EMT Practice Test

1. Question Content...


Question List

Question1: When the automated system backup is configured to include events, flows and log data, the first backup will capture all events, flows and logs

Question2: If the maximum size for the Policy Change History log is reached, which of the following happens to new entries?

Question3: The historical ACE function allows the user to perform retrospective correlations on older data. In which of the following devices is the data located that the historical correlation engine uses?

Question4: If there is no firewall at the border of the network, which of the following could be used to simulate the protection a firewall provides?

Question5: The analyst has created a correlation rule to correlate events from Anti-Virus (AV), Network Intrusion Prevention (NIPS) and the firewall. While reviewing just firewall events, the analyst notices a large spike in outbound Command and Control traffic; however, the correlation rule is not triggering. The analyst then looks at the Network IPS and the Anti-Virus views and notices there are no alerts for this traffic. Which of the following features of NIPS and AV are most likely turned off?

Question6: Analysts can effectively use the McAfee SIEM to identify threats by

Question7: One or more storage allocations, which together specify a total amount of storage, coupled with a data retention time that specifies the maximum number of days a log is to be stored, is known as a

Question8: McAfee's SIEM provides awareness of illicit behavior across multiple internal systems via

Question9: The McAfee SIEM solution satisfies which of the following compliance requirements?

Question10: Which of the following is the minimum amount of disk space required to install the McAfee Enterprise Security Manager (ESM) as a virtual machine?

Question11: Malware performing a network enumeration scan will be visible at the McAfee SIEM as

Question12: Which of the following are the three compression ratios available for raw logs being handled by the ELM?

Question13: What Firewall component is natively used by the McAfee SIEM appliances to protect the appliances from unauthorized communications?

Question14: Which of the following operations is NOT an available selection when using Multi-Device Management?

Question15: The McAfee Advanced Correlation Engine (ACE) can be deployed in one of two modes which are

Question16: Which of the following is the minimum number of CPUs required to build a virtual image Enterprise Security Manager (ESM)?

Question17: The McAfee Enterprise Log Manager (ELM) offers three levels of compression (Low, Medium, and High).
By default, the ELM compression level is set to Low. Which of the following is the compression ratio for the Medium level?

Question18: When writing custom correlation rules, the analyst should focus on

Question19: When viewing the Policy Tree, what four columns are displayed within the Rules Display pane?

Question20: How often does the configuration and policy data from the primary Enterprise Security Manager (ESM) get synchronized with the redundant ESM?

Question21: Which of the following is the name of the Dashboard View that shows correlated events for the selected Data Source?

Question22: To correlate known vulnerabilities to devices that are currently exposed to such vulnerabilities, which of the following must be selected on the Receiver?

Question23: Which of the following is the Primary function of the Event Receiver (ERC) in relation to the Enterprise Security Manager (ESM)?

Question24: Which of the following two appliances contain Event databases?

Question25: A backup of the ELM management database captures

Question26: On the McAfee enterprise Security Manager (ESM), the default data Retention setting specifies that Event and Flow data should be maintained for

Question27: If the SIEM Administrator deploys the Enterprise Security Manager (ESM) using the Federal Information Processing Standards (FIPS) encryption mode, which of the following types of user authentication will NOT be compliant with FIPS?

Question28: By default, the McAfee Enterprise Security Manager (ESM) communicates with the McAfee Event Receiver (ERC) and McAfee Enterprise Log Manager (ELM) over port

Question29: The security Analyst notices that there has been a large spike for Secure Shell (SSH) drops in the Network Intrusion Prevention System (NIPS). What other perimeter device will add more insight into what is happening?

Question30: While investigating beaconing Malware, an analyst can narrow the search quickly by using which of the following watchlists in the McAfee SIEM?

Question31: Which of the following is the default port used to communicate between McAfee SIEM devices?

Question32: Where can the ESM event database archive inactive partitions?

Question33: The fundamental purpose of the Receiver Correlation Subsystem (RCS) is

Question34: Which of the following are the three default users defined within the Users and Groups option in the ESM properties?

Question35: Alarms using field match as the condition type allow for selected Actions to be taken when the Alarm condition is met. Which of the following McAfee ePolicy Orchestrator (ePO) Actions can be selected when creating such Alarm?

Question36: The Database Event Monitor (DEM) appliance prevents disclosure of Personally Identifiable Information (PII) by employing which of the following features to those types of information?

Question37: A SIEM can be effectively used to identify active threats from internal systems by monitoring/correlating events that occur

Question38: Reports can be created by selecting the ESM System Properties window, the Reports Icon in the top right of the ESM screen or by which of the following other methods within Alarm Creation?

Question39: Internet perimeter firewall data-sources provide excellent visibility into

Question40: In the context of McAfee SIEM, the local protected network address space is a variable referred to as

Question41: Which of the following are the Boolean logic functions that can be used to create Correlation Rules?

Question42: Be default, events in McAfee SIEM are aggregated on which of the following three fields?

Question43: Zones allow a user to group devices and the events they generate by

Question44: A SIEM allows an organization the ability to correlate seemingly disparate streams of traffic into a central console for analysis. This correlation, in many cases, can point out activities that might otherwise go undetected. This type of detection is also known as

Question45: The normalization value assigned to each data-source event allows

Question46: An organization notices an increasing number of ESM concurrent connection events. To mitigate risks related to concurrent sessions which action should the organization take?

Question47: A security administrator is configuring the Enterprise Security Manager (ESM) to comply with corporate security policy and wishes to restrict access to the ESM to certain users and machines. Which of the following actions would accomplish this?

Question48: The Global Blacklist feature can be used to block specific traffic from which of the following devices?

Question49: Which of the following statements about Client Data Sources is TRUE?

Question50: The McAfee SIEM baselines daily events over

Question51: When a Correlation Rule successfully triggers, this occurs at the

Question52: The ESM database is unavailable for use during

Question53: The McAfee Enterprise Security Manager (ESM) system clock is set to

Question54: Which of the following ports is the correct choice for use when configuring the database properties of a McAfee Network Security Platform (NSP) Device Data Source?

Question55: Which authentication methods can be configured to control alarm management privileges?

Question56: Flow Aggregation is based on which of the following?

Question57: With regard to Data Source configuration and event collection what does the acronym CEF stand for?

Question58: The primary function of the Application Data Monitor (ADM) appliance is to decode traffic at layer

Question59: Which of the following features of the Enterprise Log Manager (ELM) can alert the user if any data has been modified?

Question60: The ESM supports five Authentication methods. The default login option uses the standard Username and Password format. Which of the following are the other four methods available?

Question61: In the Default Summary view on the Enterprise Security manager (ESM), which of the following panels shows the baseline averages?

Question62: When displaying baseline averages using the automatic time range option, baseline data is correlated by using the same time period that is being used for the current query for which of the following past number of intervals?

Question63: A McAfee Event Receiver (ERC) will allow for how many Correlation Data Sources to be configured?

Question64: The possibility of both data source Network Interface Cards (NICs) using the shared IP and MAC address at the same time is eliminated by using which of the following?

Question65: When preparing to apply a patch to the Enterprise Security Manager (ESM) and completing the ESM checklist, the command cat/proc/mdstat has been issued to determine RAID functionally. The system returns an active drive result identified as [U_]. What action should be taken?

Question66: Which of the following security technologies sits inline on the network and prevents attacks based on signatures and behavioral analysis that can be configured as a data source within the SIEM?

Question67: Event Aggregation is performed on which of the following fields?

Question68: The configuration of a receiver has recently been modified and issues occur. Which command will collect historical data?

Question69: Checkpoint firewalls provide logs to the McAfee SIEM Receiver in which of the following formats?

Question70: Which options within the Receiver properties should be selected to configure the device to respond to ICMP echo requests?