This post collects ArcSight multiple choice (objective type) questions with answers, as used in the Wipro TrendNXT MySkillz assessment. The correct choice in each row is marked with "Ans)".
| SL.NO | Question | Choice A | Choice B | Choice C | Choice D |
|---|---|---|---|---|---|
| 1 | What is an IP address? | It is the address embedded in the network adapter. | Ans)It is a logical address to identify a node in the network. | It is an address assigned by the antivirus software. | |
| 2 | UDP is a connection-oriented protocol. | True | Ans)False | | |
| 3 | What are the types of logs available in the Windows operating system? | Ans)System Log, Application Log, Security Log | OS Log, Connection Log, Error Log | System Log, User Log, Application Log | Type A Log, Type B Log, Type C Log |
| 4 | Which command identifies the IP address of a Windows system? | fconfig | Ans)ipconfig | address –ip | ipaddress |
| 5 | The term "Vulnerability" refers to: | An attempt to gain unauthorized access to system services, resources, or information | Simply listening to a private conversation, which may reveal information that can provide access to a facility or network | A threat action whereby sensitive data is directly released to an unauthorized entity | Ans)A weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source |
| 6 | Telnet | is used to send email | uses telephone lines | is part of Netscape | Ans)is a protocol that allows for remote login |
| 7 | What is SIEM? | Security Index and Event Management Tool | Log Analysis Tool | Ans)Log Management and Event Management Tool | Security Incident and Error Management Tool |
| 8 | Which one is not a part of the ArcSight architecture? | FlexConnector | Oracle DB | Ans)MySQL | ArcSight Web |
| 9 | Which one is not an ArcSight Resource? | Partitions | Ans)Annotations | Notifications | Lists |
| 10 | The ArcSight Console is a: | Thin Client | Windows Service | Software | Ans)Thick Client |
| 11 | Which one is not a user group in ArcSight? | Admin | System | Ans)Analyst | Sys |
| 12 | A firewall is | used to protect a computer room from fires and floods | a form of virus | a screen saver program | Ans)none of the above |
| 13 | Oracle DB is optional in an ArcSight setup. | True | Ans)False | | |
| 14 | A Kb corresponds to | 1024 bits | 1000 bytes | Ans)2^10 bytes | 2^10 bits |
| 15 | What is the default port used when connecting to the ArcSight Web interface? | Ans)TCP 9443 | UDP 9443 | TCP 8443 | UDP 8443 |
| 16 | At most, a zone can belong to how many networks? | 0 (Zones do not belong to networks; zones contain networks.) | Ans)1 | 2 | As many as needed, based on the Network Model |
| 17 | What is a Zero-day attack? | Attacks happening on Jan 1st of every year | The first attack detected within an organization | An attack that exploits a previously unknown vulnerability in a computer application | Ans)An attempt to make a machine or network resource unavailable to its intended users |
| 18 | How does a port scan work? | By analysing all logs generated by the firewall | Ans)By sending framed IP packets and analysing the reply | By generating abnormal traffic targeted against a particular network and consuming all available bandwidth | |
| 19 | Which ArcSight component performs normalization? | ArcSight Web | Ans)SmartConnector | Console | ArcSight DB |
| 20 | Which are operators in the ArcSight Common Conditions Editor (CCE)? (Select two.) | ELSE | Ans)AND | Ans)OR | IF |
| 21 | Which functions are on the right-click menu for an event? (Select two.) | Correlate Events | Ans)Show Event Details | Ans)Annotate Events | Prioritize Events |
| 22 | Which string function is used to join two data fields? | Add | Ans)Concatenate | Join | Find |
| 23 | TTL means | Total Time Lag | Time Threshold Lag | Ans)Time To Live | Total Time Left |
| 24 | What can ArcSight ESM Dashboards display? | Ans)multiple Data Monitors | multiple Cases | multiple Stages | multiple Reports |
| 25 | Using SSL technology, information can be communicated over an encrypted channel. What is SSL? | Ans)Secure Sockets Layer | Security Standards Layer | Smart Stealth Layer | Standard Security Layer |
| 26 | Which are clients of the ArcSight Manager? (Select two.) | ArcSight Correlation Engine | Ans)ArcSight Web | Ans)ArcSight SmartConnectors | ArcSight Database |
| 27 | What is the default port used by the ArcSight ESM Console to connect to the ArcSight Manager? | Ans)TCP 8443 | UDP 8443 | TCP 9443 | UDP 9443 |
| 28 | What is the default port used to connect the ArcSight Manager to the ArcSight ESM Database (Oracle)? | 443 | 1443 | Ans)1521 | 8443 |
| 29 | ArcSight SmartConnectors send event data directly to what? | Ans)ArcSight Manager | ArcSight Console | ArcSight Web Server | ArcSight Database |
| 30 | What are the typical jobs of an L1 analyst in ArcSight? (Write three interfaces they need to watch or use every day.) | | | | |
| 31 | Which are operators in the ArcSight Common Conditions Editor (CCE)? | ELSE | Ans)AND | NOT | IF |
| 32 | What stores information about logons, user actions, and the resulting events in the most concise way? | Event annotations | Ans)Session Lists | Active Lists | Cases |
| 33 | Which statements are true about Session Lists? | They must have a key file and a value. | They can share entries with other Session Lists. | They can be used to populate Active Lists. | Ans)They always have Start Time, End Time, and Creation Time fields. |
| 34 | Report run start time, output format for report results, email distribution for report results, and report filters are all examples of what? | Ans)report parameters | report formats | report data sources | report attributes |
| 35 | When using the Query Editor, three sub-tabs provide the options you need to properly set up the query. What information do these sub-tabs require? | when the query should be run; which format the query output should take; how many data elements should be included | when the query should be run; what the query should be called; how long the data should be archived | which data fields to select; how the data should be displayed; how long the data should be archived | Ans)which data fields to select; how the data should be ordered; how the data should be grouped |
| 36 | What is the "focus" of a Focus report? | the differences between two similar reports | Ans)a subset of a larger (e.g., monthly or quarterly) report | events that have been missed | high-priority Correlation events only |
| 37 | What do field sets correspond to? | variables in a rule configuration | components in a Network Model | attributes in a Query Viewer | Ans)columns in an Active Channel grid view |
| 38 | How are baselines established and used in Query Viewers? | Baselines are created using rules. After the rule is triggered, the resulting action establishes a baseline against which future rules are evaluated in the Query Viewer. | Baselines are created using query results. The baseline from the query is used to create a new field set definition that can be run against future events. | Baselines are created using query results. When a query has one or more baselines available, you can compare the current results with the baseline. | Ans)Baselines are created using query results and fed into the Image Editor for the related Data Monitor. |
| 39 | At most, a zone can belong to how many networks? | 0 | 1 | 2 | as many as needed, based on the Network Model |
| 40 | In network modeling, what are SmartConnectors bound to? | Assets | Asset Ranges | Zone | Ans)Customer |
| 41 | Which role does the Active Channel play in testing a rule? | The rule can be replayed and verified against real-time events in the Active Channel. | Ans)The rule can be replayed against historical events in the Active Channel. | The rule cannot be tested with the Active Channel because it will create additional invalid Correlation events. | Ans)None |
| 42 | What must be done to a local Variable before it can be used with multiple resources? | It must be renamed. | It must be copied. | It must be moved to a new resource. | Ans)It must be promoted to a Global Variable. |
| 43 | Which resource defines what a report will look like when generated? | layout | query | Ans)Template & report | None |
| 44 | Which resources can be displayed in the ArcSight Web interface? | Stages, Annotations | Queries and Partitions | Ans)Cases, Notifications, and Active Channels | Knowledge Base articles and Templates |
| 45 | Which functions are on the right-click menu for an event? | Correlate Events | Ans)Show Event Details | Knowledge Base | Prioritize Events |
| 46 | Active Channel views and Dashboard views are examples of Viewer Panel views. Which other views are associated with the Viewer Panel? | Asset views | Ans)Resource views & Results views | Combined views | Simple views |
| 47 | What are functions of Query Viewers? | present detailed comparisons of report elements, not possible with the reporting tool | Ans)provide a baseline analysis of events against which future queries can be compared; provide a quick way to run SQL queries and identify trends without running reports | determine which devices are off-line at any given point in time by querying their status | display the Boolean logic behind filters and rules |
| 48 | What happens if a notification requiring a response within 24 hours is not acknowledged within that time? | Ans)The notification is escalated to the next level of notification. | The notification is added to the Session List. | An error message appears on the ArcSight Console. | The condition generating the notification is escalated to a higher priority. |
| 49 | Why would you lock a Case? | to close and archive a Case | Ans)to prevent others from modifying the Case while you edit or attach something to it | to prevent the Case from being seen in the Resource List | to preserve the state of the Case |
| 50 | What represents the current status in the investigation of a Case? | Notifications | Ans)Stages | Case | Annotation |
| 51 | There are 17 event field groups defined in the ArcSight Event Schema. In which group would you look for data fields describing an event's importance as assessed by ArcSight ESM? | Category | Attacker | Ans)Threat | Event |
| 52 | Which Event Schema group contains data fields that describe the connector reporting an event? | Event | Ans)Device & Agent | Source | None |
| 53 | Which output formats are available when running a report? | XML | Ans)HTML | MP4 | JPEG |
| 54 | What does a Network Model include? | Ans)assets | destinations | Network | file resources |
| 55 | Which statement is true about inline filters? | Ans)An inline filter applies only to its current Active Channel. | An inline filter applies only as long as the Active Channel is open, and cannot be saved. | An inline filter cannot use AND or OR conditions. | An inline filter is created using Boolean logic in the Inspect/Edit panel. |
| 56 | Which tools are used to view events in ArcSight ESM? | Knowledge Base article | Ans)Active Channel | Knowledge Base | Annotations |
| 57 | What is a good way for an operator or analyst to quickly determine which events must be addressed first? | Ans)check the priority rating in a Dashboard or Active Channel | run a report of High Priority Threats | ask more senior analysts or architects | view the Event Grid and Correlation categories |
| 58 | What can ArcSight ESM Dashboards display? | Ans)multiple Data Monitors | multiple Cases | multiple Stages | multiple Reports |
| 59 | How do asset categorization and event categorization relate to each other? | Asset categorization and event categorization are the same. | Asset categorization and event categorization use the same field set to apply categories to assets and events. | Asset categorization requires custom FlexConnectors; event categorization uses standard SmartConnectors. | Ans)Asset categorization is the fingerprint of an asset; event categorization is a set of criteria that describes an event. |
| 60 | Which process uncovers the relationship between events, infers the significance of those relationships, prioritizes them, and then provides a framework for taking action? | Categorization | Aggregation | Ans)Correlation | Filtration |
| 61 | What is a criteria factor within the ArcSight Priority Formula? | Assurance | Asset Priority | Seriousness | Ans)Model Confidence |
| 62 | What does the Priority Formula calculation run on? | FlexConnector | SmartConnector only | Ans)Manager only | Both Manager and SmartConnector |
| 63 | Which statements are true about event lifecycle data collection and the event processing phase? | Model confidence is determined, based on details provided by the event source. | Ans)Each line of incoming log data is processed as a separate event. | Event severity is determined, based on an Active List of recent severity factors. | Ans)Values are normalized and entered into the ArcSight Event Schema. |
| 64 | Using SSL technology, information can be communicated over an encrypted channel. What is SSL? | Standard Security Layer | Smart Stealth Layer | Ans)Secure Sockets Layer | Security Standards Layer |
| 65 | You want your Active Channel to automatically display new events as they arrive at ESM. Which time parameter should you use to accomplish this? | Evaluate Once at Attach Time | Evaluate $NOW-1h | Ans)Continuously Evaluate | Evaluate Continuously from Attach Time |
| 66 | Which ArcSight ESM Resource enables you to perform live monitoring of events? | Cases | Ans)Active Channels | Knowledge Base | Stages |
| 67 | What is a function of the Variable GetSessionData? | Ans)retrieves data fields from a Session List | sends session details to the ArcSight Manager | Ans)populates a Session List | investigates session details in the audit log |
| 68 | Which string function is used to join two data fields? | Substring | Find | Ans)Concatenate | Correlate |
| 69 | What is the primary function of the ArcSight Manager? | It accepts correlated, prioritized events from SmartConnectors with instructions from the ArcSight Console, and writes events to the database. | It manages bottlenecks between the connectors, the ArcSight Console, and the ESM Database. | It restores the rule definitions that drive the functioning of ArcSight ESM. | Ans)It writes incoming events to the database while simultaneously processing events through the Correlation engine. |
| 70 | Which ESM components collect event data? | Node | Resource | Ans)SmartConnector | |
| 71 | Which statement is true about a join rule? | Ans)It recognizes patterns that involve more than one type of event. | It is triggered by events that match a single set of conditions. | It rejects partial matches but can be set for aggregation. | It matches the output of more than one simple rule to an Active List. |
| 72 | Which statement is true about join rules and chained rules? | Join rules use Session Lists; chained rules use Active Lists. | Ans)Chained rules may or may not be join rules that also use Active Lists or rely on Correlation events generated by other rules. | Join rules link simple rules together; chained rules link join rules. | Chained rules result in detailed chains; join rules result in simple chains. |
| 73 | Which statement is true about the ArcSight Web interface? | Ans)Data Monitors cannot be added to a Dashboard in the ArcSight Web interface. | Reports cannot be formatted in the ArcSight Web interface. | Inline filters cannot be used in the ArcSight Web interface. | Cases cannot be modified in the ArcSight Web interface. |
| 74 | When specifying the attributes of a new Active List, you can set TTL days, hours, and minutes. What is TTL? | Time Threshold Lag | Total Time Lag | Total Time Left | Ans)Time To Live |
| 75 | What can you use to change the stage of a Case? | Event annotations | Ans)Case Editor | Common Conditions Editor | Query Viewer |
| 76 | Which type of event is displayed in an Active Channel with the following inline filter applied? Category Behavior = /Authentication/Verify; Category Outcome = /Failure | Logout events | Login Success events | Account Locked events | Ans)Logon Failure events |
| 77 | What are valid actions for a rule to take? | Ans)send notification | send a report | generate report | add to filter |
| 78 | Event correlation, event reconciliation, moving average, session reconciliation, and statistics are all examples of which type of Data Monitor? | Event-based | Non-event-based | Ans)Correlation | System status |
| 79 | What are the three types of Data Monitors? | event type, matching conditions, and non-event | event type, correlation, and aggregation matching | event-based, event graph, and non-event based | Ans)event-based, correlation, and non-event based |
| 80 | What is an example of an event-based Data Monitor? | moving average | rules partial match | Ans)Last N Count | session reconciliation |
| 81 | Click the Exhibit button. Which type of diagram is shown in the exhibit? | a geographic hierarchy map | Ans)an event graph | an image viewer map | a query topology |
| 82 | Asset categories can be assigned to zones as well as assets. What happens to the assets that belong to a zone with a category of "Critical"? | All assets in the zone inherit the zone's category. | Assets with a category that matches the zone category are grouped into a "Critical" asset group. | Ans)Nothing happens. Assets in the zone maintain their own individual category identities. | Assets in the zone inherit the zone's category and are grouped into a "Critical" asset group. |
| 83 | What is the name of the resource you can use to override the default ArcSight mapping of IP addresses to geographic regions? | zones | Ans)Locations | categories | Destination |
| 84 | In network modeling, which resource is used by an MSSP or by users with different cost centers? | networks | zone | Ans)Customer | Asset Group |
| 85 | In network modeling, what is a set of nodes with similar characteristics that have IPs enumerated one after the other? | Ans)Asset Range | Asset IP | IP range | Asset group |
| 86 | What do you use to establish identity, ownership, and criticality of the assets you have installed on your network? | asset types | asset groups | Ans)asset categories | asset ranges |
| 87 | Which statements are true about assets? | Assets can be grouped in folders called asset ranges. | Assets require a MAC address to be categorized properly. | Ans)Assets can include bridges, routers, web servers, or anything with an IP or MAC address. | An asset is a building. |
| 88 | Which user role is responsible for building content within ESM? | Ans)Author | Analyst | Operator | Admin |
| 89 | With regard to SmartConnectors, what is roll back? | collecting cached data after a communication failure | uninstallation of a package in the event of failure | Ans)a way to revert to the previous version of a Connector when a Connector upgrade fails | a way to gather data that has moved beyond the archive window |
| 90 | What must be done first to restore the database from an online backup? | run the Oracle restore wizard | Ans)ensure that the archived redo logs are located in the archive log destination | bring the affected tablespaces online | reinstall the Oracle installation |
| 91 | Where is the trust store located by default? | the preferred source for obtaining signed certificates | Ans)a list of trusted Certificate Authorities | the location of a system's private keys | the set of backup files containing SSL information |
| 92 | Which key pair types are valid selections when using the Manager Setup Wizard to create an SSL key pair? (Select two.) | non-expiring SSL key pair | Ans)self-signed key pair | Ans)demo key pair | random generator key pair |
| 93 | During Connector install, which statement is true about the ArcSight Manager's host name or IP address? | Ans)It must match the host name or IP address in the ArcSight Manager's SSL certificate. | The host name or IP address is used as an encryption key. | It can be any legitimate host name or IP address. | It must contain a combination of alphanumeric characters. |
| 94 | Which file types MUST be included in an Oracle backup? (Select two.) | table files | Ans)data files | program files | Ans)configuration files |
| 95 | How can you restore a new ArcSight Web installation to a previous configuration? | Ans)copy the old ArcSight Web installation's config directory and cacerts file into the new installation | copy the ArcSight Manager's config directory into the new installation | manually reconfigure the new installation | connect to the Manager and download the saved configuration |
| 96 | Package bundles are exported with which file extension? | .xml file | .exe file | .msc file | Ans).arb file |
| 97 | Which command is used to modify retention periods? | arcsight archive install | arcsight database create | arcsight retention create | Ans)arcsight database pc |
| 98 | When configuring the ArcSight Database, what is the result of setting the offline archive period (days) to zero? | Partition Archiving is enabled | Ans)Partition Archiving is disabled | Online retention is enabled | Online reserved period is enabled |
| 99 | Which command should you use to configure notification acknowledgements after the initial configuration of ArcSight ESM? | Ans)arcsight managersetup | arcsight notifysetup | arcsight notifyconfig | arcsight setupnotify |
| 100 | Which command is used to add a secondary destination to a Connector's configuration? | arcsight destinations -n | Ans)arcsight connectorsetup -w | arcsight connectionwizard | arcsight connector -d |
| 101 | Which actions might the whine daemon initiate? (Select two.) | Ans)sending a message to the admin consoles | sending SNMP traps to a monitoring station | sending syslog messages to a syslog server | Ans)writing an event to the server.log file |
| 102 | Which command is used to check the status of the TNS Listener? | Ans)lsnrctl status | listener status | tnsstat | oralistener status |
| 103 | Which ArcSight Manager directory should be backed up in order to preserve the server.properties file? | user directory | Ans)config directory | properties directory | jre directory |
| 104 | What happens when a Connector upgrade that was initiated from within the ArcSight Console fails? | Ans)The Connector automatically rolls back to the previously working version. | The Connector does not respond to the failed upgrade. | The Connector reports to the Manager that the upgrade failed and then dies. | The Connector automatically attempts the upgrade again. |
| 105 | What happens when a SmartConnector is rolled back? | collecting cached data after a communication failure | uninstallation of a package in the event of failure | Ans)a way to revert to the previous version of a Connector when a Connector upgrade fails | a way to gather data that has moved beyond the archive window |
| 106 | Which statement is true about starting and stopping ArcSight SmartConnector services? | Ans)They are started and stopped independently of the other ArcSight component services. | The order in which they are started and stopped is based on event flow. | How they are started and stopped depends on whether or not the ArcSight Manager is running. | They are started and stopped in conjunction with the Oracle database services. |
| 107 | During Connector install, which statement is true about the ArcSight Manager's host name or IP address? | Ans)It must match the host name or IP address in the ArcSight Manager's SSL certificate. | The host name or IP address is used as an encryption key. | It can be any legitimate host name or IP address. | It must contain a combination of alphanumeric characters. |
| 108 | There are three types of ArcSight SmartConnectors. Which type is used primarily to execute commands on a device to retrieve, modify, or analyze its configuration? | Event Connectors | Scanner Connectors | Ans)CounterACT Connectors | SNMP Connectors |
| 109 | When you need to map a subnet, what do you use in network modelling? | Ans)zone | network | Asset Range | Network Range |
| 110 | How do you recognize an offline partition? | a partition that resides within the database | Ans)a partition that exceeds the online retention threshold and is therefore archived | a partition reserved for a future date | data that is no longer needed by ESM |
| 111 | How are retention areas configured? | Retention policies cannot be changed once they are set. | Ans)Retention areas can be configured using the Partition Management Wizard. | If the size of a retention area is reduced, the data outside of the retention area is automatically backed up. | Ans)Archived partitions outside the offline archive period become invalid. |
| 112 | When configuring the ArcSight Database, what is the result of setting the offline archive period (days) to zero? | Partition Archiving is enabled | Ans)Partition Archiving is disabled | Online retention is enabled | Online reserved period is enabled |
| 113 | How do you find out the reserve period? | the amount of time to allow before compressing event data for storage | Ans)the number of future partitions to be maintained | the amount of time to wait before determining that a device is not operating | the maximum length of time archived partitions will be stored |
| 114 | When can the online partition compression task fail? (Select two.) | when the partition being compressed is too old | Ans)when events are inserted into the partition that is being compressed | Ans)when the compression task takes more than two hours to complete | when the partition compressor does not have the necessary file permissions |
| 115 | You are unable to see events from a specific device in the Console. The Active Channel filters are not the cause. Which component should you examine next in order to troubleshoot this issue? | Database | Ans)SmartConnector | Console | Device |
| 116 | What are the elements that are used to process a batch? | Ans)Batches can be sent when they reach a certain size. | Batches can be sent on command. | Ans)Batches can be sent in priority order by severity. | Batches can be sent by Connector type. |
| 117 | Preserve Raw Events, Turbo Mode, and Limit Event Processing Rate are all examples of which type of Connector options? | Ans)Processing options | Aggregation options | Filter conditions | Preservation options |
| 118 | How do you compile a bundle? | a set of resources that makes up a package | a data transmission containing SSL information | a set of raw log events before they are parsed | Ans)a container for one or more packages |
| 119 | Which method is used to back up an Oracle database without shutting down the database? | sequential backup | standalone backup | Ans)online backup | offline backup |
| 120 | What is the default port used when connecting to the ArcSight Web interface? | Ans)TCP 9443 | UDP 9443 | TCP 8443 | UDP 8443 |
| 121 | What is the default port used by the ArcSight ESM Console to connect to the ArcSight Manager? | Ans)TCP 8443 | UDP 8443 | TCP 9443 | UDP 9443 |
| 122 | What is the default port used to connect the ArcSight Manager to the ArcSight ESM Database (Oracle)? | 443 | 1443 | Ans)1521 | 8443 |
| 123 | The ArcSight Web release version must be the same version as what? | Ans)ArcSight Manager | ArcSight Database | ArcSight SmartConnectors | ArcSight Console |
| 124 | What must you do prior to applying a patch to the ArcSight Manager? | Ans)Stop the ArcSight Manager service | shut down all ArcSight SmartConnectors | delete all files in the tmp directory | disconnect the network cable |
| 125 | Which command is used to check the status of the TNS Listener? | Ans)lsnrctl status | listener status | tnsstat | oralistener status |
| 126 | Which tablespace is used by ArcSight to store resources? | ARC_EVENT_DATA | ARC_SYSTEM_INDEX | Ans)ARC_SYSTEM_DATA | ARC_EVENT_INDEX |