Cisco Expert

350-201

CBRCOR (CyberOps Professional Core)

The Understanding Cisco Cybersecurity Operations Fundamentals (350-201 CBRCOR) is the core exam for the Cisco Certified CyberOps Professional certification. This expert-level exam validates advanced knowledge and skills for Security Operations Center (SOC) analysts and cybersecurity professionals responsible for monitoring, detecting, analyzing, and responding to cybersecurity incidents.

The exam covers advanced security operations fundamentals including SOC metrics, threat intelligence platforms, and security frameworks (MITRE ATT&CK, Cyber Kill Chain), threat analysis techniques including malware analysis, traffic analysis, log analysis, and behavioral analysis using advanced tools and techniques, incident response processes including preparation, detection, analysis, containment, eradication, recovery, and post-incident activities, security automation using Python scripting, REST APIs, orchestration platforms (SOAR), and automated playbooks, and governance, risk, and compliance including security policies, regulatory requirements (GDPR, PCI-DSS), risk assessment, and compliance frameworks.

This certification is designed for senior SOC analysts, threat hunters, incident responders, cybersecurity engineers, and security operations team leads with 3-5 years of experience in cybersecurity operations. It requires deep technical knowledge and hands-on experience with security tools, threat detection, and incident response.

Updated Feb 2024 Cybersecurity

Questions

Practice Tests

83%

Pass Score

Views

Total Attempts

Avg. Score

Pass Rate

Discussions

Practice Tests Flash Cards Exam Topics Cheat Sheet

€5.00

350-201 Practice Exam 1

Comprehensive 50-question practice exam for Cisco CBRCOR 350-201 covering security operations fundamentals, threat analysis techniques, incident response processes, security automation, and governance risk and compliance.

50 Q 120 minutes 83%

Test Drive

€5.00

350-201 Practice Exam 2

50 Q 90 minutes 83%

Test Drive

€5.00

350-201 Practice Exam 3

Comprehensive 50-question practice exam for CBRCOR covering security operations fundamentals, threat analysis techniques, incident response processes, security automation, and governance risk and compliance.

50 Q 90 minutes 83%

Test Drive

€5.00

350-201 Practice Exam 4

CBRCOR practice exam covering vulnerability scanning, APT profiling, post-incident reporting, DevSecOps pipeline security, and third-party risk management across 50 advanced questions.

50 Q 90 minutes 83%

Test Drive

€5.00

350-201 Practice Exam 5

Comprehensive 50-question practice exam covering IDS/IPS tuning, Snort rule analysis, Zeek network monitoring, phishing campaign analysis, ransomware response playbooks, Terraform security policies, cloud-native security tools, and privacy impact assessments.

50 Q 90 minutes 83%

Test Drive

€5.00

350-201 Practice Exam 6

Comprehensive 50-question practice exam covering all CBRCOR domains including security operations fundamentals, threat analysis techniques, incident response processes, security automation, and governance risk and compliance.

50 Q 90 minutes 83%

Test Drive

Unlock All Content for 350-201

6 Practice Test(s) + Flash Cards — 3 months access

€39.99 €26.99 Save 30%

or included with Monthly subscription / Content Bundle

350-201 Cheat Sheet

Quick reference guide - 6 sections

Free Access

CBRCOR 350-201 Exam Details

Detail	Value
Exam Code	350-201 CBRCOR
Full Name	Performing CyberOps Using Cisco Security Technologies
Duration	120 minutes
Number of Questions	55-65 questions
Passing Score	~825 / 1000
Question Format	Multiple choice, multiple response, drag-and-drop
Exam Fee	$400 USD
Certification Level	Professional (core exam for CCNP CyberOps)

Domain Weight Breakdown

Domain	Weight
1.0 Fundamentals	20%
2.0 Techniques	30%
3.0 Processes	30%
4.0 Automation	20%

Cisco CyberOps Certification Path

The 350-201 CBRCOR is the core exam for the CCNP CyberOps (Cisco Certified CyberOps Professional) certification. Candidates must pass both this core exam and one concentration exam (300-215 CBRFIR for Conducting Forensic Analysis and Incident Response or 300-220 CBRTHD for Conducting Threat Hunting and Defending). The CBRCOR exam validates the ability to perform core cybersecurity operations including threat detection, analysis, incident response, and security automation using Cisco technologies and open-source tools.

While there is no formal prerequisite, Cisco recommends 3-5 years of experience in security operations center (SOC) environments. The exam covers advanced topics including MITRE ATT&CK framework mapping, digital forensics, memory and disk analysis, threat hunting methodologies, SIEM correlation, and security automation with Python and APIs. Passing the CBRCOR also satisfies the core requirement for the CCIE CyberOps certification track.

Tip: Focus heavily on Domains 2 and 3 (Techniques and Processes) as they account for 60% of the exam. Hands-on experience with SIEM tools, packet analysis, and incident response workflows is critical. Know the MITRE ATT&CK framework tactics and be able to map real-world attack scenarios to specific techniques.

MITRE ATT&CK Framework

MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is a globally accessible knowledge base of adversary behavior based on real-world observations. It provides a common language for describing attack techniques and is essential for threat intelligence, detection engineering, and red/blue team operations.

Tactic	ID	Description	Example Techniques
Reconnaissance	TA0043	Gathering information about the target	Active Scanning, Search Open Websites
Resource Development	TA0042	Establishing resources for attack	Acquire Infrastructure, Develop Capabilities
Initial Access	TA0001	Gaining initial foothold	Phishing (T1566), Exploit Public-Facing App (T1190)
Execution	TA0002	Running adversary-controlled code	PowerShell (T1059.001), Command Shell (T1059.004)
Persistence	TA0003	Maintaining access across restarts	Registry Run Keys (T1547.001), Scheduled Task (T1053)
Privilege Escalation	TA0004	Gaining higher-level permissions	Valid Accounts (T1078), Exploitation (T1068)
Defense Evasion	TA0005	Avoiding detection	Obfuscation (T1027), Masquerading (T1036)
Credential Access	TA0006	Stealing credentials	OS Credential Dumping (T1003), Brute Force (T1110)
Discovery	TA0007	Understanding the environment	Network Service Scan (T1046), System Info (T1082)
Lateral Movement	TA0008	Moving through the network	Remote Services (T1021), Pass-the-Hash (T1550.002)
Collection	TA0009	Gathering target data	Data from Local System (T1005), Screen Capture (T1113)
Command & Control	TA0011	Communicating with compromised systems	Application Layer Protocol (T1071), DNS Tunneling
Exfiltration	TA0010	Stealing data from the network	Exfil Over C2 Channel (T1041), Exfil Over Web (T1567)
Impact	TA0040	Disrupting availability or integrity	Data Encrypted for Impact (T1486), Defacement (T1491)

Threat Hunting Methodologies

Threat hunting is the proactive search for adversaries in an environment, assuming existing defenses have been bypassed. Unlike reactive detection (alerts), hunting starts with a hypothesis and investigates systematically.

Approach	Description	Example
Hypothesis-Driven	Start with a hypothesis based on threat intel or ATT&CK	"Adversaries are using PowerShell for lateral movement"
IoC-Based	Search for known indicators (hashes, IPs, domains)	Sweep environment for hashes from recent threat report
Analytics-Driven	Use statistical baselines and anomaly detection	Identify outlier DNS query volumes per host
TTP-Based	Hunt for specific adversary behaviors and techniques	Search for LSASS memory access patterns (credential dumping)

Tip: The hunting loop is: Hypothesis → Collect Data → Analyze → Validate/Refute → Document Findings → Improve Detections. Always convert confirmed findings into automated detection rules (Sigma, YARA, SIEM correlation).

Indicators of Compromise (IoC) Analysis

IoC Type	Examples	Analysis Tools
File-Based	MD5/SHA256 hashes, file names, file sizes, PE headers	VirusTotal, YARA, ssdeep (fuzzy hashing)
Network-Based	IP addresses, domains, URLs, JA3/JA3S fingerprints	Wireshark, Zeek, Cisco Umbrella, ThreatGrid
Host-Based	Registry keys, scheduled tasks, services, mutex names	Autoruns, Sysmon, Process Monitor, Volatility
Behavioral	Unusual process trees, lateral movement patterns, data staging	EDR telemetry, SIEM correlation, Cisco SecureX

Malware Analysis: Static vs Dynamic

Aspect	Static Analysis	Dynamic Analysis
Method	Examine code/binary without executing	Execute in sandbox and observe behavior
Tools	strings, file, PEiD, IDA Pro, Ghidra, YARA	Cisco ThreatGrid, Cuckoo, Any.Run, Joe Sandbox
Advantages	Safe, fast, no execution risk	Reveals runtime behavior, C2 communications
Limitations	Obfuscation/packing defeats analysis	Sandbox evasion, time-delayed execution
Key Outputs	Strings, imports, sections, PE metadata	Network traffic, file changes, registry mods, process tree

Threat Intelligence Platforms & Sharing

Standard / Platform	Purpose	Details
STIX (Structured Threat Information eXpression)	Threat intel data format	JSON-based language for expressing CTI: indicators, campaigns, TTPs, threat actors, malware, attack patterns
TAXII (Trusted Automated eXchange of Intelligence Info)	Transport protocol for STIX	RESTful API for exchanging CTI over HTTPS. Collection-based (pull) or Channel-based (push) models
MISP	Open-source threat intel platform	Community-driven sharing, supports STIX/TAXII, correlation engine, feeds integration
Cisco Talos	Cisco threat intelligence group	Research, vulnerability disclosure, Snort/ClamAV rules, reputation feeds
OpenCTI	Open-source CTI management	Organizes, stores, and visualizes threat data using STIX2 data model

YARA Rules for Malware Detection

YARA is a pattern-matching tool used to identify and classify malware based on textual or binary patterns. Rules consist of strings (text, hex, regex) and conditions that must be satisfied for a match.

// Example YARA rule for detecting a suspicious PE with encoded payload

rule Suspicious_Payload {

meta:

author = "SOC Analyst"

description = "Detects base64-encoded PowerShell in PE"

strings:

$mz = { 4D 5A } // PE header magic bytes

$ps = "powershell" nocase

$b64 = "FromBase64String"

$enc = "-EncodedCommand" nocase

condition:

$mz at 0 and ($ps and ($b64 or $enc))

}

Tip: Use YARA rules in conjunction with threat hunting to scan file shares, endpoints, and memory dumps. Tools like yarGen help auto-generate rules from malware samples by extracting unique strings.

Digital Forensics Process

Phase	Description	Key Activities
1. Identification	Recognize and scope the incident	Determine which systems are affected, triage alerts, identify evidence sources
2. Preservation	Protect evidence integrity	Create forensic images (dd, FTK Imager), hash verification (MD5/SHA256), chain of custody
3. Collection	Gather evidence systematically	Follow order of volatility, collect RAM before disk, capture network traffic
4. Examination	Process and extract relevant data	Parse logs, carve files, extract artifacts, timeline analysis
5. Analysis	Interpret findings and draw conclusions	Correlate evidence, reconstruct attack timeline, determine root cause
6. Reporting	Document and present findings	Executive summary, technical details, IoCs, recommendations, evidence chain

Order of Volatility (RFC 3227)

Evidence must be collected from the most volatile source first. Data disappears in this order:

Priority	Source	Volatility	Tools
1	CPU registers, cache	Nanoseconds	Hardware debuggers
2	RAM (memory)	Seconds-minutes	Volatility, WinPmem, LiME
3	Network state (connections, ARP)	Minutes	netstat, ss, conntrack
4	Running processes	Minutes	tasklist, ps, /proc
5	Disk / filesystem	Hours-days	dd, FTK Imager, Autopsy
6	Remote logs, backups	Days-months	SIEM, syslog server, tape archives

Memory Forensics with Volatility

Volatility is the leading open-source memory forensics framework. It analyzes RAM dumps to extract running processes, network connections, loaded modules, injected code, registry hives, and other artifacts that may not appear on disk.

Volatility Plugin	Purpose	Key Use Case
pslist / psscan	List processes (EPROCESS linked list / pool scanning)	psscan finds hidden/unlinked processes that pslist misses
pstree	Display process parent-child relationships	Identify suspicious process trees (e.g., Word spawning cmd.exe)
netscan	List network connections and listening ports	Identify C2 connections, lateral movement, data exfiltration
malfind	Detect injected code in process memory	Find process hollowing, reflective DLL injection, shellcode
dlllist / ldrmodules	List loaded DLLs per process	Detect DLL side-loading, phantom DLLs (unlinked from PEB)
handles	List open handles (files, registry, mutexes)	Find mutex names used by known malware families
cmdline	Show command-line arguments for processes	Reveal obfuscated PowerShell commands, encoded payloads
filescan / dumpfiles	Scan for file objects in memory / extract files	Recover deleted files or malware binaries from memory
hashdump	Extract password hashes from SAM/SYSTEM	Determine if credential theft occurred

# Volatility 3 example commands

$ vol -f memory.dmp windows.pslist

$ vol -f memory.dmp windows.pstree

$ vol -f memory.dmp windows.netscan

$ vol -f memory.dmp windows.malfind --pid 4820

$ vol -f memory.dmp windows.cmdline

Disk Forensics & Artifact Analysis

Windows Artifact	Location	Forensic Value
Prefetch files	C:\Windows\Prefetch\*.pf	Evidence of program execution, timestamps, run count
Event Logs	C:\Windows\System32\winevt\Logs\	Security (4624 logon, 4688 process create), System, Application
Registry Hives	SAM, SYSTEM, SOFTWARE, NTUSER.DAT	Persistence mechanisms, USB history, user activity, autoruns
$MFT	NTFS Master File Table (root of volume)	File metadata, timestamps (MACB), deleted file references
Shimcache / Amcache	SYSTEM hive / Amcache.hve	Application compatibility traces, execution evidence
Browser History	AppData\Local\{Browser}\	Downloads, visited URLs, cached credentials

Network Forensics

Network forensics involves capturing, recording, and analyzing network traffic to detect intrusions, reconstruct events, and gather evidence of malicious activity.

Tool	Type	Use Case
Wireshark	Full packet capture analysis	Deep packet inspection, protocol analysis, stream reconstruction
tcpdump	CLI packet capture	Lightweight capture on servers, scripted collection
Zeek (Bro)	Network security monitor	Connection logs, DNS logs, HTTP logs, protocol metadata extraction
NetworkMiner	Network forensics tool	Extract files, images, credentials from pcap files

# Useful Wireshark display filters for forensic analysis

dns.qry.name contains "malicious" // DNS queries to suspicious domain

http.request.method == "POST" // Potential data exfiltration

tcp.flags.syn == 1 && tcp.flags.ack == 0 // SYN scan detection

ip.addr == 10.0.0.0/8 && !ip.dst == 10.0.0.0/8 // Outbound traffic

tls.handshake.type == 1 // TLS Client Hello (JA3 fingerprinting)

frame.len > 1400 // Large frames (potential exfil)

NIST Incident Response Framework (SP 800-61)

Phase	Activities	Key Outputs
1. Preparation	Develop IR plan, train team, deploy tools, establish communication channels	IR policy, playbooks, contact lists, tool readiness
2. Detection & Analysis	Monitor alerts, triage events, determine scope, classify severity	Incident classification, initial IoCs, scope assessment
3. Containment, Eradication & Recovery	Isolate affected systems, remove malware, restore services, patch vulnerabilities	Containment actions, eradication confirmation, recovery plan
4. Post-Incident Activity	Lessons learned meeting, update playbooks, improve detections, final report	Lessons learned report, updated procedures, new detection rules

Containment Strategies

Strategy	Description	When to Use
Network Isolation	Disconnect host from network (VLAN change, ACL, switch port disable)	Active lateral movement, ransomware spread
Endpoint Quarantine	EDR-based isolation (allow only EDR communication)	Need to maintain remote forensic access
DNS Sinkholing	Redirect malicious domains to controlled server	C2 disruption without alerting the adversary
Account Disabling	Disable compromised accounts, force password reset	Credential theft confirmed
Firewall Blocking	Block C2 IPs/domains at perimeter firewall	Known C2 infrastructure identified

Evidence Handling & Chain of Custody

Always create a forensic image (bit-for-bit copy) before analysis — never work on original evidence
Verify integrity with cryptographic hashes (MD5 + SHA256) before and after acquisition
Document every transfer: who, what, when, where, why (chain of custody form)
Use write-blockers when imaging physical drives to prevent accidental modification
Store evidence in tamper-evident bags with proper labeling and access logs
Maintain detailed notes with timestamps for every action taken during the investigation

Tip: For the exam, remember that evidence integrity is paramount. Any break in the chain of custody or failure to hash-verify can render evidence inadmissible. Always collect volatile data first (memory → network state → disk).

SIEM Correlation & Log Analysis

Security Information and Event Management (SIEM) systems aggregate, normalize, and correlate logs from across the enterprise to detect security events. Effective SIEM usage requires understanding log sources, correlation rules, and tuning to reduce false positives.

Log Source	Key Events	Detection Use Cases
Windows Security	4624/4625 (logon success/fail), 4688 (process creation), 4720 (account created)	Brute force, privilege escalation, unauthorized accounts
Sysmon	Event 1 (process create), 3 (network connect), 7 (image load), 11 (file create)	Process injection, C2 communication, malware drops
Firewall / IPS	Allow/deny actions, IPS signatures triggered, connection metadata	Reconnaissance, lateral movement, policy violations
DNS Logs	Query/response records, NXDOMAIN responses, TXT queries	DNS tunneling, DGA detection, C2 communication
Proxy / Web Gateway	URL categories, user agents, blocked requests, data volumes	Data exfiltration, malware download, policy bypass
Email Gateway	Sender/recipient, attachments, URLs, spam/phish verdicts	Phishing campaigns, malicious attachments, BEC

Sigma Rules for Detection Engineering

Sigma is a generic signature format for SIEM systems, analogous to Snort for network traffic and YARA for files. Sigma rules are written in YAML and can be converted to specific SIEM query languages (Splunk SPL, Elastic KQL, Microsoft Sentinel, etc.).

# Example Sigma rule: Detect Mimikatz via process creation

title: Mimikatz Execution Detected

status: stable

logsource:

category: process_creation

product: windows

detection:

selection:

Image|endswith:

- \mimikatz.exe

CommandLine|contains:

- sekurlsa::logonpasswords

- lsadump::sam

- privilege::debug

condition: selection

level: critical

Tip: Sigma rules are SIEM-agnostic. Use the sigmac compiler or pySigma to convert rules into your platform's query language. Build a library of Sigma rules aligned with MITRE ATT&CK techniques for comprehensive coverage.

Packet Analysis & Protocol Deep Dive

Protocol	Suspicious Indicators	Detection Approach
DNS	High entropy subdomains, large TXT responses, high query volume to single domain	DNS tunneling detection, DGA pattern matching, entropy analysis
HTTP/HTTPS	Beaconing patterns, unusual user-agents, POST with large bodies, non-standard ports	JA3/JA3S TLS fingerprinting, beacon interval analysis, URL categorization
SMB	Named pipe access (\pipe\svcctl, \pipe\atsvc), psexec patterns, EternalBlue exploits	Monitor for remote execution, lateral movement, unusual share access
Kerberos	Kerberoasting (TGS requests for SPNs), overpass-the-hash, golden ticket	Monitor 4769 events, detect RC4 encryption in TGS requests
ICMP	Oversized payloads, unusual type/code values, high frequency	ICMP tunneling detection, covert channel analysis

Endpoint Detection & Response (EDR)

EDR solutions provide continuous monitoring and response capabilities on endpoints. They collect telemetry on process execution, file modifications, registry changes, network connections, and user activity to detect threats that bypass traditional antivirus.

EDR Capability	Description	Cisco Product
Process Monitoring	Track process creation, parent-child chains, command lines	Cisco Secure Endpoint (formerly AMP)
File Trajectory	Track file movement across endpoints in the environment	Cisco Secure Endpoint file trajectory
Retrospective Detection	Reclassify previously seen files when new intel emerges	Cisco Secure Endpoint retrospective alerting
Threat Response	Isolate endpoints, kill processes, quarantine files remotely	Cisco SecureX + Secure Endpoint integration

Network Detection & Response (NDR)

Technology	Detection Method	Cisco Product
Network Traffic Analysis (NTA)	Flow metadata analysis, behavioral baselining, anomaly detection	Cisco Secure Network Analytics (Stealthwatch)
Intrusion Detection (IDS/IPS)	Signature-based and anomaly-based detection at network perimeter	Cisco Secure IPS (Firepower), Snort
DNS Security	DNS layer visibility, block malicious domains, detect C2 via DNS	Cisco Umbrella
Encrypted Traffic Analytics	Detect malware in encrypted traffic without decryption (metadata, JA3)	Cisco ETA (integrated into Stealthwatch)

Cisco SecureX Orchestration

SecureX is Cisco's cloud-native, integrated security platform that connects the Cisco security portfolio and third-party tools. It provides threat response orchestration, automated workflows, and a unified investigation interface.

Threat Response: Pivot across Cisco products (Umbrella, Secure Endpoint, Email Security, Firepower) from a single observable (IP, hash, domain)
Orchestration Workflows: Automate repetitive SOC tasks using pre-built or custom workflows (SOAR capabilities)
Ribbon: Browser plugin for instant lookups of observables across all integrated products
Tiles & Dashboards: Unified view of security metrics across all Cisco and third-party products
Integration: REST API-based integration with SIEM, ticketing (ServiceNow), Slack, Webex, and custom tools

Tip: SecureX is heavily tested on the CBRCOR exam. Understand how it ties together Cisco's portfolio for unified threat investigation and automated response. Know the difference between SecureX Threat Response (investigation) and SecureX Orchestration (automated workflows/playbooks).

Risk Management Framework

Risk management in cybersecurity involves identifying, assessing, and mitigating risks to an organization's information assets. The goal is to reduce risk to an acceptable level aligned with business objectives.

Concept	Definition	Formula / Details
Risk	Potential for loss or damage	Risk = Threat × Vulnerability × Impact
Threat	Any potential danger to an asset	Natural disasters, nation-state actors, insider threats
Vulnerability	Weakness that can be exploited	Unpatched software, misconfigurations, weak passwords
Risk Mitigation	Apply controls to reduce risk	Patching, segmentation, MFA, encryption
Risk Transfer	Shift risk to third party	Cyber insurance, outsourced SOC (MSSP)
Risk Acceptance	Accept risk when cost exceeds benefit	Documented business decision with management sign-off
Risk Avoidance	Eliminate the risk entirely	Discontinue a risky service or application

Vulnerability Management & CVSS

A continuous lifecycle of identifying, classifying, prioritizing, and remediating vulnerabilities in systems and applications.

CVSS Score Range	Severity	Response Timeframe
9.0 - 10.0	Critical	Immediate (24-48 hours)
7.0 - 8.9	High	Within 7 days
4.0 - 6.9	Medium	Within 30 days
0.1 - 3.9	Low	Within 90 days

CVSS Metric Group	Metrics	Description
Base Score	Attack Vector, Complexity, Privileges, User Interaction, Scope, CIA Impact	Intrinsic characteristics of the vulnerability (does not change)
Temporal Score	Exploit Code Maturity, Remediation Level, Report Confidence	Changes over time (exploit availability, patches)
Environmental Score	Modified base metrics, CIA requirements	Organization-specific adjustments (asset criticality)

Compliance Frameworks

Framework	Scope	Key Focus
NIST CSF	Voluntary, all organizations	Identify, Protect, Detect, Respond, Recover
NIST SP 800-53	US federal agencies	Security and privacy controls catalog (20 control families)
ISO 27001/27002	International, all organizations	Information security management system (ISMS), certifiable
PCI DSS	Payment card industry	12 requirements for cardholder data protection
GDPR	EU data subjects	Data protection, privacy rights, breach notification (72 hours)
HIPAA	US healthcare	Protected health information (PHI) security and privacy
SOC 2	Service organizations	Trust Service Criteria: Security, Availability, Confidentiality, Processing Integrity, Privacy

Secure Network Design

Principle	Description	Implementation
Defense in Depth	Multiple layers of security controls	Firewall + IPS + EDR + SIEM + MFA + segmentation
Network Segmentation	Divide network into security zones	VLANs, firewalls between zones, micro-segmentation (TrustSec SGT)
Zero Trust	Never trust, always verify	Continuous authentication, least privilege, microsegmentation, assume breach
Least Privilege	Minimum access required for job function	RBAC, JIT access, privilege access management (PAM)
DMZ Architecture	Isolate public-facing services	Dual-firewall DMZ: Internet → FW1 → DMZ → FW2 → Internal

Cloud Security Considerations

Cloud Model	Customer Responsibility	Provider Responsibility
IaaS (e.g., EC2, Azure VMs)	OS, apps, data, network config, identity	Physical infrastructure, hypervisor, network fabric
PaaS (e.g., App Service, Lambda)	Application code, data, identity	OS, runtime, middleware, infrastructure
SaaS (e.g., O365, Salesforce)	Data, identity, access configuration	Everything else (app, OS, infrastructure)

CASB (Cloud Access Security Broker): Visibility and control over cloud app usage, DLP, threat protection (Cisco Cloudlock)
CSPM (Cloud Security Posture Management): Continuous assessment of cloud misconfigurations and compliance
CWPP (Cloud Workload Protection Platform): Runtime protection for cloud workloads, containers, serverless

Automation with Python & Ansible

Security automation reduces response time, eliminates repetitive tasks, and ensures consistent execution of security operations procedures.

Automation Use Case	Tool	Example
Threat Intel Enrichment	Python (requests, pymisp)	Auto-query VirusTotal, MISP, Shodan for IoC context
Firewall Rule Updates	Ansible, Python (REST API)	Auto-block C2 IPs across all Firepower devices
Log Collection & Parsing	Python (regex, json, csv)	Parse syslog feeds, normalize data, feed to SIEM
Vulnerability Scanning	Python (nessus API, openvas)	Scheduled scans, auto-generate tickets for critical findings
Configuration Compliance	Ansible playbooks	Enforce security baselines across network devices
Incident Response	SecureX Orchestration, Python	Auto-isolate endpoint, collect forensic data, create ticket

# Python: Auto-enrich IoC via VirusTotal API

import requests

api_key = "YOUR_VT_API_KEY"

ioc_hash = "44d88612fea8a8f36de82e1278abb02f"

url = f"https://www.virustotal.com/api/v3/files/{ioc_hash}"

headers = {"x-apikey": api_key}

response = requests.get(url, headers=headers)

result = response.json()

print(f"Detections: {result['data']['attributes']['last_analysis_stats']}")

Tip: Cisco emphasizes automation in CBRCOR. Know how to use REST APIs (GET/POST with JSON payloads), parse JSON responses in Python, and understand Ansible playbook structure (hosts, tasks, modules). SecureX orchestration workflows are also a key exam topic.

Cisco Security Product Portfolio

Product	Category	Function
Cisco Secure Endpoint (AMP)	EDR	Endpoint detection, file trajectory, retrospective security, threat hunting
Cisco Secure Network Analytics (Stealthwatch)	NDR / NTA	NetFlow analysis, behavioral baselining, encrypted traffic analytics
Cisco Secure Firewall (Firepower)	NGFW / IPS	Firewall, IPS (Snort), URL filtering, malware protection, AVC
Cisco Umbrella	DNS Security	DNS-layer security, web filtering, CASB, secure web gateway
Cisco Secure Email	Email Security	Anti-spam, anti-phishing, DLP, sandboxing, URL rewriting
Cisco ThreatGrid	Malware Sandbox	Dynamic malware analysis, threat intelligence, behavioral indicators
Cisco SecureX	XDR / SOAR	Unified visibility, threat response, orchestration workflows
Cisco ISE	NAC / Identity	Network access control, 802.1X, posture assessment, TrustSec SGT
Cisco Talos	Threat Intelligence	Research group providing threat intel, Snort rules, reputation data

Detection Approaches Compared

Approach	How It Works	Strengths	Weaknesses
Signature-Based	Match against known patterns (Snort rules, AV sigs)	Fast, low false positives, precise	Cannot detect unknown/zero-day threats
Anomaly-Based	Baseline normal behavior, alert on deviations	Detects unknown threats, insider threats	High false positives, requires tuning
Behavioral	Analyze actions and sequences (TTP-based)	Detects fileless malware, living-off-the-land	Complex to implement, resource intensive
Heuristic	Rule-based scoring of suspicious characteristics	Catches variants of known malware	Can be evaded by sophisticated threats
Machine Learning	Train models on labeled data to classify threats	Adaptive, handles large data volumes	Black box, adversarial evasion, training bias

SIEM vs SOAR vs XDR

Feature	SIEM	SOAR	XDR
Primary Function	Log aggregation, correlation, alerting	Orchestration, automation, response	Unified detection and response across domains
Data Sources	Logs from all sources (broad)	Alerts from SIEM, EDR, ticketing	Telemetry from endpoint, network, email, cloud
Key Strength	Compliance, long-term log retention	Automated playbooks, reduces MTTR	Correlated detection across all layers
Cisco Product	Splunk (Cisco acquired)	SecureX Orchestration	SecureX (XDR capabilities)
Analyst Role	Investigate alerts, write queries	Build and maintain playbooks	Focus on high-fidelity incidents

IDS vs IPS vs NGFW

Feature	IDS	IPS	NGFW
Deployment	Passive (mirror/span port)	Inline (in traffic path)	Inline (in traffic path)
Action	Alert only (detect)	Alert + Block (prevent)	Alert + Block + App Control
Visibility	Network packets	Network packets	Packets + Application layer + User identity
Latency Impact	None (passive)	Minimal	Moderate (deep inspection)
Cisco Product	Snort (IDS mode)	Snort (IPS mode) / Firepower	Cisco Secure Firewall (Firepower)

Threat Intelligence Sharing Standards

Feature	STIX	TAXII	OpenIOC	CybOX
Purpose	Data format for CTI	Transport for CTI	IoC description format	Observable description (merged into STIX 2)
Format	JSON (STIX 2.x)	REST API (HTTPS)	XML	XML (legacy)
Maintained By	OASIS	OASIS	Mandiant/FireEye	MITRE (deprecated)
Relationship	What to share	How to share	What to look for	What was observed

Forensic Tools Comparison

Tool	Type	Use Case	License
Volatility	Memory Forensics	RAM analysis: processes, network, injected code, handles	Open source
Autopsy / Sleuth Kit	Disk Forensics	File system analysis, file carving, timeline, keyword search	Open source
Wireshark	Network Forensics	Packet capture analysis, protocol dissection, stream follow	Open source
Zeek (Bro)	Network Monitoring	Connection logs, protocol metadata, custom scripts	Open source
FTK Imager	Disk Imaging	Forensic image creation (E01, dd), RAM capture	Free (AccessData)
YARA	Pattern Matching	Malware classification, IoC scanning, threat hunting	Open source
Cisco ThreatGrid	Sandbox Analysis	Automated dynamic malware analysis, behavioral indicators	Commercial (Cisco)
Snort	IDS/IPS Engine	Network intrusion detection, rule-based packet inspection	Open source (Cisco)

Key Acronyms Quick Reference

Acronym	Meaning	Context
SOC	Security Operations Center	Team and facility for monitoring security events 24/7
DFIR	Digital Forensics & Incident Response	Combined discipline of forensics and IR
CTI	Cyber Threat Intelligence	Processed threat data for decision-making
TTP	Tactics, Techniques, and Procedures	Adversary behavior patterns (MITRE ATT&CK)
MTTR	Mean Time to Respond	Average time from detection to containment
MTTD	Mean Time to Detect	Average time from compromise to detection
DGA	Domain Generation Algorithm	Malware technique for generating C2 domains dynamically
C2 / C&C	Command and Control	Infrastructure used by attackers to manage compromised hosts
APT	Advanced Persistent Threat	Sophisticated, targeted, long-duration threat actor
BEC	Business Email Compromise	Social engineering targeting business email for fraud

Tip: The CBRCOR exam heavily tests Cisco-specific products and how they integrate via SecureX. Know the current product names (Secure Endpoint, not AMP; Secure Network Analytics, not Stealthwatch) and how each product contributes to the detect-investigate-respond workflow. Understand the difference between STIX (data format) and TAXII (transport protocol), and know that Sigma is for SIEM detection rules while YARA is for file/malware pattern matching.

350-201

CBRCOR (CyberOps Professional Core)

350-201 Practice Exam 1

350-201 Practice Exam 2

350-201 Practice Exam 3

350-201 Practice Exam 4

350-201 Practice Exam 5

350-201 Practice Exam 6

Unlock All Content for 350-201

Preview (10 / 120)

Flash Cards

Available Languages

Exam Topics

350-201 Cheat Sheet

CBRCOR 350-201 Exam Details

Domain Weight Breakdown

Cisco CyberOps Certification Path

MITRE ATT&CK Framework

Threat Hunting Methodologies

Indicators of Compromise (IoC) Analysis

Malware Analysis: Static vs Dynamic

Threat Intelligence Platforms & Sharing

YARA Rules for Malware Detection

Digital Forensics Process

Order of Volatility (RFC 3227)

Memory Forensics with Volatility

Disk Forensics & Artifact Analysis

Network Forensics

NIST Incident Response Framework (SP 800-61)

Containment Strategies

Evidence Handling & Chain of Custody

SIEM Correlation & Log Analysis

Sigma Rules for Detection Engineering

Packet Analysis & Protocol Deep Dive

Endpoint Detection & Response (EDR)

Network Detection & Response (NDR)

Cisco SecureX Orchestration

Risk Management Framework

Vulnerability Management & CVSS

Compliance Frameworks

Secure Network Design

Cloud Security Considerations

Automation with Python & Ansible

Cisco Security Product Portfolio

Detection Approaches Compared

SIEM vs SOAR vs XDR

IDS vs IPS vs NGFW

Threat Intelligence Sharing Standards

Forensic Tools Comparison

Key Acronyms Quick Reference