ArcSight Question Answers


Hello friends in this post we are going to discuss about ArcSight MCQ with answers | ArcSight Multiple choice questions | ArcSight Objective type questions | ArcSight Wipro Question Answers | ArcSight TrendNXT Myskillz


If you are looking for more Dumps for MYSKILLZ Visit Here

SL.NOQuestionsChoice AChoice BChoice CChoice D
1What is an IP address? It is the address embedded in the network adapter.Ans)It is a logical address to identify a node in the network It is an address assigned by the antivirus software. 
2UDP is a connection oriented protocol. TrueAns)FALSE  
3What are all the types of logs available in Windows operating system?Ans)System Log, Application Log, Security Log OS Log, Connection Log, Error Log System Log, User Log, Application Log Type A log, Type B Log, Type C log
4The command to identify the IP address of the Windows system,fconfigAns)ipconfig address –ipipaddress
5The term, “Vulnerability” refers to,An attempt to gain unauthorized access to system services, resources, or information Simply listening to a private conversation which may reveal information which can provide access to a facility or network.A threat action whereby sensitive data is directly released to an unauthorized entityAns)Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source.
6Telnetused to send email uses telephone lines is part of Netscapeans)is a protocol that allows for remote login
7what is SIEM Security Index and Event Management Tool Log Analysis ToolAns)Log Management and Event Management Tool Security incident and Error Management Tool
8which one is not a part of ArcSight architecture Flex Connector Oracle DBAns)MySQL ArcSight Web
9Which one is not a ArcSight Resource PartitionsAns)Annotations Notifications Lists
10ArcSight Console is ? Thin Client Windows ServiceSoftwareAns)Thick Client
11which one is not a user group in ArcSight Admin  SystemAns)Analyst Sys
12A firewall isused to protect a computer room from fires and floods a form of virus a screen saver programAns)none of the above
13Oracle DB is optional in ArcSight Setup.TRUEAns)FALSE  
14A Kb corresponds to1024 bits1000 bytesAns)2^10 bytes 2^10 bits
15, what is the default port used when connecting to the ArcSight Web interface?Ans)TCP 9443UDP 9443 TCP 8443UDP 8443
16At most, a zone can belong to how many networks? 0 (Zones do not belong to networks, zones contain networks.)Ans)12 as many as needed based on the Network Model
17What is Zero day attack? Attacks happening on Jan 1st of every year. First attack detected within an organizationAn attack that exploits a previously unknown vulnerability in a computer applicationAns)An attempt to make a machine or network resource unavailable to its intended users
18, How does the port scan works?By analysing all logs generated by firewallAns)By sending framed IP packets and analysing the replyBy generating abnormal traffic targeted against particular network and consuming all available bandwidth 
19The ArcSight component that performs Normalization isArcSight WebAns)SmartConnectorConsole ArcSight DB
20which are operators in the ArcSight Common Conditions Editor (CCE)? (Select two.) ELSEAns)ANDAns)OR IF
21Which functions are on the right-click menu for an event? (Select two.) Correlate EventsAns)Show Event DetailsAns)Annotate Events Prioritize Events
22Which string function is used to join two data fields?AddAns)Concatenate Join Find
23TTL meansTotal Time LagTime Threshold LagAns)Time To Live Total Time Left
24What can ArcSight ESM Dashboards display?Ans)multiple Data Monitors multiple Casesmultiple Stages multiple Reports
25Using SSL technology, information can be communicated over an encrypted channel. What is SSL? Ans)Secure Sockets LayerSecurity Standards Layer Smart Stealth Layer Standard Security Layer
26Which are clients of the ArcSight Manager? (Select two.)ArcSight Correlation EngineAns)Arcsight webAns)ArcSight Smart ConnectorsArcSight Database
27What is the default port used by the ArcSight ESM Console to connect to the ArcSight Manager?Ans)TCP 8443UDP 8443TCP 9443UDP 9443
28What is the default port used to connect the ArcSight Manager to the ArcSight ESM Database (Oracle)?4431443Ans)15218443
29ArcSight Smart Connectors send event data directly to what?Ans)ArcSight Manager ArcSight ConsoleArcSight Web Server ArcSight Database
30what are typical jobs of L1 analyst in ArcSight ? (write 3 interfaces , they need to watch/use every day).    
31Which are operators in the ArcSight Common Conditions Editor (CCE)?   ELSEans)ANDNOTIF
32What stores information about logons, user actions, and the resulting events in the most concise way?Event annotationsans)Session ListsActive ListsCases
33Which statements are true about Session Lists?   They must have a key file and a valueThey can share entries with other Session Lists.They can be used to populate Active Lists.ans)They always have Start Time, End Time, and Creation Time fields.
34Report run start time, output format for report results, email distribution for report results, and report filters are all examples of what?ans)report parametersreport formatsreport data sourcesreport attributes
35When using the Query Editor, three sub-tabs provide the options you need to properly set up the query. What information do these sub-tabs require?when the query should be run; which format the query output should take; how many data elements should be includedwhen the query should be run; what the query should be called; how long the data should be archivedwhich data fields to select; how the data should be displayed; how long the data should be archivedans)which data fields to select; how the data should be ordered; how the data should be grouped
36What is the “focus” of a Focus report?the differences between two similar reportsans)a subset of a larger (e.g., monthly or quarterly) reportevents that have been missedhigh priority Correlation events only
37What do field sets correspond to?Variables in a rule configurationcomponents in a Network Modelattributes in a Query Viewerans)columns in an Active Channel Grid view
38How are baselines established and used in Query Viewers?Baselines are created using rules. After the rule is triggered, the resulting action establishes a baseline against which future rules are evaluated in the Query Viewer.Baselines are created using query results. The baseline from the query is used to create a new field set definition that can be run against future events.Baselines are created using query results. When a query has one or more baselines available, you can compare the current results with the baseline.ans)Baselines are created using query results and fed into the Image Editor for the related Data Monitor.
39At most, a zone can belong to how many networks?012as many as needed based on the Network Model
40In network modeling, what are SmartConnectors bound to?   AssetsAssets RangesZoneans)Customer
41Which role does the Active Channel play in testing a rule?The rule can be replayed and verified against real-time events in the Active Channel.ans)The rule can be replayed against historical events in the Active Channel.The rule cannot be tested with the Active Channel because it will create additional invalid Correlation events.ans)None
42What must be done to a local Variable before it can be used with multiple resources?It must be renamed.It must be copied.It must be moved it to a new resource.ans)It must be promoted to a Global Variable.
43Which resource defines what a report will look like when generated?layoutqueryans)Template & reportNone
44Which resources can be displayed in the ArcSight Web interface?   Stages, AnnotationQueries and Partitionsans)Cases, Notifications, and Active ChannelsKnowledge Base articles and Templates
45Which functions are on the right-click menu for an event?   Correlate Eventsans)Show Event DetailsKnowledge BasePrioritize Events
46Active Channel views and Dashboard views are examples of Viewer Panel views. Which other views are associated with the Viewer Panel?   Asset viewsans)Resource views & Results viewsCombined viewsSimple views
47What are functions of Query Viewers?   present detailed comparisons of report elements, not possible with the reporting toolans)provide a baseline analysis of events against which future queries can be compared provide a quick way to run SQL queries and identify trends without running reportsdetermine which devices are off-line at any given point in time by querying their statusdisplay the Boolean logic behind filters and rules
48What happens if a notification requiring a response within 24 hours is not acknowledged within that time?ans)The notification is escalated to the next level of notification.The notification is added to the Session List.An error message appears on the ArcSight Console.The condition generating the notification is escalated to a higher priority.
49Why would you lock a Case?to close and archive a Caseans)to prevent others from modifying the Case while you edit or attach something to the Caseto prevent the Case from being seen in the Resource Listto preserve the state of the Case
50What represents the current status in the investigation of a Case?Notificationsans)stagesCaseAnnotation
51There are 17 event field groups defined in the ArcSight Event SchemIn which group would you look for data fields describing an event’s importance as assessed by ArcSight ESM?CategoryAttackerans)ThreatEvent
52Which Event Schema group contains data fields, which describe the connector reporting an event?Eventans)Device & AgentSourceNone
53Which output formats are available when running a report?   XMLans)HTMLMP4JPEG
54What does a Network Model include?   ans)assetsdestinationsNetworkfile resources
55Which statement is true about inline filters?ans)An inline filter applies only to its current Active Channel.An inline filter applies only as long as the Active Channel is open, and cannot be saved.An inline filter cannot use AND or OR conditions.An inline filter is created using Boolean logic in the Inspect/Edit panel.
56Which tools are used to view events in ArcSight ESM?   Knowledge Base articleans)Active ChannelKnowledge BaseAnnotations
57What is a good way for an operator or analyst to quickly determine which events must be addressed first?ans)check the priority rating in a Dashboard or Active Channelrun a report of High Priority Threatsask more senior analysts or architectsview the Event Grid and Correlation categories
58What can ArcSight ESM Dashboards display?ans)multiple Data Monitorsmultiple Casesmultiple Stagesmultiple Reports
59How do asset categorization and event categorization relate to each other?Asset categorization and event categorization are the same.Asset categorization and event categorization use the same field set to apply categories to assets and events.Asset categorization requires custom FlexConnectors; event categorization uses standard SmartConnectors.ans)Asset categorization is the fingerprint of an asset; event categorization is a set of criteria that describes an event.
60Which process uncovers the relationship between events, infers the significance of those relationships, prioritizes them, and then provides a framework for taking action?Categorizationaggregationans)CorrelationFilteration
61What is a criteria factor within the ArcSight Priority Formula?AssuranceAsset PrioritySeriousnessans)Model confidence
62What does the Priority Formula calculation run on?Flex connectorSmart connector onlyans)Manager onlyBoth manager and smart connector
63Which statements are true about event lifecycle data collection and the event processing phase?   Model confidence is determined, based on details provided by the event source.ans)Each line of incoming log data is processed as a separate eventEvent severity is determined, based on an Active List of recent severity factors.ans)Values are normalized and entered into the ArcSight Event Schema.
64Using SSL technology, information can be communicated over an encrypted channel. What is SSL?Standard Security LayerSmart Stealth Layerans)Secure Sockets LayerSecurity Standards Layer
65You want your Active Channel to automatically display new events as they arrive at ESM. Which time parameter should you use to accomplish this?Evaluate Once at Attach TimeEvaluate $NOW-1hans)Continuously EvaluateEvaluate Continuously from Attach Time
66Which ArcSight ESM Resource enables you to perform live monitoring of events?Casesans)Active ChannelsKnowledge BaseStages
67What is a function of the Variable GetSessionData?ans)retrieves data fields from a Session Listsends session details to the ArcSight Managerans)populates a Session Listinvestigates session details in the audit log
68Which string function is used to join two data fields?SubstringFindans)Concatenatecorrelate
69What is the primary function of the ArcSight Manager?It accepts correlated, prioritized events from SmartConnectors with instructions from the ArcSight Console, and writes events to the database.It manages bottlenecks between the connectors, the ArcSight Console, and the ESM Database.It restores the rule definitions that drive the functioning of ArcSight ESM.ans)It writes incoming events to the database while simultaneously processing events through the Correlation engine.
70Which ESM components collect event data?NodeResourceans)SmartconnectorWhich ESM components collect event data?
71Which statement is true about a join rule?ans)It recognizes patterns that involve more than one type of event.It is triggered by events that match a single set of conditions.It rejects partial matches but can be set for aggregationIt matches the output of more than one simple rule to an Active List.
72Which statement is true about join rules and chained rules?JOINrules use Session Lists; chained rules use Active Lists.ans)Chained rules may or may not be join rules that also use Active Lists or rely on Correlation events generated by other rulesJoin rules link simple rules together; chained rules link join rules.Chained rules result in detailed chains; join rules result in simple chains.
73Which statement is true about the ArcSight Web interface?ans)Data Monitors cannot be added to a Dashboard in the ArcSight Web interface.Reports cannot be formatted in the ArcSight Web interface.Inline filters cannot be used in the ArcSight Web interface.Cases cannot be modified in the ArcSight Web interface.
74When specifying the attributes of a new Active List, you can set TTL days, hours, and minutes. What is TTL?Time Threshold LagTotal Time LagTotal Time LEFTans)TimeTo live
75What can you use to change the stage of a Case?Event annotationsans)Case EditorCommon Conditions EditorQuery Viewer
76Which type of event is displayed in an Active Channel with the following Inline Filter applied? Category Behavior = /Authentication/Verify Category Outcome = /FailureLogout eventsLogin Success eventsAccount Locked eventsans)Logon failure event
77What are valid actions for a rule to take?   ans)send notificationSend a Reportgenerate reportadd to filter
78Event correlation, event reconciliation, moving average, session reconciliation, and statistics are all examples of which type of Data Monitors?Event basedNon-Event Basedans)Correlationsystem status
79What are the three types of Data Monitors?event type, matching conditions, and non-eventevent type, correlation, and aggregation matchingevent-based, event graph, and non-event basedans)event-based, correlation, and non-event based
80What is an example of an event-based Data Monitor?moving averagerules partial matchans)Last N countsession reconciliation
81Click the Exhibit button. Which type of diagram is shown in the exhibit?a geographic hierarchy mapans)an event graphan image viewer mapa query topology
82Asset categories can be assigned to zones as well as assets. What happens to the assets that belong to a zone with a category of “Critical”?All assets in the zone inherit the zone’s category.Assets with a category that matches the zone category are grouped into a “Critical” asset group.ans)Nothing happens. Assets in the zone maintain their own individual category identities.Assets in the zone inherit the zone’s category and are grouped into a “Critical” asset group.
83What is the name of the resource you can use to override the default ArcSight mapping of IP addresses to geographic regions?zonesans)LocationscategoriesDestination
84In network modeling, which resource is used by MSSP or by users with different cost centers?networkszoneans)CustomerAsset Group
85In network modeling, what is a set of nodes with similar characteristics that have IPs enumerated one after the other?ans)Asset RangeAsset IPIP rangeAsset group
86What do you use to establish identity, ownership, and criticality of the assets you have installed on your network?asset typesasset groupsans)asset categoriesasset ranges
87Which statements are true about assets?   Assets can be grouped in folders called asset ranges.Assets require a MAC address to be categorized properly.ans)Assets can include bridges, routers, web servers, or anything with an IP or MAC address.An asset is a Building
88Which user role is responsible for building content within ESM?ans)AuthorAnalystoperatorAdmin
89With regard to SmartConnectors, what is roll back?collecting cached data after a communication failureuninstallation of a package in the event of failureans)a way to revert to the previous version of a Connector when a Connector upgrade failsa way to gather data that has moved beyond the archive window
90What must be done first to restore the database from an online backup?run the Oracle restore wizardans) ensure that the archived redo logs are located in the archive log destinationbring the affected tablespaces onlinereinstall the Oracle installation
91Where is the trust store located by default?the preferred source for obtaining signed certificatesans) a list of trusted Certificate Authoritiesthe location of a system’s private keysthe set of backup files containing SSL information
92Which key pair types are valid selections when using the Manager Setup Wizard to create an SSL key pair? (Select two.)non-expiring SSL key pairans)self-signed key pairans) demo key pairrandom generator key pair
93During Connector install, which statement is true about the ArcSight Manager’s host name or IP address?ans) It must match the host name or IP address in the ArcSight Manager’s SSL certificate.The host name or IP address is used as an encryption key.It can be any legitimate host name or IP address.It must contain a combination of alpha-numeric characters.
94Which file types MUST be included in an Oracle backup? (Select two.)table filesans)data filesprogram filesans) configuration files
95How can you restore a new ArcSight Web installation to a previous configuration?ans) copy the old ArcSight Web installation’s config directory and cacerts file into the new installationcopy the ArcSight Manager’s config directory into the new installationmanually reconfigure the new installationconnect to the Manager and download the saved configuration
96Package bundles are exported with which file extension?.xml file.exe file.msc fileans) .arb file
97Which command is used to modify retention periods?Arcsight archive installArcsight database createArcsight retention createans)Arcsight database pc
98When configuring the ArcSight Database, what is the result of setting the offline archive period (Days) to Zero?Partition Archiving is enableans)Partition Archiving is disableOnline retention is enableOnline reserved period is enabled.
99Which command should you use to configure notification acknowledgements after the initial configuration of ArcSight ESM?ans)arcsight managersetuparcsight notifysetuparcsight notifyconfigarcsight setupnotify
100Which command is used to add a secondary destination to a Connector’s configuration?arcsight destinations -nans)arcsight connectorsetup -warcsight connectionwizardarcsight connector -d
101Which actions might the whine daemon initiate? (Select two.)ans)sending a message to the admin consolessending SNMP traps to a monitoring stationsending syslog messages to a syslog serverans)writing an event to the server.log file
102Which command is used to check the status of the TNS Listener?ans)lsnrctl statuslistener statustnsstatoralistener status
103Which ArcSight Manager directory should be backed up in order to preserve the server.properties file?user directoryans)config directoryproperties directoryjre directory
104What happens when a Connector upgrade that was initiated from within the ArcSight Console fails?ans)The Connector automatically rolls back to the previously working version.The Connector does not respond to the failed upgrade.The Connector reports to the Manager that the upgrade failed and then dieThe Connector automatically attempts the upgrade again.
105What happens when smartconnector is rolled back?collecting cached data after a communication failureuninstallation of a package in the event of failureans)a way to revert to the previous version of a Connector when a Connector upgrade failsa way to gather data that has moved beyond the archive window
106Which statement is true about starting and stopping ArcSight SmartConnector services?ans)They are started and stopped independently of the other ArcSight component services.The order in which they are started and stopped is based on event flow.How they are started and stopped depends on whether or not the ArcSight Manager is running.They are started and stopped in conjunction with the Oracle database services.
107During Connector install, which statement is true about the ArcSight Manager’s host name or IP address?ans)It must match the host name or IP address in the ArcSight Manager’s SSL certificate.The host name or IP address is used as an encryption key.It can be any legitimate host name or IP address.It must contain a combination of alpha-numeric characters.
108There are three types of ArcSight SmartConnectors. Which type is used primarily to execute commands on a device to retrieve, modify, or analyze its configuration?Event ConnectorsScanner Connectorsans)CounterACT ConnectorsSNMP Connectors
109When you need to map a subnet, what do you do in network modelling ?ans)zonenetworkAsset RangeNetwork Range
110How do you recognize a offline partition?a partition that resides within the databaseans)a partition that exceeds the online retention threshold and is therefore archiveda partition reserved for a future datedata that is no longer needed by ESM
111How are retention areas configured?Retention policies cannot be changed once they are set.ans)Retention areas can be configured using the Partition Management WizarIf the size of a retention area is reduced, the data outside of the retention area is automatically backed up.ans)Archived partitions outside the offline archive period become invalid.
112When configuring the ArcSight Database, what is the result of setting the offline archive period (Days) to Zero?Partition Archiving is enableans)Partition Archiving is disableOnline retention is enableOnline reserved period is enabled.
113How do you find out the reserve period?the amount of time to allow before compressing event data for storageans)the number of future partitions to be maintainedthe amount of time to wait before determining that a device is not operatingthe maximum length of time archived partitions will be stored
114When can the online partition compression task fail? (Select two.)when the partition being compressed is too oldans)when events are inserted into the partition that is being compressedans)when the compression task takes more than two hours to completewhen the partition compressor does not have the necessary file permissions
115You are unable to see events from a specific device in the Console. The Active Channel filters are not the cause. Which component should you examine next in order to troubleshoot this issue?Databaseans)SmartConnectorConsoleDevice
116What are the elements that are used to process a batch?ans)Batches can be sent when they reach a certain size.Batches can be sent on commanans)Batches can be sent in priority order by severity.Batches can be sent by Connector type.
117Preserve Raw Events, Turbo Mode, and Limit Event Processing Rate are all examples of which type of Connector options?ans)Processing optionsAggregation optionsFilter conditionsPreservation options
118How do you compile a bundle?a set of resources that makes up a packagea data transmission containing SSL informationa set of raw log events before they are parsedans)a container for one or more packages
119Which method is used to back up an Oracle database without shutting down the database?sequential backupstandalone backupans)online backupoffline backup
120What is the default port used when connecting to the ArcSight Web interface?ans)TCP 9443UDP 9443TCP 8443UDP 8443
121What is the default port used by the ArcSight ESM Console to connect to the ArcSight Manager?ans)TCP 8443UDP 8443TCP 9443UDP 9443
122What is the default port used to connect the ArcSight Manager to the ArcSight ESM Database (Oracle)?4431443ans)15218443
123The ArcSight Web release version must be the same version as what?ans)ArcSight ManagerArcSight DatabaseArcSight SmartConnectorsArcSight Console
124What must you do prior to applying a patch to the ArcSight Manager?ans)Stop the ArcSight Manager serviceshut down all ArcSight SmartConnectorsdelete all files in the tmp directorydisconnect the network cable
125Which command is used to check the status of the TNS Listener?ans)lsnrctl statuslistener statustnsstatoralistener status
126Which tablespace is used by ArcSight to store resources?ARC_EVENT_DATAARC_SYSTEM_INDEXans)ARC_SYSTEM_DATAARC_EVENT_INDEX


Leave a Reply

Your email address will not be published. Required fields are marked *