EMT Practice Test

1. Question Content...


Question List

Question1: Review this result after executing a query in the Process Search page, noting the circled black dot:

What is the meaning of the black dot shown under Tags?

Question2: A process is writing numerous interesting files that never actually execute.
Which rule type can the administrator define that will prevent reporting these file creations?

Question3: A Carbon Black Cloud Endpoint Standard analyst is testing different search operator combinations.
Which two queries produce the same result? (Choose two.)

Question4: How long will Live Queries in Carbon Black Audit and Remediation run before timing out?

Question5: A watchlist generates a false positive on the Triage Alerts page, so the watchlist must be updated.
How should this task be accomplished?

Question6: An analyst navigates to the alerts page in Endpoint Standard and sees the following:

What does the yellow color represent on the left side of the row?

Question7: An administrator has updated a Threat Intelligence Report by turning it into a watchlist and needs to disable (Ignore) the old Threat Intelligence Report.
Where in the UI is this action not possible to perform?

Question8: Review the following EDR query:
(parent_name:powershell.exe OR parent_name:cmd.exe) AND netconn_count:[l TO *] Which process would show in the query results?

Question9: An administrator is concerned that someone may be using unauthorized commands from cmd.exe. These commands are not considered suspicious or malicious, and there is no policy based around them.
Which page should the administrator use to find these commands?

Question10: An administrator is reviewing an alert about a known and required application in the environment. The application has been given the reputation of PUP, with the alert reason being that the PUP was detected. As a result, this application is matching policy blocking & isolation rules for PUPs in the environment and Is not behaving as expected.
Which step should the administrator take to remediate this situation?

Question11: An active compromise is detected on an endpoint. Due to current policies, the compromise was detected but not terminated.
What would be an appropriate action to end the current communication between the device and the attacker?

Question12: Given the following query:
SELECT hostname, cpu_type, cpu_brand, cpu_physical_cores, cpu_logical_cores, cpu_microcode, (1.0 * physical_memory / (1000*1000*1000)) AS physical_mem_gb, hardware_vendor, hardware_model, hardware_version, hardware_serial FROM system_info; Which statement Is correct?

Question13: Which statement filters data to only return rows where the publisher of the software includes VMware anywhere in the name?

Question14: An analyst is investigating an alert within Enterprise EDR. The alert is tied to an unusual process name. When navigating to the binary details page, for the binary used in the alert, the analyst sees the following:

The analyst wants to find any instances of this process executing regardless of the process name used.
Which two details from the binary can be used to search for the application regardless of the seen name?
(Choose two.)

Question15: Which actions are available for Permissions?

Question16: Why would a sensor have a status of "Inactive"?

Question17: An analyst has investigated multiple alerts on a number of HR workstations and found that java.exe is attempting to PowerShell. Of the Windows workstations in question, the analyst has also found that Java is installed in multiple locations. The analyst needs to block java.exe from this type of operation.
Which rule meets this need?

Question18: Which enforcement level does not block unapproved files but will block files that have been specifically banned?

Question19: Refer to the exhibit, noting the circled red dot:

What is the meaning of the red dot under Hits in the Process Search page?

Question20: An administrator has configured a policy to run a standard background scan.
How long does this one-time scan take to complete on endpoints assigned to that policy?