While troubleshooting integration between ClearPass and IntroSpect, you notice that there are no log events for either THROUGHPUT or ERROR in the ClearPass log source on the IntroSpect Analyzer. You are planning your troubleshooting actions.
Is this something you should check? (Check the authentication service being used in ClearPass for the Login - Logout enforcement policy.)
A. Yes
B. No
While looking at the conversation page you notice some strange network behavior, such as DNS requests coming inbound from external DNS servers. Could this be the reason why? (One of your Packet Processors may be oversubscribed and is dropping packets.)
A. Yes
B. No
Refer to the exhibit.
An IntroSpect admin is configuring an Aruba IntroSpect Packet Processor to add Microsoft AD server as a log source for analyzing the AD server logs. Are these correct Format and Source options? (Format = Snare, and Source Type = Syslog.)
A. Yes
B. No
Refer to the exhibit.
An IntroSpect admin is configuring an Aruba IntroSpect Packet Processor to add Microsoft AD server as a log source for analyzing the AD server logs. Are these correct Format and Source options? (Format = Standard, and Source Type = Syslog.)
A. Yes
B. No
You are one of the system administrators in your company, and you are assigned to monitor the IntroSpect system for alarms. Is this a correct statement about alarms? (A memory_full alarm will fire when there is less than 1 GB of free memory for more than thirty minutes.)
A. Yes
B. No
In a meeting with a customer that runs a fully automated manufacturing facility that is connected to the business and corporate offices, the operations manager asks why they need IntroSpect to monitor the manufacturing network. Is this a reason they should monitor the manufacturing network security? (Because the controllers and sensors do not store customer data or corporate intellectual property, even if the automation network was to be breached it would not expose anything valuable.)
A. Yes
B. No
You deploy IntroSpect Analyzer in your existing network. You want to monitor email for suspect malware activity. Would this action be supported by IntroSpect? (Deploy a supported DNP like Proofpoint Email Protection, and integrate it with the IntroSpect Analyzer.)
A. Yes
B. No
A company wants to integrate ClearPass with the IntroSpect. Is this a supported version? (ClearPass 6.7.4.)
A. Yes
B. No
While reviewing the logs at a customer site you notice that one particular device is accessing multiple servers in the environment, using a number of different user accounts. When you question the IT admin, they tell you that the computer is a JumpBox running software used to monitor all of the servers in the environment.
Would this be a logical next step? (As a next step, you should audit all of the accounts that are being used on the JumpBox to determine if the JumpBox is being accessed by unauthorized accounts.)
A. Yes
B. No
A customer is asking you to explain the difference between a data breach and a data leak. Does this explain the difference? (In both cases, data has left your network for the outside. A data breach is executed by an outside attacker, while a data leak is executed either deliberately or accidentally by an inside actor.)
A. Yes
B. No
While investigating alerts in the Analyzer you notice a host desktop with a low risk score has been sending regular emails from an internal account to the same external account. Upon investigation you see that the emails all have attachments. Would this be a correct assessment of the situation? (The user on this host spends way too much time sending email, but should not be considered a risk until the risk score climbs above 60.)
A. Yes
B. No
While looking at the conversations page you notice one user account logging into a number of servers on a regular basis. Is this information that you can draw from this activity? (This could be a service account and should be excluded from correlating Logon events with devices, or every device it logs into will be credited to it as the owner.)
A. Yes
B. No
You are visiting a site configured with IntroSpect, and the on-site admin tells you that they do not think that one of their database servers has fired any alerts for large download or strange access patterns. Could this be a reason? (The database server needs to be listed under Configuration>Analytics>User Correlation Config.)
A. Yes
B. No
Aruba IntroSpect establishes different types of baselines to perform user or device behavior analysis. Is this a correct description of a baseline that IntroSpect establishes? (Individual history baseline: this typically takes 10 to 14 days to establish a "steady state" that can be used.)
A. Yes
B. No
While talking to an associate, they ask you to describe how different alerts in IntroSpect indicate compromise on the network. Would this be a correct statement? (An entity that scans known TCP ports on a large number of IP addresses in a subnet could be malware gathering information.)
A. Yes
B. No