EMT Practice Test

1. Question Content...


Question List

Question1: Your company has found some suspicious conversations for some internal users. The security team
suspects those users are communicating with entities in other countries. You have been assigned the task
of identifying those users who are either uploading or downloading files from servers in other countries. Is
this the best way to visualize conversations of suspected users in this scenario? (Visualizing conversation
graphs.)

Question2: A network administrator is looking for an option to set the maximum data retention period to 180 days in
the IntroSpect Analyzer. Is this a correct statement about data retention in IntroSpect? (The default data
retention period is set at 30 days, and this cannot be changed.)

Question3: You are looking in the conversation page on the IntroSpect Analyzer. Is this a valid method for determining
which source the conversation data come from? (Click on the different options under Applications to filter
for application types like DNS and HTTP.)

Question4: You receive an email alert that a Packet Processor forwarding AMON data at a remote site to a cloud-
based Analyzer has stopped communicating.
Is this a valid step to try to fix the issue? (Contact the firewall administrator from the site and see if any
rules have changed that may be blocking TCP port 389.)

Question5: While investigating alerts in the Analyzer you notice a host desktop with a low risk score has been sending
regular emails from an internal account to the same external account. Upon investigation you see that the
emails all have attachments. Would this be correct assessment of the situation? (Your next step should be
to find what user account logs into this desktop, and look at activity of their devices this user has access
to.)

Question6: You are a security analyst for a company where an Aruba infrastructure, such as Controllers, ClearPass,
and Airwave, has been deployed. The company has recently deployed Aruba IntroSpect for security
analytics. You are trying to understand the functionality of three components: Analyzer, Compute Node
(CN), and Packet Processor of the IntroSpect system. Is this a good description of the functions of the
Analyzer Node in the system? (The Analyzer Node is the center of the system, providing all of the control
and interface to the other components.)

Question7: While troubleshooting integration between ClearPass and IntroSpect, you notice that there are no log
events for either THROUGHPUT or ERROR in the ClearPass log source on the IntroSpect Analyzer. You
are planning your troubleshooting actions.
Is this something you should check? (Under Cluster-Wide Parameters on the ClearPass Publisher, make
sure Post-Auth v2 is enabled.)

Question8: A customer with approximately 200 users in Active Directory, is running Aruba Mobility Controllers, Palo
Alto firewalls, and Pulse Secure VPN and InfoBlox DNS on their network. They would like to implement the
2RU Fixed Configuration Analyzer Standard Edition.
Would this be a good response to the customer? (The 2RU Fixed Configuration Analyzer should work for
this smaller customer. However, they will need the Advanced Edition to monitor the DNS server.)

Question9: You are a system admin with a company where Aruba infrastructure, such as Controllers, ClearPass, and
Airwave, have been deployed. The company has integrated an Aruba Introspect 2-RU appliance in the
Network Infrastructure. Recently, you are seeing overload issues with the IntroSpect system. So, you want
to add five more Compute Nodes to meet the requirements.
Is this a correct solution for adding more Compute Nodes? (With a 2-RU system, you can add a maximum
4 Compute Nodes.)

Question10: The company has a DMZ with an application server where customers can upload and access their product
orders. The security admin wants to know how you configure IntroSpect to monitor this server. Should this
be part of your plan? (List the IP subnet of the DMZ as "External" under the Main Menu > Analytics>Global
Config>so that alerts for the server will show up as IN-to-OUT traffic.)

Question11: You are a system admin with a company where Aruba infrastructure, such as Controllers, ClearPass, and
Airwave, have been deployed. The company has integrated an Aruba Introspect 2-RU appliance in the
Network Infrastructure. Recently, you are seeing overload issues with the IntroSpect system. So, you want
to add five more Compute Nodes to meet the requirements.
Is this a correct solution for adding more Compute Nodes? (2-RU is a single appliance that does not scale,
and you cannot add any more Compute Nodes to it.)

Question12: You are planning to configure ClearPass to send endpoint context to IntroSpect. You need to create a
checklist of functions that must be enabled in ClearPass to support this. Is this an option that is required?
(Time Source Now as part of the authorization in the service.)

Question13: While investigating alerts you notice an entity has triggered a peer alert for visiting recruiting websites. Two
days later the same user accessed the office for the first time in the late evening. You also noticed that
they downloaded more data than their peers through the VPN session. Based on these conditions, is this a
possible cause? (The user's account could have been compromised and is now being used by an attacker
to exfiltrate company information.)

Question14: You were called into a customer site to do an evaluation of installing IntroSpect for a small business.
During the discovery process, the customer asks you to explain when they would need to deploy a Packet
Processor. Does this explain the function of the Packet Processor? (They always need the Packet
Processor to process AMON data from the Aruba Networks Mobility Controller.)

Question15: You are planning to configure ClearPass to send endpoint context to IntroSpect. You need to create a
checklist of functions that must be enabled in ClearPass to support this. Is this an option that is required?
(System Monitor Service.)

Question16: An IntroSpect installation has been up for a day. While validating the log sources, you see an Aruba
Firewall log source configured on a Packet Processor that has shown up on the interface in the analyzer.
While evaluating conversation data you notice there is no eflow data from AMON. You log into the
controller and confirm there is user activity in the dashboard. Would this be a correct statement about this
situation? (The log source on the Packet Processor may not be pointed to the analyzer IP address.)

Question17: In a meeting with a customer that runs a fully automated manufacturing facility that is connected to the
business and corporate offices, the operations manager asks why they need IntroSpect to monitor the
manufacturing network. Is this a reason they should monitor the manufacturing network security?
(Because the controllers and sensors do not store customer data or corporate intellectual property, even if
the automation network was to be breached it would not expose anything valuable.)

Question18: While investigating alerts you notice a user entity has triggered a historical alert for Large Internal Data
Download. While investigating the alert, you notice that the download came from a different device than
normal for the user. Based on these conditions, is this a possible cause? (This is a classic user account
take over pattern.)

Question19: An admin is evaluating entity activity alerts for large internal downloads, excessive host access, accessing
hosts with SSH, and host and port scans. Is this a correct reason for these types of alerts? (an attacker
conducting reconnaissance on the network.)

Question20: While looking at the conversations page you notice one user account logging into a number of servers on a
regular basis. Is this information that you can draw from this activity? (This could be a service account and
should be excluded from correlating Logon events with devices, or every device it logs into will be credited
to it as the owner.)

Question21: You are one of the system administrators in your company, and you are assigned to monitor the IntroSpect
system for alarms. Is this a correct statement about alarms? (The alarm bell icon on the header bar
indicates active alarms, and clicking on it will take you to the Alerts>page.)

Question22: You have been asked to provide a Bill of Materials (BoM) for a mature small business with two sites. The
IT Director prefers all hardware to be on-premise but is open to cloud-based solution. In conversations with
the IT staff, you determine that the main site has approximately 550 network devices and 400 users. All
users are in Active Directory. Eighty of the users use a Pulse Secure VPN to work remotely.
The second site is a warehouse operation with approximately 40 users and another 10 users that use
Pulse Secure VPN. All wireless is using Aruba Networks Instant APs. There are Active Directory servers at
both sites. All logs are currently being gathered into Splunk. The team feels that they can properly monitor
the corporate site network with a single tap port on a central switch at the main office. There will be a
network tap at the remote site.
Is this a suggestion you would make to the customer? (The customer should install the Fixed Configuration
Analyzer at the main site, along with a Packet Processor in the data center and a single Packet Processor
at the warehouse site.)

Question23: Refer to the exhibit.

You are a security analyst for a company that has deployed an Aruba infrastructure, such as Mobility
Controllers, ClearPass, and Airwave. Recently they have deployed Aruba IntroSpect for security analytics.
You are looking at the conversation details of an entity. Is this statement correct about the details
highlighted? (These details came from the ClearPass server and it has been integrated as a context server
in the IntroSpect.)

Question24: Refer to the exhibit.

Would this be a correct option when configuring a user account for a ClearPass to use to communicate
with IntroSpect? (The username and email address must match.)

Question25: You are deploying a new IntroSpect Packet Processor in your data center. It is not communicating with the
analyzer in the same data center. You think that you have entered the host name of the analyzer
incorrectly while bootstrapping the packet processor. Would this be a logical next step? (Just restart the
system by executing "shutdown -r now" command during the reboot; when prompted, select the option for
"reset processor".)

Question26: While discussing network security with an associate, the associate asks why a company would need
internal monitoring when they have firewalls and Wireless Intrusion Protection configured. Is this an
appropriate response? (You point out that while these security measures are required, there are other
attack vectors in a network that are simply not protected by these.)

Question27: You are troubleshooting ClearPass with IntroSpect, and you notice that in Access Tracker the IntroSpect
Logon Logoff actions profile is executing. However, the ClearPass Log Source on the IntroSpect Analyzer
is showing dropped entries.
Would this be a good troubleshooting step? (Confirm that the ClearPass context action is sending the User
name, MAC Address, Entity Type, and User Role)

Question28: Would this be a proper correlation between entity and attack stage? (There is an alert for port scans by an
entity, and you correlate that to a malware doing recon.)

Question29: Refer to the exhibit.

An IntroSpect admin is configuring an Aruba IntroSpect Packet Processor to add Microsoft AD server as a
log source for analyzing the AD server logs. Are these correct Format and Source options? (Format
Standard, and Source Type = Syslog.)

Question30: During a discovery at a large company, the customer asks if they can run IntroSpect on a segment of the
network and only monitor a small group of users and servers as a trial. As their IT staff becomes familiar
with the analytics, they want to expand the installation to the entire enterprise. Would this be a valid option
for the customer? (The customer can deploy the analyzer at the first site and use whitelist/blacklist
functions to contain the scope of the analytics to the smaller site.)

Question31: Refer to the exhibit.

You have been assigned a task to monitor, analyze, and find those entities who are trying to access
internal resources without having valid user credentials. You are creating an AD-based use case to look for
this activity. Could you use this entity type to accomplish this? (Dest IP.)

Question32: You are working on an IntroSpect Analyzer to fix an issue, and a restart is required after fixing the issue. Is
this the correct procedure to restart? (From the Analyzer Menu navigate to Configuration ->System-
>Cluster Start/Stop->Restart Cluster.)

Question33: Refer to the exhibit.

Which alert is not supported by AD-based use case? (Privilege escalation.)

Question34: You are an administrator who made a few configuration changes in the IntroSpect Packet Processor, and
a restart is required after those changes. Is this a valid method to restart the Packet Processor? (SSH into
the Packet Processor, and log in as "admin" and issue the command #> shutdown -s now.)

Question35: Would this be a proper correlation between entity and attack stage? (You see an alert for a user sending
DNS requests for TOR sites, and correlate this to data exfiltration.)

Question36: You have been asked to provide a Bill of Materials (BoM) for a mature small business with two sites. The
IT Director prefers all hardware to be on-premise but is open to cloud-based solution. In conversations with
the IT staff, you determine that the main site has approximately 550 network devices and 400 users. All
users are in Active Directory. Eighty of the users use a Pulse Secure VPN to work remotely.
The second site is a warehouse operation with approximately 40 users and another 10 users that use
Pulse Secure VPN. All wireless is using Aruba Networks Instant APs. There are Active Directory servers at
both sites. All logs are currently being gathered into Splunk. The team feels that they can properly monitor
the corporate site network with a single tap port on a central switch at the main office. There will be a
network tap at the remote site.
Is this a suggestion you would make to the customer? (The customer should install the Fixed Configuration
Analyzer in the data center to manage the tap and Splunk logs for the main site and a single Packet
Processor at the warehouse site.)

Question37: Refer to the exhibit.

You are working with an IntroSpect Analyzer which is configured to monitor your network. You have
navigated to the “Config Subnets” page to verify whether the internal and external subnets
are configured properly. Is this a correct assessment of the screen? (The 10.100.120 subnet is incorrectly
listed as external.)

Question38: You were called into a customer site to do an evaluation of installing IntroSpect for a small business.
During the discovery process, the customer asks you to explain when they would need to deploy a Packet
Processor. Does this explain the function of the Packet Processor? (The packet Processor helps if they are
using the analyzer deployed in the cloud by forwarding log data over HTTPS.)

Question39: While troubleshooting integration between ClearPass and IntroSpect, you notice that there are no log
events for either THROUGHPUT or ERROR in the ClearPass log source on the IntroSpect Analyzer. You
are planning your troubleshooting actions.
Is this something you should check? (Check the authentication service being used in ClearPass for the
Login - Logout enforcement policy.)

Question40: Refer to the exhibit.

You have been assigned a task to monitor, analyze, and find those entities who are trying to access
internal resources without having valid user credentials. You are creating an AD-based use case to look for
this activity. Could you use this entity type to accomplish this? (Host name.)

Question41: You are one of the system administrators in your company, and you are assigned to monitor the IntroSpect
system for alarms. Is this a correct statement about alarms? (A memory_full alarm will fire when there is
less than 1 GB of free memory for more than thirty minutes.)

Question42: An administrator scheduled a maintenance window for upgrading an IntroSpect system. Is this a true
statement about upgrading the IntroSpect system? (All Packer Processors should be upgraded first, then
the IntroSpect Analyzer should be upgraded.)

Question43: The company has a DMZ with an application server where customers can upload and access their product
orders. The security admin wants to know how you configure IntroSpect to monitor this server. Should this
be part of your plan? (Configure the server in the DMZ as a High Value Asset in
Menu>Configuration>Analytics>Correlator Config>so that IntroSpect will monitor the server for access
patterns.)

Question44: While looking in the IntroSpect Analyzer Conversations screen you see there are a large number of DNS
sessions coming from one IP address on the data center network VLAN. Would this be a logical next step?
(The device at the IP address could be infected with malware seeking Command and Control. You should
audit the device.)

Question45: You receive an email alert that a Packet Processor forwarding AMON data at a remote site to a cloud-
based Analyzer has stopped communicating.
Is this a valid step to try to fix the issue? (Log into the Packet Processor and check the Alerts page to make
sure that the alert is still valid.)

Question46: While looking at the conversation page you notice some strange network behavior, such as DNS requests
coming inbound from external DNS servers. Could this be the reason why? (One of your Packet
Processors may be over subscribed and is dropping packets.)

Question47: Refer to the exhibit.

You are monitoring a new virtual packet processor with a network tap. You run the command "cli stats
SERVER_PRE | gre-a1 drop' and then return an hour later and run the same command, but notice there is
a significant increase in the number dropped packets.
Could this be a reason for the increase? (The Packet Processor may not be allocated the proper number
of CPUs allocated on the VM server for the size of the TAP.)

Question48: You need to deploy IntroSpect Analyzer in your existing network. You are planning to configure logs from
rd
multiple systems around your network. Can this 3 -party tool collect the logs and push them to Analyzer?
(IBM QRadar SIEM will push logs to IntroSpect.)

Question49: Refer to the exhibit.

Would this be a correct option when configuring a user account for a ClearPass to use to communicate
with IntroSpect? (The email address needs to match the username used in ClearPass.)

Question50: You are configuring a ClearPass Cluster to send endpoint context to an IntroSpect Analyzer for the
wireless network. You want to test the setup after you have installed the XML file with the enforcement
profiles and actions. Can this method be used to test that the setup is functioning correctly?
(Connect to the wireless network, and send a test authentication from a test device/user in the network.
Observe the results in Access Tracker.)

Question51: You are an administrator who made a few configuration changes in the IntroSpect Packet Processor, and
a restart is required after those changes. Is this a valid method to restart the Packet Processor? (Issue the
command #>shutdown -r now from the CLI of the Packet Processor.)

Question52: Refer to the exhibit.

You are monitoring network traffic and considering DNS flow patterns. Where is a good location to place
the Network Tap or Taps? (Location B will capture wired clients DNS requests while Location A will
capture wireless client DNS.)

Question53: A security analyst is monitoring the traffic which is accessing internal and external resources. They find
abnormal activity, indicating communication between a compromised internal user(host) and internal
infrastructure, and found a suspicious malware activity. Is this a correct attack stage classification for this
activity? (Exfiltration.)

Question54: A customer is asking you to explain the difference between a data breach and a data leak. Does this
explain the difference? (In both cases, data has left your network for the outside. A data breach is
executed by an outside attacker, while a data leak is executed either deliberately or accidentally by an
inside actor.)

Question55: You are visiting a site configured with IntroSpect, and the on-site admin tells you that they do not think that
one of their database servers has fired any alerts for large download or strange access patterns. Could this
be a reason? (The database server needs to be listed under Configuration>Analytics>User Correlation
Config.)

Question56: Refer to the exhibit.

You are logged into the IntroSpect and have navigated to the Alerts list. You are trying to filter the alerts to
show all malware alerts for users. Is this a correct search query? (alertcategory:malware* AND
username:any)

Question57: An alert goes off for the internal DNS server, and while investigating the logs you notice that the
hostnames in the queries are random alphanumeric characters. Is this a logical investigation step?
(Contact the DNS admin and request that they enable root hints in the DNS server.)

Question58: You need to deploy IntroSpect Analyzer in your existing network. You are planning to configure logs from
rd
multiple systems around your network. Can this 3 -party tool collect the logs and push them to Analyzer?
(Splunk Enterprise will allow push notifications.)

Question59: Refer to the exhibit.

You are monitoring network traffic and considering DNS flow patterns. Where is a good location to place
the Network Tap or Taps? (Location C.)

Question60: You deploy IntroSpect Analyzer in your existing network. You want to monitor email for suspect malware
activity. Would this action be supported by IntroSpect? (Deploy a supported DNP like Proofpoint Email
Protection, and integrate with The IntroSpect Analyzer.)