An administrator wants to query the status of the firewall for all endpoints. The administrator will query the registry key found here: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile.
To make the results easier to understand, the administrator wants to return either enabled or disabled for the results, rather than the value from the registry key.
Which SQL statement will rewrite the output based on a specific result set returned from the system?
- A . CASE
- B . AS
- C . ALTER
- D . SELECT
A
Explanation:
Reference: https://www.carbonblack.com/blog/8-live-queries-that-will-speed-up-your-next-pci-audit/
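As an added example (not from the page above or from the referenced blog post), the Live Query statement an administrator would actually run for this question: it reads the EnableFirewall value under each firewall profile key from osquery's `registry` table and uses CASE to turn the raw DWORD into "enabled" or "disabled". The table and column names (`registry`, `key`, `name`, `data`) are osquery's; the value name EnableFirewall and its 0/1 encoding are Windows Firewall's. StandardProfile only covers the private profile, so the example also pulls DomainProfile and PublicProfile, which is an extension of the question, not part of it.

```sql
-- Added example, not from the original page: Live Query (osquery SQL) for the
-- Windows Firewall state per profile, with CASE mapping the raw value to a label.
-- Assumes the osquery `registry` table exposed by Carbon Black Live Query on Windows.
WITH fw AS (
  -- osquery's registry table needs an equality constraint on `key`; one per profile.
  SELECT key, name, data FROM registry
  WHERE key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile'
  UNION ALL
  SELECT key, name, data FROM registry
  WHERE key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile'
  UNION ALL
  SELECT key, name, data FROM registry
  WHERE key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile'
)
SELECT
  -- keep only the last path component (DomainProfile / StandardProfile / PublicProfile)
  REPLACE(key, 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\', '') AS profile,
  data AS raw_value,
  -- registry.data is TEXT in osquery, so the DWORD 1/0 arrives as the strings '1'/'0'
  CASE data
    WHEN '1' THEN 'enabled'
    WHEN '0' THEN 'disabled'
    ELSE 'unknown'
  END AS firewall_status
FROM fw
WHERE name = 'EnableFirewall';
```

A profile that returns no row at all (rather than "unknown") means the value is absent on that endpoint, which is worth surfacing separately: when the firewall is managed by Group Policy the effective setting lives under HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall instead, and a missing row here does not by itself prove the firewall is off.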
An analyst navigates to the alerts page in Endpoint Standard and sees the following:
What does the yellow color represent on the left side of the row?
- A . It is an alert from a watchlist rather than the analytics engine.
- B . It is a threat alert and warrants immediate investigation.
- C . It is an observed alert and may indicate suspicious behavior.
- D . It is a dismissed alert within the user interface.
An Enterprise EDR administrator sees the process in the graphic on the Investigate page but does not see an alert for this process:
How can the administrator generate an alert for future hits against this watchlist?
- A . select the watchlist on the watchlists page, select the Scheduled Task Created report, and use Take Action to select Alert on hit for the report.
- B . Select the watchlist on the watchlists page, select the Scheduled Task Created report, and use Take Action to toggle Alert on hit to On.
- C . Select the watchlist on the watchlists page and click on Alerts: Off to toggle the alerts to On.
- D . Select the watchlist on the watchlists page, use Take Action to select Edit, and select Alert on hit.
An administrator runs multiple queries on tables and combines the results after the fact to correlate data. The administrator needs to combine rows from multiple tables based on data from a related column in each table.
Which SQL statement should be used to achieve this goal?
- A . JOIN
- B . WHERE
- C . AS
- D . COMBINE
An administrator wants to allow files to run from a network share.
Which rule type should the administrator configure?
- A . Execute Prompt (Shared Path)
- B . Trusted Path
- C . Network Execute (Allow)
- D . Write Approve (Network)
What are the three available methods in VMware Carbon Black App Control by which an endpoint (agent) can be assigned to a specific policy? (Choose three.)
- A . By pushing the designated GPO script
- B . Via DASCLI command
- C . By installing the agent via SCCM
- D . Manual policy assignment
- E . By branded/policy-specific installer
- F . By Active Directory Mapping
Which Live Query statement is properly constructed?
- A . SELECT * FROM ‘users’
- B . select * from *:
- C . select from users;
- D . SELECT * FROM users;
An administrator has configured a policy to run a standard background scan.
How long does this one-time scan take to complete on endpoints assigned to that policy?
- A . 180 days
- B . 30 days
- C . 3-5 days
- D . 1 day
An analyst is investigating an alert within the Enterprise EDR console and needs to take action on it.
Which three actions are available to take on the alert? (Choose three.)
- A . Ignore alert
- B . Dismiss
- C . Dismiss on all devices if grouping is enabled
- D . Edit watchlist
- E . Save report
- F . Notifications history
B,C,E
Explanation:
Reference: https://community.carbonblack.com/t5/Knowledge-Base/Carbon-Black-Cloud-How-to-Dismiss-Alerts/ta-p/51766
Review this EDR query:
childproc_name:whoami.exe AND childproc_name:hostname.exe AND childproc_name:tasklist.exe AND childproc_name:ipconfig.exe
Which process would show in the query results?
- A . Any process invoked by whoami.exe, hostname.exe, tasklist.exe, and ipconfig.exe
- B . Any process invoked by whoami.exe, hostname.exe, tasklist.exe, or ipconfig.exe
- C . Any process invoking whoami.exe, hostname.exe, tasklist.exe, or ipconfig.exe
- D . Any process invoking whoami.exe, hostname.exe, tasklist.exe, and ipconfig.exe
An administrator is searching for any child processes of email clients with this query in Carbon Black Enterprise EDR:
parent_name:outlook.exe OR parent_name:thunderbird.exe OR parent_name:eudora.exe
The administrator would like to modify this query to only show child processes that do not have a known reputation in the Carbon Black Cloud.
Which search field can be added to the query to show the desired results?
- A . process_integrity_level
- B . process_reputation
- C . process_privileges
- D . process_cloud_reputation
An analyst is reviewing an alert in Enterprise EDR from a custom watchlist. The analyst disagrees with the alert severity rating.
How can the analyst change the alert severity value, if this is possible?
- A . The alert severity is assigned by the backend analytics.
- B . The alert severity is not configurable.
- C . Change the alert severity on the watchlist.
- D . Change the alert severity on the report.
How long will Live Queries in Carbon Black Audit and Remediation run before timing out?
- A . 30 days
- B . 14 days
- C . 180 days
- D . 7 days
Which reputation is processed with the lowest priority for Endpoint Standard?
- A . Local White
- B . Known Malware
- C . Trusted White
- D . Common White
Which value should an administrator use when reviewing an alert to determine the file reputation at the time the event occurred?
- A . Cloud Reputation (Initial)
- B . Effective Reputation
- C . Local Reputation
- D . Cloud Reputation (Current)
App Control System Health email alerts for excessive agent backlog are occurring hourly. This is overwhelming the analysts, and they would like to reduce the notifications.
How can the analyst reduce the unneeded alerts?
- A . Set the email address for subscribers to an invalid email.
- B . Change reminder email to daily or disabled.
- C . Disable the alert.
- D . Delete the alert.
Which statement filters data to only return rows where the publisher of the software includes VMware anywhere in the name?
- A . WHERE publisher = "%VMware%"
- B . WHERE publisher = "%VMware"
- C . WHERE publisher LIKE "VMware%"
- D . WHERE publisher LIKE "%VMware%"
A company wants to implement the strictest security controls for computers on which the software seldom changes (i.e., servers or single-purpose systems).
Which Enforcement Level is the most fitting?
- A . Low Enforcement
- B . Medium Enforcement
- C . High Enforcement
- D . None (Visibility)
Review this result after executing a query in the Process Search page, noting the circled black dot:
What is the meaning of the black dot shown under Tags?
- A . The execution of the process resulted in watchlist hits.
- B . The events for the process were tagged in an investigation.
- C . The events for the process were also sent to the Syslog Server.
- D . The execution of the process resulted in feed hits.
How often do watchlists run?
- A . Every 10 minutes
- B . Every 5 minutes
- C . Watchlists can be configured to run at scheduled intervals
- D . Every 30 minutes
Which ID in Endpoint Standard is associated with one specific action, involves up to three different hashes (Parent, Process, Target), and occurs on a single device at a specific time?
- A . Threat ID
- B . Process ID
- C . Alert ID
- D . Event ID
There is a requirement to block ransomware when a sensor is offline.
Which blocking and isolation rule fulfills this requirement?
- A . Known Malware ―> Performs ransomware-like behavior ―> Terminate process
- B . Not Listed Application ―> Performs ransomware-like behavior ―> Deny operation
- C . Suspect Malware ―> Performs ransomware-like behavior ―> Deny operation
- D . Unknown Application ―> Performs ransomware-like behavior ―> Terminate process
Carbon Black App Control maintains an inventory of all interesting (executable) files on endpoints where the agent is installed.
What is the initial inventory procedure called, and how can this process be triggered?
- A . Inventorying; enable Discovery mode
- B . Baselining; install the agent
- C . Discovery; place agent into Disabled mode
- D . Initialization; move agent out of Disabled mode
Review the following query:
path:c:program files (x86)microsoft
How would this query input term be interpreted?
- A . c:program files x86microsoft
- B . c:rogram files (x86)icrosoft
- C . c:rogramfilesx86icrosoft
- D . c:program files (x86)microsoft
Which action is only available for the “Performs any operation” and “Performs any API Operation” operation attempts?
- A . Bypass
- B . Allow & Log
- C . Runs or is Running
- D . Allow
A
Explanation:
Reference: https://community.carbonblack.com/gbouw27325/attachments/gbouw27325/product-docs-news/1413/3/cbd-userguide.pdf (90)
An incorrectly constructed watchlist generates 10,000 incorrect alerts.
How should an administrator resolve this issue?
- A . Delete the watchlist to automatically clear the alerts, and then create a new watchlist with the correct criteria.
- B . From the Triage Alerts Page, use the facets to select the watchlist, click the Wrench button to “Mark all as Resolved False Positive”, and then update the watchlist with the correct criteria.
- C . Update the Triage Alerts Page to show 200 alerts, click the Select All Checkbox, click the “Dismiss Alert(s)” button for each page, and then update the watchlist with the correct criteria.
- D . From the Watchlists Page, select the offending watchlist, click “Clear Alerts” from the Action menu, and then update the watchlist with the correct criteria.
A process has created a number of interesting (executable) files in one sequence.
In addition to the event Subtype ‘New Unapproved File to Computer’, what other event subtype is likely to be associated with this sequence?
- A . File Upload Completed
- B . New File Discovered on Startup
- C . File Group Created
- D . File Properties Modified
Why would a sensor have a status of "Inactive"?
- A . The sensor has not checked in within the last 30 days.
- B . The sensor has been uninstalled from the endpoint for more than 30 days.
- C . The device has been put in bypass for the last 30 days.
- D . The sensor has been in disabled mode for more than 30 days.
An Endpoint Standard analyst runs the query in the graphic below:
Which three statements are true from the results shown? (Choose three.)
- A . The process is a PowerShell process running a script with a .ps1 extension.
- B . The process has a threat score greater than 4.
- C . The process made a network connection to another system.
- D . The process had a NOT_LISTED reputation at the time the event occurred.
- E . The process was run under the NT AUTHORITY\SYSTEM user context.
- F . The process was able to inject code into another process.
A process wrote an executable file as detailed in the following event:
Which rule type should be used to ensure that files of the same name and path, written by that process in the future, will not be blocked when they execute?
- A . Trusted Path
- B . File Creation Control
- C . Advanced (Write-Ignore)
- D . Trusted Publisher
What is the meaning, if any, of the event Report write (removable media)?
- A . This event would never occur. App Control does not report activity on removable media.
- B . A Policy’s device control setting ‘Block writes to unapproved removable media’ is set to Report Only. The event details show the process, file name, and hash modified or deleted on the removable media.
- C . A Policy’s device control setting ‘Block writes to unapproved removable media’ is set to Report Only. The event details show the process and file name modified or deleted on the unapproved removable media.
- D . A Policy’s device control setting ‘Block writes to unapproved removable media’ is set to Enabled. The event details show the process, file name, and hash modified or deleted on the removable media.
Which statement is true when searching through the EDR server UI?
- A . The backslash is the character to escape characters.
- B . Whitespaces between search terms imply the OR operator.
- C . The percent symbol % is the character to represent a wildcard.
- D . The exclamation point ! is the character to represent negation.
An organization leverages a commonly used software distribution tool to manage deployment of enterprise software and updates. Custom rules are a suitable option to ensure the approval of files delivered by this tool.
Which other trust mechanism could the organization configure for large-scale approval of these files?
- A . Windows Update
- B . Trusted Distributor
- C . Local Approval Mode
- D . Rapid Config
C
Explanation:
Reference: https://uit.stanford.edu/service/cbprotect/approval-mechanisms
An administrator receives an alert with the TTP DATA_TO_ENCRYPTION.
What is known about the alert based on this TTP even if other parts of the alert are unknown?
- A . A process attempted to delete encrypted data on the disk.
- B . A process attempted to write a file to the disk.
- C . A process attempted to modify a monitored file written by the sensor.
- D . A process attempted to transfer encrypted data on the disk over the network.
An administrator wants to find instances where the binary is unsigned.
Which term will accomplish this search?
- A . NOT process_publisher:FILE_SIGNATURE_STATE_SIGNED
- B . NOT process_publisher_state:FILE_SIGNATURE_STATE_SIGNED
- C . process_publisher_state:FILE_SIGNATURE_STATE_NOT_SIGNED
- D . process_publisher:FILE_SIGNATURE_STATE_NOT_SIGNED
A Carbon Black administrator received an alert for an untrusted hash executing in the environment.
Which two information items are found in the alert pane? (Choose two.)
- A . Launch Live Query
- B . Launch process analysis
- C . User quarantine
- D . Add hash to banned list
- E . IOC short name
What is the maximum number of binaries (hashes) that can be banned using the web console?
- A . 500
- B . 600
- C . 300
- D . 400
Refer to the exhibit:
Which two logic statements correctly explain filtering within the UI? (Choose two.)
- A . Filtering between fields is a logical OR
- B . Filtering within the same field is a logical AND
- C . Filtering between fields is a logical AND
- D . Filtering between fields is a logical XOR
- E . Filtering within the same field is a logical OR
When executing a program in App Control, the notification message informs the user that the file is not approved with an option to request approval.
Which Enforcement level is currently enacted?
- A . High
- B . Low
- C . Medium
- D . Default
An alert for a device running a proprietary application is tied to a vital business operation.
Which action is appropriate to take?
- A . Add the application to the Approved List.
- B . Terminate the process.
- C . Deny the operation.
- D . Quarantine the device.