5V0-91.20 Online Practice Questions and Answers

Questions 4

An Enterprise EDR administrator sees the process in the graphic on the Investigate page but does not see an alert for this process:

How can the administrator generate an alert for future hits against this watchlist?

A. Select the watchlist on the watchlists page, select the Scheduled Task Created report, and use Take Action to select Alert on hit for the report.

B. Select the watchlist on the watchlists page, select the Scheduled Task Created report, and use Take Action to toggle Alert on hit to On.

C. Select the watchlist on the watchlists page and click on Alerts: Off to toggle the alerts to On.

D. Select the watchlist on the watchlists page, use Take Action to select Edit, and select Alert on hit.

Questions 5

An administrator has configured a policy to run a standard background scan.

How long does this one-time scan take to complete on endpoints assigned to that policy?

A. 180 days

B. 30 days

C. 3-5 days

D. 1 day

Questions 6

Review this EDR query:

childproc_name:whoami.exe AND childproc_name:hostname.exe AND childproc_name:tasklist.exe AND childproc_name:ipconfig.exe

Which process would show in the query results?

A. Any process invoked by whoami.exe, hostname.exe, tasklist.exe, and ipconfig.exe

B. Any process invoked by whoami.exe, hostname.exe, tasklist.exe, or ipconfig.exe

C. Any process invoking whoami.exe, hostname.exe, tasklist.exe, or ipconfig.exe

D. Any process invoking whoami.exe, hostname.exe, tasklist.exe, and ipconfig.exe

Questions 7

Carbon Black App Control maintains an inventory of all interesting (executable) files on endpoints where the agent is installed.

What is the initial inventory procedure called, and how can this process be triggered?

A. Inventorying; enable Discovery mode

B. Baselining; install the agent

C. Discovery; place agent into Disabled mode

D. Initialization; move agent out of Disabled mode

Questions 8

An Endpoint Standard analyst runs the query in the graphic below:

Which three statements are true from the results shown? (Choose three.)

A. The process is a PowerShell process running a script with a .ps1 extension.

B. The process has a threat score greater than 4.

C. The process made a network connection to another system.

D. The process had a NOT_LISTED reputation at the time the event occurred.

E. The process was run under the NT_AUTHORITY\SYSTEM user context.

F. The process was able to inject code into another process.

Questions 9

Which statement is true when searching through the EDR server UI?

A. The backslash \ is the character to escape characters.

B. Whitespaces between search terms imply the OR operator.

C. The percent symbol % is the character to represent a wildcard.

D. The exclamation point ! is the character to represent negation.

Questions 10

An administrator wants to find instances where the binary is unsigned. Which term will accomplish this search?

A. NOT process_publisher:FILE_SIGNATURE_STATE_SIGNED

B. NOT process_publisher_state:FILE_SIGNATURE_STATE_SIGNED

C. process_publisher_state:FILE_SIGNATURE_STATE_NOT_SIGNED

D. process_publisher:FILE_SIGNATURE_STATE_NOT_SIGNED

Questions 11

An analyst is investigating an alert within Enterprise EDR. The alert is tied to an unusual process name. When navigating to the binary details page for the binary used in the alert, the analyst sees the following:

The analyst wants to find any instances of this process executing regardless of the process name used.

Which two details from the binary can be used to search for the application regardless of the seen name? (Choose two.)

A. The binary's hash

B. The path

C. The original filename

D. The product version

E. The publisher name

Questions 12

Management has directed that the SOC team be enabled to create global file bans via the App Control API.

How would this be configured in the App Control Console?

A. Create a Role, map to corresponding SOC group, and add permission "Manage files" to Role.

B. Add permission "Manage files" and create an API token for each SOC user.

C. Create a Role, map to the corresponding SOC group, add permission "Manage files", and create API token for the Role.

D. Create a Role, map it to the corresponding SOC group, add permission "Manage files" to Role, and create an API token for each user in group.

Questions 13

An analyst on the security team noticed that several alerts are false positives within Enterprise EDR. The analyst disables the IOC within the report from those alerts.

Which statement correctly explains what disabling the IOC will accomplish?

A. That specific IOC in the report will no longer generate hits or alerts on the device from the alert.

B. The report will no longer generate hits or alerts on the device from the alert.

C. That specific IOC in the report will no longer generate hits or alerts.

D. The report will no longer generate hits or alerts.

Questions 14

An administrator has updated a Threat Intelligence Report by turning it into a watchlist and needs to disable (Ignore) the old Threat Intelligence Report.

Where in the UI is this action not possible to perform?

A. Search Threat Reports Page

B. Threat Intelligence Feeds Page

C. Threat Report Page

D. Triage Alerts Page

Questions 15

An Enterprise EDR administrator is reviewing the Investigate page and believes they are receiving false positive hits from a specific watchlist.

Which three options reduce future false positive hits from this watchlist? (Choose three.)

A. Disable/remove the IOC associated with the false positives.

B. Disable/remove the report associated with the false positives.

C. Dismiss the watchlist hit.

D. Select edit watchlist and uncheck alert on hits.

E. Modify policy rules to exclude the false positive directory.

F. Disable the watchlist associated with the false positives.

Questions 16

At which three frequencies may a Carbon Black Audit and Remediation administrator schedule the run of Live Queries? (Choose three.)

A. Monthly

B. Daily

C. Bi-Weekly

D. Weekly

E. Hourly

F. Any frequency

Questions 17

Which wildcard configuration applies a policy to all files and subfolders in a specific folder in Endpoint Standard?

A. C:\Program Files\example\$$

B. C:\Program Files\example\**

C. C:\Program Files\example\$

D. C:\Program Files\example\*

Questions 18

An administrator runs the following query in Audit and Remediation:

SELECT *
FROM users
WHERE UID >= 500;

How long will this query stay active and accept data from the sensors?

A. 1 day

B. 7 days

C. 14 days

D. 30 days

Exam Code: 5V0-91.20
Exam Name: VMware Carbon Black Portfolio Skills
Last Update: Apr 19, 2024
Questions: 116 Q&As