Refer to the exhibit.

Cisco 300-220 Question Answer

A security analyst receives an alert from Cisco Secure Network Analytics (formerly StealthWatch) with the C2 category. Which information aids the investigation?

The number of packets shows that a C2 communication occurred.

IP address 10.201.3.99 is a C2 server.

Host 10.201.3.99 is attempting to contact the C2 server to retrieve the payload.

The payload describes the address of the zombie endpoint.

Explanation:

The correct answer isC. Host 10.201.3.99 is attempting to contact the C2 server to retrieve the payload.

Cisco Secure Network Analytics (Stealthwatch) detectsCommand-and-Control (C2)activity by analyzingnetwork behavior, not by relying solely on known malicious indicators. In the exhibit, the critical investigative clue is theHTTP payload containing a suspicious external URL, which strongly suggests outbound communication from an internal host to an external command-and-control infrastructure.

The internal IP address10.201.3.99belongs to a workstation group (“Desktops”), indicating it is an internal endpoint, not a C2 server. This immediately rules out option B. Instead, the endpoint is acting as acompromised host (zombie)attempting to reach a remote server controlled by an attacker. This outbound beaconing behavior is a classic hallmark of C2 communication.

Option A is incorrect because packet count alone does not confirm C2 activity. C2 traffic is oftenlow-and-slow, intentionally designed to blend in with normal traffic patterns. Option D is also incorrect because the payload does not describe the zombie endpoint; rather, it shows aremote URL, which is likely part of malware staging or command retrieval.

From a threat hunting and SOC perspective, the most valuable information isdirectionality and intent:

Internal host → external suspicious domain

HTTP-based communication over an unusual port

Low data volume consistent with beaconing or payload retrieval

This aligns withMITRE ATT&CK – Command and Control (TA0011)techniques such asApplication Layer Protocols (T1071). Identifying which internal host is reaching out—and why—is essential for containment, endpoint isolation, and scope expansion.

Professionally, this insight enables the analyst to:

Quarantine host 10.201.3.99

Pivot to EDR telemetry on that endpoint

Block the external domain or IP

Hunt for similar beaconing patterns across the environment

In summary, the investigation is aided most by understanding thatan internal host is actively communicating with a C2 server, makingOption Cthe correct and operationally meaningful answer.

300-220 PDF/Engine

Printable Format
Value of Money
100% Pass Assurance
Verified Answers
Researched by Industry Experts
Based on Real Exams Scenarios
100% Real Questions

Get 65% Discount on All Products, Use Coupon: "ac4s65"

The CISO must improve the threat-hunting strategy to strengthen the organization's security posture and better...

Refer to the exhibit.

Weekend Sale Special Limited Time 65% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: ac4s65

Refer to the exhibit.

The Answer Is:

Explanation:

Quick Links