MoreExam
1. Question Content...
EXPLANATION
Answer: X - EXPLANATION Content.
Question1: Your company has found some suspicious conversations for some internal users. The security teamsuspects those users are communicating with entities in other countries. You have been assigned the taskof identifying those users who are either uploading or downloading files from servers in other countries. Isthis the best way to visualize conversations of suspected users in this scenario? (Visualizing conversationgraphs.)
Question2: A network administrator is looking for an option to set the maximum data retention period to 180 days inthe IntroSpect Analyzer. Is this a correct statement about data retention in IntroSpect? (The default dataretention period is set at 30 days, and this cannot be changed.)
Question3: You are looking in the conversation page on the IntroSpect Analyzer. Is this a valid method for determiningwhich source the conversation data come from? (Click on the different options under Applications to filterfor application types like DNS and HTTP.)
Question4: You receive an email alert that a Packet Processor forwarding AMON data at a remote site to a cloud-based Analyzer has stopped communicating.Is this a valid step to try to fix the issue? (Contact the firewall administrator from the site and see if anyrules have changed that may be blocking TCP port 389.)
Question5: While investigating alerts in the Analyzer you notice a host desktop with a low risk score has been sendingregular emails from an internal account to the same external account. Upon investigation you see that theemails all have attachments. Would this be correct assessment of the situation? (Your next step should beto find what user account logs into this desktop, and look at activity of their devices this user has accessto.)
Question6: You are a security analyst for a company where an Aruba infrastructure, such as Controllers, ClearPass,and Airwave, has been deployed. The company has recently deployed Aruba IntroSpect for securityanalytics. You are trying to understand the functionality of three components: Analyzer, Compute Node(CN), and Packet Processor of the IntroSpect system. Is this a good description of the functions of theAnalyzer Node in the system? (The Analyzer Node is the center of the system, providing all of the controland interface to the other components.)
Question7: While troubleshooting integration between ClearPass and IntroSpect, you notice that there are no logevents for either THROUGHPUT or ERROR in the ClearPass log source on the IntroSpect Analyzer. Youare planning your troubleshooting actions.Is this something you should check? (Under Cluster-Wide Parameters on the ClearPass Publisher, makesure Post-Auth v2 is enabled.)
Question8: A customer with approximately 200 users in Active Directory, is running Aruba Mobility Controllers, PaloAlto firewalls, and Pulse Secure VPN and InfoBlox DNS on their network. They would like to implement the2RU Fixed Configuration Analyzer Standard Edition.Would this be a good response to the customer? (The 2RU Fixed Configuration Analyzer should work forthis smaller customer. However, they will need the Advanced Edition to monitor the DNS server.)
Question9: You are a system admin with a company where Aruba infrastructure, such as Controllers, ClearPass, andAirwave, have been deployed. The company has integrated an Aruba Introspect 2-RU appliance in theNetwork Infrastructure. Recently, you are seeing overload issues with the IntroSpect system. So, you wantto add five more Compute Nodes to meet the requirements.Is this a correct solution for adding more Compute Nodes? (With a 2-RU system, you can add a maximum4 Compute Nodes.)
Question10: The company has a DMZ with an application server where customers can upload and access their productorders. The security admin wants to know how you configure IntroSpect to monitor this server. Should thisbe part of your plan? (List the IP subnet of the DMZ as "External" under the Main Menu > Analytics>GlobalConfig>so that alerts for the server will show up as IN-to-OUT traffic.)
Question11: You are a system admin with a company where Aruba infrastructure, such as Controllers, ClearPass, andAirwave, have been deployed. The company has integrated an Aruba Introspect 2-RU appliance in theNetwork Infrastructure. Recently, you are seeing overload issues with the IntroSpect system. So, you wantto add five more Compute Nodes to meet the requirements.Is this a correct solution for adding more Compute Nodes? (2-RU is a single appliance that does not scale,and you cannot add any more Compute Nodes to it.)
Question12: You are planning to configure ClearPass to send endpoint context to IntroSpect. You need to create achecklist of functions that must be enabled in ClearPass to support this. Is this an option that is required?(Time Source Now as part of the authorization in the service.)
Question13: While investigating alerts you notice an entity has triggered a peer alert for visiting recruiting websites. Twodays later the same user accessed the office for the first time in the late evening. You also noticed thatthey downloaded more data than their peers through the VPN session. Based on these conditions, is this apossible cause? (The user's account could have been compromised and is now being used by an attackerto exfiltrate company information.)
Question14: You were called into a customer site to do an evaluation of installing IntroSpect for a small business.During the discovery process, the customer asks you to explain when they would need to deploy a PacketProcessor. Does this explain the function of the Packet Processor? (They always need the PacketProcessor to process AMON data from the Aruba Networks Mobility Controller.)
Question15: You are planning to configure ClearPass to send endpoint context to IntroSpect. You need to create achecklist of functions that must be enabled in ClearPass to support this. Is this an option that is required?(System Monitor Service.)
Question16: An IntroSpect installation has been up for a day. While validating the log sources, you see an ArubaFirewall log source configured on a Packet Processor that has shown up on the interface in the analyzer.While evaluating conversation data you notice there is no eflow data from AMON. You log into thecontroller and confirm there is user activity in the dashboard. Would this be a correct statement about thissituation? (The log source on the Packet Processor may not be pointed to the analyzer IP address.)
Question17: In a meeting with a customer that runs a fully automated manufacturing facility that is connected to thebusiness and corporate offices, the operations manager asks why they need IntroSpect to monitor themanufacturing network. Is this a reason they should monitor the manufacturing network security?(Because the controllers and sensors do not store customer data or corporate intellectual property, even ifthe automation network was to be breached it would not expose anything valuable.)
Question18: While investigating alerts you notice a user entity has triggered a historical alert for Large Internal DataDownload. While investigating the alert, you notice that the download came from a different device thannormal for the user. Based on these conditions, is this a possible cause? (This is a classic user accounttake over pattern.)
Question19: An admin is evaluating entity activity alerts for large internal downloads, excessive host access, accessinghosts with SSH, and host and port scans. Is this a correct reason for these types of alerts? (an attackerconducting reconnaissance on the network.)
Question20: While looking at the conversations page you notice one user account logging into a number of servers on aregular basis. Is this information that you can draw from this activity? (This could be a service account andshould be excluded from correlating Logon events with devices, or every device it logs into will be creditedto it as the owner.)
Question21: You are one of the system administrators in your company, and you are assigned to monitor the IntroSpectsystem for alarms. Is this a correct statement about alarms? (The alarm bell icon on the header barindicates active alarms, and clicking on it will take you to the Alerts>page.)
Question22: You have been asked to provide a Bill of Materials (BoM) for a mature small business with two sites. TheIT Director prefers all hardware to be on-premise but is open to cloud-based solution. In conversations withthe IT staff, you determine that the main site has approximately 550 network devices and 400 users. Allusers are in Active Directory. Eighty of the users use a Pulse Secure VPN to work remotely.The second site is a warehouse operation with approximately 40 users and another 10 users that usePulse Secure VPN. All wireless is using Aruba Networks Instant APs. There are Active Directory servers atboth sites. All logs are currently being gathered into Splunk. The team feels that they can properly monitorthe corporate site network with a single tap port on a central switch at the main office. There will be anetwork tap at the remote site.Is this a suggestion you would make to the customer? (The customer should install the Fixed ConfigurationAnalyzer at the main site, along with a Packet Processor in the data center and a single Packet Processorat the warehouse site.)
Question23: Refer to the exhibit.You are a security analyst for a company that has deployed an Aruba infrastructure, such as MobilityControllers, ClearPass, and Airwave. Recently they have deployed Aruba IntroSpect for security analytics.You are looking at the conversation details of an entity. Is this statement correct about the detailshighlighted? (These details came from the ClearPass server and it has been integrated as a context serverin the IntroSpect.)
Question24: Refer to the exhibit.Would this be a correct option when configuring a user account for a ClearPass to use to communicatewith IntroSpect? (The username and email address must match.)
Question25: You are deploying a new IntroSpect Packet Processor in your data center. It is not communicating with theanalyzer in the same data center. You think that you have entered the host name of the analyzerincorrectly while bootstrapping the packet processor. Would this be a logical next step? (Just restart thesystem by executing "shutdown -r now" command during the reboot; when prompted, select the option for"reset processor".)
Question26: While discussing network security with an associate, the associate asks why a company would needinternal monitoring when they have firewalls and Wireless Intrusion Protection configured. Is this anappropriate response? (You point out that while these security measures are required, there are otherattack vectors in a network that are simply not protected by these.)
Question27: You are troubleshooting ClearPass with IntroSpect, and you notice that in Access Tracker the IntroSpectLogon Logoff actions profile is executing. However, the ClearPass Log Source on the IntroSpect Analyzeris showing dropped entries.Would this be a good troubleshooting step? (Confirm that the ClearPass context action is sending the Username, MAC Address, Entity Type, and User Role)
Question28: Would this be a proper correlation between entity and attack stage? (There is an alert for port scans by anentity, and you correlate that to a malware doing recon.)
Question29: Refer to the exhibit.An IntroSpect admin is configuring an Aruba IntroSpect Packet Processor to add Microsoft AD server as alog source for analyzing the AD server logs. Are these correct Format and Source options? (FormatStandard, and Source Type = Syslog.)
Question30: During a discovery at a large company, the customer asks if they can run IntroSpect on a segment of thenetwork and only monitor a small group of users and servers as a trial. As their IT staff becomes familiarwith the analytics, they want to expand the installation to the entire enterprise. Would this be a valid optionfor the customer? (The customer can deploy the analyzer at the first site and use whitelist/blacklistfunctions to contain the scope of the analytics to the smaller site.)
Question31: Refer to the exhibit.You have been assigned a task to monitor, analyze, and find those entities who are trying to accessinternal resources without having valid user credentials. You are creating an AD-based use case to look forthis activity. Could you use this entity type to accomplish this? (Dest IP.)
Question32: You are working on an IntroSpect Analyzer to fix an issue, and a restart is required after fixing the issue. Isthis the correct procedure to restart? (From the Analyzer Menu navigate to Configuration ->System->Cluster Start/Stop->Restart Cluster.)
Question33: Refer to the exhibit.Which alert is not supported by AD-based use case? (Privilege escalation.)
Question34: You are an administrator who made a few configuration changes in the IntroSpect Packet Processor, anda restart is required after those changes. Is this a valid method to restart the Packet Processor? (SSH intothe Packet Processor, and log in as "admin" and issue the command #> shutdown -s now.)
Question35: Would this be a proper correlation between entity and attack stage? (You see an alert for a user sendingDNS requests for TOR sites, and correlate this to data exfiltration.)
Question36: You have been asked to provide a Bill of Materials (BoM) for a mature small business with two sites. TheIT Director prefers all hardware to be on-premise but is open to cloud-based solution. In conversations withthe IT staff, you determine that the main site has approximately 550 network devices and 400 users. Allusers are in Active Directory. Eighty of the users use a Pulse Secure VPN to work remotely.The second site is a warehouse operation with approximately 40 users and another 10 users that usePulse Secure VPN. All wireless is using Aruba Networks Instant APs. There are Active Directory servers atboth sites. All logs are currently being gathered into Splunk. The team feels that they can properly monitorthe corporate site network with a single tap port on a central switch at the main office. There will be anetwork tap at the remote site.Is this a suggestion you would make to the customer? (The customer should install the Fixed ConfigurationAnalyzer in the data center to manage the tap and Splunk logs for the main site and a single PacketProcessor at the warehouse site.)
Question37: Refer to the exhibit.You are working with an IntroSpect Analyzer which is configured to monitor your network. You havenavigated to the “Config Subnets” page to verify whether the internal and external subnetsare configured properly. Is this a correct assessment of the screen? (The 10.100.120 subnet is incorrectlylisted as external.)
Question38: You were called into a customer site to do an evaluation of installing IntroSpect for a small business.During the discovery process, the customer asks you to explain when they would need to deploy a PacketProcessor. Does this explain the function of the Packet Processor? (The packet Processor helps if they areusing the analyzer deployed in the cloud by forwarding log data over HTTPS.)
Question39: While troubleshooting integration between ClearPass and IntroSpect, you notice that there are no logevents for either THROUGHPUT or ERROR in the ClearPass log source on the IntroSpect Analyzer. Youare planning your troubleshooting actions.Is this something you should check? (Check the authentication service being used in ClearPass for theLogin - Logout enforcement policy.)
Question40: Refer to the exhibit.You have been assigned a task to monitor, analyze, and find those entities who are trying to accessinternal resources without having valid user credentials. You are creating an AD-based use case to look forthis activity. Could you use this entity type to accomplish this? (Host name.)
Question41: You are one of the system administrators in your company, and you are assigned to monitor the IntroSpectsystem for alarms. Is this a correct statement about alarms? (A memory_full alarm will fire when there isless than 1 GB of free memory for more than thirty minutes.)
Question42: An administrator scheduled a maintenance window for upgrading an IntroSpect system. Is this a truestatement about upgrading the IntroSpect system? (All Packer Processors should be upgraded first, thenthe IntroSpect Analyzer should be upgraded.)
Question43: The company has a DMZ with an application server where customers can upload and access their productorders. The security admin wants to know how you configure IntroSpect to monitor this server. Should thisbe part of your plan? (Configure the server in the DMZ as a High Value Asset inMenu>Configuration>Analytics>Correlator Config>so that IntroSpect will monitor the server for accesspatterns.)
Question44: While looking in the IntroSpect Analyzer Conversations screen you see there are a large number of DNSsessions coming from one IP address on the data center network VLAN. Would this be a logical next step?(The device at the IP address could be infected with malware seeking Command and Control. You shouldaudit the device.)
Question45: You receive an email alert that a Packet Processor forwarding AMON data at a remote site to a cloud-based Analyzer has stopped communicating.Is this a valid step to try to fix the issue? (Log into the Packet Processor and check the Alerts page to makesure that the alert is still valid.)
Question46: While looking at the conversation page you notice some strange network behavior, such as DNS requestscoming inbound from external DNS servers. Could this be the reason why? (One of your PacketProcessors may be over subscribed and is dropping packets.)
Question47: Refer to the exhibit.You are monitoring a new virtual packet processor with a network tap. You run the command "cli statsSERVER_PRE | gre-a1 drop' and then return an hour later and run the same command, but notice there isa significant increase in the number dropped packets.Could this be a reason for the increase? (The Packet Processor may not be allocated the proper numberof CPUs allocated on the VM server for the size of the TAP.)
Question48: You need to deploy IntroSpect Analyzer in your existing network. You are planning to configure logs fromrdmultiple systems around your network. Can this 3 -party tool collect the logs and push them to Analyzer?(IBM QRadar SIEM will push logs to IntroSpect.)
Question49: Refer to the exhibit.Would this be a correct option when configuring a user account for a ClearPass to use to communicatewith IntroSpect? (The email address needs to match the username used in ClearPass.)
Question50: You are configuring a ClearPass Cluster to send endpoint context to an IntroSpect Analyzer for thewireless network. You want to test the setup after you have installed the XML file with the enforcementprofiles and actions. Can this method be used to test that the setup is functioning correctly?(Connect to the wireless network, and send a test authentication from a test device/user in the network.Observe the results in Access Tracker.)
Question51: You are an administrator who made a few configuration changes in the IntroSpect Packet Processor, anda restart is required after those changes. Is this a valid method to restart the Packet Processor? (Issue thecommand #>shutdown -r now from the CLI of the Packet Processor.)
Question52: Refer to the exhibit.You are monitoring network traffic and considering DNS flow patterns. Where is a good location to placethe Network Tap or Taps? (Location B will capture wired clients DNS requests while Location A willcapture wireless client DNS.)
Question53: A security analyst is monitoring the traffic which is accessing internal and external resources. They findabnormal activity, indicating communication between a compromised internal user(host) and internalinfrastructure, and found a suspicious malware activity. Is this a correct attack stage classification for thisactivity? (Exfiltration.)
Question54: A customer is asking you to explain the difference between a data breach and a data leak. Does thisexplain the difference? (In both cases, data has left your network for the outside. A data breach isexecuted by an outside attacker, while a data leak is executed either deliberately or accidentally by aninside actor.)
Question55: You are visiting a site configured with IntroSpect, and the on-site admin tells you that they do not think thatone of their database servers has fired any alerts for large download or strange access patterns. Could thisbe a reason? (The database server needs to be listed under Configuration>Analytics>User CorrelationConfig.)
Question56: Refer to the exhibit.You are logged into the IntroSpect and have navigated to the Alerts list. You are trying to filter the alerts toshow all malware alerts for users. Is this a correct search query? (alertcategory:malware* ANDusername:any)
Question57: An alert goes off for the internal DNS server, and while investigating the logs you notice that thehostnames in the queries are random alphanumeric characters. Is this a logical investigation step?(Contact the DNS admin and request that they enable root hints in the DNS server.)
Question58: You need to deploy IntroSpect Analyzer in your existing network. You are planning to configure logs fromrdmultiple systems around your network. Can this 3 -party tool collect the logs and push them to Analyzer?(Splunk Enterprise will allow push notifications.)
Question59: Refer to the exhibit.You are monitoring network traffic and considering DNS flow patterns. Where is a good location to placethe Network Tap or Taps? (Location C.)
Question60: You deploy IntroSpect Analyzer in your existing network. You want to monitor email for suspect malwareactivity. Would this action be supported by IntroSpect? (Deploy a supported DNP like Proofpoint EmailProtection, and integrate with The IntroSpect Analyzer.)