Free Cisco 300-740 Practice Exam with Questions & Answers

In Cisco Secure Endpoint (formerly AMP for Endpoints), isolating an infected machine is the most immediate action to contain the threat. Isolation cuts the endpoint off from all network communication except to the management console, allowing the analyst to investigate further while preventing lateral movement or data exfiltration.

According to SCAZT Section 6: Threat Response (Pages 114–117), isolation is a recommended first response in the event of malware detection.

When configuring Cisco Umbrella to block all traffic except to domains explicitly allowed (e.g., cisco.com), the “Allow-Only Mode” must be enabled. This setting overrides default behavior and ensures that only entries listed in the allow list are accessible—everything else is automatically blocked. According to SCAZT Section 1 (Cloud Security Architecture, Pages 16–19), enabling Allow-Only Mode is crucial for strict outbound DNS filtering.

Without this setting, the system allows access to all domains not explicitly blocked, which is why the engineer was able to access non-cisco.com domains despite defining an allow list.

The screenshot from Cisco ISE shows a configuration of a “File Condition” posture check that verifies the existence and version of the “Srv.sys” file in the System32 directory. This is a known method to validate if a Windows device has received a critical security patch (in this case, one related to protection against the WannaCry vulnerability, MS17-010). Cisco ISE does not rely solely on a patch management system for this type of validation but can use specific file version and path checks. Therefore, the correct posture condition is File Condition.

The App Discovery function in Cisco Umbrella enables organizations to identify cloud applications in use across their environment, including unsanctioned or shadow IT services. This is crucial for risk assessments and ranking cloud services based on their risk profile.

App Discovery analyzes DNS and web traffic to detect SaaS applications and assigns a risk score to each app based on industry best practices and Cisco Talos threat intelligence.

It provides visibility into cloud service usage and supports decisions about which applications should be allowed, restricted, or blocked.

???? Reference (Cisco SCAZT Guide):

Section: Visibility and Assurance

Topic: Cisco Umbrella > App Discovery

Key Statement: "App Discovery helps identify cloud applications in use and provides risk ratings for each, allowing organizations to apply governance policies to risky or unsanctioned cloud services."

Pages: 84–86

To preserve the user for investigation while immediately revoking access, the correct approach is to disable the user in the Duo Admin Panel. This action blocks authentication without deleting logs or user data. Simultaneously, resetting the password from Active Directory ensures any potentially compromised credentials are revoked.

According to SCAZT (Section 2: User and Device Security, Pages 40–44), disabling user accounts in Duo offers secure containment during security incidents while maintaining data for forensic review.

When integrating Cisco Cloudlock with SaaS platforms like Salesforce, two core authorizations are required: network access and API authorization. In the scenario, Cloudlock has been authorized in Salesforce, and its IP has been allow-listed. However, if access is still denied, the most likely cause is that Salesforce has not been configured to accept traffic from Cloudlock’s IP range — a process handled from the Salesforce admin panel.

To resolve the issue, network access must be explicitly granted to Cloudlock from within Salesforce. This ensures that Salesforce accepts requests initiated by Cloudlock for monitoring and enforcement.

Based on the alert of “Geographically Unusual Remote Access” from Secure Cloud Analytics and the SSH logs from foreign IPs, this device (linux-gcp-east-4c) has likely been compromised. According to SCAZT Section 6: Threat Response (Pages 114–117):

B: Isolating/quarantining the host is an immediate incident response step to prevent lateral movement and data exfiltration.

E: A firewall rule blocking inbound SSH to the GCP VM from external sources would be the appropriate access control response to prevent recurrence.

Options A and C (reinstallation) may be used later during recovery but are not immediate containment steps. Blocking outgoing SSH (Option D) is less relevant than restricting inbound SSH in this scenario.

Cisco Talos is Cisco’s threat intelligence organization, delivering real-time threat intelligence and malware analytics to help organizations detect and prevent threats before they impact the network. According to the SCAZT guide, Talos provides comprehensive coverage of threat data including signatures, indicators of compromise, and context-driven analytics. This intelligence feeds into Cisco security platforms such as Cisco SecureX and Cisco Secure Endpoint to enhance detection, investigation, and response capabilities. Talos is explicitly referenced in the Threat Response section as the primary source of threat intelligence and malware analytics that supports cloud and endpoint security frameworks.

In Cisco ASA configurations using IKEv2, the integrity command defines the hash algorithm. To use SHA-512, the correct syntax is:

integrity sha512

Without this, the IKEv2 proposal is considered incomplete or mismatched with the peer. The encryption command sets encryption (AES-256, etc.), not hashing. The correct structure is:

crypto ikev2 policy <#>

encryption aes-256

integrity sha512

group 2

prf sha512

lifetime 86400

Web Application Firewalls (WAFs) use rate-based rules as one of the primary mechanisms to detect and mitigate Distributed Denial of Service (DDoS) attacks. According to the SCAZT Study Guide, Section 3 (Network and Cloud Security, Pages 74–77), rate-based rules dynamically detect unusual spikes in traffic and can throttle or block connections exceeding predefined thresholds. This form of protection is more adaptive and intelligent than standard ACLs or static filtering, enabling protection against zero-day and volumetric attacks that may not follow known patterns.