Note! HPE2-W05 has been withdrawn.

HPE2-W05 Practice Exam Questions with Answers Implementing Aruba IntroSpect Certification

Question # 6

While validating the data sources in a new IntroSpect installation, you have confirmed that the network tap data is correct and there are AMON log sources for both firewall and DNS.

When you look in the Entity360, you see the usernames from Active Directory.

However, when you look under E360 > activity > for any user accounts there is no information under “Activity Card” and “Authentication” for any user. When you filter the Entity360 for IP address and look at the Activity screen you do see activity on the “Activity Card”.

Could this be a reason why you do not see the information but do not see activity? (The log broker could be configured incorrectly and not sending authentication logs to IntroSpect.)

A.

Yes

B.

No

Question # 7

While investigating alerts in the Analyzer you notice a host desktop with a low risk score has been sending regular emails from an internal account to the same external account. Upon investigation you see that the emails all have attachments. Would this be a correct assessment of the situation? (This desktop should be added to a watch list and audited for a time to determine if this is real threat activity.)

A.

Yes

B.

No

Question # 8

During a discovery at a large company, the customer asks if they can run IntroSpect on a segment of the network and only monitor a small group of users and servers as a trial. As their IT staff becomes familiar with the analytics, they want to expand the installation to the entire enterprise. Would this be a valid option for the customer? (It is easy to support growth with the Scale-out Analyzer appliance, as Analyzer Nodes may be added over time to support the larger demand from the full environment.)

A.

Yes

B.

No

Question # 9

During a conversation with one of your colleagues, they bring up the subject of small business security and ask you to explain why a small business would be interested in a product like IntroSpect. Is this a reason they would purchase IntroSpect? (Most small businesses that suffer a data breach will go out of business as a result of the breach.)

A.

Yes

B.

No

Question # 10

The company has a DMZ with an application server where customers can upload and access their product orders. The security admin wants to know how you configure IntroSpect to monitor this server. Should this be part of your plan? (Configure the server in the DMZ as a High Value Asset in Menu>Configuration>Analytics>Correlator Config> so that IntroSpect will monitor the server for access patterns.)

A.

Yes

B.

No

Question # 11

Refer to the exhibit.

You have been assigned a task to monitor, analyze, and find those entities who are trying to access internal resources without having valid user credentials. You are creating an AD-based use case to look for this activity. Could you use this entity type to accomplish this? (Dest Host.)

A.

Yes

B.

No

Question # 12

You were called into a customer site to do an evaluation of installing IntroSpect for a small business. During the discovery process, the customer asks you to explain when they would need to deploy a Packet Processor.

Does this explain the function of the Packet Processor? (The Packet Processor helps if they are using the analyzer deployed in the cloud by forwarding log data over HTTPS.)

A.

Yes

B.

No

Question # 13

A customer with approximately 200 users in Active Directory is running Aruba Mobility Controllers, Palo Alto firewalls, Pulse Secure VPN and InfoBlox DNS on their network. They would like to implement the 2RU Fixed Configuration Analyzer Standard Edition.

Would this be a good response to the customer? (The Standard Edition will work for this customer as long as they do not want to capture the InfoBlox DNS logs.)

A.

Yes

B.

No

Question # 14

Refer to the exhibit.

An IntroSpect admin is configuring an Aruba IntroSpect Packet Processor to add a Microsoft AD server as a log source for analyzing the AD server logs. Are these the correct Format and Source options? (Format = Snare, and Source Type = Syslog.)

A.

Yes

B.

No

Question # 15

You receive an email alert that a Packet Processor forwarding AMON data at a remote site to a cloud-based Analyzer has stopped communicating.

Is this a valid step to try to fix the issue? (Log into the Packet Processor and check the Alerts page to make sure that the alert is still valid.)

A.

Yes

B.

No

Question # 16

Refer to the exhibit.

Which alert is not supported by an AD-based use case? (Suspicious user login.)

A.

Yes

B.

No

Question # 17

Refer to the exhibit.

You are monitoring network traffic and considering DNS flow patterns. Where is a good location to place the Network Tap or Taps? (Location B will capture wired clients' DNS requests while Location A will capture wireless client DNS.)

A.

Yes

B.

No
