• 4.9/5.0
  • 721 Questions
  • Updated on: 25-May-2026
  • Implementing and Operating Cisco Security Core Technologies (SCOR 350-701)
  • 27215 Prepared

Free Cisco 350-701 Practice Questions 2026 | Implementing and Operating Cisco Security Core Technologies (SCOR 350-701)


Topic 3: Exam Pool C

An engineer has been tasked with configuring a Cisco FTD to analyze protocol fields and detect anomalies in the traffic from industrial systems. What must be done to meet these requirements?

A.

Implement pre-filter policies for the CIP preprocessor

B.

Enable traffic analysis in the Cisco FTD

C.

Configure intrusion rules for the DNP3 preprocessor

D.

Modify the access control policy to trust the industrial traffic

C.   

Configure intrusion rules for the DNP3 preprocessor



Reference:
https://www.cisco.com/c/en/us/td/docs/security/firepower/630/configuration/guide/fpmcconfigguide-v63/scada_preprocessors.html

Both the DNP3 and CIP preprocessors decode SCADA protocol fields and can raise events on anomalous traffic, but only option C pairs a SCADA preprocessor with the mechanism that actually detects and alerts on it: intrusion rules in the intrusion policy. The DNP3 preprocessor exposes the decoded fields to rules through keywords such as dnp3_func, dnp3_ind, dnp3_obj and dnp3_data, and it must be enabled in the network analysis policy before those rules can match. A prefilter policy (A) acts on outer-header and tunnel criteria before deep inspection and does not configure or drive a preprocessor; "traffic analysis" (B) is not a Firepower feature; trusting the industrial traffic (D) exempts it from inspection altogether.

Note:
+ An intrusion rule is a specified set of keywords and arguments that the system uses to detect attempts to exploit vulnerabilities in your network. As the system analyzes network traffic, it compares packets against the conditions specified in each rule, and triggers the rule if the data packet meets all the conditions specified in the rule.
+ Preprocessor rules are rules associated with preprocessors and packet decoder detection options in the network analysis policy. Most preprocessor rules are disabled by default.
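As an added illustration of what "analyze protocol fields and detect anomalies" means for DNP3 traffic, the following Python script (written for this page, not taken from Cisco or the Snort project) builds a DNP3 link-layer frame, checks its CRCs and length field, and pulls out the transport flags and the application-layer function code, flagging state-changing functions such as COLD_RESTART the way a dnp3_func rule would. The frames are constructed inline; the function-code names and the choice of which codes count as risky are assumptions for the example.

```python
import struct

DNP3_START = b"\x05\x64"
# Application-layer function codes (names assumed for the example). The
# state-changing ones are rare in routine polling, so an intrusion rule
# using dnp3_func would alert on them.
FUNC_NAMES = {0x00: "CONFIRM", 0x01: "READ", 0x02: "WRITE", 0x0D: "COLD_RESTART",
              0x0E: "WARM_RESTART", 0x15: "DISABLE_UNSOLICITED", 0x81: "RESPONSE"}
RISKY_FUNCS = {0x0D, 0x0E, 0x15}


def crc_dnp(data):
    """CRC-16/DNP: polynomial 0x3D65 (bit-reflected 0xA6BC), init 0, result inverted."""
    crc = 0
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA6BC if crc & 1 else crc >> 1
    return (~crc) & 0xFFFF


def build_frame(dst, src, control, user_data):
    """Constructed DNP3 link frame: 8-byte header + CRC, then one data block
    (transport byte + application fragment, at most 16 bytes here) + CRC."""
    header = DNP3_START + struct.pack("<BBHH", 5 + len(user_data), control, dst, src)
    frame = header + struct.pack("<H", crc_dnp(header))
    if user_data:
        frame += user_data + struct.pack("<H", crc_dnp(user_data))
    return frame


def analyze_frame(frame):
    """Decode the fields a DNP3 preprocessor exposes to rules (link addresses,
    transport flags, application function code) and return anomaly strings;
    an empty list means a well-formed frame with an ordinary function code."""
    if frame[:2] != DNP3_START or len(frame) < 10:
        return ["not a DNP3 frame"]
    findings = []
    length, control, dst, src = struct.unpack_from("<BBHH", frame, 2)
    if struct.unpack_from("<H", frame, 8)[0] != crc_dnp(frame[:8]):
        findings.append("link header CRC mismatch")
    data = frame[10:-2] if len(frame) > 10 else b""
    if len(data) != length - 5:
        findings.append(f"length field {length} disagrees with {len(data)} data bytes")
    elif data and struct.unpack("<H", frame[-2:])[0] != crc_dnp(data):
        findings.append("data block CRC mismatch")
    if len(data) >= 3:
        transport, func = data[0], data[2]
        if transport & 0xC0 != 0xC0:  # FIR and FIN not both set: part of a larger fragment
            findings.append("multi-segment transport fragment (reassembly required)")
        name = FUNC_NAMES.get(func)
        if func in RISKY_FUNCS:
            findings.append(f"function {name} from {src} to {dst}")
        elif name is None:
            findings.append(f"unknown/reserved function code 0x{func:02x}")
    return findings


if __name__ == "__main__":
    # master (address 1) -> outstation (address 10); 0xC4 = DIR|PRM|unconfirmed user data
    poll = build_frame(10, 1, 0xC4, bytes([0xC0, 0xC0, 0x01]))     # routine READ
    restart = build_frame(10, 1, 0xC4, bytes([0xC1, 0xC1, 0x0D]))  # COLD_RESTART
    print("poll:", analyze_frame(poll) or "clean")
    print("restart:", analyze_frame(restart))
```

The point of the CRC and length checks is that a preprocessor must validate framing before it can trust the function code it hands to a rule; a crafted frame with a bad CRC would otherwise be silently dropped by the outstation yet still look like a valid command to a naive signature.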

Which baseline form of telemetry is recommended for network infrastructure devices?

A. SDNS

B. NetFlow

C. passive taps

D. SNMP

B.   NetFlow

Explanation:
While all the options provide forms of telemetry, NetFlow (and its industry-standard version, IPFIX) is considered the baseline, recommended form of telemetry for understanding network behavior and security posture.

Let's break down the options:

B) NetFlow is CORRECT.
NetFlow provides a rich set of metadata about network conversations. It answers the critical questions: Who is talking to whom, over what protocol and port, for how long, and how much data was transferred? This "flow" data is the cornerstone for:

Network Performance Monitoring:
Identifying top talkers and application usage.

Security Analysis:
Detecting anomalies, data exfiltration, and beaconing to command-and-control servers (used by tools like Cisco Stealthwatch).

Capacity Planning:
Understanding traffic patterns over time.

It is a lightweight, ubiquitous standard supported on nearly all enterprise-grade network infrastructure.
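As an added example (not part of the original page or any Cisco product), the Python below builds a NetFlow v5 export packet from constructed flow records, decodes it back into the who/whom/port/duration/bytes tuples described above, and runs a simple beaconing detector over them: flows to one destination that recur at a near-constant interval are flagged, which is the kind of analysis Stealthwatch performs at scale. The flow set, the six-flow minimum and the 10% jitter threshold are assumptions of the example.

```python
import statistics
import struct
from collections import defaultdict
from ipaddress import IPv4Address

V5_HEADER = struct.Struct("!HHIIIIBBH")                # 24-byte NetFlow v5 header
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # 48-byte flow record


def build_v5_packet(records, sys_uptime=3_600_000, unix_secs=1_700_000_000):
    """Serialise flow dicts into one NetFlow v5 export packet.
    Constructed input: a real exporter (router, switch, firewall) sends these
    bytes over UDP to the collector; here we build them in-process."""
    body = b"".join(
        V5_RECORD.pack(
            IPv4Address(r["src"]).packed, IPv4Address(r["dst"]).packed,
            IPv4Address("0.0.0.0").packed, 0, 0,             # nexthop, in/out ifindex
            r["packets"], r["bytes"], r["first_ms"], r["last_ms"],
            r["sport"], r["dport"], 0, r.get("flags", 0x18), r["proto"], 0,
            0, 0, 24, 24, 0)                                  # AS numbers, masks, pad
        for r in records)
    header = V5_HEADER.pack(5, len(records), sys_uptime, unix_secs, 0, 0, 0, 0, 0)
    return header + body


def parse_v5(packet):
    """Decode a NetFlow v5 packet into flow records: who talked to whom, on
    which protocol/port, for how long (first/last sysuptime ms) and how much."""
    version, count, *_ = V5_HEADER.unpack_from(packet, 0)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version={version})")
    flows = []
    for i in range(count):
        f = V5_RECORD.unpack_from(packet, V5_HEADER.size + i * V5_RECORD.size)
        flows.append({"src": str(IPv4Address(f[0])), "dst": str(IPv4Address(f[1])),
                      "packets": f[5], "bytes": f[6], "first_ms": f[7], "last_ms": f[8],
                      "sport": f[9], "dport": f[10], "proto": f[13]})
    return flows


def find_beacons(flows, min_flows=6, max_cv=0.10):
    """Flag (src, dst, dport) tuples whose flow start times are almost evenly
    spaced, the periodic check-in signature of C2 beaconing. cv is the
    coefficient of variation (stdev/mean) of the inter-arrival gaps; human
    browsing is bursty and scores far above the 10% threshold assumed here."""
    starts_by_key = defaultdict(list)
    for f in flows:
        starts_by_key[(f["src"], f["dst"], f["dport"])].append(f["first_ms"])
    beacons = []
    for (src, dst, dport), starts in starts_by_key.items():
        if len(starts) < min_flows:
            continue
        starts.sort()
        gaps = [b - a for a, b in zip(starts, starts[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else float("inf")
        if cv <= max_cv:
            beacons.append({"src": src, "dst": dst, "dport": dport, "flows": len(starts),
                            "period_s": round(mean / 1000, 1), "cv": round(cv, 3)})
    return beacons


def sample_flows():
    """Constructed flows: 10.0.0.5 checks in to 203.0.113.10:443 every 60 s with
    a little jitter (8 flows) and also browses 198.51.100.7 in bursts (7 flows)."""
    flows = []
    for i, jitter in enumerate([0, 120, -80, 40, -150, 90, 30, -60]):
        start = 100_000 + i * 60_000 + jitter
        flows.append(dict(src="10.0.0.5", dst="203.0.113.10", sport=49152 + i, dport=443,
                          proto=6, packets=6, bytes=512, first_ms=start, last_ms=start + 300))
    for start in (100_500, 102_000, 130_000, 131_200, 131_900, 260_000, 400_000):
        flows.append(dict(src="10.0.0.5", dst="198.51.100.7", sport=50_000 + start % 1000, dport=443,
                          proto=6, packets=40, bytes=38_000, first_ms=start, last_ms=start + 2_000))
    return flows


def demo():
    """Round-trip the sample through the v5 wire format, then hunt for beacons."""
    flows = parse_v5(build_v5_packet(sample_flows()))
    return flows, find_beacons(flows)


if __name__ == "__main__":
    decoded, hits = demo()
    print(f"{len(decoded)} flows decoded")
    for hit in hits:
        print(f"beacon: {hit['src']} -> {hit['dst']}:{hit['dport']} every {hit['period_s']} s (cv={hit['cv']})")
```

Note what the detector never needed: packet payloads. Timing, volume and the 5-tuple are enough to separate the 60-second check-in from the browsing bursts, which is exactly why flow export is the baseline telemetry and full capture is the deep-dive tool.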

Why the other options are incorrect or less "baseline":

A) SDNS is INCORRECT.
This appears to be a distractor. There is no widely recognized telemetry standard called "SDNS." It may be a misspelling or confusion with DNS (Domain Name System), which is itself a critical source of security telemetry but is not the "baseline" for general network infrastructure telemetry.

C) passive taps is INCORRECT.
A passive tap is a way of getting a copy of the packets on a link to a probe or sensor; it is not a type of telemetry itself. The probe can then generate flow records or keep full packets. Taps are excellent for specific, deep-dive analysis but are not deployed on every link and are not as scalable or lightweight as the flow data exported natively by network devices.

D) SNMP is INCORRECT, but a common distractor.
SNMP is primarily used for device health and status monitoring (e.g., CPU, memory, interface up/down, interface byte counters). It tells you how the device itself is performing and how much traffic is on a link, but it does not provide the crucial details about the conversations happening on the network (source, destination, application) that NetFlow provides. SNMP and NetFlow are complementary, but for understanding network behavior, NetFlow is the more powerful and recommended baseline.

Reference:

Cisco Guide to Network Telemetry: Official documentation consistently positions NetFlow/IPFIX as the fundamental data source for network visibility and security analytics.

Cisco Stealthwatch Solution Overview: Stealthwatch, Cisco's primary network security analytics platform, is built around the consumption and analysis of NetFlow data as its primary source of intelligence.

When a transparent authentication fails on the Web Security Appliance, which type of access does the end user get?

A.

guest

B.

limited Internet

C.

blocked

D.

full Internet

C.   

blocked



Explanation for Each Option:

A. Guest (Incorrect):
Guest access is restricted access granted to a user whose identity could not be verified. The WSA can be configured to do this (the identification profile's authentication settings offer "Support Guest privileges" for users who fail authentication), but it is an explicit choice, not the default, so a user whose transparent authentication fails is not handed guest access automatically.

(Reference: Cisco WSA Administration Guide, Authentication Settings.)

B. Limited Internet (Incorrect):
Limited access would mean applying a reduced policy to the unidentified user. Because the appliance has no identity to match against its access policies, it does not select a partial policy; the failed-authentication behaviour is a choice between blocking and guest privileges.

(Reference: Cisco WSA Configuration Guide, Policy Enforcement.)

C. Blocked (Correct):
When transparent authentication fails and the failed-authentication action is left at its default, the WSA cannot associate the request with a user and blocks it. This is the safe default: an unidentified user cannot bypass user-based policy controls.

(Reference: Cisco WSA Administration Guide, Chapter on Authentication and Access Policies.)

D. Full Internet (Incorrect):
Granting unrestricted access to a user the appliance could not identify would defeat the purpose of authentication; the WSA never falls back to full access on failure.

(Reference: Cisco WSA Deployment Guide, Authentication Failure Handling.)

Additional Notes:
The WSA performs transparent authentication (for example NTLMSSP or Kerberos) so that users are identified without a prompt. If that fails, the default action is to block the request unless guest privileges have been enabled in the identification profile. For details, refer to the Cisco Web Security Appliance Administration Guide on cisco.com, specifically the sections on authentication and access control.

An engineer is trying to securely connect to a router and wants to prevent insecure algorithms from being used. However, the connection is failing. Which action should be taken to accomplish this goal?

A.

Disable telnet using the no ip telnet command.

B.

Enable the SSH server using the ip ssh server command.

C.

Configure the port using the ip ssh port 22 command.

D.

Generate the RSA key using the crypto key generate rsa command.

D.   

Generate the RSA key using the crypto key generate rsa command.



On Cisco IOS the SSH server comes up only when an RSA key pair exists: the device needs a hostname, an ip domain-name and a key pair generated with crypto key generate rsa (modulus 2048 or larger) before it will accept SSH sessions. If the engineer restricted the vty lines to SSH (transport input ssh) and tightened the protocol with ip ssh version 2 and the ip ssh server algorithm commands but never generated the key pair, every connection attempt fails and show ip ssh reports SSH Disabled. The other options do not address the failure: there is no "no ip telnet" command on IOS (Telnet is disabled per line with transport input ssh), there is no standalone "ip ssh server" enable command, and port 22 is already the default.
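To make the failure mode concrete, here is an added Python audit script (not from the page or from Cisco) that reads constructed show running-config and show ip ssh output, reports why SSH is not working and lists any weak algorithms still offered. The sample outputs, the hostname and domain-name regexes and the weak-algorithm sets are assumptions of the example; on a real device you would feed it the actual command output.

```python
import re

# Algorithms that should no longer be negotiable (assumed policy for the example).
WEAK_ENCRYPTION = {"3des-cbc", "aes128-cbc", "aes192-cbc", "aes256-cbc"}
WEAK_MAC = {"hmac-sha1", "hmac-sha1-96", "hmac-md5", "hmac-md5-96"}
WEAK_KEX = {"diffie-hellman-group1-sha1", "diffie-hellman-group-exchange-sha1"}


def parse_show_ip_ssh(output):
    """Extract SSH state, version and the offered algorithm lists from 'show ip ssh'."""
    state = {"enabled": "SSH Enabled" in output, "version": None, "algorithms": {}}
    m = re.search(r"SSH (?:Enabled|Disabled)\s*-\s*version\s+([\d.]+)", output)
    if m:
        state["version"] = m.group(1)
    for line in output.splitlines():
        m = re.match(r"\s*(Encryption|MAC|KEX|Hostkey) Algorithms:\s*(.*)", line)
        if m:
            state["algorithms"][m.group(1)] = [a.strip() for a in m.group(2).split(",") if a.strip()]
    return state


def audit_ssh(running_config, show_ip_ssh):
    """List the reasons SSH is failing or weak, in the order IOS needs them fixed:
    device identity -> RSA key pair -> protocol settings -> vty transport."""
    findings = []
    if not re.search(r"^hostname (?!Router\b)\S+", running_config, re.M):
        findings.append("hostname is the default; set one before generating keys")
    if not re.search(r"^ip domain[- ]name \S+", running_config, re.M):
        findings.append("ip domain-name missing (needed by crypto key generate rsa)")
    ssh = parse_show_ip_ssh(show_ip_ssh)
    if not ssh["enabled"]:
        findings.append("SSH server disabled: no RSA key pair, run crypto key generate rsa modulus 2048")
    if ssh["version"] and not ssh["version"].startswith("2"):
        findings.append(f"SSH version {ssh['version']} negotiable; set ip ssh version 2")
    for name, weak in (("Encryption", WEAK_ENCRYPTION), ("MAC", WEAK_MAC), ("KEX", WEAK_KEX)):
        bad = sorted(set(ssh["algorithms"].get(name, [])) & weak)
        if bad:
            findings.append(f"weak {name} algorithms offered: {', '.join(bad)}")
    vty = re.search(r"^line vty.*?(?=^line |\Z)", running_config, re.M | re.S)
    if not vty or not re.search(r"^\s*transport input ssh\s*$", vty.group(0), re.M):
        findings.append("vty lines do not restrict transport input to ssh")
    return findings


# Constructed command output for the scenario in the question: everything
# configured except the key pair, so the SSH server never came up.
BROKEN_CONFIG = """\
hostname R1
ip domain-name corp.example
ip ssh version 2
line vty 0 4
 login local
 transport input ssh
"""
BROKEN_SHOW_IP_SSH = """\
SSH Disabled - version 2.0
%Please create RSA keys to enable SSH (and of atleast 768 bits for SSH v2).
Authentication timeout: 120 secs; Authentication retries: 3
"""

# The same device after crypto key generate rsa modulus 2048 and algorithm restriction.
HARDENED_CONFIG = """\
hostname R1
ip domain-name corp.example
ip ssh version 2
ip ssh server algorithm encryption aes256-ctr aes192-ctr aes128-ctr
ip ssh server algorithm mac hmac-sha2-512 hmac-sha2-256
line vty 0 4
 login local
 transport input ssh
"""
HARDENED_SHOW_IP_SSH = """\
SSH Enabled - version 2.0
Authentication methods:publickey,keyboard-interactive,password
Hostkey Algorithms:x509v3-ssh-rsa,ssh-rsa
Encryption Algorithms:aes256-ctr,aes192-ctr,aes128-ctr
MAC Algorithms:hmac-sha2-512,hmac-sha2-256
KEX Algorithms:diffie-hellman-group14-sha1
Authentication timeout: 120 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 2048 bits
"""


def demo():
    return {"broken": audit_ssh(BROKEN_CONFIG, BROKEN_SHOW_IP_SSH),
            "hardened": audit_ssh(HARDENED_CONFIG, HARDENED_SHOW_IP_SSH)}


if __name__ == "__main__":
    for case, findings in demo().items():
        print(case, findings or ["ok"])
```

The broken case produces exactly one finding, the missing key pair, which is the answer to the question; the algorithm checks only become meaningful once show ip ssh actually lists what the server offers.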

How does a cloud access security broker function?

A. It is an authentication broker to enable single sign-on and multi-factor authentication for a cloud solution

B. It integrates with other cloud solutions via APIs and monitors and creates incidents based on events from the cloud solution

C. It acts as a security information and event management solution and receives syslog from other cloud solutions

D. It scans other cloud solutions being used within the network and identifies vulnerabilities

B.   It integrates with other cloud solutions via APIs and monitors and creates incidents based on events from the cloud solution

Explanation for Each Option:

A. It is an authentication broker to enable single sign-on and multi-factor authentication for a cloud solution (Incorrect):
While a Cloud Access Security Broker (CASB) can enhance security by integrating with identity management systems, its primary function is not limited to authentication (e.g., single sign-on or multi-factor authentication). This role is more aligned with identity providers like Cisco Duo, not the broader security and monitoring scope of a CASB. (Reference: Cisco Cloudlock Overview, Authentication vs. CASB.)

B. It integrates with other cloud solutions via APIs and monitors and creates incidents based on events from the cloud solution (Correct):
A CASB, such as Cisco Cloudlock, functions by integrating with cloud applications (e.g., Office 365, Salesforce) via APIs to provide visibility, monitor user and data activities, and detect security events. It generates incidents or alerts based on policy violations or threats, fulfilling its role in cloud security. (Reference: Cisco CASB Datasheet, API Integration.)

C. It acts as a security information and event management solution and receives syslog from other cloud solutions (Incorrect):
A CASB is distinct from a Security Information and Event Management (SIEM) system, which aggregates logs (e.g., syslog) from various sources for analysis. CASBs focus on cloud-specific security via API integration, not syslog collection, making this option a mischaracterization of its functionality. (Reference: Cisco SIEM vs. CASB Comparison.)

D. It scans other cloud solutions being used within the network and identifies vulnerabilities (Incorrect):
While a CASB can identify misconfigurations or risky behaviors in cloud applications, its primary role is not to scan for vulnerabilities like a vulnerability management tool. It monitors usage and enforces policies via APIs, not performing active vulnerability scans, making this option an incomplete description. (Reference: Cisco Cloudlock User Guide, Monitoring Features.)

Additional Notes:
CASB functionality is covered by the 350-701 SCOR exam under cloud security. For details, refer to the Cisco Cloudlock documentation (cisco.com) and the 350-701 Exam Blueprint (Section 3.0 Security Concepts).
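To show the API-integration model in code, the following added Python example (not Cisco Cloudlock's code; the field names and policies are invented for the example) stands in for a CASB polling a SaaS provider's activity API, evaluates two policies over the returned events, a DLP check on publicly shared files and a mass-download threshold, and turns violations into incidents. fetch_events() returns a constructed JSON response in place of a real API call.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

PAN = re.compile(r"\b(?:\d[ -]?){13,16}\b")   # candidate payment card numbers


def luhn_ok(number):
    """Luhn checksum: cuts false positives on the PAN regex (order numbers, IDs)."""
    digits = [int(c) for c in number if c.isdigit()]
    parity = len(digits) % 2
    total = 0
    for i, d in enumerate(digits):
        if i % 2 == parity:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def fetch_events():
    """Stand-in for the CASB's API poll of a SaaS provider's activity log.
    The events are constructed and their field names are assumed; a real
    connector would page through the provider's audit API with an OAuth token."""
    events = [
        {"ts": "2025-10-02T09:00:00Z", "user": "alice@corp.example", "action": "share",
         "file": "q3-payroll.xlsx", "link": "public", "sample": "card 4111 1111 1111 1111 exp 09/27"},
        {"ts": "2025-10-02T09:01:00Z", "user": "bob@corp.example", "action": "share",
         "file": "lunch-menu.pdf", "link": "public", "sample": "Tuesday: tacos, order #1234567890123"},
        {"ts": "2025-10-02T09:02:00Z", "user": "bob@corp.example", "action": "download",
         "file": "lunch-menu.pdf"},
    ]
    base = datetime(2025, 10, 2, 9, 10, 0)
    events += [{"ts": (base + timedelta(seconds=20 * i)).strftime("%Y-%m-%dT%H:%M:%SZ"),
                "user": "mallory@corp.example", "action": "download", "file": f"customer-{i:03d}.csv"}
               for i in range(12)]
    return json.loads(json.dumps(events))   # round-trip through JSON like a real API response


def evaluate(events, download_threshold=10, window=timedelta(minutes=5)):
    """Apply two CASB policies to the event stream and return incidents."""
    incidents = []
    downloads = defaultdict(list)
    for e in events:
        ts = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        if e["action"] == "share" and e.get("link") == "public":
            hit = PAN.search(e.get("sample", ""))
            if hit and luhn_ok(hit.group(0)):
                incidents.append({"severity": "high", "user": e["user"], "file": e["file"],
                                  "policy": "DLP: payment card number in publicly shared file"})
        elif e["action"] == "download":
            downloads[e["user"]].append(ts)
    for user, times in downloads.items():
        times.sort()
        for i, t in enumerate(times):
            recent = sum(1 for x in times[: i + 1] if t - x <= window)
            if recent >= download_threshold:
                incidents.append({"severity": "medium", "user": user, "file": None,
                                  "policy": f"mass download: {recent} files within {int(window.total_seconds() // 60)} min"})
                break
    return incidents


def demo():
    return evaluate(fetch_events())


if __name__ == "__main__":
    for inc in demo():
        print(inc["severity"], inc["user"], inc["policy"], inc["file"] or "")
```

Two things distinguish this from the SIEM model in option C: the CASB pulls structured events from the application's own API rather than receiving syslog, and its policies are written in terms of cloud objects (files, shares, links) rather than generic log fields.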

Which two capabilities does an MDM provide? (Choose two.)

A.

delivery of network malware reports to an inbox in a schedule

B.

unified management of mobile devices, Macs, and PCs from a centralized dashboard

C.

enforcement of device security policies from a centralized dashboard

D.

manual identification and classification of client devices

E.

unified management of Android and Apple devices from a centralized dashboard

B.   

unified management of mobile devices, Macs, and PCs from a centralized dashboard


C.   

enforcement of device security policies from a centralized dashboard



Which information is required when adding a device to Firepower Management Center?

A. username and password

B. encryption method

C. device serial number

D. registration key

D.   registration key

Explanation:
A managed device is registered to the Firepower Management Center with a shared registration key. On an FTD device the key is set from the CLI with configure manager add <FMC address> <registration key> [NAT ID]; in the FMC, Devices > Device Management > Add Device takes the device's hostname or IP address, the same registration key and the access control policy to apply. The registration key is a one-time shared secret that proves both sides intend to pair; the FMC and the device then bring up a mutually authenticated TLS management channel, and the key is not used again. A username and password (A) are the device's own login credentials and are not exchanged with the FMC; no encryption method (B) is chosen during registration; the serial number (C) is not used to add a device to an on-premises FMC. The NAT ID is only needed when the FMC cannot reach the device's address directly, for example when the device sits behind NAT.

In which scenario is endpoint-based security the solution?

A. inspecting encrypted traffic

B. device profiling and authorization

C. performing signature-based application control

D. inspecting a password-protected archive

C.   performing signature-based application control

Explanation:
Endpoint-based security refers to security software installed directly on a device (like a laptop, server, or mobile phone), such as Cisco Secure Endpoint (formerly AMP for Endpoints). This software has deep visibility into the activities on that specific host.

Let's analyze why this is the correct scenario and why the others are better handled by other security tools:

Why Option C is Correct:
Signature-based application control is a classic function of endpoint protection. The security agent on the endpoint can monitor all processes and applications running on the system. It can compare these applications against a database of known malicious software signatures (or hashes) and block them from executing. Because the agent resides directly on the system where the applications run, it has the perfect vantage point to perform this control effectively.

Why the Other Options are Incorrect:

Why Option A is Incorrect:
Inspecting encrypted traffic (like HTTPS) is primarily the role of a network-based security appliance, not an endpoint agent. While an endpoint agent can see the decrypted traffic after it has been processed by the web browser on the machine, the heavy lifting of decrypting, inspecting, and re-encrypting traffic in transit is typically done by a firewall, IPS, or secure web gateway. Some endpoint agents can perform limited inspection, but it is not their primary strength.

Why Option B is Incorrect:
Device profiling and authorization is a function of network access control (NAC) systems like Cisco Identity Services Engine (ISE). ISE uses information from network infrastructure (switches, wireless controllers) and may collect data from an endpoint agent, but the final decision on profiling (identifying the device type) and granting network access (authorization) is made by the central ISE policy engine, not the endpoint security software itself.

Why Option D is Incorrect:
Inspecting a password-protected archive (like a .zip or .rar file) is extremely difficult for any security solution. A network appliance cannot inspect the contents without the password. An endpoint-based solution has a significant advantage here. It can wait for the file to reach the endpoint, and if the user enters the password to open it, the endpoint agent can then scan the now-unpacked contents for malware. However, the question asks for the scenario where endpoint security is the solution. While it's the best available solution for this problem, it's not foolproof, as it relies on the user providing the password. The most clear-cut and definitive "solution" among the options is using the endpoint for signature-based application control.

Reference:
This falls under the Endpoint Protection and Detection domain. A core capability of any Endpoint Detection and Response (EDR) or antivirus product is to control which applications can run on a host, which is fundamentally a task for software residing on that host.

Which category includes DoS Attacks?

A.

Virus attacks

B.

Trojan attacks

C.

Flood attacks

D.

Phishing attacks

C.   

Flood attacks



Which two mechanisms are used to control phishing attacks? (Choose two)

A. Enable browser alerts for fraudulent websites

B. Define security group memberships.

C. Revoke expired CRL of the websites.

D. Use antispyware software.

E. Implement email filtering techniques.

A.   Enable browser alerts for fraudulent websites
E.   Implement email filtering techniques.

Explanation
Phishing attacks are social engineering attacks that trick users into revealing sensitive information, most commonly via deceptive emails that lead to fraudulent websites.

A. Enable browser alerts for fraudulent websites:
Modern web browsers integrate with services like Google Safe Browsing or Microsoft SmartScreen. These services maintain databases of known phishing websites. When this feature is enabled, the browser will display a prominent warning alert to the user before they access a site identified as fraudulent, giving them a chance to turn back. This is a direct control against the "landing" part of a phishing attack.

E. Implement email filtering techniques:
This is a primary defense against the "delivery" mechanism of phishing. Email security gateways (like Cisco Secure Email) use sophisticated techniques to filter incoming emails. They analyze sender reputation, check links against URL databases, inspect email content for phishing language, and use machine learning to identify and quarantine phishing emails before they ever reach the user's inbox.
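As an added example of the filtering techniques listed above (not code from Cisco Secure Email or any vendor), the Python below applies sender, URL and content heuristics to two constructed messages: a Reply-To domain that differs from the From domain, a sender or link domain that imitates a trusted brand, link text that shows one domain while the href points to another, and urgency phrasing. The trusted-domain list, the score threshold and the crude registrable-domain helper are assumptions of the example; a real gateway layers these on top of sender reputation and URL intelligence feeds.

```python
import difflib
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED_DOMAINS = {"example-bank.com", "microsoft.com", "cisco.com"}   # assumed allowlist
URGENCY = re.compile(r"\b(urgent|immediately|suspended|verify your account|within 24 hours)\b", re.I)
QUARANTINE_AT = 3   # assumed score threshold


class _Anchors(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href = [], None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")

    def handle_data(self, data):
        if self._href is not None and data.strip():
            self.links.append((self._href, data.strip()))

    def handle_endtag(self, tag):
        if tag == "a":
            self._href = None


def registrable(host):
    """Crude eTLD+1 (last two labels): fine for the constructed samples, not for production."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def lookalike(domain):
    """Return the trusted brand a domain imitates (brand name embedded or near-identical spelling)."""
    if not domain or domain in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0].replace("-", "")
        if brand in domain.replace("-", "") or difflib.SequenceMatcher(None, domain, trusted).ratio() > 0.8:
            return trusted
    return None


def score_email(raw):
    """Stack the heuristics and return score, reasons and the gateway action."""
    msg = message_from_string(raw)
    reasons = []
    _, from_addr = parseaddr(msg.get("From", ""))
    from_dom = registrable(from_addr.split("@")[-1]) if "@" in from_addr else ""
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if "@" in reply_addr and registrable(reply_addr.split("@")[-1]) != from_dom:
        reasons.append(f"Reply-To domain differs from From domain {from_dom}")
    if lookalike(from_dom):
        reasons.append(f"sender domain {from_dom} imitates {lookalike(from_dom)}")
    body = msg.get_payload() if not msg.is_multipart() else ""
    anchors = _Anchors()
    anchors.feed(body)
    for href, text in anchors.links:
        href_dom = registrable(urlsplit(href).hostname or "")
        shown = re.search(r"[\w.-]+\.[a-z]{2,}", text, re.I)
        if shown and registrable(shown.group(0)) != href_dom:
            reasons.append(f"link text shows {shown.group(0)} but points to {href_dom}")
        if lookalike(href_dom):
            reasons.append(f"link target {href_dom} imitates {lookalike(href_dom)}")
    if URGENCY.search(body):
        reasons.append("urgency language in body")
    score = len(reasons)
    return {"score": score, "reasons": reasons,
            "action": "quarantine" if score >= QUARANTINE_AT else "deliver"}


# Constructed messages (domains are documentation/example names, not real senders).
SAMPLE_PHISH = """\
From: "Example Bank Security" <alerts@example-bank-secure.com>
Reply-To: recover@mailbox-hosting.net
To: victim@corp.example
Subject: Action required
Content-Type: text/html

<p>Your account has been suspended. Verify your account immediately:</p>
<a href="http://login.example-bank-secure.com/verify">https://www.example-bank.com/login</a>
"""
SAMPLE_LEGIT = """\
From: "Example Bank" <alerts@example-bank.com>
To: victim@corp.example
Subject: Your monthly statement is ready
Content-Type: text/html

<p>Your statement is available.</p>
<a href="https://www.example-bank.com/statements">https://www.example-bank.com/statements</a>
"""

if __name__ == "__main__":
    for name, raw in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        result = score_email(raw)
        print(name, result["action"], result["reasons"])
```

The link-text check is the one users most often fall for: the visible URL is the bank's, the href is not, and only the gateway (or a browser warning at click time, option A) sees the difference before credentials are typed.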

Why the other options are incorrect:

B. Define security group memberships:
This is related to network access control and authorization (e.g., using Cisco ISE). It determines what resources a user can access after they are authenticated. It does not prevent a user from being tricked by a phishing email into giving away their credentials in the first place.

C. Revoke expired CRL of the websites:
A Certificate Revocation List (CRL) is used to check if a website's SSL certificate has been revoked. This is a control for verifying the authenticity of a legitimate website that uses a certificate. It does not specifically protect against phishing, as phishing sites often use valid certificates for their own domains or use HTTP instead of HTTPS.

D. Use antispyware software:
Antispyware is designed to detect and remove spyware and other malicious software that may already be on a system. It is a reactive measure for malware that has been installed, often after a separate initial compromise. It is not a primary mechanism for preventing the social engineering and email delivery that defines a phishing attack.

Reference:
These controls are standard recommendations in cybersecurity frameworks for mitigating phishing. The CISA (Cybersecurity and Infrastructure Security Agency) and NIST guidelines for phishing prevention highlight email filtering and web browser security controls as essential first lines of defense.
