• 4.9/5.0
  • 126 Questions
  • Updated on: 25-May-2026
  • Conducting Forensic Analysis and Incident Response Using Cisco CyberOps Technologies (CBRFIR)
  • 21265 Prepared

Free Cisco 300-215 Practice Questions 2026 | Conducting Forensic Analysis and Incident Response Using Cisco CyberOps Technologies (CBRFIR)


Refer to the exhibit.

A security analyst is reviewing alerts from the SIEM system that was just implemented and notices a possible indication of an attack because the SSHD system just went live and there should be nobody using it. Which action should the analyst take to respond to the alert?

A. Investigate the alert by checking SSH logs and correlating with other relevant data in SIEM.

B. Reset the admin password in SSHD to prevent unauthorized access to the system at scale.

C. Ignore the alert and continue monitoring for further activity because the system was just implemented.

D. Immediately block the IP address 192.168.1.100 from accessing the SSHD environment.

A.   Investigate the alert by checking SSH logs and correlating with other relevant data in SIEM.
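The investigate-first answer above is the right one, but the page does not show what "checking SSH logs and correlating" looks like in practice. The following is an added example, not part of the original page: it parses a constructed set of OpenSSH auth.log lines (the 192.168.1.100 address is reused from option D; the hostnames, users and timestamps are made up), checks successful logins against an assumed asset record of allowed SSH sources, counts repeated failures per source and account, and pulls every line about a flagged source so the analyst can look at the whole session instead of reacting to one alert.

```python
import re
from collections import defaultdict

# Constructed sample of OpenSSH auth.log lines for the newly deployed host.
# These are not the page's exhibit; 192.168.1.100 is reused from option D.
SAMPLE_SSH_LOG = """\
May 25 03:12:41 fileshare sshd[2201]: Accepted password for admin from 192.168.1.100 port 51422 ssh2
May 25 03:12:45 fileshare sshd[2201]: pam_unix(sshd:session): session opened for user admin by (uid=0)
May 25 03:14:02 fileshare sshd[2210]: Failed password for root from 192.168.1.100 port 51430 ssh2
May 25 03:14:05 fileshare sshd[2210]: Failed password for root from 192.168.1.100 port 51430 ssh2
May 25 03:14:09 fileshare sshd[2210]: Failed password for root from 192.168.1.100 port 51430 ssh2
May 25 09:30:11 fileshare sshd[2305]: Accepted publickey for deploy from 10.0.5.20 port 40112 ssh2
"""

# Assumed SIEM asset context: the only source that is supposed to reach this host over SSH.
ALLOWED_SSH_SOURCES = {"10.0.5.20"}

AUTH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
    r"(?P<outcome>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+) port (?P<port>\d+)"
)


def parse_ssh_events(text):
    """Turn raw sshd lines into dicts; lines that are not auth outcomes are skipped."""
    events = []
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def triage(events, allowed_sources, fail_threshold=3):
    """Flag successful logins from sources the asset record does not allow, and
    sources that repeatedly fail for the same account (password guessing)."""
    findings = []
    failures = defaultdict(int)
    for e in events:
        if e["outcome"] == "Accepted" and e["src"] not in allowed_sources:
            findings.append(("login_from_unexpected_source", e["src"], e["user"]))
        elif e["outcome"] == "Failed":
            failures[(e["src"], e["user"])] += 1
    for (src, user), n in failures.items():
        if n >= fail_threshold:
            findings.append(("repeated_auth_failures", src, user, n))
    return findings


def pivot_on_source(text, src):
    """Every line that mentions one source address, so the analyst correlates the
    alert with the full activity of that host rather than acting on a single line."""
    return [line for line in text.splitlines() if src in line]


if __name__ == "__main__":
    events = parse_ssh_events(SAMPLE_SSH_LOG)
    for finding in triage(events, ALLOWED_SSH_SOURCES):
        print(finding)
    print(len(pivot_on_source(SAMPLE_SSH_LOG, "192.168.1.100")), "lines mention 192.168.1.100")
```

The point of `pivot_on_source` is the correlation step: the single "Accepted password for admin" line becomes much more interesting once it sits next to three failed root logins from the same address two minutes later, and that combined picture is what justifies a containment decision such as blocking the address.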

A security team is discussing lessons learned and suggesting process changes after a security breach incident. During the incident, members of the security team failed to report the abnormal system activity due to a high project workload. Additionally, when the incident was identified, the response took six hours due to management being unavailable to provide the approvals needed. Which two steps will prevent these issues from occurring in the future? (Choose two.)

A. Introduce a priority rating for incident response workloads.

B. Provide phishing awareness training for the full security team.

C. Conduct a risk audit of the incident response workflow.

D. Create an executive team delegation plan.

E. Automate security alert timeframes with escalation triggers.

A.   Introduce a priority rating for incident response workloads.
D.   Create an executive team delegation plan.

Refer to the exhibit.

What is the indicator of compromise?

A. SHA256 file hash

B. indicator ID: malware--a932fcc6-e032-476c-826f-cb970a569bce

C. indicator type: malicious-activity

D. MD5 file hash

A.   SHA256 file hash

Refer to the exhibit.

What is occurring within the exhibit?

A. Source 10.1.21.101 sends HTTP requests with the size of 302 kb.

B. Host 209.141.51.196 redirects the client request from /Lk9tdZ to /files/1.bin.

C. Host 209.141.51.196 redirects the client request to port 49723.

D. Source 10.1.21.101 is communicating with 209.141.51.196 over an encrypted channel.

B.   Host 209.141.51.196 redirects the client request from /Lk9tdZ to /files/1.bin.
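The exhibit behind this question is not reproduced on the page, so here is an added example (not part of the original) that reconstructs the kind of exchange option B describes. The addresses, the two paths and the client port are reused from the answer options; the headers and bodies are constructed. The code pairs each response with the request before it, records HTTP redirects, and reports what the client finally received, including a check for an "MZ" header that marks a Windows executable.

```python
# Constructed HTTP exchange: (source, destination, raw message) in capture order.
# Addresses, paths and the client port come from the answer options; everything else is made up.
SAMPLE_EXCHANGE = [
    ("10.1.21.101:49723", "209.141.51.196:80",
     "GET /Lk9tdZ HTTP/1.1\r\nHost: 209.141.51.196\r\nUser-Agent: Mozilla/5.0\r\n\r\n"),
    ("209.141.51.196:80", "10.1.21.101:49723",
     "HTTP/1.1 302 Found\r\nLocation: /files/1.bin\r\nContent-Length: 0\r\n\r\n"),
    ("10.1.21.101:49723", "209.141.51.196:80",
     "GET /files/1.bin HTTP/1.1\r\nHost: 209.141.51.196\r\n\r\n"),
    ("209.141.51.196:80", "10.1.21.101:49723",
     "HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\nContent-Length: 4\r\n\r\nMZ\x90\x00"),
]

REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def parse_http_message(raw):
    """Minimal parser for one request or response as seen on the wire."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    start = lines[0].split(" ", 2)
    headers = {}
    for h in lines[1:]:
        name, _, value = h.partition(":")
        headers[name.strip().lower()] = value.strip()
    if start[0].startswith("HTTP/"):
        return {"kind": "response", "status": int(start[1]), "headers": headers, "body": body}
    return {"kind": "request", "method": start[0], "path": start[1], "headers": headers, "body": body}


def analyze_exchange(exchange):
    """Pair each response with the preceding request; report redirects and the
    final object delivered to the client."""
    redirects, final, pending = [], None, None
    for src, dst, raw in exchange:
        msg = parse_http_message(raw)
        if msg["kind"] == "request":
            pending = (src, dst, msg)
            continue
        if pending is None:
            continue  # response with no request seen: ignore
        _, req_dst, req = pending
        server = req_dst.split(":")[0]
        if msg["status"] in REDIRECT_STATUSES and "location" in msg["headers"]:
            redirects.append({"server": server, "status": msg["status"],
                              "from": req["path"], "to": msg["headers"]["location"]})
        else:
            final = {"server": server, "path": req["path"], "status": msg["status"],
                     "content_type": msg["headers"].get("content-type", ""),
                     "body_bytes": len(msg["body"].encode("latin-1")),
                     "looks_like_pe": msg["body"].startswith("MZ")}
        pending = None
    return {"redirects": redirects, "final": final}


if __name__ == "__main__":
    result = analyze_exchange(SAMPLE_EXCHANGE)
    for r in result["redirects"]:
        print(f"{r['server']} {r['status']}: {r['from']} -> {r['to']}")
    print("delivered:", result["final"])
```

Note that the whole exchange is readable plaintext on port 80, which is also why option D (an encrypted channel) cannot be what the exhibit shows; a redirect from a short random-looking path to a `.bin` that starts with `MZ` is a common payload-delivery pattern worth carving out of the capture.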

Drag and drop the steps from the left into the order to perform forensics analysis of infrastructure networks on the right.


A cybersecurity analyst must evaluate files from an endpoint in an enterprise network. The antivirus software on the endpoint flagged a suspicious file during a routine scan. On initial evaluation, the file did not match any known signatures in the antivirus database but exhibited unusual network behavior during dynamic analysis. Which step should the analyst take next?

A. Submit the file to a threat intelligence platform for further analysis and to identify potential IOCs.

B. Delete the file immediately from the endpoint to prevent the potential spread of malware.

C. Install different antivirus software on the endpoint and perform another deep scan of affected assets.

D. Flag the file as a potential false positive because it does not match any known malware signatures.

A.   Submit the file to a threat intelligence platform for further analysis and to identify potential IOCs.
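Two questions on this page turn on the same skill: the STIX exhibit question above (where the IOC is the SHA256 hash, not the indicator id or the indicator type) and this one (turning an unknown file into something a threat intelligence platform can match). The following is an added example, not part of the original page, covering both: it reads a constructed STIX 2.1 bundle (the indicator id is a made-up UUID), pulls the file hashes out of the indicator pattern, classifies them by length, and matches a constructed sample file's digests against them.

```python
import hashlib
import json
import re

# Constructed stand-in for the quarantined file; starts with the PE "MZ" marker.
SAMPLE_FILE = b"MZ\x90\x00constructed-suspicious-sample"
SAMPLE_SHA256 = hashlib.sha256(SAMPLE_FILE).hexdigest()

# Constructed STIX 2.1 bundle. The indicator id is only the object's identity;
# the observable the platform matches on lives in the pattern.
SAMPLE_STIX_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--11111111-2222-4333-8444-555555555555",
    "objects": [{
        "type": "indicator",
        "spec_version": "2.1",
        "id": "indicator--aaaaaaaa-bbbb-4ccc-8ddd-eeeeeeeeeeee",
        "created": "2026-05-25T10:00:00.000Z",
        "modified": "2026-05-25T10:00:00.000Z",
        "name": "Dropper sample (constructed)",
        "indicator_types": ["malicious-activity"],
        "pattern_type": "stix",
        "pattern": (f"[file:hashes.'SHA-256' = '{SAMPLE_SHA256}' OR "
                    "file:hashes.MD5 = 'd41d8cd98f00b204e9800998ecf8427e']"),
        "valid_from": "2026-05-25T10:00:00Z",
    }],
})

# Matches file:hashes.'SHA-256' = '...' as well as the unquoted file:hashes.MD5 = '...' form.
HASH_RE = re.compile(
    r"file:hashes\.'?(?P<algo>[A-Za-z0-9-]+)'?\s*=\s*'(?P<value>[0-9a-fA-F]+)'")
HASH_LENGTHS = {32: "MD5", 40: "SHA-1", 64: "SHA-256"}


def extract_hash_iocs(bundle_json):
    """Return (algorithm, lowercase hex value, indicator id) for every hash in
    every STIX-pattern indicator of the bundle."""
    iocs = []
    for obj in json.loads(bundle_json)["objects"]:
        if obj.get("type") != "indicator" or obj.get("pattern_type") != "stix":
            continue
        for m in HASH_RE.finditer(obj["pattern"]):
            value = m.group("value").lower()
            # Prefer the length-derived name so 'SHA-256' and 'sha256' normalise the same way.
            algo = HASH_LENGTHS.get(len(value), m.group("algo"))
            iocs.append((algo, value, obj["id"]))
    return iocs


def hash_file_bytes(data):
    """Digests an analyst would compute before submitting a sample."""
    return {"MD5": hashlib.md5(data).hexdigest(),
            "SHA-1": hashlib.sha1(data).hexdigest(),
            "SHA-256": hashlib.sha256(data).hexdigest()}


def match_file(data, iocs):
    """IOCs from the feed whose hash equals the file's digest for that algorithm."""
    digests = hash_file_bytes(data)
    return [(algo, value, ind_id) for algo, value, ind_id in iocs if digests.get(algo) == value]


if __name__ == "__main__":
    feed = extract_hash_iocs(SAMPLE_STIX_BUNDLE)
    for algo, value, ind_id in feed:
        print(f"{algo:8} {value}  (from {ind_id})")
    print("matches for sample:", match_file(SAMPLE_FILE, feed))
```

The MD5 in the constructed pattern is the digest of an empty input, so `match_file(b"", feed)` hits the MD5 term and the sample file hits the SHA-256 term; an indicator can carry several observables, and the indicator id never appears on the match side, which is why it is not itself the IOC.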

Refer to the exhibit.

An HR department submitted a ticket to the IT helpdesk indicating slow performance on an internal share server. The helpdesk engineer checked the server with a real-time monitoring tool and did not notice anything suspicious. After checking the event logs, the engineer noticed an event that occurred 48 hours prior. Which two indicators of compromise should be determined from this information? (Choose two.)

A. unauthorized system modification

B. privilege escalation

C. denial of service attack

D. compromised root access

E. malware outbreak

A.   unauthorized system modification
E.   malware outbreak

Refer to the exhibit.

Which type of code is being used?

A. Shell

B. VBScript

C. BASH

D. Python

D.   Python

Refer to the exhibit.

Which determination should be made by a security analyst?

A. An email was sent with an attachment named “Grades.doc.exe”.

B. An email was sent with an attachment named “Grades.doc”.

C. An email was sent with an attachment named “Final Report.doc”.

D. An email was sent with an attachment named “Final Report.doc.exe”.

D.   An email was sent with an attachment named “Final Report.doc.exe”.
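The exhibit for this question is not on the page, so here is an added example (not part of the original) showing how the determination is made from the message itself rather than from what a mail client displays. It parses a constructed .eml with Python's standard `email` module, lists attachments by their declared filename, and flags the double-extension trick: a document extension in front of an executable one, plus a check of the first bytes for the "MZ" executable marker. Only the attachment name "Final Report.doc.exe" is taken from the question; the addresses, subject and body are made up.

```python
import email
import os
from email import policy

# Constructed message; the base64 body decodes to a buffer beginning with the PE "MZ" marker.
SAMPLE_EML = """\
From: grades@example.edu
To: student@example.edu
Subject: Final grades
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUND1"

--BOUND1
Content-Type: text/plain; charset="utf-8"

Please find the final report attached.

--BOUND1
Content-Type: application/octet-stream; name="Final Report.doc.exe"
Content-Disposition: attachment; filename="Final Report.doc.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
--BOUND1--
"""

EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".hta", ".ps1"}
DOCUMENT_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".txt"}


def attachments(raw_eml):
    """Declared filename, MIME type, decoded size and first two bytes of each attachment."""
    msg = email.message_from_string(raw_eml, policy=policy.default)
    found = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        found.append({"filename": part.get_filename() or "",
                      "content_type": part.get_content_type(),
                      "size": len(data),
                      "magic": data[:2]})
    return found


def assess_attachment(att):
    """Reasons to treat the attachment as hostile; empty list means nothing flagged."""
    name = att["filename"]
    root, last = os.path.splitext(name)   # "Final Report.doc", ".exe"
    _, inner = os.path.splitext(root)     # ".doc"
    reasons = []
    if last.lower() in EXECUTABLE_EXTS:
        reasons.append(f"executable extension {last}")
    if inner.lower() in DOCUMENT_EXTS and last.lower() in EXECUTABLE_EXTS:
        # A client that hides known extensions would show this as the inner name only.
        reasons.append(f"document extension masking executable ({inner}{last})")
    if att.get("magic") == b"MZ" and last.lower() not in EXECUTABLE_EXTS:
        reasons.append("PE header but non-executable extension")
    return reasons


if __name__ == "__main__":
    for att in attachments(SAMPLE_EML):
        print(att["filename"], att["content_type"], att["size"], att["magic"])
        for reason in assess_attachment(att):
            print("  -", reason)
```

The analyst's determination comes from the `Content-Disposition` filename and the decoded bytes, not from the client's rendering; that is the difference between options C and D in this question.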

A new zero-day vulnerability is discovered in the web application. The vulnerability does not require physical access and can be exploited remotely. Attackers are exploiting it by submitting a form with malicious content that grants them access to the server. After exploitation, the attackers delete the log files to hide their traces. Which two actions should the security engineer take next? (Choose two.)

A. Validate input upon submission.

B. Block connections on port 443.

C. Install antivirus.

D. Update web application to the latest version.

E. Enable file integrity monitoring.

A.   Validate input upon submission.
E.   Enable file integrity monitoring.
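File integrity monitoring is the answer that addresses the log deletion in this scenario, but the page does not show what it detects or how. The following is an added example, not part of the original page: a minimal baseline-and-compare monitor that hashes every file under a directory, then classifies deleted, added, modified and truncated files. The `demo()` function builds a constructed log directory in a temporary folder, simulates an attacker removing one log, truncating another and dropping a new file, and returns the comparison; file names and contents are made up.

```python
import hashlib
import os
import tempfile


def sha256_of(path):
    """Streamed SHA-256 so large logs do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Hash and size of every file under root, keyed by path relative to root."""
    baseline = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = {"sha256": sha256_of(full), "size": os.path.getsize(full)}
    return baseline


def compare_baselines(before, after):
    """Classify changes. 'truncated' is the subset of modified files that shrank,
    which is what wiping a log in place looks like; outright deletion shows up as 'deleted'."""
    common = set(before) & set(after)
    modified = sorted(p for p in common if before[p]["sha256"] != after[p]["sha256"])
    return {
        "deleted": sorted(set(before) - set(after)),
        "added": sorted(set(after) - set(before)),
        "modified": modified,
        "truncated": sorted(p for p in modified if after[p]["size"] < before[p]["size"]),
    }


def demo():
    """Constructed scenario: baseline a fake log directory, then simulate an attacker
    removing auth.log, truncating access.log and dropping a new file."""
    with tempfile.TemporaryDirectory() as root:
        files = {
            "access.log": b"GET /form 200\nPOST /form 500\n",
            "auth.log": b"session opened for user www-data\n",
            "app.conf": b"debug=false\n",
        }
        for name, data in files.items():
            with open(os.path.join(root, name), "wb") as f:
                f.write(data)
        before = build_baseline(root)

        os.remove(os.path.join(root, "auth.log"))                  # log deleted
        with open(os.path.join(root, "access.log"), "wb"):          # log truncated to zero bytes
            pass
        with open(os.path.join(root, "shell.php"), "wb") as f:      # new file dropped
            f.write(b"dropped file (constructed placeholder)")

        after = build_baseline(root)
        return compare_baselines(before, after)


if __name__ == "__main__":
    for category, paths in demo().items():
        print(f"{category:10} {paths}")
```

Two practical caveats a real deployment needs and this toy omits: the baseline must be stored somewhere the web server's account cannot modify, and log files change legitimately all the time, so for them the useful signal is a size decrease or a hash that no longer has the previous content as a prefix, not any change at all.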

Page 5 out of 13 Pages