Free Cisco 300-215 Practice Questions 2026 | Conducting Forensic Analysis and Incident Response Using Cisco CyberOps Technologies (CBRFIR)
- 126 questions
- Updated on: 25-May-2026
Prepare smarter for your Conducting Forensic Analysis and Incident Response Using Cisco CyberOps Technologies (CBRFIR) certification. Our curated free Cisco 300-215 practice questions for 2026 mirror the actual exam format and difficulty level. Each 300-215 practice test question includes a detailed explanation to help you understand the 'why' behind every answer. Start your journey to becoming CBRFIR certified today.
Refer to the exhibit.

The application x-dosexec with hash 691c65e4fb1d19f82465df1d34ad51aaeceba14a78167262dc7b2840a6a6aa87 is reported as malicious and labeled as "Trojan.Generic" by the threat intelligence tool. What is considered an indicator of compromise?
A. modified registry
B. hooking
C. process injection
D. data compression
Refer to the exhibit.
A. hex encoding
B. metamorphic encoding
C. ASCII85 encoding
D. Base64 encoding
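The exhibit for this question is not reproduced on this page. As an added example (not part of the original page), the Python below shows what the answer turns on: hex, Base64 and ASCII85 are distinguishable by their alphabets and length rules, and the checks must run from the narrowest alphabet to the widest because each alphabet is contained in the next. The sample payloads are constructed here, not taken from the exhibit.

```python
import base64
import binascii
import re

# Alphabets, narrowest first: hex digits are a subset of the Base64 alphabet,
# and the Base64 alphabet is a subset of ASCII85's printable range '!'..'u'.
HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")
BASE64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
ASCII85_RE = re.compile(r"^[!-uz]+$")  # 'z' is ASCII85 shorthand for four zero bytes


def classify(blob):
    """Return (label, decoded_bytes) for a suspected encoded string.

    Checks run from the narrowest alphabet to the widest, because a hex
    string also passes the Base64 alphabet check and a Base64 string also
    passes the ASCII85 alphabet check. Short strings stay ambiguous (e.g.
    'abcd' is both valid hex and valid Base64), so eyeball the decoded bytes.
    """
    s = blob.strip()
    if HEX_RE.match(s) and len(s) % 2 == 0:
        return "hex", bytes.fromhex(s)
    if BASE64_RE.match(s) and len(s) % 4 == 0:
        try:
            return "base64", base64.b64decode(s, validate=True)
        except binascii.Error:
            pass
    if ASCII85_RE.match(s):
        try:
            return "ascii85", base64.a85decode(s)
        except ValueError:
            pass
    return "unknown", b""


# Constructed sample (not the page's exhibit): one command line encoded three ways.
PLAINTEXT = b"cmd.exe /c whoami"
SAMPLES = {
    "hex": PLAINTEXT.hex(),
    "base64": base64.b64encode(PLAINTEXT).decode(),
    "ascii85": base64.a85encode(PLAINTEXT).decode(),
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        label, decoded = classify(blob)
        print(f"{name:8} {blob!r:34} -> {label}: {decoded!r}")
```

In a real triage the decoded bytes matter more than the label: a blob that decodes to a printable command line or a PE header (MZ) is the evidence, the encoding is only the wrapper.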
Refer to the exhibit.

What do these artifacts indicate?
A. An executable file is requesting an application download.
B. A malicious file is redirecting users to different domains.
C. The MD5 of a file is identified as a virus and is being blocked.
D. A forged DNS request is forwarding users to malicious websites.
Which issue is associated with gathering evidence from virtualized environments provided by major cloud vendors?
A. increased data transparency provided by cloud vendors
B. difficulty ensuring the integrity of data due to multitenancy
C. reduced complexity in isolating and securing evidence
D. simplified chain of custody due to virtualization
An employee receives an email from a “trusted” person containing a hyperlink that is malvertising. The employee clicks the link and the malware downloads. An information analyst observes an alert at the SIEM and engages the cybersecurity team to conduct an analysis of this incident in accordance with the incident response plan. Which event detail should be included in this root cause analysis?
A. phishing email sent to the victim
B. alarm raised by the SIEM
C. information from the email header
D. alert identified by the cybersecurity team
During a routine security audit, an organization's security team detects an unusual spike in network traffic originating from one of their internal servers. Upon further investigation, the team discovered that the server was communicating with an external IP address known for hosting malicious content. The security team suspects that the server may have been compromised. As the incident response process begins, which two actions should be taken during the initial assessment phase of this incident? (Choose two.)
A. Notify law enforcement agencies about the incident.
B. Disconnect the compromised server from the network.
C. Conduct a comprehensive forensic analysis of the server hard drive.
D. Interview employees who have access to the server.
E. Review the organization's network logs for any signs of intrusion.
Answer: E. Review the organization's network logs for any signs of intrusion.
Which technique exemplifies an antiforensic technique?
A. steganalysis
B. data replication
C. stepheorology
D. steganography
What are YARA rules based upon?
A. binary patterns
B. HTML code
C. network artifacts
D. IP addresses
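YARA strings match byte-level patterns in a file or memory image, which is why "binary patterns" is the answer. As an added example (not from the page and not the YARA project's own code), the Python below implements a small subset of YARA hex-string syntax, fixed bytes, `??` byte wildcards, nibble wildcards such as `5?`, and `[n-m]` jumps, compiles it to a bytes regex, and evaluates an "all of them" condition over a constructed PE-like buffer. The rule name, string identifiers and sample bytes are all constructed for illustration; real scanning should use yara-python, which this does not replace.

```python
import re


def _nibble_class(tok):
    """Translate a nibble-wildcard byte such as '4?' or '?A' into a byte class."""
    hi, lo = tok[0], tok[1]
    members = [
        b for b in range(256)
        if (hi == "?" or b >> 4 == int(hi, 16))
        and (lo == "?" or b & 0xF == int(lo, 16))
    ]
    return b"[" + b"".join(re.escape(bytes([b])) for b in members) + b"]"


def hex_string_to_regex(hex_string):
    """Compile a YARA-style hex string, e.g. '{ 4D 5A [2-64] 50 45 00 00 }'."""
    tokens = hex_string.strip().strip("{}").split()
    parts = []
    for tok in tokens:
        if tok.startswith("[") and tok.endswith("]"):       # jump: [n], [n-m], [n-]
            rng = tok[1:-1]
            if "-" in rng:
                lo, hi = rng.split("-", 1)
                parts.append(b".{%s,%s}" % ((lo or "0").encode(), hi.encode()))
            else:
                parts.append(b".{%s}" % rng.encode())
        elif tok == "??":                                    # any single byte
            parts.append(b".")
        elif "?" in tok:                                     # nibble wildcard
            parts.append(_nibble_class(tok))
        else:                                                # literal byte
            parts.append(re.escape(bytes.fromhex(tok)))
    return re.compile(b"".join(parts), re.DOTALL)


def scan(data, strings):
    """Return {identifier: [offsets]} for every hex string found in data."""
    return {
        ident: [m.start() for m in hex_string_to_regex(pat).finditer(data)]
        for ident, pat in strings.items()
    }


def match_rule(data, rule):
    """Evaluate the two simplest YARA conditions over the scan results."""
    found = [bool(offsets) for offsets in scan(data, rule["strings"]).values()]
    if rule["condition"] == "all of them":
        return all(found)
    if rule["condition"] == "any of them":
        return any(found)
    raise ValueError("unsupported condition: " + rule["condition"])


# Constructed rule (hypothetical name and identifiers, not a published signature).
RULE = {
    "name": "example_pe_with_powershell_marker",
    "strings": {
        "$mz_pe": "{ 4D 5A [2-64] 50 45 00 00 }",   # 'MZ', a short jump, then 'PE\0\0'
        "$ps": "{ 5? 4F 57 ?? 52 }",                # 'P' (or 0x50..0x5F) 'O' 'W' any 'R'
    },
    "condition": "all of them",
}

# Constructed PE-like buffer: DOS stub start, padding, PE signature, embedded string.
SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"  # 16 bytes
    + b"\x00" * 48                                                  # up to offset 64
    + b"PE\x00\x00\x4c\x01\x03\x00"                                 # offsets 64..71
    + b"...POWERSHELL -enc ..."                                     # 'POWER' at offset 75
)

if __name__ == "__main__":
    print(scan(SAMPLE, RULE["strings"]))
    print(RULE["name"], "matches:", match_rule(SAMPLE, RULE))
```

The point to take away is that the signature never looks at a hostname, an IP or markup; it matches raw bytes, with wildcards and jumps to survive small variations between samples.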
A security team detected an above-average amount of inbound tcp/135 connection attempts from unidentified senders. The security team is responding based on their incident response playbook. Which two elements are part of the eradication phase for this incident? (Choose two.)
A. anti-malware software
B. data and workload isolation
C. centralized user management
D. intrusion prevention system
E. enterprise block listing solution
Answer: D. intrusion prevention system
A company had a recent data leak incident. A security engineer investigating the incident discovered that a malicious link was accessed by multiple employees. Further investigation revealed targeted phishing attack attempts on macOS systems, which led to backdoor installations and data compromise. Which two security solutions should a security engineer recommend to mitigate similar attacks in the future? (Choose two.)
A. endpoint detection and response
B. secure email gateway
C. data loss prevention
D. intrusion prevention system
E. web application firewall
Answer: B. secure email gateway
Why Prepare with Our Cisco 300-215 Practice Test?
Our 300-215 practice tests are designed to closely match the real Conducting Forensic Analysis and Incident Response Using Cisco CyberOps Technologies (CBRFIR) exam format and difficulty. Each question helps you understand the key concepts. With regularly updated content, detailed explanations for every CBRFIR exam question, and a user-friendly interface, you can confidently assess your knowledge and improve your Cisco exam readiness.