350-201 Performing CyberOps Using Core Security Technologies (CBRCOR) Questions and Answers

Questions 4

An API developer is improving application code to prevent DDoS attacks. The solution needs to accommodate a large number of API requests that arrive for legitimate purposes from trustworthy services. Which solution should be implemented?

Options:

A.

Restrict the number of requests based on a calculation of daily averages. If the limit is exceeded, temporarily block access from the IP address and return a 402 HTTP error code.

B.

Implement REST API Security Essentials solution to automatically mitigate limit exhaustion. If the limit is exceeded, temporarily block access from the service and return a 409 HTTP error code.

C.

Increase a limit of replies in a given interval for each API. If the limit is exceeded, block access from the API key permanently and return a 450 HTTP error code.

D.

Apply a limit to the number of requests in a given time interval for each API. If the rate is exceeded, block access from the API key temporarily and return a 429 HTTP error code.

Questions 5

An employee abused PowerShell commands and script interpreters, which led to an indicator of compromise (IOC) trigger. The IOC event shows that a known malicious file has been executed, and there is an increased likelihood of a breach. Which indicator generated this IOC event?

Options:

A.

ExecutedMalware.ioc

B.

Crossrider.ioc

C.

ConnectToSuspiciousDomain.ioc

D.

W32 AccesschkUtility.ioc

Questions 6

After a recent malware incident, the forensic investigator is gathering details to identify the breach and causes. The investigator has isolated the affected workstation. What is the next step that should be taken in this investigation?

Options:

A.

Analyze the applications and services running on the affected workstation.

B.

Compare workstation configuration and asset configuration policy to identify gaps.

C.

Inspect registry entries for recently executed files.

D.

Review audit logs for privilege escalation events.

Questions 7

Employees report computer system crashes within the same week. An analyst is investigating one of the computers that crashed and discovers multiple shortcuts in the system’s startup folder. It appears that the shortcuts redirect users to malicious URLs. What is the next step the engineer should take to investigate this case?

Options:

A.

Remove the shortcut files

B.

Check the audit logs

C.

Identify affected systems

D.

Investigate the malicious URLs

Questions 8

A SOC analyst is investigating a recent email delivered to a high-value user for a customer whose network their organization monitors. The email includes a suspicious attachment titled “Invoice RE: 0004489”. The hash of the file is gathered from the Cisco Email Security Appliance. After searching Open Source Intelligence, no available history of this hash is found anywhere on the web. What is the next step in analyzing this attachment to allow the analyst to gather indicators of compromise?

Options:

A.

Run and analyze the DLP Incident Summary Report from the Email Security Appliance

B.

Ask the company to execute the payload for real time analysis

C.

Investigate further in open source repositories using YARA to find matches

D.

Obtain a copy of the file for detonation in a sandbox

Questions 9

An engineer received an incident ticket of a malware outbreak and used antivirus and malware removal tools to eradicate the threat. The engineer notices that abnormal processes are still occurring in the system and determines that manual intervention is needed to clean the infected host and restore functionality. What is the next step the engineer should take to complete this playbook step?

Options:

A.

Scan the network to identify unknown assets and the asset owners.

B.

Analyze the components of the infected hosts and associated business services.

C.

Scan the host with updated signatures and remove temporary containment.

D.

Analyze the impact of the malware and contain the artifacts.

Questions 10

Refer to the exhibit.

350-201 Question 10

Which command was executed in PowerShell to generate this log?

Options:

A.

Get-EventLog -LogName*

B.

Get-EventLog -List

C.

Get-WinEvent -ListLog* -ComputerName localhost

D.

Get-WinEvent -ListLog*

Questions 11

Refer to the exhibit.

350-201 Question 11

An engineer is analyzing this Vlan0386-int12-117.pcap file in Wireshark after detecting suspicious network activity. The origin header for the direct IP connections in the packets shows they were initiated by a Google Chrome extension over the WebSocket protocol. The engineer checked the message payloads to determine what information was being sent off-site, but the payloads are obfuscated and unreadable. What does this STIX indicate?

Options:

A.

The extension is not performing as intended because of restrictions since ports 80 and 443 should be accessible

B.

The traffic is legitimate as the Google Chrome extension is reaching out to check for updates and fetches this information

C.

There is a possible data leak because payloads should be encoded as UTF-8 text

D.

There is malware that is communicating via encrypted channels to the command and control server

Questions 12

How is a SIEM tool used?

Options:

A.

To collect security data from authentication failures and cyber attacks and forward it for analysis

B.

To search and compare security data against acceptance standards and generate reports for analysis

C.

To compare security alerts against configured scenarios and trigger system responses

D.

To collect and analyze security data from network devices and servers and produce alerts

Questions 13

Refer to the exhibit.

350-201 Question 13

What is the threat in this Wireshark traffic capture?

Options:

A.

A high rate of SYN packets being sent from multiple sources toward a single destination IP

B.

A flood of ACK packets coming from a single source IP to multiple destination IPs

C.

A high rate of SYN packets being sent from a single source IP toward multiple destination IPs

D.

A flood of SYN packets coming from a single source IP to a single destination IP

Questions 14

Refer to the exhibit.

350-201 Question 14

An engineer received multiple reports from employees unable to log into systems with the error: The Group Policy Client service failed to logon – Access is denied. Through further analysis, the engineer discovered several unexpected modifications to system settings. Which type of breach is occurring?

Options:

A.

malware break

B.

data theft

C.

elevation of privileges

D.

denial-of-service

Questions 15

A security expert is investigating a breach that resulted in a $32 million loss from customer accounts. Hackers were able to steal API keys and two-factor codes due to a vulnerability that was introduced in new code a few weeks before the attack. Which step was missed that would have prevented this breach?

Options:

A.

use of the Nmap tool to identify the vulnerability when the new code was deployed

B.

implementation of a firewall and intrusion detection system

C.

implementation of an endpoint protection system

D.

use of SecDevOps to detect the vulnerability during development

Questions 16

The SIEM tool informs a SOC team of a suspicious file. The team initializes the analysis with an automated sandbox tool, sets up a controlled laboratory to examine the malware specimen, and proceeds with behavioral analysis. What is the next step in the malware analysis process?

Options:

A.

Perform static and dynamic code analysis of the specimen.

B.

Unpack the specimen and perform memory forensics.

C.

Contain the subnet in which the suspicious file was found.

D.

Document findings and clean-up the laboratory.

Questions 17

Drag and drop the function on the left onto the mechanism on the right.

350-201 Question 17

Questions 18

An engineer is investigating several cases of increased incoming spam emails and suspicious emails from the HR and service departments. While checking the event sources, the website monitoring tool showed several web scraping alerts overnight. Which type of compromise is indicated?

Options:

A.

phishing

B.

dumpster diving

C.

social engineering

D.

privilege escalation

Questions 19

Refer to the exhibit.

350-201 Question 19

An organization is using an internal application for printing documents that requires a separate registration on the website. The application allows format-free user creation, and users must match these required conditions to comply with the company’s user creation policy:

    minimum length: 3

    usernames can only use letters, numbers, dots, and underscores

    usernames cannot begin with a number

The application administrator has to manually change and track these daily to ensure compliance. An engineer is tasked to implement a script to automate the process according to the company user creation policy. The engineer implemented this piece of code within the application, but users are still able to create format-free usernames. Which change is needed to apply the restrictions?

Options:

A.

modify code to return error on restrictions def return false_user(username, minlen)

B.

automate the restrictions def automate_user(username, minlen)

C.

validate the restrictions, def validate_user(username, minlen)

D.

modify code to force the restrictions, def force_user(username, minlen)

Questions 20

An engineer returned to work and realized that payments that were received over the weekend were sent to the wrong recipient. The engineer discovered that the SaaS tool that processes these payments was down over the weekend. Which step should the engineer take first?

Options:

A.

Utilize the SaaS tool team to gather more information on the potential breach

B.

Contact the incident response team to inform them of a potential breach

C.

Organize a meeting to discuss the services that may be affected

D.

Request that the purchasing department creates and sends the payments manually

Questions 21

Which bash command will print all lines from the “colors.txt” file containing the case-insensitive pattern “Yellow”?

Options:

A.

grep -i "yellow" colors.txt

B.

locate "yellow" colors.txt

C.

locate -i "Yellow" colors.txt

D.

grep "Yellow" colors.txt

Questions 22

Drag and drop the phases to evaluate the security posture of an asset from the left onto the activity that happens during the phases on the right.

350-201 Question 22

Questions 23

An engineer notices that every Sunday night, there is a two-hour period with a large load of network activity. Upon further investigation, the engineer finds that the activity is from locations around the globe outside the organization’s service area. What are the next steps the engineer must take?

Options:

A.

Assign the issue to the incident handling provider because no suspicious activity has been observed during business hours.

B.

Review the SIEM and FirePower logs, block all traffic, and document the results of calling the call center.

C.

Define the access points using StealthWatch or SIEM logs, understand the services being offered during the hours in question, and cross-correlate other source events.

D.

Treat it as a false positive, and accept the SIEM issue as valid to avoid alerts from triggering on weekends.

Questions 24

How does Wireshark decrypt TLS network traffic?

Options:

A.

with a key log file using per-session secrets

B.

using an RSA public key

C.

by observing DH key exchange

D.

by defining a user-specified decode-as

Questions 25

An organization lost connectivity to critical servers, and users cannot access business applications and internal websites. An engineer checks the network devices to investigate the outage and determines that all devices are functioning. Drag and drop the steps from the left into the sequence on the right to continue investigating this issue. Not all options are used.

350-201 Question 25

Questions 26

Drag and drop the telemetry-related considerations from the left onto their cloud service models on the right.

350-201 Question 26

Questions 27

A European-based advertisement company collects tracking information from partner websites and stores it on a local server to provide tailored ads. Which standard must the company follow to safeguard the resting data?

Options:

A.

HIPAA

B.

PCI-DSS

C.

Sarbanes-Oxley

D.

GDPR

Questions 28

Refer to the exhibit.

350-201 Question 28

An engineer is investigating a case with suspicious usernames within Active Directory. After the engineer investigates and cross-correlates events from other sources, it appears that the 2 users are privileged, and their creation date matches suspicious network traffic that was initiated from the internal network 2 days prior. Which type of compromise is occurring?

Options:

A.

compromised insider

B.

compromised root access

C.

compromised database tables

D.

compromised network

Questions 29

Refer to the exhibit.

350-201 Question 29

Which data format is being used?

Options:

A.

JSON

B.

HTML

C.

XML

D.

CSV

Questions 30

An organization is using a PKI management server and a SOAR platform to manage the certificate lifecycle. The SOAR platform queries a certificate management tool to check all endpoints for SSL certificates that have either expired or are nearing expiration. Engineers are struggling to manage problematic certificates outside of PKI management since deploying certificates and tracking them requires searching server owners manually. Which action will improve workflow automation?

Options:

A.

Implement a new workflow within SOAR to create tickets in the incident response system, assign problematic certificate update requests to server owners, and register change requests.

B.

Integrate a PKI solution within SOAR to create certificates within the SOAR engines to track, update, and monitor problematic certificates.

C.

Implement a new workflow for SOAR to fetch a report of assets that are outside of the PKI zone, sort assets by certification management leads and automate alerts that updates are needed.

D.

Integrate a SOAR solution with Active Directory to pull server owner details from the AD and send an automated email for problematic certificates requesting updates.

Questions 31

Refer to the exhibit.

350-201 Question 31

An engineer notices a significant anomaly in the traffic in one of the host groups in Cisco Secure Network Analytics (Stealthwatch) and must analyze the top data transmissions. Which tool accomplishes this task?

Options:

A.

Top Peers

B.

Top Hosts

C.

Top Conversations

D.

Top Ports

Questions 32

A SOC analyst detected a ransomware outbreak in the organization coming from a malicious email attachment. Affected parties are notified, and the incident response team is assigned to the case. According to the NIST incident response handbook, what is the next step in handling the incident?

Options:

A.

Create a follow-up report based on the incident documentation.

B.

Perform a vulnerability assessment to find existing vulnerabilities.

C.

Eradicate malicious software from the infected machines.

D.

Collect evidence and maintain a chain-of-custody during further analysis.

Questions 33

A SIEM tool fires an alert about a VPN connection attempt from an unusual location. The incident response team validates that an attacker has installed a remote access tool on a user’s laptop while traveling. The attacker has the user’s credentials and is attempting to connect to the network.

What is the next step in handling the incident?

Options:

A.

Block the source IP from the firewall

B.

Perform an antivirus scan on the laptop

C.

Identify systems or services at risk

D.

Identify lateral movement

Questions 34

A security manager received an email from an anomaly detection service stating that one of their contractors has downloaded 50 documents from the company’s confidential document management folder using a company-owned asset al039-ice-4ce687TL0500. The security manager reviewed the content of the downloaded documents and noticed that the data affected is from different departments. What actions should the security manager take?

Options:

A.

Measure confidentiality level of downloaded documents.

B.

Report to the incident response team.

C.

Escalate to contractor’s manager.

D.

Communicate with the contractor to identify the motives.

Questions 35

What is the impact of hardening machine images for deployment?

Options:

A.

reduces the attack surface

B.

increases the speed of patch deployment

C.

reduces the steps needed to mitigate threats

D.

increases the availability of threat alerts

Questions 36

Refer to the exhibit.

350-201 Question 36

At which stage of the threat kill chain is an attacker, based on these URIs of inbound web requests from known malicious Internet scanners?

Options:

A.

exploitation

B.

actions on objectives

C.

delivery

D.

reconnaissance

Questions 37

Refer to the exhibit.

350-201 Question 37

A threat actor behind a single computer exploited a cloud-based application by sending multiple concurrent API requests. These requests made the application unresponsive. Which solution protects the application from being overloaded and ensures more equitable application access across the end-user community?

Options:

A.

Limit the number of API calls that a single client is allowed to make

B.

Add restrictions on the edge router on how often a single client can access the API

C.

Reduce the amount of data that can be fetched from the total pool of active clients that call the API

D.

Increase the application cache of the total pool of active clients that call the API

Questions 38

Refer to the exhibit.

350-201 Question 38

Based on the detected vulnerabilities, what is the next recommended mitigation step?

Options:

A.

Evaluate service disruption and associated risk before prioritizing patches.

B.

Perform root cause analysis for all detected vulnerabilities.

C.

Remediate all vulnerabilities with descending CVSS score order.

D.

Temporarily shut down unnecessary services until patch deployment ends.

Questions 39

An engineer received an alert of a zero-day vulnerability affecting desktop phones through which an attacker sends a crafted packet to a device, resets the credentials, makes the device unavailable, and allows a default administrator account login. Which step should an engineer take after receiving this alert?

Options:

A.

Initiate a triage meeting to acknowledge the vulnerability and its potential impact

B.

Determine company usage of the affected products

C.

Search for a patch to install from the vendor

D.

Implement restrictions within the VoIP VLANS

Questions 40

An organization installed a new application server for IP phones. An automated process fetched user credentials from the Active Directory server, and the application will have access to on-premises and cloud services. Which security threat should be mitigated first?

Options:

A.

aligning access control policies

B.

exfiltration during data transfer

C.

attack using default accounts

D.

data exposure from backups

Questions 41

Refer to the exhibit.

350-201 Question 41

An engineer configured this SOAR solution workflow to identify account theft threats and privilege escalation, evaluate risk, and respond by resolving the threat. This solution is handling more threats than the security analysts have time to analyze. Without this analysis, the team cannot be proactive and anticipate attacks. Which action will accomplish this goal?

Options:

A.

Exclude the step “BAN malicious IP” to allow analysts to conduct and track the remediation

B.

Include a step “Take a Snapshot” to capture the endpoint state to contain the threat for analysis

C.

Exclude the step “Check for GeoIP location” to allow analysts to analyze the location and the associated risk based on asset criticality

D.

Include a step “Reporting” to alert the security department of threats identified by the SOAR reporting engine

Exam Code: 350-201
Exam Name: Performing CyberOps Using Core Security Technologies (CBRCOR)
Last Update: Mar 28, 2025
Questions: 139