• 4.9/5.0
• 60 Questions
• Updated on: 25-May-2026
• Conducting Threat Hunting and Defending using Cisco Technologies for Cybersecurity 300-220 CBRTHD
• 2605 Prepared

Free Cisco 300-220 Practice Questions 2026 | Conducting Threat Hunting and Defending using Cisco Technologies for Cybersecurity 300-220 CBRTHD


Prepare smarter for your Conducting Threat Hunting and Defending using Cisco Technologies for Cybersecurity 300-220 CBRTHD certification. Our carefully curated free Cisco 300-220 practice questions 2026 mirror the actual exam format and difficulty level. Each 300-220 practice test question includes a detailed explanation to help you understand the 'why' behind every answer. Start your journey to becoming Conducting Threat Hunting and Defending using Cisco Technologies for Cybersecurity 300-220 CBRTHD certified today.


A threat hunter is using Cisco Secure Network Analytics (Stealthwatch) to investigate possible lateral movement inside the network. Which behavior would MOST strongly indicate lateral movement using valid credentials?

A. High volume of inbound internet traffic to a web server

B. Internal systems authenticating to multiple hosts using SMB in a short time

C. DNS queries to newly registered domains

D. Repeated HTTP requests to the same external IP address

B.   Internal systems authenticating to multiple hosts using SMB in a short time


Refer to the exhibit. Which technique is used by the attacker?

A. Perform a preliminary check to verify if the victim has already been compromised.

B. Scan using a batch file created on the fly that contains the command.

C. Use a base64-encoded VBScript that is decoded and executed on the endpoint.

D. Set up persistence by creating a shortcut for the malicious macro in the user's Startup directory.

C.   Use a base64-encoded VBScript that is decoded and executed on the endpoint.

The SOC team receives an alert about a user sign-in from an unusual country. After investigating the SIEM logs, the team confirms the user never signed in from that country. The incident is reported to the IT administrator who resets the user's password. Which threat hunting phase was initially used?

A. Collect and process intelligence and data

B. Response and resolution

C. Hypothesis

D. Post-incident review

A.   Collect and process intelligence and data

After a multi-week threat hunting exercise, a security team confirms that an attacker gained access using valid credentials, moved laterally, and exfiltrated data without deploying malware. Senior leadership asks how the hunting program reduced organizational risk. Which outcome BEST demonstrates the value of threat hunting?

A. Identification of the attacker’s IP addresses and domains

B. Discovery of unknown attacker behaviors and closure of detection gaps

C. Removal of malicious files from compromised hosts

D. Resetting credentials for affected users

B.   Discovery of unknown attacker behaviors and closure of detection gaps

A SOC analyst using Cisco security tools wants to differentiate threat hunting from traditional detection engineering. Which activity BEST represents threat hunting rather than detection engineering?

A. Creating a SIEM rule to alert on known malicious domains

B. Tuning EDR alerts to reduce false positives

C. Formulating a hypothesis to search for credential misuse without alerts

D. Blocking IP addresses based on Talos intelligence

C.   Formulating a hypothesis to search for credential misuse without alerts

After completing several successful hunts using Cisco Secure Network Analytics and Secure Endpoint, the SOC wants to ensure long-term defensive improvement. Which action BEST represents a mature threat hunting outcome?

A. Increasing alert sensitivity across all Cisco security tools

B. Blocking all suspicious network connections automatically

C. Converting hunt findings into permanent detection rules

D. Performing additional ad-hoc hunts weekly

C.   Converting hunt findings into permanent detection rules

A threat hunter uses Cisco Secure Network Analytics (Stealthwatch) to identify potential command-and-control traffic. Which characteristic MOST strongly indicates beaconing behavior?

A. Large file transfers to external IP addresses

B. Irregular outbound connections over multiple protocols

C. Small, periodic outbound connections to a rare destination

D. High-volume inbound traffic from the internet

C.   Small, periodic outbound connections to a rare destination

A SOC analyst is using Cisco Secure Network Analytics (Stealthwatch) to hunt for command-and-control (C2) activity across the enterprise. The analyst wants to identify stealthy C2 channels that intentionally avoid known malicious IP addresses and domains. Which Stealthwatch hunting approach BEST supports this objective?

A. Blocking outbound traffic to known C2 IP addresses

B. Monitoring NetFlow records for abnormal beaconing patterns

C. Reviewing firewall deny logs for suspicious connections

D. Relying on threat intelligence feeds for C2 indicators

B.   Monitoring NetFlow records for abnormal beaconing patterns

A SOC team must prepare for a new phishing campaign that tricks users into clicking a malicious URL to download a file. When the file executes, it creates a Windows process that harvests user credentials. The team must configure the SIEM tool to receive an alert if a suspicious process is detected. Which two rules must the team create in the SIEM tool? (Choose two.)

A. Rule that detects processes created by the users

B. Rule that detects processes in nonstandard file paths

C. Rule that detects common processes that have modified names

D. Rule that detects changes in process ownership

E. Rule that detects changes in process startup time

B.   Rule that detects processes in nonstandard file paths
C.   Rule that detects common processes that have modified names

What is a limitation of automated dynamic malware analysis tools?

A. Vulnerabilities in runtime environments cannot be found.

B. They produce false positives and false negatives.

C. Not all programming languages are supported.

D. They are time consuming when performed manually.

B.   They produce false positives and false negatives.


Why Prepare with Our Cisco 300-220 Practice Test?


Our 300-220 practice tests are designed to closely match the real Conducting Threat Hunting and Defending using Cisco Technologies for Cybersecurity 300-220 CBRTHD exam format and difficulty. Each question helps you understand the key concepts. With regularly updated content, detailed explanations for the Conducting Threat Hunting and Defending using Cisco Technologies for Cybersecurity 300-220 CBRTHD exam questions, and a user-friendly interface, you can confidently assess your knowledge and improve your Cisco exam readiness.