EMT Practice Test

1. Question Content...


Question List

Question1: Given the following query:
SELECT * FROM users WHERE UID >= 500;
Which statement is correct?

Question2: An analyst is reviewing an alert in Enterprise EDR from a custom watchlist. The analyst disagrees with the alert severity rating.
How can the analyst change the alert severity value, if this is possible?

Question3: An administrator needs to check configurations using Audit across several policies and locations within the organization.
How can the administrator run the query to only these specific devices?

Question4: Which value should an administrator use when reviewing an alert to determine the file reputation at the time the event occurred?

Question5: An administrator wants to find instances where the binary Is unsigned.
Which term will accomplish this search?

Question6: Review this result after executing a query in the Process Search page, noting the circled black dot:

What is the meaning of the black dot shown under Tags?

Question7: An Endpoint Standard administrator is working with an IT team to explicitly permit specific applications from the environment using both the IT Tools and Certs Approved List features.
Once applied, which reputation would these applications be classified under for processing?

Question8: What is the maximum number of binaries (hashes) that can be banned using the web console?

Question9: What does the Aggressive setting do when configured in Local Scan Settings?

Question10: Which identifier is shared by all events when an alert is investigated?

Question11: An analyst wants to block an application's specific behavior but does not want to kill the process entirely as it is heavily used on workstations. The analyst needs to use a Blocking and Isolation Action to ensure that the process is kept alive while blocking further unwanted activity.
Which Blocking and Isolation Action should the analyst use to accomplish this goal?

Question12: An administrator is reviewing an alert about a known and required application in the environment. The application has been given the reputation of PUP, with the alert reason being that the PUP was detected. As a result, this application is matching policy blocking & isolation rules for PUPs in the environment and Is not behaving as expected.
Which step should the administrator take to remediate this situation?

Question13: A process has created a number of interesting (executable) files in one sequence.
In addition to the event Subtype 'New Unapproved File to Computer', what other event subtype is likely to be associated with this sequence?

Question14: An administrator wants to query the status of the firewall for all endpoints. The administrator will query the registry key found here HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy
\StandardProfile.
To make the results easier to understand, the administrator wants to return either enabled or disabled for the results, rather than the value from the registry key.
Which SQL statement will rewrite the output based on a specific result set returned from the system?

Question15: An Enterprise EDR administrator sees the process in the graphic on the Investigate page but does not see an alert for this process:

How can the administrator generate an alert for future hits against this watchlist?

Question16: An administrator wants to allow files to run from a network share.
Which rule type should the administrator configure?

Question17: Level 3 service desk personnel have been approved to modify computer enforcement levels by security governance.
Which set of steps is required to implement this change?

Question18: Refer to the exhibit, noting the circled red dot:

What is the meaning of the red dot under Hits in the Process Search page?

Question19: An administrator ran the following query.
SELECT name, VERSION, install_location, install_source, publisher, install_date, uninstall_string FROM programs WHERE publisher = "Microsoft Corporation"; The administrator notices a lot of installed programs are not returned.
How can the administrator alter the query to see all results?

Question20: An administrator has updated a Threat Intelligence Report by turning it into a watchlist and needs to disable (Ignore) the old Threat Intelligence Report.
Where in the UI is this action not possible to perform?

Question21: Which statement filters data to only return rows where the publisher of the software includes VMware anywhere in the name?

Question22: When dismissing alerts, when should an administrator select "If alert occurs in the future, automatically dismiss it from all devices"?

Question23: An Enterprise EDR administrator wants to use Watchlists curated by VMware Carbon Black and other threat intelligence specialists.
How should the administrator add these curated Watchlists from the Watchlists page?

Question24: An administrator uses the following Enterprise EDR search query to show web browsers spawning nonbrowser child processes that connect over the network:
(parent_name:chrome.exe OR parent_name:iexplore.exe OR parent_name:firefox.exe) AND (NOT process_name:chrome.exe OR NOT process_name:iexplore.exe OR NOT process_name:firefox.exe) Which field can be added to this query to filter the results by signature status?

Question25: An Enterprise EDR administrator has created a custom Watchlist and wants to add a custom query to a report in the custom Watchlist.
From which page can the administrator add this custom query?

Question26: Which statement is true when searching through the EDR server UI?

Question27: Why would a sensor have a status of "Inactive"?

Question28: An analyst on the security team noticed that several alerts are false positives within Enterprise EDR. The analyst disables the IOC within the report from those alerts.
Which statement correctly explains what disabling the IOC will accomplish?

Question29: Which action is only available for the "Performs any operation" and "Performs any API Operation" operation attempts?

Question30: A watchlist generates a false positive on the Triage Alerts page, so the watchlist must be updated.
How should this task be accomplished?

Question31: An active compromise is detected on an endpoint. Due to current policies, the compromise was detected but not terminated.
What would be an appropriate action to end the current communication between the device and the attacker?

Question32: An administrator is creating a query per policy for Audit and Remediation. The administrator ran several recommended queries already but notices they are unable to run the same recommended query for one of their policies. The run button is grayed out.
Which statement correctly explains why the run button is unavailable?

Question33: An analyst is investigating an alert within Enterprise EDR. The alert is tied to an unusual process name. When navigating to the binary details page, for the binary used in the alert, the analyst sees the following:

The analyst wants to find any instances of this process executing regardless of the process name used.
Which two details from the binary can be used to search for the application regardless of the seen name? (Choose two.)

Question34: Given an event rule: Approve nVidia Drivers, changes the local state to Approved for file writes or execution blocks when the publisher is NVIDIA Corporation.
How is an alert created that is triggered whenever an nVidia driver is approved by the event rule?

Question35: A Carbon Black Cloud analyst needs to identify the Internet Explorer extensions installed on Windows endpoints.
Which Live Query statement will successfully query these items?

Question36: There is a need to ignore all activity at an application path.
Which rule definition should be used to address this need?

Question37: An organization leverages a commonly used software distribution tool to manage deployment of enterprise software and updates. Custom rules are a suitable option to ensure the approval of files delivered by this tool.
Which other trust mechanism could the organization configure for large-scale approval of these files?

Question38: An administrator is interested in upgrading endpoints to the latest release in VMware Carbon Black App Control (V8.1.4+).
What is the first step to make a new agent available for installation or upgrade?