60 Questions | Updated on: 25-May-2026

Free Cisco 300-220 Practice Questions 2026 | Conducting Threat Hunting and Defending using Cisco Technologies for Cybersecurity 300-220 CBRTHD


A SOC team wants to detect lateral movement performed using legitimate administrative tools rather than malware. Which telemetry source provides the MOST reliable visibility for this hunting objective?

A. Antivirus detection logs

B. Email security gateway logs

C. Authentication and remote execution logs

D. Web proxy URL filtering logs

C.   Authentication and remote execution logs
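Why authentication and remote-execution logs are the right source: a hop made with PsExec, WMI or WinRM drops no malware, but it always produces a network logon on the target followed within seconds by a process launched on behalf of the remote caller. The hunt below pairs those two event classes per host and user inside a short window and then ranks sources by how many targets they fanned out to. This is an added example, not code from the exam or from Cisco; the event schema, the sample events and the set of remote-execution parent processes are constructed assumptions for the illustration.

```python
from datetime import datetime, timedelta

# Parent images that mean "launched for a remote caller" on the target:
# WMI provider host, WinRM plugin host, the PsExec service, and the Service
# Control Manager (new service installs).  Assumed set for this example.
REMOTE_EXEC_PARENTS = {"wmiprvse.exe", "wsmprovhost.exe", "psexesvc.exe", "services.exe"}

# Constructed, simplified telemetry (not native Windows or Cisco output).
# logon_type 3 is a network logon, the type PsExec/WMI/WinRM leave on the target.
SAMPLE_EVENTS = [
    {"time": "2026-05-25T09:00:00", "host": "srv-fs01", "event": "logon",
     "logon_type": 3, "user": "CORP\\jdoe", "src_ip": "10.0.1.20"},
    {"time": "2026-05-25T09:00:08", "host": "srv-fs01", "event": "process_create",
     "user": "CORP\\jdoe", "parent": "WmiPrvSE.exe", "image": "cmd.exe"},
    # Same operator, second hop: PsExec-style service install on a domain controller.
    {"time": "2026-05-25T09:03:10", "host": "dc01", "event": "logon",
     "logon_type": 3, "user": "CORP\\jdoe", "src_ip": "10.0.1.20"},
    {"time": "2026-05-25T09:03:12", "host": "dc01", "event": "process_create",
     "user": "CORP\\jdoe", "parent": "services.exe", "image": "PSEXESVC.exe"},
    # Benign: backup account makes SMB network logons with no remote execution.
    {"time": "2026-05-25T09:05:00", "host": "srv-fs01", "event": "logon",
     "logon_type": 3, "user": "CORP\\svc-backup", "src_ip": "10.0.9.9"},
    # Benign: interactive logon, shell started from explorer.
    {"time": "2026-05-25T09:06:00", "host": "ws07", "event": "logon",
     "logon_type": 2, "user": "CORP\\alice", "src_ip": "-"},
    {"time": "2026-05-25T09:06:30", "host": "ws07", "event": "process_create",
     "user": "CORP\\alice", "parent": "explorer.exe", "image": "cmd.exe"},
    # Outside the default window: WMI child ten minutes after the logon.
    {"time": "2026-05-25T09:20:00", "host": "srv-app02", "event": "logon",
     "logon_type": 3, "user": "CORP\\bob", "src_ip": "10.0.1.44"},
    {"time": "2026-05-25T09:30:30", "host": "srv-app02", "event": "process_create",
     "user": "CORP\\bob", "parent": "WmiPrvSE.exe", "image": "powershell.exe"},
]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def hunt_lateral_movement(events, window_seconds=60):
    """Pair each network logon with a remote-exec child process on the same
    host and user within window_seconds.  Returns (src_ip, user, host, image)."""
    logons = [e for e in events if e["event"] == "logon" and e["logon_type"] == 3]
    procs = [e for e in events if e["event"] == "process_create"]
    hits = []
    for lg in logons:
        start = _ts(lg["time"])
        for p in procs:
            delta = _ts(p["time"]) - start
            if (p["host"] == lg["host"] and p["user"] == lg["user"]
                    and p["parent"].lower() in REMOTE_EXEC_PARENTS
                    and timedelta(0) <= delta <= timedelta(seconds=window_seconds)):
                hits.append((lg["src_ip"], lg["user"], lg["host"], p["image"]))
    return hits


def fan_out(hits):
    """Distinct target hosts per source IP.  A single workstation reaching
    several servers by remote execution is the lead to triage first."""
    out = {}
    for src_ip, _user, host, _image in hits:
        out.setdefault(src_ip, set()).add(host)
    return out


if __name__ == "__main__":
    for hit in hunt_lateral_movement(SAMPLE_EVENTS):
        print("possible hop:", hit)
    print("fan-out by source:", fan_out(hunt_lateral_movement(SAMPLE_EVENTS)))
```

Only the two hops by CORP\jdoe from 10.0.1.20 survive: the backup account never spawns a remote-exec child, the interactive logon is excluded by type, and the ten-minute gap on srv-app02 falls outside the window. Widening the window trades that miss against more benign pairings, which is the tuning decision the hunter documents with the hypothesis.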

A threat hunting team wants to ensure hunts are repeatable, scalable, and less dependent on individual analyst intuition. What is the MOST important process improvement?

A. Increasing the number of threat intelligence feeds

B. Automating alert triage workflows

C. Standardizing hunt documentation and hypotheses

D. Blocking all suspicious activity automatically

C.   Standardizing hunt documentation and hypotheses

The CISO must improve the threat-hunting strategy to strengthen the organization's security posture and better prepare against sophisticated threats. Which aspect of the Threat Hunting Maturity Model can significantly enhance an organization's ability to address challenges outlined in the Pyramid of Pain?

A. Emphasizing focus on compliance-driven security checks and audits to ensure seamless audit

B. Conducting threat assessments and wargames quarterly during scheduled security reviews

C. Transitioning from reactive to proactive threat hunting to identify unknown threats and vulnerabilities

D. Developing automated processes to systematically detect known threats across the network

C.   Transitioning from reactive to proactive threat hunting to identify unknown threats and vulnerabilities

A threat hunter is performing a structured hunt using Cisco Secure Endpoint (AMP) telemetry to identify credential harvesting activity. Which data source is MOST critical during the data collection and processing phase of the hunt?

A. File reputation scores from Talos

B. Endpoint process execution and memory access events

C. Threat intelligence reports from external vendors

D. User-reported suspicious activity

B.   Endpoint process execution and memory access events

Refer to the exhibit.

A company was recently breached and decided to improve its security posture going forward. A security assessment was ordered, specifically intended to test the weak points exploited during the breach. A security analyst reviews server logs to identify activities related to that security assessment. Which entry suggests a delivery method associated with the authorized assessment?

A. Login test at scale using "AuthCheck/4.1" and leaked credentials.

B. Using "SecurityScan/2.5" to access all /admin endpoints.

C. Exploitation via "ExploitTest/2.0" using a shutdown command.

D. Scan via "WebCrawler/1.0" to gather public-facing information.

B.   Using "SecurityScan/2.5" to access all /admin endpoints.

During multiple intrusions, analysts observe that attackers consistently perform internal reconnaissance before privilege escalation, avoid noisy exploitation, and limit actions to business hours of the victim’s region. Why is this observation important for attribution?

A. It confirms the use of a specific exploit kit

B. It indicates an advanced persistence mechanism

C. It reveals operational discipline and intent

D. It identifies the malware command-and-control protocol

C.   It reveals operational discipline and intent

According to the MITRE ATT&CK framework, how is the password spraying technique classified?

A. Privilege escalation

B. Initial access

C. Lateral movement

D. Credential access

D.   Credential access
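Password spraying sits under Credential Access because the adversary is trying to obtain valid credentials, not to escalate or move. What separates it from ordinary brute force in the logs is its shape: one source, many distinct accounts, a few attempts each, spread out to stay under lockout thresholds. The sliding-window check below, an added example that is not part of the exam material or any Cisco product, scores each source by the number of distinct accounts it failed against inside a window and reports whether the spray ended in a successful logon. The authentication-event schema and the sample events are constructed for this illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def _auth(base, offset_s, user, src_ip, result="fail"):
    """Build one constructed authentication event."""
    return {"time": (base + timedelta(seconds=offset_s)).strftime("%Y-%m-%dT%H:%M:%S"),
            "user": user, "src_ip": src_ip, "result": result}


BASE = datetime(2026, 5, 25, 8, 0, 0)
SAMPLE_AUTH = (
    # Spray: twelve different accounts, one failure each, two minutes apart,
    # then one success once a weak password lands.
    [_auth(BASE, 120 * i, f"CORP\\user{i:02d}", "203.0.113.5") for i in range(12)]
    + [_auth(BASE, 120 * 12, "CORP\\user12", "203.0.113.5", "success")]
    # Brute force: a single account hammered twenty times from another source.
    + [_auth(BASE, 5 * i, "CORP\\admin", "198.51.100.7") for i in range(20)]
    # Noise: an office user mistyping a password twice.
    + [_auth(BASE, 30, "CORP\\alice", "10.0.1.20"), _auth(BASE, 45, "CORP\\alice", "10.0.1.20")]
)


def detect_password_spray(events, window_minutes=30, min_accounts=8):
    """Flag sources whose failures cover >= min_accounts distinct users inside
    any window_minutes span.  Returns {src_ip: {"accounts": n, "success": bool}}."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src_ip"]].append(e)
    window = timedelta(minutes=window_minutes)
    findings = {}
    for src_ip, evs in by_src.items():
        evs.sort(key=lambda e: e["time"])  # ISO timestamps sort lexically
        fails = [e for e in evs if e["result"] == "fail"]
        best, lo = 0, 0
        for hi in range(len(fails)):
            # Advance the window start until it spans at most window_minutes.
            while _ts(fails[hi]["time"]) - _ts(fails[lo]["time"]) > window:
                lo += 1
            best = max(best, len({e["user"] for e in fails[lo:hi + 1]}))
        if best >= min_accounts:
            findings[src_ip] = {
                "accounts": best,
                # A success from a spraying source is the pivot into the next hunt.
                "success": any(e["result"] == "success" for e in evs),
            }
    return findings


if __name__ == "__main__":
    print(detect_password_spray(SAMPLE_AUTH))
```

The brute-force source is deliberately not reported: twenty failures against one account is a different sub-technique with its own detection (failure count per account), and mixing the two hides the spray pattern in lockout noise. Shrinking the window to ten minutes makes the two-minute cadence disappear entirely, which is exactly how a low-and-slow spray evades a short-window SIEM rule.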

A threat hunter wants to detect credential dumping attempts that bypass traditional malware detection. Which telemetry source is MOST effective for this purpose?

A. Email gateway attachment logs

B. Endpoint memory access telemetry

C. DNS query logs

D. Firewall allow/deny logs

B.   Endpoint memory access telemetry
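Both this question and the earlier one on credential harvesting with Cisco Secure Endpoint telemetry point at the same event class: a process opening a handle to LSASS with memory-read rights. File hashes and signatures do not help when the dumper is a renamed or living-off-the-land binary, but the access mask on the handle cannot be disguised. The hunt below, an added example that is neither exam content nor Cisco code, walks process-access events, keeps only handles to lsass.exe that carry PROCESS_VM_READ or PROCESS_VM_WRITE, and suppresses known readers by full path rather than by image name so that a copy of a dumper renamed to svchost.exe in a user profile is still reported. The event schema, the allowlist and the sample events are constructed assumptions.

```python
# Windows process access rights (documented constants).
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020

# Allowlist of full paths (assumed for this example) that legitimately read
# LSASS memory.  Matching on the path, not the file name, is what defeats a
# renamed dumper living in a user-writable directory.
ALLOWED_LSASS_READERS = {
    r"c:\program files\windows defender\msmpeng.exe",
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
}

# Constructed process-access events (simplified; not native Sysmon or Cisco output).
SAMPLE_ACCESS = [
    {"host": "ws03", "source_image": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "target_image": r"C:\Windows\System32\lsass.exe", "granted_access": "0x1010"},
    {"host": "ws03", "source_image": r"C:\Temp\procdump64.exe",
     "target_image": r"C:\Windows\System32\lsass.exe", "granted_access": "0x1FFFFF"},
    {"host": "ws11", "source_image": r"C:\Users\bob\AppData\Local\svchost.exe",
     "target_image": r"C:\Windows\System32\lsass.exe", "granted_access": "0x1010"},
    # Query-limited handle only: routine, no memory rights.
    {"host": "srv02", "source_image": r"C:\Windows\System32\Taskmgr.exe",
     "target_image": r"C:\Windows\System32\lsass.exe", "granted_access": "0x1000"},
    # Full access to a process that is not LSASS: out of scope for this hunt.
    {"host": "ws11", "source_image": r"C:\Users\bob\AppData\Local\svchost.exe",
     "target_image": r"C:\Windows\System32\notepad.exe", "granted_access": "0x1FFFFF"},
]


def hunt_lsass_access(events, allowlist=ALLOWED_LSASS_READERS):
    """Return (host, source_image, granted_access, reason) for every handle to
    lsass.exe that carries memory read or write rights from a non-allowlisted path."""
    findings = []
    for e in events:
        target_name = e["target_image"].lower().rsplit("\\", 1)[-1]
        if target_name != "lsass.exe":
            continue
        mask = int(e["granted_access"], 16)
        if not mask & (PROCESS_VM_READ | PROCESS_VM_WRITE):
            continue  # query-only handles are opened constantly by system components
        if e["source_image"].lower() in allowlist:
            continue
        reason = "memory-write" if mask & PROCESS_VM_WRITE else "memory-read"
        findings.append((e["host"], e["source_image"], e["granted_access"], reason))
    return findings


if __name__ == "__main__":
    for f in hunt_lsass_access(SAMPLE_ACCESS):
        print("LSASS access lead:", f)
```

Two leads come out: the full-access handle from a dump utility in C:\Temp and the read handle from the fake svchost.exe under a user profile. Defender's identical 0x1010 handle is suppressed only because its full path matches, and the Task Manager handle is dropped because 0x1000 carries no memory rights. Tune the allowlist per environment (EDR agents, backup agents) and keep it path-based.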

A security operations team is transitioning from alert-driven investigations to a mature threat hunting program. The team wants to focus on detecting adversaries who intentionally evade signature-based tools and traditional SIEM alerts by using legitimate credentials and native system utilities. Which hunting focus best supports this objective?

A. Tracking known malicious IP addresses and domains from threat intelligence feeds

B. Monitoring endpoint antivirus alerts for malware detections

C. Analyzing abnormal behavior patterns across identity, endpoint, and network telemetry

D. Blocking files with known malicious hashes at the firewall

C.   Analyzing abnormal behavior patterns across identity, endpoint, and network telemetry

The Security Operations Center team at a company detects a successful VPN connection from a country outside the known countries of operation. After the connection occurs, the team receives multiple triggers from the same source IP address about file access and modifications to the file server. The team concludes that this is a case of data exfiltration from an unknown adversary through a compromised user account. To find other potential actions taken by the adversary, which type of threat hunting should be used?

A. Unstructured

B. AI-driven

C. Proactive

D. Structured

D.   Structured
