MA0-104.Passguide
Number: MA0-104
Passing Score: 800
Time Limit: 120 min
File Version: 1.0
http://www.gratisexam.com/

PASSGUIDE MA0-104: Intel Security Certified Product Specialist, Version 1.0

Exam A

QUESTION 1
A SIEM can be effectively used to identify active threats from internal systems by monitoring/correlating events that occur
A. when no one is logged in; for example, after hours or on weekends.
B. across an unusual range of ports or destinations; for example, all high ports.
C. irregularly; for example, only on Fridays, or only at end-of-quarter.
D. in accordance with expected systems use.
Correct Answer: D

QUESTION 2
While investigating beaconing malware, an analyst can narrow the search quickly by using which of the following watchlists in the McAfee SIEM?
A. MTIE Suspicious and Malicious
B. TSI Suspicious and Malicious
C. GTI Suspicious and Malicious
D. MTI Suspicious and Malicious
Correct Answer: C

QUESTION 3
A backup of the ELM management database captures
A. ELM configuration settings.
B. ELM configuration settings and the ELM archive index.
C. ELM configuration settings, the ELM archive index, and all archived ELM contents.
D. ELM configuration settings, the ELM archive index, and all archived ELM contents up to the ESM database retention limit.
Correct Answer: B

QUESTION 4
Which of the following is the name of the Dashboard View that shows correlated events for the selected Data Source?
A. Default Summary
B. Normalized Dashboard
C. Incidents Dashboard
D. Triggered Alarms
Correct Answer: A

QUESTION 5
The McAfee SIEM solution satisfies which of the following compliance requirements?
A. Continuous monitoring, log retention
B. Personally Identifiable Information (PII) protection
C. Payment Card Industry Data Security Standard (PCI DSS) protection
D. Patch management automation
Correct Answer: A
References: http://www.mcafee.com/uk/resources/solution-briefs/sb-compliance-made-easy.pdf

QUESTION 6
How often does the configuration and policy data from the primary Enterprise Security Manager (ESM) get synchronized with the redundant ESM?
A. Every 2 minutes
B. Every 5 minutes
C. Every 10 minutes
D. This is based on manual selection
Correct Answer: B

QUESTION 7
Which of the following are the three compression ratios available for raw logs being handled by the ELM?
A. 10:1, 14:1, 19:1
B. 14:1, 18:1, 20:1
C. 14:1, 17:1, 21:1
D. 14:1, 17:1, 20:1
Correct Answer: D
References: https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/24000/PD24719/en_US/esm_930_product%20guide_en-us.pdf, page 121

QUESTION 8
The McAfee Enterprise Log Manager (ELM) offers three levels of compression (Low, Medium, and High). By default, the ELM compression level is set to Low. Which of the following is the compression ratio for the Medium level?
A. 17:1
B. 20:1
C. 10:1
D. 14:1
Correct Answer: A
References: https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/24000/PD24719/en_US/esm_930_product%20guide_en-us.pdf, page 121

QUESTION 9
Which of the following is the default port used to communicate between McAfee SIEM devices?
A. 22
B. 222
C. 21
D. 211
Correct Answer: A
References: https://kc.mcafee.com/corporate/index?page=content&id=KB81957&actp=null&viewlocale=en_US

QUESTION 10
The McAfee SIEM baselines daily events over
A. three days.
B. five days.
C. seven days.
D. nine days.
Correct Answer: A

QUESTION 11
Where can the ESM event database archive inactive partitions?
A. Storage on the hard disk of the ESM itself
B. Storage on the hard disk of the backup ESM
C. Storage on the ELM
D. Remote storage connected to the ESM
Correct Answer: D

QUESTION 12
When a Correlation Rule successfully triggers, this occurs at the
A. Correlation Element.
B. Correlation Processor.
C. Correlation Engine.
D. Correlation Manager.
Correct Answer: C

QUESTION 13
The configuration of a Receiver has recently been modified and issues are occurring. Which command will collect historical data?
A. htop
B. getstatsdata
C. snmpget
D. df
Correct Answer: B

QUESTION 14
Which of the following operations is NOT an available selection when using Multi-Device Management?
A. Reboot
B. Update
C. Start
D. Disable
Correct Answer: D
References: https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/25000/PD25226/en_US/esm_940_pg_en-us.pdf, page 24

QUESTION 15
The fundamental purpose of the Receiver Correlation Subsystem (RCS) is
A. to analyze data from the ESM and detect matching patterns.
B. to collect and consolidate identical data from the ESM into a single summary event.
C. to classify or categorize data from the Receiver into related types and sub-types.
D. to organize, retrieve and archive data from the Receiver into the SIEM database.
Correct Answer: A

QUESTION 16
The ESM database is unavailable for use during
A. a configuration backup.
B. a full backup.
C. archiving of inactive partitions.
D. synchronization with the redundant ESM.
Correct Answer: D

QUESTION 17
Which of the following statements about Client Data Sources is TRUE?
A. They will have VIPS, Policy and Agent rights.
B. They will be displayed on the Receiver Properties > Data Sources table.
C. They will appear on the System Navigation tree.
D. They can have independent time zones.
Correct Answer: C
References: https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/25000/PD25748/en_US/esm_950_pg_0-00_en-us.pdf, page 72

QUESTION 18
Zones allow a user to group devices and the events they generate by
A. geographical location and IP reputation.
B. geographical reputation and IP address.
C. geographical location and IP address.
D. geographical location and file reputation.
Correct Answer: C
References: https://community.mcafee.com/docs/DOC-6220

QUESTION 19
Which of the following are the Boolean logic functions that can be used to create Correlation Rules?
A. NOR and AND
B. AND and SET
C. OR and SET
D. OR and AND
Correct Answer: C

QUESTION 20
The normalization value assigned to each data-source event allows
A. increased usability via views based on category rather than signature ID.
B. more efficient parsing of each event by the McAfee SIEM Receiver.
C. quicker ELM searches.
D. the McAfee ESM database to retain fewer events overall.
Correct Answer: A

QUESTION 21
Which of the following can be configured to control alarm management privileges?
A. SNMP
B. SSH key pair
C. Active Directory
D. Access Groups
Correct Answer: D
References: https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/24000/PD24394/en_US/9_2_0_McAfeeESMUserGuide.pdf, page 79

QUESTION 22
On the McAfee Enterprise Security Manager (ESM), the default data retention setting specifies that event and flow data should be maintained for
A. 365 days.
B. the same value as configured on the ELM.
C. 90 days.
D. all data allowed by the system.
Correct Answer: D

QUESTION 23
Which of the following is the minimum amount of disk space required to install the McAfee Enterprise Security Manager (ESM) as a virtual machine?
A. 100 GB
B. 250 GB
C. 500 GB
D. 1 TB
Correct Answer: B
References: https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/25000/PD25749/en_US/esm_950_ig_0-00_en-us.pdf, page 10

QUESTION 24
The possibility of both data source Network Interface Cards (NICs) using the shared IP and MAC address at the same time is eliminated by using which of the following?
A. iSCSI adapter
B. IPMI card
C. PCI adapter
D. SAN card
Correct Answer: B
References: https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/25000/PD25226/en_US/esm_940_pg_en-us.pdf, page 146

QUESTION 25
To correlate known vulnerabilities to devices that are currently exposed to such vulnerabilities, which of the following must be selected on the Receiver?
A. Auto Download VulnEvents
B. Enable Vulnerability Event Correlation
C. Generate Vulnerability Events
D. Enable VA Source
Correct Answer: D

QUESTION 26
A security administrator is configuring the Enterprise Security Manager (ESM) to comply with corporate security policy and wishes to restrict access to the ESM to certain users and machines. Which of the following actions would accomplish this?
A. Configure the Access Control List and set up user accounts
B. Define user groups and set permissions based on IP
C. Assign AD users to computer assignment groups
D. Set up local accounts based on IP zones
Correct Answer: A
References: https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/25000/PD25748/en_US/esm_950_pg_0-00_en-us.pdf, page 174

QUESTION 27
With regard to Data Source configuration and event collection, what does the acronym CEF stand for?
A. Correlation Event Framing
B. Common Event Format
C. Common Event Framing
D. Condition Event Format
Correct Answer: B

QUESTION 28
The primary function of the Application Data Monitor (ADM) appliance is to decode traffic at layer
A. one for inspection.
B. three for inspection.
C. five for inspection.
D. seven for inspection.
Correct Answer: D

QUESTION 29
Which of the following features of the Enterprise Log Manager (ELM) can alert the user if any data has been modified?
A. Integrity Check
B. SNMP Trap
C. Log Audit
D. ELM Database Check
Correct Answer: A

QUESTION 30
A SIEM allows an organization the ability to correlate seemingly disparate streams of traffic into a central console for analysis. This correlation, in many cases, can point out activities that might otherwise go undetected. This type of detection is also known as
A. anomaly-based detection.
B. behavioral-based detection.
C. heuristic-based detection.
D. signature-based detection.
Correct Answer: A

QUESTION 31
If the SIEM administrator deploys the Enterprise Security Manager (ESM) using the Federal Information Processing Standards (FIPS) encryption mode, which of the following types of user authentication will NOT be compliant with FIPS?
A. Windows Active Directory
B. RADIUS
C. Lightweight Directory Access Protocol (LDAP)
D. Local authentication
Correct Answer: B

QUESTION 32
Which of the following two appliances contain event databases?
A. ELM and REC
B. ESM and ELM
C. ESM and REC
D. REC and ADM
Correct Answer: C

QUESTION 33
Reports can be created by selecting the ESM System Properties window, the Reports icon in the top right of the ESM screen, or by which of the following other methods within Alarm Creation?
A. Actions tab
B. Conditions tab
C. Escalation tab
D. Summary tab
Correct Answer: A
References: https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/25000/PD25349/en_US/McAfee_SIEM_Best_Practices_for_Alarms.pdf, page 10
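Worked example (added here as an illustration; it is not part of the PassGuide material and not McAfee's own code). Questions 12, 19 and 27 touch on two things a SIEM practitioner should be able to do by hand: parse the Common Event Format (CEF) that data sources emit, and reason about how a correlation rule built from AND/OR logic fires over a time window. The Python below parses constructed CEF lines, including an escaped pipe in the header and an escaped equals sign in an extension value, then runs a small rule (AND over an OR) per source address inside a sliding window, in the spirit of the beaconing investigation in Question 2. The vendors, hosts, signature IDs and timestamps are all made up, and the rule engine is a conceptual stand-in for a correlation engine, not a description of the McAfee Correlation Engine's internals.

```python
"""Parse CEF records and run an AND/OR correlation rule over them (constructed sample data)."""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# CEF layout: CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension
CEF_HEADER_FIELDS = ("cef_version", "vendor", "product", "device_version",
                     "signature_id", "name", "severity")


def parse_cef(line: str) -> Dict[str, str]:
    """Flatten one CEF line into a dict of the seven header fields plus key=value extensions.

    Header fields are split on '|' unless the pipe is escaped as '\\|'; the extension keeps
    unescaped pipes, and '\\=' inside an extension value is unescaped. (An escaped backslash
    directly before a real pipe is not handled; the sample does not need it.)
    """
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF record")
    parts = re.split(r"(?<!\\)\|", line[len("CEF:"):])
    if len(parts) < 8:
        raise ValueError("CEF needs 7 header fields plus an extension")
    event = {k: v.replace(r"\|", "|") for k, v in zip(CEF_HEADER_FIELDS, parts[:7])}
    extension = "|".join(parts[7:])
    # Each value runs lazily up to the next " key=" token or the end of the string.
    for m in re.finditer(r"(\w+)=((?:\\=|[^=])*?)(?=\s+\w+=|$)", extension):
        event[m.group(1)] = m.group(2).replace(r"\=", "=").strip()
    return event


def match(**criteria):
    """Leaf rule: true for an event whose fields all equal the given values."""
    return lambda e: all(e.get(k) == v for k, v in criteria.items())


def AND(*children):
    return ("AND", children)


def OR(*children):
    return ("OR", children)


def evaluate(rule, events: List[Dict[str, str]]) -> bool:
    """A leaf is satisfied by any one event in the window; AND/OR combine child results."""
    if callable(rule):
        return any(rule(e) for e in events)
    op, children = rule
    results = [evaluate(c, events) for c in children]
    return all(results) if op == "AND" else any(results)


def _seconds(event: Dict[str, str]) -> int:
    return int(event["rt"]) // 1000  # CEF 'rt' is epoch milliseconds


def correlate(events, rule, key: str = "src", window: int = 300) -> List[Tuple[str, int]]:
    """Group by `key`, walk each group in time order, and fire once per key the first time the
    events inside `window` seconds before the current one satisfy the rule."""
    by_key = defaultdict(list)
    for e in sorted(events, key=_seconds):
        by_key[e[key]].append(e)
    hits = []
    for k, group in by_key.items():
        for i, e in enumerate(group):
            now = _seconds(e)
            in_window = [x for x in group[: i + 1] if now - _seconds(x) <= window]
            if evaluate(rule, in_window):
                hits.append((k, now))
                break
    return hits


# Constructed sample: fictitious vendors, hosts, signature IDs and times (t0 = 1500000000 s).
SAMPLE_CEF = [
    "CEF:0|Example|NIDS|3.1|1001|DNS query to suspicious domain (A\\|AAAA)|5|"
    "rt=1500000000000 src=10.0.0.5 dst=198.51.100.7 dpt=53 msg=GTI category\\=Malicious",
    "CEF:0|Example|Proxy|1.0|2002|Outbound connection denied|4|rt=1500000060000 src=10.0.0.9 dst=203.0.113.8 dpt=443",
    "CEF:0|Example|Proxy|1.0|2002|Outbound connection denied|4|rt=1500000120000 src=10.0.0.5 dst=203.0.113.8 dpt=443",
    "CEF:0|Example|Firewall|2.0|3003|Egress drop|3|rt=1500000180000 src=10.0.0.5 dst=203.0.113.8 dpt=443",
    "CEF:0|Example|Proxy|1.0|2002|Outbound connection denied|4|rt=1500000900000 src=10.0.0.9 dst=203.0.113.8 dpt=443",
    "CEF:0|Example|NIDS|3.1|1001|DNS query to suspicious domain (A\\|AAAA)|5|rt=1500002000000 src=10.0.0.9 dst=198.51.100.7 dpt=53",
]

# Fire when a host triggers the NIDS signature AND, within the window, is also denied egress
# by EITHER the proxy OR the firewall.
BEACON_RULE = AND(
    match(product="NIDS", signature_id="1001"),
    OR(match(product="Proxy", signature_id="2002"),
       match(product="Firewall", signature_id="3003")),
)


def run_sample() -> List[Tuple[str, int]]:
    return correlate([parse_cef(line) for line in SAMPLE_CEF], BEACON_RULE)


if __name__ == "__main__":
    print(run_sample())
```

Only 10.0.0.5 fires: its NIDS alert and proxy denial fall within 300 seconds of each other. Host 10.0.0.9 has both event types, but they are 1100 seconds apart, so the AND is never satisfied inside one window; that gap is exactly what a rule's time window is for, and it is why window size deserves as much thought as the Boolean structure when tuning a correlation rule.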