Deck 3: Intel Security Certified Product Specialist

Question
Event Aggregation is performed on which of the following fields?

A) Signature ID, Destination IP, User ID
B) Source IP, Destination IP, User ID
C) Signature ID, Source IP, Destination IP
D) Signature ID, Source IP, User ID
Question
Alarms using field match as the condition type allow for selected Actions to be taken when the Alarm condition is met. Which of the following McAfee ePolicy Orchestrator (ePO) Actions can be selected when creating such an Alarm?

A) Send Events
B) Collect and Send Properties
C) Agent Uninstall
D) Assign Tag with ePO
Question
Zones allow a user to group devices and the events they generate by

A) Geographical location and IP reputation
B) Geographical reputation and IP Address
C) Geographical location and IP Address
D) Geographical location and File reputation
Question
The fundamental purpose of the Receiver Correlation Subsystem (RCS) is

A) to analyze data from the ESM and detect matching patterns.
B) to collect and consolidate identical data from the ESM into a single summary event.
C) to classify or categorize data from the Receiver into related types and sub-types.
D) to organize, retrieve and archive data from the Receiver into the SIEM database.
Question
The McAfee Enterprise Log Manager (ELM) offers three levels of compression (Low, Medium, and High). By default, the ELM compression level is set to Low. Which of the following is the compression ratio for the Medium level?

A) 17:1
B) 20:1
C) 10:1
D) 14:1
Question
Which of the following is the default port used to communicate between McAfee SIEM devices?

A) 22
B) 222
C) 21
D) 211
Question
Which of the following statements about Client Data Sources is TRUE?

A) They will have VIPS, Policy and Agent rights
B) They will be displayed on the Receiver Properties > Data Sources table
C) They will appear on the System Navigation tree
D) They can have independent time zones
Question
The McAfee SIEM solution satisfies which of the following compliance requirements?

A) Continuous monitoring, Log retention  
B) Personally Identifiable Information (PII) protection
C) Payment Card Industry/ Data Security Standard (PCI/ DSS) protection
D) Patch management automation
Question
Which of the following operations is NOT an available selection when using Multi-Device Management?

A) Reboot
B) Update
C) Start
D) Disable
Question
While investigating beaconing malware, an analyst can narrow the search quickly by using which of the following watchlists in the McAfee SIEM?

A) MTIE Suspicious and Malicious
B) TSI Suspicious and Malicious
C) GTI Suspicious and Malicious
D) MTI Suspicious and Malicious
Question
Which of the following is the name of the Dashboard View that shows correlated events for the selected Data Source?

A) Default Summary
B) Normalized Dashboard
C) Incidents Dashboard
D) Triggered Alarms
Question
Where can the ESM event database archive inactive partitions?

A) Storage on the hard disk of the ESM itself
B) Storage on the hard disk of the backup ESM
C) Storage on the ELM
D) Remote storage connected to the ESM
Question
When a Correlation Rule successfully triggers, this occurs at the

A) Correlation Element.
B) Correlation Processor.
C) Correlation Engine.
D) Correlation Manager.
Question
The McAfee SIEM baselines daily events over

A) three days
B) five days
C) seven days
D) nine days
Question
The configuration of a receiver has recently been modified and issues occur. Which command will collect historical data?

A) htop
B) getstatsdata
C) snmpget
D) df
Question
The ESM database is unavailable for use during

A) a configuration backup.
B) a full backup.
C) archiving of inactive partitions.
D) synchronization with the redundant ESM.
Question
A backup of the ELM management database captures

A) ELM configuration settings
B) ELM configuration settings, and the ELM archive index.
C) ELM configuration settings, the ELM archive index, and all archived ELM contents.
D) ELM configuration settings, the ELM archive index, and all archived ELM contents up to the ESM database retention limit.
Question
Which of the following are the three compression ratios available for raw logs being handled by the ELM?

A) 10:1, 14:1, 19:1
B) 14:1, 18:1, 20:1
C) 14:1, 17:1, 21:1
D) 14:1, 17:1, 20:1
Question
A SIEM can be effectively used to identify active threats from internal systems by monitoring/correlating events that occur

A) when no one is logged in; for example, after hours or on weekends.
B) across an unusual range of ports or destinations; for example, all high ports.
C) irregularly; for example, only on Fridays, or only at end-of-quarter.
D) in accordance with expected systems use.
Question
How often does the configuration and policy data from the primary Enterprise Security Manager (ESM) get synchronized with the redundant ESM?

A) Every 2 minutes
B) Every 5 minutes
C) Every 10 minutes
D) This is based on manual selection
Question
A SIEM allows an organization the ability to correlate seemingly disparate streams of traffic into a central console for analysis. This correlation, in many cases, can point out activities that might otherwise go undetected. This type of detection is also known as

A) anomaly based detection.
B) behavioral based detection.
C) heuristic based detection.
D) signature based detection.
Question
A McAfee Event Receiver (ERC) will allow for how many Correlation Data Sources to be configured?

A) 1
B) 3
C) 5
D) 10
Question
The analyst has created a correlation rule to correlate events from Anti-Virus (AV), Network Intrusion Prevention (NIPS) and the firewall. While reviewing just firewall events, the analyst notices a large spike in outbound Command and Control traffic; however, the correlation rule is not triggering. The analyst then looks at the Network IPS and the Anti-Virus views and notices there are no alerts for this traffic. Which of the following features of NIPS and AV are most likely turned off?

A) Alerting
B) Heuristics
C) Advanced Persistent Threats (APT)
D) Automatic DAT updates
Question
Which of the following are the Boolean logic functions that can be used to create Correlation Rules?

A) NOR and AND
B) AND and SET
C) OR and SET
D) OR and AND
Question
Which authentication methods can be configured to control alarm management privileges?

A) SNMP
B) SSH Key Pair
C) Active Directory
D) Access Groups
Question
The possibility of both data source Network Interface Cards (NICs) using the shared IP and MAC address at the same time is eliminated by using which of the following?

A) iSCSI Adapter
B) IPMI Card
C) PCI Adapter
D) SAN Card
Question
Which of the following is the minimum amount of disk space required to install the McAfee Enterprise Security Manager (ESM) as a virtual machine?

A) 100 GB
B) 250 GB
C) 500 GB
D) 1 TB
Question
Which of the following two appliances contain Event databases?

A) ELM and REC
B) ESM and ELM
C) ESM and REC
D) REC and ADM
Question
The primary function of the Application Data Monitor (ADM) appliance is to decode traffic at layer

A) one for inspection.
B) three for inspection.
C) five for inspection.
D) seven for inspection.
Question
A security administrator is configuring the Enterprise Security Manager (ESM) to comply with corporate security policy and wishes to restrict access to the ESM to certain users and machines. Which of the following actions would accomplish this?

A) Configure the Access Control List and set up user accounts
B) Define user groups and set permissions based on IP
C) Assign AD users to computer assignment groups
D) Set up local accounts based on IP Zones
Question
To correlate known vulnerabilities to devices that are currently exposed to such vulnerabilities, which of the following must be selected on the Receiver?

A) Auto Download VulnEvents
B) Enable Vulnerability Event Correlation
C) Generate Vulnerability Events
D) Enable VA Source
Question
By default, the McAfee Enterprise Security Manager (ESM) communicates with the McAfee Event Receiver (ERC) and McAfee Enterprise Log Manager (ELM) over port

A) 21.
B) 443.
C) 22.
D) 23.
Question
Which of the following features of the Enterprise Log Manager (ELM) can alert the user if any data has been modified?

A) Integrity Check
B) SNMP Trap
C) Log Audit
D) ELM Database Check
Question
On the McAfee Enterprise Security Manager (ESM), the default Data Retention setting specifies that Event and Flow data should be maintained for

A) 365 days.
B) same value as configured on the ELM.
C) 90 Days.
D) all data allowed by system.
Question
The security analyst notices that there has been a large spike for Secure Shell (SSH) drops in the Network Intrusion Prevention System (NIPS). What other perimeter device will add more insight into what is happening?

A) McAfee ePolicy Orchestrator (ePO)
B) The core switch
C) The external switch
D) The firewall
Question
If the SIEM Administrator deploys the Enterprise Security Manager (ESM) using the Federal Information Processing Standards (FIPS) encryption mode, which of the following types of user authentication will NOT be compliant with FIPS?  

A) Windows Active Directory
B) Radius
C) Lightweight Directory Access Protocol (LDAP)
D) Local Authentication
Question
By default, events in McAfee SIEM are aggregated on which of the following three fields?

A) Signature ID, Source IP, Source Port
B) Signature ID, Source IP, Destination IP
C) Signature ID, Destination IP, Source User
D) Signature ID, Event ID, Source IP
Question
The normalization value assigned to each data-source event allows

A) increased usability via views based on category rather than signature ID.
B) more efficient parsing of each event by the McAfee SIEM Receiver.
C) quicker ELM searches.
D) the McAfee ESM database to retain fewer events overall.
Question
Checkpoint firewalls provide logs to the McAfee SIEM Receiver in which of the following formats?

A) Syslog
B) Open Platform for Security (OPSEC)
C) McAfee Event Format (MEF)
D) Common Event Format (CEF)
Question
Malware performing a network enumeration scan will be visible at the McAfee SIEM as

A) data-source events.
B) Application Data Monitor (ADM) events.
C) Database Event Monitor (DEM) events.
D) Enhanced Log manager (ELM) entries.
Question
Analysts can effectively use the McAfee SIEM to identify threats by

A) focusing on aggregated and correlated events data.
B) disabling aggregation, so all data are visible.
C) studying ELM archives, to analyze the original data.
D) using the streaming event viewer to analyze data.
Question
If there is no firewall at the border of the network, which of the following could be used to simulate the protection a firewall provides?

A) Load balancer
B) Router Access Control List (ACL)
C) Switch port blocking
D) An email gateway
Question
The historical ACE function allows the user to perform retrospective correlations on older data. In which of the following devices is the data located that the historical correlation engine uses?

A) ELM
B) REC
C) ADM
D) ESM
Question
Which of the following are the three default users defined within the Users and Groups option in the ESM properties?

A) NGCP, POLICY, REPORT
B) NGCP, BACKUP, REPORT
C) ADMIN, POLICY, REPORT
D) NGCP, SYSTEM, REPORT
Question
Reports can be created by selecting the ESM System Properties window, the Reports Icon in the top right of the ESM screen or by which of the following other methods within Alarm Creation?

A) Actions tab
B) Conditions tab
C) Escalation tab
D) Summary tab
Question
The Global Blacklist feature can be used to block specific traffic from which of the following devices?

A) Corporate Firewall
B) Application Data Monitor (ADM)
C) Event Receiver (ERC)
D) Nitro IPS
Question
When the automated system backup is configured to include events, flows and log data, the first backup will capture all events, flows and logs

A) in the ESM database.
B) in the ESM database older than what is currently held in the Receivers.
C) inserted in the ESM database on the most recent Receiver poll.
D) in the ESM database from the current day.
Question
When displaying baseline averages using the automatic time range option, baseline data is correlated by using the same time period that is being used for the current query for which of the following past number of intervals?

A) Three
B) Seven
C) Five
D) Ten
Question
An organization notices an increasing number of ESM concurrent connection events. To mitigate risks related to concurrent sessions, which action should the organization take?

A) Increase the concurrent session alarm threshold
B) Decrease the console timeout value
C) Increase the number of the concurrent sessions allowed
D) Customize the login page with the organization's logo
Question
When writing custom correlation rules, the analyst should focus on

A) multiple security controls and events specific to the environment.
B) any one specific high-quality indicator of compromise.
C) malware alerts announced by industry security groups.
D) firewall events, as they provide the first indication of a compromise.
Question
Which of the following is the primary function of the Event Receiver (ERC) in relation to the Enterprise Security Manager (ESM)?

A) Collect and parse events before the ESM pulls them from the ERC
B) Collect and parse the events before the receiver forwards them to the ESM
C) Collect and store the events before they are forwarded to the ESM for parsing
D) Collect and parse the events before forwarding them to the ELM
Answers (only the first three cards of this deck are revealed)

1. Event Aggregation is performed on which of the following fields? Answer: Signature ID, Source IP, Destination IP
2. Alarms using field match as the condition type allow for selected Actions to be taken when the Alarm condition is met. Which of the following McAfee ePolicy Orchestrator (ePO) Actions can be selected when creating such an Alarm? Answer: Assign Tag with ePO
3. Zones allow a user to group devices and the events they generate by which of the following? Answer: Geographical location and IP Address
4
The fundamental purpose of the Receiver Correlation Subsystem (RCS) is

A) to analyze data from the ESM and detect matching patterns.
B) to collect and consolidate identical data from the ESM into a single summary event.
C) to classify or categorize data from the Receiver into related types and sub-types.
D) to organize, retrieve and archive data from the Receiver into the SIEM database.
Unlock Deck
Unlock for access to all 85 flashcards in this deck.
Unlock Deck
k this deck
5
The McAfee Enterprise Log Manager (ELM) offers three levels of compression (Low, Medium, and High). By default, the ELM compression level is set to Low. Which of the following is the compression ratio for the Medium level?

A) 17:1
B) 20:1
C) 10:1
D) 14:1
Unlock Deck
Unlock for access to all 85 flashcards in this deck.
Unlock Deck
k this deck
6
Which of the following is the default port used to communicate between McAfee SIEM devices?

A) 22
B) 222
C) 21
D) 211
Unlock Deck
Unlock for access to all 85 flashcards in this deck.
Unlock Deck
k this deck
7
Which of the following statements about Client Data Sources is TRUE?

A) They will have VIPS, Policy and Agent rights
B) They will be displayed on the Receiver Properties > Data Sources table
C) They will appear on the System Navigation tree
D) They can have independent time zones
Unlock Deck
Unlock for access to all 85 flashcards in this deck.
Unlock Deck
k this deck
8
The McAfee SIEM solution satisfies which of the following compliance requirements?

A) Continuous monitoring, Log retention  
B) Personally Identifiable Information (PII) protection
C) Payment Card Industry/ Data Security Standard (PCI/ DSS) protection
D) Patch management automation
Unlock Deck
Unlock for access to all 85 flashcards in this deck.
Unlock Deck
k this deck
9
Which of the following operations is NOT an available selection when using Multi-Device Management?

A) Reboot
B) Update
C) Start
D) Disable
Unlock Deck
Unlock for access to all 85 flashcards in this deck.
Unlock Deck
k this deck
10
While investigating beaconing Malware, an analyst can narrow the search quickly by using which of the following watchlists in the McAfee SIEM?

A) MTIE Suspicious and Malicious
B) TSI Suspicious and Malicious
C) GTI Suspicious and Malicious
D) MTI Suspicious and Malicious
Unlock Deck
Unlock for access to all 85 flashcards in this deck.
Unlock Deck
k this deck
11
Which of the following is the name of the Dashboard View that shows correlated events for the selected Data Source?

A) Default Summary
B) Normalized Dashboard
C) Incidents Dashboard
D) Triggered Alarms
Unlock Deck
Unlock for access to all 85 flashcards in this deck.
Unlock Deck
k this deck
12
Where can the ESM event database archive inactive partitions?

A) Storage on the hard disk of the ESM itself
B) Storage on the hard disk of the backup ESM
C) Storage on the ELM
D) Remote storage connected to the ESM
Unlock Deck
Unlock for access to all 85 flashcards in this deck.
Unlock Deck
k this deck
13
When a Correlation Rule successfully triggers, this occurs at the

A) Correlation Element.
B) Correlation Processor.
C) Correlation Engine.
D) Correlation Manager.
Unlock Deck
Unlock for access to all 85 flashcards in this deck.
Unlock Deck
k this deck
14
The McAfee SIEM baselines daily events over

A) three days
B) five days
C) seven days
D) nine days
Unlock Deck
Unlock for access to all 85 flashcards in this deck.
Unlock Deck
k this deck
15
The configuration of a receiver has recently been modified and issues occur. Which command will collect historical data?

A) htop
B) getstatsdata
C) snmpget
D) df
Unlock Deck
Unlock for access to all 85 flashcards in this deck.
Unlock Deck
k this deck
16
The ESM database is unavailable for use during

A) a configuration backup.
B) a full backup.
C) archiving of inactive partitions.
D) synchronization with the redundant ESM.
Unlock Deck
Unlock for access to all 85 flashcards in this deck.
Unlock Deck
k this deck
17
A backup of the ELM management database captures

A) ELM configuration settings
B) ELM configuration settings, and the ELM archive index.
C) ELM configuration settings, the ELM archive index, and all archived ELM contents.
D) ELM configuration settings, the ELM archive index, and all archived ELM contents up to the ESM database retention limit.
Unlock Deck
Unlock for access to all 85 flashcards in this deck.
Unlock Deck
k this deck
18
Which of the following are the three compression ratios available for raw logs being handled by the ELM?

A) 10:1, 14:1, 19:1
B) 14:1, 18:1, 20:1
C) 14:1, 17:1, 21:1
D) 14:1, 17:1, 20:1
Unlock Deck
Unlock for access to all 85 flashcards in this deck.
Unlock Deck
k this deck
19
A SIEM can be effectively used to identify active threats from internal systems by monitoring/correlating events that occur

A) when no one is logged in; for example, after hours or on weekends.
B) across an unusual range of ports or destinations; for example, all high ports.
C) irregularly; for example, only on Fridays, or only at end-of-quarter.
D) in accordance with expected systems use.
Unlock Deck
Unlock for access to all 85 flashcards in this deck.
Unlock Deck
k this deck
20
How often does the configuration and policy data from the primary Enterprise Security Manager (ESM) get synchronized with the redundant ESM?

A) Every 2 minutes
B) Every 5 minutes
C) Every 10 minutes
D) This is based on manual selection
Unlock Deck
Unlock for access to all 85 flashcards in this deck.
Unlock Deck
k this deck
21
A SIEM allows an organization the ability to correlate seemingly disparate streams of traffic into a central console for analysis. This correlation, in many cases, can point out activities that might otherwise go undetected. This type of detection is also known as

A) anomaly based detection.
B) behavioral based detection.
C) heuristic based detection.
D) signature based detection.
Unlock Deck
Unlock for access to all 85 flashcards in this deck.
Unlock Deck
k this deck
22
A McAfee Event Receiver (ERC) will allow for how many Correlation Data Sources to be configured?

A) 1
B) 3
C) 5
D) 10
Unlock Deck
Unlock for access to all 85 flashcards in this deck.
Unlock Deck
k this deck
23
The analyst has created a correlation rule to correlate events from Anti-Virus (AV), Network Intrusion Prevention (NIPS) and the firewall. While reviewing just firewall events, the analyst notices a large spike in outbound Command and Control traffic; however, the correlation rule is not triggering. The analyst then looks at the Network IPS and the Anti-Virus views and notices there are no alerts for this traffic. Which of the following features of NIPS and AV are most likely turned off?

A) Alerting
B) Heuristics
C) Advanced Persistent Threats (APT)
D) Automatic DAT updates
Unlock Deck
Unlock for access to all 85 flashcards in this deck.
Unlock Deck
k this deck
24
Which of the following are the Boolean logic functions that can be used to create Correlation Rules?

A) NOR and AND
B) AND and SET
C) OR and SET
D) OR and AND
Unlock Deck
Unlock for access to all 85 flashcards in this deck.
Unlock Deck
k this deck
25
Which authentication methods can be configured to control alarm management privileges?

A) SNMP
B) SSH Key Pair
C) Active Directory
D) Access Groups
Unlock Deck
Unlock for access to all 85 flashcards in this deck.
Unlock Deck
k this deck
26
The possibility of both data source Network Interface Cards (NICs) using the shared IP and MAC address at the same time is eliminated by using which of the following?

A) iSCSI Adapter
B) IPMI Card
C) PCI Adapter
D) SAN Card
Unlock Deck
Unlock for access to all 85 flashcards in this deck.
Unlock Deck
k this deck
27
Which of the following is the minimum amount of disk space required to install the McAfee Enterprise Security Manager (ESM) as a virtual machine?

A) 100 GB
B) 250 GB
C) 500 GB
D) 1 TB
Unlock Deck
Unlock for access to all 85 flashcards in this deck.
Unlock Deck
k this deck
28
Which of the following two appliances contain Event databases?

A) ELM and REC
B) ESM and ELM
C) ESM and REC
D) REC and ADM
Unlock Deck
Unlock for access to all 85 flashcards in this deck.
Unlock Deck
k this deck
29
The primary function of the Application Data Monitor (ADM) appliance is to decode traffic at layer

A) one for inspection.
B) three for inspection.
C) five for inspection.
D) seven for inspection.
Unlock Deck
Unlock for access to all 85 flashcards in this deck.
Unlock Deck
k this deck
30
A security administrator is configuring the Enterprise Security Manager (ESM) to comply with corporate security policy and wishes to restrict access to the ESM to certain users and machines. Which of the following actions would accomplish this?

A) Configure the Access Control List and setup user accounts
B) Define user groups and set permissions based on IP
C) Assign AD users to computer assignment groups
D) Setup local accounts based on IP Zones
Unlock Deck
Unlock for access to all 85 flashcards in this deck.
Unlock Deck
k this deck
31
To correlate known vulnerabilities to devices that are currently exposed to such vulnerabilities, which of the following must be selected on the Receiver?

A) Auto Download VulnEvents
B) Enable Vulnerability Event Correlation
C) Generate Vulnerability Events
D) Enable VA Source
Unlock Deck
Unlock for access to all 85 flashcards in this deck.
Unlock Deck
k this deck
32
By default, the McAfee Enterprise Security Manager (ESM) communicates with the McAfee Event Receiver (ERC) and McAfee Enterprise Log Manager (ELM) over port

A) 21.
B) 443.
C) 22.
D) 23.
Unlock Deck
Unlock for access to all 85 flashcards in this deck.
Unlock Deck
k this deck
33
Which of the following features of the Enterprise Log Manager (ELM) can alert the user if any data has been modified?

A) Integrity Check
B) SNMP Trap
C) Log Audit
D) ELM Database Check
Question
On the McAfee Enterprise Security Manager (ESM), the default Data Retention setting specifies that Event and Flow data should be maintained for

A) 365 days.
B) same value as configured on the ELM.
C) 90 days.
D) all data allowed by system.
Question
The security analyst notices that there has been a large spike for Secure Shell (SSH) drops in the Network Intrusion Prevention System (NIPS). What other perimeter device will add more insight into what is happening?

A) McAfee ePolicy Orchestrator (ePO)
B) The core switch
C) The external switch
D) The firewall
Question
If the SIEM Administrator deploys the Enterprise Security Manager (ESM) using the Federal Information Processing Standards (FIPS) encryption mode, which of the following types of user authentication will NOT be compliant with FIPS?

A) Windows Active Directory
B) Radius
C) Lightweight Directory Access Protocol (LDAP)
D) Local Authentication
Question
By default, events in McAfee SIEM are aggregated on which of the following three fields?

A) Signature ID, Source IP, Source Port
B) Signature ID, Source IP, Destination IP
C) Signature ID, Destination IP, Source User
D) Signature ID, Event ID, Source IP
Question
The normalization value assigned to each data-source event allows

A) increased usability via views based on category rather than signature ID.
B) more efficient parsing of each event by the McAfee SIEM Receiver.
C) quicker ELM searches.
D) the McAfee ESM database to retain fewer events overall.
Question
Check Point firewalls provide logs to the McAfee SIEM Receiver in which of the following formats?

A) Syslog
B) Open Platform for Security (OPSEC)
C) McAfee Event Format (MEF)
D) Common Event Format (CEF)
Question
Malware performing a network enumeration scan will be visible at the McAfee SIEM as

A) data-source events.
B) Application Data Monitor (ADM) events.
C) Database Event Monitor (DEM) events.
D) Enhanced Log manager (ELM) entries.
Question
When a Correlation Rule successfully triggers, this occurs at the

A) Correlation Element.
B) Correlation Processor.
C) Correlation Engine.
D) Correlation Manager.
Question
Analysts can effectively use the McAfee SIEM to identify threats by

A) focusing on aggregated and correlated events data.
B) disabling aggregation, so all data are visible.
C) studying ELM archives, to analyze the original data.
D) using the streaming event viewer to analyze data.
Question
While investigating beaconing malware, an analyst can narrow the search quickly by using which of the following watchlists in the McAfee SIEM?

A) MTIE Suspicious and Malicious
B) TSI Suspicious and Malicious
C) GTI Suspicious and Malicious
D) MTI Suspicious and Malicious
Question
The McAfee SIEM solution satisfies which of the following compliance requirements?

A) Continuous monitoring, Log retention
B) Personally Identifiable Information (PII) protection
C) Payment Card Industry Data Security Standard (PCI DSS) protection
D) Patch management automation
Question
If there is no firewall at the border of the network, which of the following could be used to simulate the protection a firewall provides?

A) Load balancer
B) Router Access Control List (ACL)
C) Switch port blocking
D) An email gateway
Question
The configuration of a receiver has recently been modified and issues occur. Which command will collect historical data?

A) htop
B) getstatsdata
C) snmpget
D) df
Question
The historical ACE function allows the user to perform retrospective correlations on older data. In which of the following devices is the data located that the historical correlation engine uses?

A) ELM
B) REC
C) ADM
D) ESM
Question
The McAfee SIEM baselines daily events over

A) three days
B) five days
C) seven days
D) nine days
Question
Which of the following are the three default users defined within the Users and Groups option in the ESM properties?

A) NGCP, POLICY, REPORT
B) NGCP, BACKUP, REPORT
C) ADMIN, POLICY, REPORT
D) NGCP, SYSTEM, REPORT
Question
Which of the following are the three compression ratios available for raw logs being handled by the ELM?

A) 10:1, 14:1, 19:1
B) 14:1, 18:1, 20:1
C) 14:1, 17:1, 21:1
D) 14:1, 17:1, 20:1
Question
Reports can be created by selecting the ESM System Properties window, the Reports Icon in the top right of the ESM screen or by which of the following other methods within Alarm Creation?

A) Actions tab
B) Conditions tab
C) Escalation tab
D) Summary tab
Question
The Global Blacklist feature can be used to block specific traffic from which of the following devices?

A) Corporate Firewall
B) Application Data Monitor (ADM)
C) Event Receiver (ERC)
D) Nitro IPS
Question
When the automated system backup is configured to include events, flows and log data, the first backup will capture all events, flows and logs

A) in the ESM database.
B) in the ESM database older than what is currently held in the Receivers.
C) inserted in the ESM database on the most recent Receiver poll.
D) in the ESM database from the current day.
Question
When displaying baseline averages using the automatic time range option, baseline data is correlated by using the same time period that is being used for the current query for which of the following past number of intervals?

A) Three
B) Seven
C) Five
D) Ten
Question
How often does the configuration and policy data from the primary Enterprise Security Manager (ESM) get synchronized with the redundant ESM?

A) Every 2 minutes
B) Every 5 minutes
C) Every 10 minutes
D) This is based on manual selection
Question
An organization notices an increasing number of ESM concurrent connection events. To mitigate risks related to concurrent sessions, which action should the organization take?

A) Increase the concurrent session alarm threshold
B) Decrease the console timeout value
C) Increase the number of the concurrent sessions allowed
D) Customize the login page with the organization's logo
Question
A SIEM can be effectively used to identify active threats from internal systems by monitoring/correlating events that occur

A) when no one is logged in; for example, after hours or on weekends.
B) across an unusual range of ports or destinations; for example, all high ports.
C) irregularly; for example, only on Fridays, or only at end-of-quarter.
D) in accordance with expected systems use.
Question
A McAfee Event Receiver (ERC) will allow for how many Correlation Data Sources to be configured?

A) 1
B) 3
C) 5
D) 10
Question
The ESM database is unavailable for use during

A) a configuration backup.
B) a full backup.
C) archiving of inactive partitions.
D) synchronization with the redundant ESM.
Question
The possibility of both data source Network Interface Cards (NICs) using the shared IP and MAC address at the same time is eliminated by using which of the following?

A) iSCSI Adapter
B) IPMI Card
C) PCI Adapter
D) SAN Card
Question
Which of the following are the Boolean logic functions that can be used to create Correlation Rules?

A) NOR and AND
B) AND and SET
C) OR and SET
D) OR and AND
Question
When writing custom correlation rules, the analyst should focus on

A) multiple security controls and events specific to the environment.
B) any one specific high-quality indicator of compromise.
C) malware alerts announced by industry security groups.
D) firewall events, as they provide the first indication of a compromise.
Question
The analyst has created a correlation rule to correlate events from Anti-Virus (AV), Network Intrusion Prevention (NIPS) and the firewall. While reviewing just firewall events, the analyst notices a large spike in outbound Command and Control traffic; however, the correlation rule is not triggering. The analyst then looks at the Network IPS and the Anti-Virus views and notices there are no alerts for this traffic. Which of the following features of NIPS and AV are most likely turned off?

A) Alerting
B) Heuristics
C) Advanced Persistent Threats (APT)
D) Automatic DAT updates
Question
Which of the following is the Primary function of the Event Receiver (ERC) in relation to the Enterprise Security Manager (ESM)?

A) Collect and parse events before the ESM pulls them from the ERC
B) Collect and parse the events before the receiver forwards them to the ESM
C) Collect and store the events before they are forwarded to the ESM for parsing
D) Collect and parse the events before forwarding them to the ELM