MA0-104.Passguide PASSGUIDE MA0-104 Intel Security Certified Product Specialist Version 1.0

Size: px

Start display at page:

Download "MA0-104.Passguide PASSGUIDE MA0-104 Intel Security Certified Product Specialist Version 1.0"

Jonathan Bates
5 years ago
Views:

1 MA0-104.Passguide Number: MA0-104 Passing Score: 800 Time Limit: 120 min File Version: 1.0 PASSGUIDE MA0-104 Intel Security Certified Product Specialist Version 1.0

2 Exam A QUESTION 1 A SIEM can be effectively used to identify active threats from internal systems by monitoring/correlating events that occur A. when no one is logged in; for example, after hours or on weekends. B. across an unusual range of ports or destinations; for example, all high ports. C. irregularly; for example, only on Fridays, or only at end-of-quarter. D. in accordance with expected systems use. /Reference: QUESTION 2 While investigating beaconing Malware, an analyst can narrow the search quickly by using which of the following watchlists in the McAfee SIEM? A. MTIE Suspicious and Malicious B. TSI Suspicious and Malicious C. GTI Suspicious and Malicious D. MTI Suspicious and Malicious Correct Answer: C /Reference: QUESTION 3 A backup of the ELM management database captures

3 A. ELM configuration settings B. ELM configuration settings, and the ELM archive index. C. ELM configuration settings, the ELM archive index, and all archived ELM contents. D. ELM configuration settings, the ELM archive index, and all archived ELM contents up to the ESM database retention limit. Correct Answer: B /Reference: QUESTION 4 Which of the following is the name of the Dashboard View that shows correlated events for the selected Data Source? A. Default Summary B. Normalized Dashboard C. Incidents Dashboard D. Triggered Alarms /Reference: QUESTION 5 The McAfee SIEM solution satisfies which of the following compliance requirements? A. Continuous monitoring, Log retention B. Personally Identifiable Information (PII) protection C. Payment Card Industry/ Data Security Standard (PCI/ DSS) protection D. Patch management automation

4 /Reference: QUESTION 6 How often does the configuration and policy data from the primary Enterprise Security Manager (ESM) get synchronized with the redundant ESM? A. Every 2 minutes B. Every 5 minutes C. Every 10 minutes D. This is based on manual selection Correct Answer: B /Reference: QUESTION 7 Which of the following are the three compression ratios available for raw logs being handled by the ELM? A. 10:1, 14:1, 19:1 B. 14:1, 18:1, 20:1 C. 14:1, 17:1, 21:1 D. 14:1, 17:1, 20:1 /Reference: Page: 121

5 QUESTION 8 The McAfee Enterprise Log Manager (ELM) offers three levels of compression (Low, Medium, and High). By default, the ELM compression level is set to Low. Which of the following is the compression ratio for the Medium level? A. 17:1 B. 20:1 C. 10:1 D. 14:1 /Reference: Page: 121 QUESTION 9 Which of the following is the default port used to communicate between McAfee SIEM devices? A. 22 B. 222 C. 21 D. 211 /Reference: QUESTION 10 The McAfee SIEM baselines daily events over

6 A. three days B. five days C. seven days D. nine days /Reference: QUESTION 11 Where can the ESM event database archive inactive partitions? A. Storage on the hard disk of the ESM itself B. Storage on the hard disk of the backup ESM C. Storage on the ELM D. Remote storage connected to the ESM /Reference: QUESTION 12 When a Correlation Rule successfully triggers, this occurs at the A. Correlation Element. B. Correlation Processor. C. Correlation Engine.

7 D. Correlation Manager. Correct Answer: C /Reference: QUESTION 13 The configuration of a receiver has recently been modified and issues occur. Which command will collect historical data? A. htop B. getstatsdata C. snmpget D. df Correct Answer: B /Reference: QUESTION 14 Which of the following operations is NOT an available selection when using Multi-Device Management? A. Reboot B. Update C. Start D. Disable /Reference: Page: 24

8 QUESTION 15 The fundamental purpose of the Receiver Correlation Subsystem (RCS) is A. to analyze data from the ESM and detect matching patterns. B. to collect and consolidate identical data from the ESM into a single summary event. C. to classify or categorize data from the Receiver into related types and sub-types. D. to organize, retrieve and archive data from the Receiver into the SIEM database. /Reference: QUESTION 16 The ESM database is unavailable for use during A. a configuration backup. B. a full backup. C. archiving of inactive partitions. D. synchronization with the redundant ESM. /Reference: QUESTION 17 Which of the following statements about Client Data Sources is TRUE? A. They will have VIPS, Policy and Agent rights B. They will be displayed on the Receiver Properties > Data Sources table C. They will appear on the System Navigation tree D. They can have independent time zones Correct Answer: C

9 /Reference: Page: 72 QUESTION 18 Zones allow a user to group devices and the events they generate by A. Geographical location and IP reputation B. Geographical reputation and IP Address C. Geographical location and IP Address D. Geographical location and File reputation Correct Answer: C /Reference: QUESTION 19 Which of the following are the Boolean logic functions that can be used to create Correlation Rules? A. NOR and AND B. AND and SET C. OR and SET D. OR and AND Correct Answer: C /Reference: QUESTION 20 The normalization value assigned to each data-source event allows

10 A. increased usability via views based on category rather than signature ID. B. more efficient parsing of each event by the McAfee SIEM Receiver. C. quicker ELM searches. D. the McAfee ESM database to retain fewer events overall. /Reference: QUESTION 21 Which authentication methods can be configured to control alarm management privileges? A. SNMP B. SSH Key Pair C. Active Directory D. Access Groups /Reference: Page: 79 QUESTION 22 On the McAfee enterprise Security Manager (ESM), the default data Retention setting specifies that Event and Flow data should be maintained for A. 365 days. B. same value as configured on the ELM.

11 C. 90 Days. D. all data allowed by system. /Reference: QUESTION 23 Which of the following is the minimum amount of disk space required to install the McAfee Enterprise Security Manager (ESM) as a virtual machine? A. 100 GB B. 250 GB C. 500 GB D. 1 TB Correct Answer: B /Reference: Page: 10 QUESTION 24 The possibility of both data source Network Interface Cards (NICs) using the shared IP and MAC address at the same time is eliminated by using which of the following? A. iscsi Adapter B. IPMI Card C. PCI Adapter D. SAN Card Correct Answer: B

12 /Reference: Page: 146 QUESTION 25 To correlate known vulnerabilities to devices that are currently exposed to such vulnerabilities, which of the following must be selected on the Receiver? A. Auto Download VulnEvents B. Enable Vulnerability Event Correlation C. Generate Vulnerability Events D. Enable VA Source /Reference: QUESTION 26 A security administrator is configuring the Enterprise Security Manager (ESM) to comply with corporate security policy and wishes to restrict access to the ESM to certain users and machines. Which of the following actions would accomplish this? A. Configure the Access Control List and setup user accounts B. Define user groups and set permissions based on IP C. Assign AD users to computer assignment groups D. Setup local accounts based on IP Zones /Reference: Page: 174 QUESTION 27 With regard to Data Source configuration and event collection what does the acronym CEF stand for? A. Correlation Event Framing

13 B. Common Event Format C. Common Event Framing D. Condition Event Format Correct Answer: B /Reference: QUESTION 28 The primary function of the Application Data Monitor (ADM) appliance is to decode traffic at layer A. one for inspection. B. three for inspection. C. five for inspection. D. seven for inspection. /Reference: QUESTION 29 Which of the following features of the Enterprise Log Manager (ELM) can alert the user if any data has been modified? A. Integrity Check B. SNMP Trap C. Log Audit D. ELM Database Check /Reference:

14 QUESTION 30 A SIEM allows an organization the ability to correlate seemingly disparate streams of traffic into a central console for analysis. This correlation, in many cases, can point out activities that might otherwise go undetected. This type of detection is also known as A. anomaly based detection. B. behavioral based detection. C. heuristic based detection. D. signature based detection. /Reference: QUESTION 31 If the SIEM Administrator deploys the Enterprise Security Manager (ESM) using the Federal Information Processing Standards (FIPS) encryption mode, which of the following types of user authentication will NOT be compliant with FIPS? A. Windows Active Directory B. Radius C. Lightweight Directory Access Protocol (LDAP) D. Local Authentication Correct Answer: B /Reference: QUESTION 32

15 Which of the following two appliances contain Event databases? A. ELM and REC B. ESM and ELM C. ESM and REC D. REC and ADM Correct Answer: C /Reference: QUESTION 33 Reports can be created by selecting the ESM System Properties window, the Reports Icon in the top right of the ESM screen or by which of the following other methods within Alarm Creation? A. Actions tab B. Conditions tab C. Escalation tab D. Summary tab /Reference: McAfee_SIEM_Best_Practices_for_Alarms.pdf Page: 10

McAfee SIEM Port Usage by Appliance

McAfee SIEM Port Usage by Appliance Application Direction Port(s) Protocol Destination / Description ETM Enterprise Security Manager Active Directory out 389, 3268 tcp Active Directory. Port 3268 is used