EMT Practice Test

1. Question Content...


Question List

Question1: A McAfee Event Receiver (ERC) will allow for how many Correlation Data Sources to be configured?

Question2: McAfee's SIEM provides awareness of illicit behavior across multiple internal systems via

Question3: Which of the following is the minimum number of CPUs required to build a virtual image Enterprise
Security Manager (ESM)?

Question4: Which of the following features of the Enterprise Log Manager (ELM) can alert the user if any data has
been modified?

Question5: If there is no firewall at the border of the network, which of the following could be used to simulate the
protection a firewall provides?

Question6: Alarms using field match as the condition type allow for selected Actions to be taken when the Alarm
condition is met. Which of the following McAfee ePolicy Orchestrator (ePO) Actions can be selected when
creating such Alarm?

Question7: The security Analyst notices that there has been a large spike for Secure Shell (SSH) drops in the Network
Intrusion Prevention System (NIPS). What other perimeter device will add more insight into what is
happening?

Question8: When the automated system backup is configured to include events, flows and log data, the first backup
will capture all events, flows and logs

Question9: Reports can be created by selecting the ESM System Properties window, the Reports Icon in the top right
of the ESM screen or by which of the following other methods within Alarm Creation?

Question10: Zones allow a user to group devices and the events they generate by

Question11: By default, the McAfee Enterprise Security Manager (ESM) communicates with the McAfee Event
Receiver (ERC) and McAfee Enterprise Log Manager (ELM) over port

Question12: Which of the following are the three default users defined within the Users and Groups option in the ESM
properties?

Question13: Which of the following is the Primary function of the Event Receiver (ERC) in relation to the Enterprise
Security Manager (ESM)?

Question14: While investigating beaconing Malware, an analyst can narrow the search quickly by using which of the
following watchlists in the McAfee SIEM?

Question15: The possibility of both data source Network Interface Cards (NICs) using the shared IP and MAC address
at the same time is eliminated by using which of the following?

Question16: When a Correlation Rule successfully triggers, this occurs at the

Question17: How often does the configuration and policy data from the primary Enterprise Security Manager (ESM) get
synchronized with the redundant ESM?

Question18: The McAfee SIEM baselines daily events over

Question19: An organization notices an increasing number of ESM concurrent connection events. To mitigate risks
related to concurrent sessions which action should the organization take?

Question20: When displaying baseline averages using the automatic time range option, baseline data is correlated by
using the same time period that is being used for the current query for which of the following past number
of intervals?

Question21: The configuration of a receiver has recently been modified and issues occur. Which command will collect
historical data?

Question22: The McAfee SIEM solution satisfies which of the following compliance requirements?

Question23: A SIEM can be effectively used to identify active threats from internal systems by monitoring/correlating
events that occur

Question24: Analysts can effectively use the McAfee SIEM to identify threats by

Question25: The primary function of the Application Data Monitor (ADM) appliance is to decode traffic at layer

Question26: Which of the following is the minimum amount of disk space required to install the McAfee Enterprise
Security Manager (ESM) as a virtual machine?

Question27: In the context of McAfee SIEM, the local protected network address space is a variable referred to as

Question28: The fundamental purpose of the Receiver Correlation Subsystem (RCS) is

Question29: The ESM database is unavailable for use during

Question30: The McAfee Enterprise Security Manager (ESM) system clock is set to

Question31: The McAfee Enterprise Log Manager (ELM) offers three levels of compression (Low, Medium, and High).
By default, the ELM compression level is set to Low. Which of the following is the compression ratio for the
Medium level?

Question32: The historical ACE function allows the user to perform retrospective correlations on older data. In which of
the following devices is the data located that the historical correlation engine uses?

Question33: If the SIEM Administrator deploys the Enterprise Security Manager (ESM) using the Federal Information
Processing Standards (FIPS) encryption mode, which of the following types of user authentication will
NOT be compliant with FIPS?

Question34: Malware performing a network enumeration scan will be visible at the McAfee SIEM as

Question35: Which of the following are the Boolean logic functions that can be used to create Correlation Rules?

Question36: To correlate known vulnerabilities to devices that are currently exposed to such vulnerabilities, which of the
following must be selected on the Receiver?

Question37: The normalization value assigned to each data-source event allows

Question38: Which of the following is the default port used to communicate between McAfee SIEM devices?

Question39: Which of the following are the three compression ratios available for raw logs being handled by the ELM?

Question40: Which options within the Receiver properties should be selected to configure the device to respond to
ICMP echo requests?

Question41: A security administrator is configuring the Enterprise Security Manager (ESM) to comply with corporate
security policy and wishes to restrict access to the ESM to certain users and machines. Which of the
following actions would accomplish this?

Question42: The analyst has created a correlation rule to correlate events from Anti-Virus (AV), Network Intrusion
Prevention (NIPS) and the firewall. While reviewing just firewall events, the analyst notices a large spike in
outbound Command and Control traffic; however, the correlation rule is not triggering. The analyst then
looks at the Network IPS and the Anti-Virus views and notices there are no alerts for this traffic. Which of
the following features of NIPS and AV are most likely turned off?

Question43: When writing custom correlation rules, the analyst should focus on