow, not the flow data itself. NetFlow information can be viewed with tools such as nfdump and FlowViewer.
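The three ideas in questions 1, 8 and 11 (tcpdump shows full packet lines, a 5-tuple identifies a flow, and NetFlow keeps only metadata about that flow) fit together in one short script. The example below is an added illustration, not code from the quiz or from the tcpdump or NetFlow projects: it parses a constructed sample of `tcpdump -n` output into 5-tuple keys and aggregates per-flow packet and byte counts with first/last-seen times, exactly the kind of record a NetFlow collector would export, while discarding the packet content that tcpdump printed. It assumes the default tcpdump line format for TCP ("Flags ["), UDP ("UDP, length N") and ICMP lines as shown in the sample; real captures contain other line shapes that this parser simply skips.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed sample of `tcpdump -n` output (not a real capture). The lines
# carry packet detail (TCP flags, sequence numbers, ICMP ids), but only
# flow metadata is retained below, which is the NetFlow distinction.
SAMPLE_TCPDUMP = """\
12:00:01.000100 IP 10.0.0.5.51234 > 93.184.216.34.443: Flags [S], seq 1, win 64240, length 0
12:00:01.000200 IP 93.184.216.34.443 > 10.0.0.5.51234: Flags [S.], seq 2, ack 2, win 65535, length 0
12:00:01.000300 IP 10.0.0.5.51234 > 93.184.216.34.443: Flags [P.], seq 2:518, ack 3, win 64240, length 516
12:00:02.000000 IP 10.0.0.5.53211 > 10.0.0.1.53: UDP, length 29
12:00:02.000500 IP 10.0.0.1.53 > 10.0.0.5.53211: UDP, length 45
12:00:03.000000 IP 10.0.0.5 > 10.0.0.1: ICMP echo request, id 7, seq 1, length 64
not a tcpdump line at all
"""

# 5-tuple: source IP, source port, destination IP, destination port, protocol.
# Ports are None for protocols that have none (ICMP).
FlowKey = Tuple[str, Optional[int], str, Optional[int], str]

# Assumption: default `tcpdump -n` layout "<ts> IP <src>[.<port>] > <dst>[.<port>]: <rest>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\.(?P<sport>\d+))? > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.(?P<dport>\d+))?: (?P<rest>.*)$"
)
LEN_RE = re.compile(r"\blength (\d+)")


@dataclass
class FlowRecord:
    """NetFlow-style metadata for one unidirectional flow; no packet content."""
    packets: int = 0
    bytes: int = 0
    first_seen: str = ""
    last_seen: str = ""


def _protocol(rest: str) -> str:
    # Assumption: TCP lines start with "Flags [", UDP with "UDP,", ICMP with "ICMP".
    if rest.startswith("Flags ["):
        return "tcp"
    if rest.startswith("UDP"):
        return "udp"
    if rest.startswith("ICMP"):
        return "icmp"
    return "other"


def parse_line(line: str) -> Optional[Tuple[str, FlowKey, int]]:
    """Return (timestamp, 5-tuple, length printed by tcpdump) or None if unparseable."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    sport = int(m["sport"]) if m["sport"] else None
    dport = int(m["dport"]) if m["dport"] else None
    key: FlowKey = (m["src"], sport, m["dst"], dport, _protocol(m["rest"]))
    length_match = LEN_RE.search(m["rest"])
    length = int(length_match.group(1)) if length_match else 0
    return m["ts"], key, length


def build_flows(text: str) -> Dict[FlowKey, FlowRecord]:
    """Aggregate tcpdump lines into per-5-tuple flow records (one per direction, like NetFlow)."""
    flows: Dict[FlowKey, FlowRecord] = {}
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # not a packet line; skip rather than abort the whole capture
        ts, key, length = parsed
        rec = flows.setdefault(key, FlowRecord(first_seen=ts))
        rec.packets += 1
        rec.bytes += length
        rec.last_seen = ts
    return flows


def format_flows(flows: Dict[FlowKey, FlowRecord]) -> str:
    """Render the flow table in the spirit of an nfdump listing."""
    rows = ["proto src                  dst                  pkts  bytes"]
    ordered = sorted(flows.items(), key=lambda kv: kv[1].first_seen)
    for (src, sport, dst, dport, proto), rec in ordered:
        s = f"{src}:{sport}" if sport is not None else src
        d = f"{dst}:{dport}" if dport is not None else dst
        rows.append(f"{proto:<5} {s:<20} {d:<20} {rec.packets:>4} {rec.bytes:>6}")
    return "\n".join(rows)


if __name__ == "__main__":
    print(format_flows(build_flows(SAMPLE_TCPDUMP)))
```

Running the script prints five flow rows: the two directions of the TCP connection, the two directions of the DNS exchange, and the ICMP echo. Nothing about the TCP flags or the DNS payload survives into the records, which is why a NetFlow collector can retain flow history far longer than a full packet capture, and also why it cannot answer content questions that only a tcpdump or Wireshark capture can.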
12. Which type of data is used by Cisco Cognitive Intelligence to find malicious activity that has bypassed security controls, or entered through unmonitored channels, and is operating inside an enterprise network?
- A. Statistical
- B. Transaction
- C. Session
- D. Alert
Cisco Cognitive Intelligence utilizes statistical data for statistical analysis in order to find malicious activity that has bypassed security controls, or entered through unmonitored channels (including removable media), and is operating inside the network of an organization.