HP0-M54 - ArcSight ESM Security Analyst
What is the "focus" of a Focus report?
a subset of a larger (e.g., monthly or quarterly) report
Which statement is true about join rules and chained rules?
Chained rules may or may not be join rules that also use Active Lists or rely on Correlation events generated by other rules.
Which functions are on the right-click menu for an event? (Select two.)
Show Event Details
What do field sets correspond to?
columns in an Active Channel Grid view
Which statements are true about assets? (Select two.)
Assets can include bridges, routers, web servers, or anything with an IP or MAC address.
An asset is any endpoint considered significant enough to characterize with details to help with correlation and reporting.
In network modeling, which resource is used by MSSP or by users with different cost centers?
Report run start time, output format for report results, email distribution for report results, and report filters are all examples of what?
Which ArcSight ESM Resource enables you to perform live monitoring of events?
What happens if a notification requiring a response within 24 hours is not acknowledged within that time?
The notification is escalated to the next level of notification.
What do you use to establish identity, ownership, and criticality of the assets you have installed on your network?
What is the name of the resource you can use to override the default ArcSight mapping of IP addresses to geographic regions?
What are functions of Query Viewers? (Select two.)
provide a baseline analysis of events against which future queries can be compared
provide a quick way to run SQL queries and identify trends without running reports
Which statement is true about inline filters?
An inline filter applies only to its current Active Channel.
What can you use to change the stage of a Case?
Which output formats are available when running a report? (Select two.)
At most, a zone can belong to how many networks?
What must be done to a local Variable before it can be used with multiple resources?
It must be promoted to a Global Variable.
What stores information about logons, user actions, and the resulting events in the most concise way?
In network modeling, what is a set of nodes with similar characteristics that have IPs enumerated one after the other?
What is an example of an event-based Data Monitor?
last n events
What are the three types of Data Monitors?
event-based, correlation, and non-event based
Asset categories can be assigned to zones as well as assets. What happens to the assets that belong to a zone with a category of "Critical"?
Nothing happens. Assets in the zone maintain their own individual category identities.
Event correlation, event reconciliation, moving average, session reconciliation, and statistics are all examples of which type of Data Monitors?
What represents the current status in the investigation of a Case?
What does the Priority Formula calculation run on?
the Manager only
How are baselines established and used in Query Viewers?
Baselines are created using query results. When a query has one or more baselines available, you can compare the current results with the baseline.
When using the Query Editor, three sub-tabs provide the options you need to properly set up the query. What information do these sub-tabs require?
which data fields to select; how the data should be ordered; how the data should be grouped
How do asset categorization and event categorization relate to each other?
Asset categorization is the fingerprint of an asset; event categorization is a set of criteria that describes an event.
Using SSL technology, information can be communicated over an encrypted channel. What is SSL?
Secure Sockets Layer
Which are operators in the ArcSight Common Conditions Editor (CCE)? (Select two.)
Which command is a valid investigate command?
Add [Attribute=Value] to Filter
Active Channel views and Dashboard views are examples of Viewer Panel views. Which other views are associated with the Viewer Panel? (Select two.)
Which role does the Active Channel play in testing a rule?
The rule can be replayed against historical events in the Active Channel.
Which process uncovers the relationship between events, infers the significance of those relationships, prioritizes them, and then provides a framework for taking action?
What can ArcSight ESM Dashboards display?
multiple Data Monitors
Which tools are used to view events in ArcSight ESM? (Select two.)
Which resource defines what a report will look like when generated?
What is the primary function of the ArcSight Manager?
It writes incoming events to the database while simultaneously processing events through the Correlation engine.
Which statement is true about a join rule?
It recognizes patterns that involve more than one type of event.
What are valid actions for a rule to take? (Select two.)
Which statement is true about the ArcSight Web interface?
Data Monitors cannot be added to a Dashboard in the ArcSight Web interface.
Why would you lock a Case?
to prevent others from modifying the Case while you edit or attach something to the Case
Which statement is true about how filters are applied by the Connector or by the Manager?
Events that match the Connector filter are excluded and not forwarded further; events that match the Manager filter are selected for further analysis.
Which statements are true about event lifecycle data collection and the event processing phase? (Select two.)
Each line of incoming log data is processed as a separate event.
Values are normalized and entered into the ArcSight Event Schema.
Which resources can be displayed in the ArcSight Web interface? (Select two.)
Reports and Dashboards
Cases, Notifications, and Active Channels
Which string function is used to join two data fields?
What does a Network Model include? (Select two.)
Which type of event is displayed in an Active Channel with the following Inline Filter applied? Category Behavior = /Authentication/Verify; Category Outcome = /Failure
Login Failure events
You want your Active Channel to automatically display new events as they arrive at ESM. Which time parameter should you use to accomplish this?
Which ESM components collect event data?