. Select the non-database user in an Oracle installation for ArcSight
sys
system
root
Arcsight
. Oracle accepts network connections through a service known as the
TNS Listener
HTTP Listener
Message Listener
Exception Listener
. _____ files contain metadata about the database
data
Control
online redo
configuration
. The _____ is used to move partitions out of the database for offline storage
Offline Archiver
Database Archiver
Partition Archiver
Partition Separator
. To perform an online backup of the database, ensure that the database is running in _____ mode
ARCHIVELOG
ONLINELOG
OFFLINELOG
BACKUPLOG
. Which is not a component of the notification structure for a rule action?
Notification Groups
Escalation Levels
Destinations
User Role
. Which one is not a tablespace in the ArcSight database?
arc_system_data
arc_system_index
arc_event_data
arc_data_index
. By default, a user's account is disabled after _____ failed login attempts
Three
Five
Six
Ten
. A _____ is a temporary certificate used during initial installation
CA Signed Certificate
Self-signed Certificate
Demo Certificate
SSH Certificate
. A network consists of _____
Zone
Report
Filter
Channel
. Which log file contains information on memory, persistence, time and thread dumps?
Server.log
Server.std.log
Server log
Server.sql.log
. Which log file contains information and errors related to the Partition Archiver?
wrapper.log
Server log
Server.log
Agent log
. To troubleshoot a problem, start from the ______ and move towards the ____
Console & Source
Source & Console
Connector & Console
Source & Console
. Which function is performed by the system package?
Aggregation
Benchmarking and analysis
Email Alerting and Acknowledgement
Compression and Storage
. What stores information about logons, user actions, and the resulting events in the most concise way?
Event annotations
Active Lists
Session Lists
Cases
. Which firewall generates an outbound TCP connection event even when there is no three-way handshake?
ASA
Check Point
Juniper
Palo Alto
. To detect a brute-force attack effectively, which field should be used in the correlation rule?
Source User
Destination IP
Source IP
Destination User
. Which field is common to the "TCP Connection" and NAT translation events from an ASA firewall?
Destination Port
Source Port
Destination IP
Command
. In Windows, the installation directories can be located by selecting the service in the _____
TNS Listener
Service Applet
MSG Applet
Task Manager
. Services for the ArcSight ESM components must be started in the following order
"Start the Oracle instance
Start the Oracle TNS Listener service
Start the ArcSight Manager service
Start the ArcSight Web service"
"Start the ArcSight Web service
Start the Oracle instance service
Start the Oracle TNS Listener
Start the ArcSight Manager service"
"Start the Oracle instance
Start the ArcSight Web service
Start the Oracle TNS Listener service
Start the ArcSight Manager service"
"Start the ArcSight Manager service
Start the Oracle instance
Start the ArcSight Web service
Start the Oracle TNS Listener service"
. The online reserve period holds how many partitions?
8
26
14
72
. The ArcSight Manager connects to the Oracle installation over TCP port _____
1521
8080
8443
443
. What is the recommended backup method for the Oracle database?
Offline
online
Both
None of the above
. Which stage is not part of the partition lifecycle?
Online Reserve Period
Online Retention Period
Offline Retention Period
Offline Reserve Period
. An encrypted repository on the SSL server that holds the SSL certificate and the server's private key is called a _____
TrustStore
Key Pair
KeyStore
Masterkey
. The _____ file is used to restrict which connectors can access the Manager
agents.accept.ips
web.accept.ips
xmlrpc.accept.ips
xmlrpc.reject.ips
. To apply an Oracle CPU (Critical Patch Update) on Windows, you need to log on as the _____ user
Oracle
sys
sysuser
Administrator
. In ArcSight, the procedure for downloading and running the patch installer is different on the _____ platform
Windows
Mac
AIX
Solaris
. Communication between ArcSight Web and the client is encrypted using _____
SSH
SSL
TLS
SFTP
. ______ is usually installed on the same server as the ArcSight Manager
ArcSightDB
Oracle
ArcSight Web
ArcSight Console
. Which ArcSight tablespace occupies the most space in the database?
ARC_EVENT_DATA
arc_system_index
ARC_SYSTEM_DATA
ARC_EVENT_INDEX
. Which of the following is of least importance when sizing an ArcSight solution?
Retention Policy
aggregation ratio
Events per second
Number of users
. ______ offers no parity, striping or spanning of disk space across multiple disks
RAID 3
RAID 4
RAID 1
RAID 5
. _____ consists of block-level striping with parity distributed among the drives
RAID 3
RAID 4
RAID 1
RAID 5
. The ArcSight recommendation for disk sizing is to allow a ______ buffer to prevent the solution from being undersized
1.5X
3.5X
1.25X
1.55X
. The ArcSight recommendation for peak EPS is to allow a ______ buffer to prevent the solution from being undersized
1.5X
2.0X
1.25X
1.55X
. In a typical environment, which device type produces a high EPS per device?
Firewall
Windows Server
IPS
Antivirus server
. The ArcSight recommendation for Windows connector sizing is to allow a ______ buffer to prevent the solution from being undersized
1.5X
3.5X
0.5X
2.5X
. For optimal performance, the ArcSight database requires a dedicated _____
WAN link
Instance & Machine
CPU Cores
Disk space
. The RAID level recommended by ArcSight for storage is ______
1+1
0+1
5
4
. The ArcSight database constantly performs a lot of random ____ because of the large number of event insertions
Writes
Reads
Query
Search
. In RAID _____, if two disks fail, all data is lost
1+1
0+1
5
4
. Most I/O load will be on the ____ tablespace due to random reads and writes
ARC_EVENT_DATA
arc_system_index
ARC_SYSTEM_DATA
ARC_EVENT_INDEX
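The RAID questions above (no parity or striping in RAID 1, block-level striping with distributed parity in RAID 5, and the double-disk failure that RAID 5 cannot survive) are easier to reason about with the parity arithmetic in front of you. The following is an added worked example written for this page, not ArcSight or any storage vendor's code: a pure-Python simulation of RAID 5 with rotating parity. Disk count, block size and the payload bytes are arbitrary constructed values; the four-I/O count returned by `raid5_update_block` is the classic RAID 5 small-write penalty, which is the reason a random-write-heavy event tablespace is sensitive to the RAID level chosen.

```python
"""Added worked example (not ArcSight or any vendor's code): RAID 5 block-level striping
with rotating parity, simulated in pure Python to make the RAID questions above concrete.
Disk and block sizes are arbitrary; the payload is a constructed byte string."""


def xor_blocks(blocks):
    """Bytewise XOR of equally sized blocks; this is all RAID 5 parity is."""
    out = bytearray(len(blocks[0]))
    for block in blocks:
        for i, byte in enumerate(block):
            out[i] ^= byte
    return bytes(out)


def block_location(disks, block_index):
    """Map logical data block -> (stripe, data disk, parity disk). The parity disk
    rotates one position per stripe so parity I/O is spread over all drives."""
    stripe, pos = divmod(block_index, disks - 1)
    parity_disk = (disks - 1 - stripe) % disks
    data_disks = [d for d in range(disks) if d != parity_disk]
    return stripe, data_disks[pos], parity_disk


def raid5_write(data, disks, block_size):
    assert disks >= 3, "RAID 5 needs at least three disks"
    blocks = [data[i:i + block_size].ljust(block_size, b"\0")
              for i in range(0, len(data), block_size)]
    while len(blocks) % (disks - 1):             # pad the last stripe
        blocks.append(bytes(block_size))
    layout = [[None] * disks for _ in range(len(blocks) // (disks - 1))]
    for idx, block in enumerate(blocks):
        stripe, disk, _ = block_location(disks, idx)
        layout[stripe][disk] = block
    for s, stripe in enumerate(layout):
        p = (disks - 1 - s) % disks
        stripe[p] = xor_blocks([b for d, b in enumerate(stripe) if d != p])
    return layout


def raid5_read(layout, disks, length):
    out = bytearray()
    for idx in range(len(layout) * (disks - 1)):
        stripe, disk, _ = block_location(disks, idx)
        out += layout[stripe][disk]
    return bytes(out[:length])


def raid5_update_block(layout, disks, block_index, new_block):
    """A small random write: read old data and old parity, write new data and new
    parity (old_parity XOR old_data XOR new_data). Returns the disk I/O count;
    four I/Os per logical write is why random-write-heavy tables feel RAID 5."""
    stripe, disk, parity = block_location(disks, block_index)
    old_data, old_parity = layout[stripe][disk], layout[stripe][parity]    # 2 reads
    layout[stripe][disk] = new_block                                        # write 1
    layout[stripe][parity] = xor_blocks([old_parity, old_data, new_block])  # write 2
    return 4


def fail_disk(layout, disk):
    for stripe in layout:
        stripe[disk] = None


def rebuild(layout):
    """Reconstruct every missing block from the survivors. One missing block per
    stripe is recoverable; two is the unrecoverable double failure."""
    for s, stripe in enumerate(layout):
        missing = [d for d, b in enumerate(stripe) if b is None]
        if len(missing) > 1:
            raise RuntimeError(f"stripe {s}: {len(missing)} disks failed, data is lost")
        if missing:
            stripe[missing[0]] = xor_blocks([b for b in stripe if b is not None])
    return layout


def survives_single_failure(disks=4, block_size=4):
    data = b"ArcSight events are written in random, parity-protected stripes"  # constructed
    layout = raid5_write(data, disks, block_size)
    raid5_update_block(layout, disks, 3, b"EVNT")     # random write keeps parity valid
    fail_disk(layout, 1)
    expected = data[:12] + b"EVNT" + data[16:]
    return raid5_read(rebuild(layout), disks, len(data)) == expected


def double_failure_loses_data(disks=4, block_size=4):
    layout = raid5_write(b"constructed payload", disks, block_size)
    fail_disk(layout, 0)
    fail_disk(layout, 2)
    try:
        rebuild(layout)
    except RuntimeError:
        return True
    return False


if __name__ == "__main__":
    print("one disk lost, data rebuilt:", survives_single_failure())
    print("two disks lost, data gone:", double_failure_loses_data())
```

Run it as a script to see both outcomes. The rebuild path is the same XOR as the write path, which is why a RAID 5 set can lose any one disk, and why the loss of a second disk before the rebuild completes leaves stripes with two unknowns that no parity can resolve.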
. A separate volume on the database server is required if ArcSight is running the ______
Webserver
Use cases
Partition Archiver
Partition Separator
. What is considered "good persistence" when troubleshooting performance on the ArcSight database?
Post EPS filter count is 0
Post aggregation count is 0
Estimated Cache size is 0
post filter count is 0
. How can a write performance issue be resolved?
RAID level changes in storage
Event filtering at the device
Use case modification
Changing the retention policy
. Which integration method is used to integrate the Remedy ticketing system with ArcSight?
ARP
TNS
ARS
DNS
. After integration of the Remedy ticketing system, what is stored in the case's "External ID" attribute?
Source IP
Attacker IP
Remedy ticket number
Remedy Asset ID
. Events are partitioned by _______, so Oracle knows exactly which partition to scan
Manager Receipt time
End time
Connector receipt time
Device start time
. Asset-based variables are heavier and consume more system resources than ______-based variables
Event
Log
Time
List
. Chained rules are the same as join rules, except that they use ______ to retain event details, often for longer periods of time
active lists
active channel
filter
Rule
. If the Manager receipt time is 1-2 minutes later than the agent receipt time, which possible issue most closely matches?
Log source has an issue in event processing
Network latency
ArcSight service is down
Webserver is down
. When all conditions in a rule are satisfied, which of the following actions can the rule be configured to take?
Add to an existing case
Create a new rule
Create an active channel
Create a report
. Rules can dynamically write, read and remove entries in ______
active lists
active channel
filter
Rule
. Where do you set the maximum number of correlated alerts per minute to minimize rule recursion issues?
Server.log
server.defaults.properties
Server1.log
Server.sql.log
. To avoid excessive rule firing for repetitive events during an attack, what happens if you set the "On Time Unit" action trigger to a value?
will notify end of attack
will periodically notify that the attack is still going on
will notify start of attack
will notify whenever alert is triggered
. Using active lists to correlate information from events will limit ______ consumption
Memory
CPU
Drive Space
DB records
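Several of the rule questions above hang together: the field a brute-force rule should aggregate on, what the "On Time Unit" trigger does to repetitive firing, and how a rule writes, reads and removes active-list entries. The block below is an added worked example written for this page, not ArcSight code: a tiny in-memory correlation rule run over constructed events. Field names (`sourceAddress`, `destinationUserName`, `categoryOutcome`, `endTime`) follow the ESM event schema; the threshold, window, sample addresses and user names are arbitrary. Keying the same sample on `sourceAddress` catches a password spray that a `destinationUserName` key misses entirely, and setting a time unit collapses a 180-event attack from 176 notifications to 3.

```python
"""Added worked example (not ArcSight code): a tiny in-memory correlation rule that
shows why the key field matters for brute-force detection, what the "On Time Unit"
trigger changes, and how a rule reads, writes and expires active-list entries.
Field names mirror ESM's event schema; the events themselves are constructed."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

T0 = datetime(2024, 3, 1, 10, 0, 0)   # arbitrary start time for the constructed sample


def make_events():
    """Constructed sample: a password spray (one source, 20 users, one failure each)
    followed by a sustained brute force (one source, one account, 180 failures)."""
    events = []
    for i in range(20):
        events.append({"endTime": T0 + timedelta(seconds=i),
                       "sourceAddress": "203.0.113.7",
                       "destinationUserName": f"user{i:02d}",
                       "categoryOutcome": "/Failure"})
    for i in range(180):
        events.append({"endTime": T0 + timedelta(seconds=120 + i),
                       "sourceAddress": "198.51.100.9",
                       "destinationUserName": "admin",
                       "categoryOutcome": "/Failure"})
    return events


class FailedLoginRule:
    """Fires when `threshold` failures share one `key_field` value inside `window`.
    `time_unit` plays the role of the On Time Unit trigger: while the attack goes on
    the rule notifies at most once per time unit instead of on every event past the
    threshold. `active_list` holds attackers currently under notification."""

    def __init__(self, key_field, threshold, window, time_unit):
        self.key_field, self.threshold = key_field, threshold
        self.window, self.time_unit = window, time_unit
        self.buckets = defaultdict(deque)   # key -> event times inside the window
        self.active_list = {}               # key -> time of the last notification
        self.alerts = []

    def process(self, event):
        if event.get("categoryOutcome") != "/Failure":
            return None
        key, ts = event[self.key_field], event["endTime"]
        bucket = self.buckets[key]
        bucket.append(ts)
        while ts - bucket[0] > self.window:     # slide the aggregation window
            bucket.popleft()
        if len(bucket) < self.threshold:
            return None
        last = self.active_list.get(key)
        if last is not None and ts - last < self.time_unit:
            return None                         # same attack, same time unit: suppressed
        self.active_list[key] = ts              # rule writes the active list
        alert = {"key": key, "failures": len(bucket), "time": ts}
        self.alerts.append(alert)
        return alert

    def expire(self, now, ttl):
        """Rule removes active-list entries not refreshed within `ttl` (attack over)."""
        stale = [k for k, t in self.active_list.items() if now - t > ttl]
        for k in stale:
            del self.active_list[k]
        return len(stale)


def run_rule(key_field, time_unit_seconds, threshold=5, window_seconds=60):
    rule = FailedLoginRule(key_field, threshold, timedelta(seconds=window_seconds),
                           timedelta(seconds=time_unit_seconds))
    for event in make_events():
        rule.process(event)
    return rule


def attackers_still_active(rule, now_offset_seconds, ttl_seconds):
    rule.expire(T0 + timedelta(seconds=now_offset_seconds), timedelta(seconds=ttl_seconds))
    return sorted(rule.active_list)


if __name__ == "__main__":
    for key in ("sourceAddress", "destinationUserName"):
        print(f"{key}, 60 s time unit: {len(run_rule(key, 60).alerts)} alerts")
    print(f"sourceAddress, no time unit: {len(run_rule('sourceAddress', 0).alerts)} alerts")
```

The active list is the only state that outlives the aggregation window, which is what lets a chained rule refer back to an attacker minutes later without holding every event in memory; expiring its entries on a TTL is what marks the end of the attack.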
. The usage of performance data monitors can be monitored from ____
Packages
CapsManager
Services.MSC
Foundation
. What is the prerequisite when configuring the "identify inactive user accounts" use case through the wizard?
Network & Asset Model
Vulnerability data
Enriched data
Time based variables
. Which one listed here is not a Jump Start package?
PCI
SOX
Perimeter monitoring
DB Monitoring
. For all perimeter monitoring use cases, the _____ must be defined
Zone
Asset
Network
Vulnerability
. To configure a use case that detects users from untrusted realms who do not perform two-factor authentication, which of the following is the least important prerequisite?
Network Modelling
Zone management
Log source integration
Third party integration
. When you build a report based on a query, which item do you click to schedule it?
Attributes
Templates
Jobs
Parameters
. Communication between ArcSight Management Center (ArcMC) and a connector is over ______ if there is no ArcMC agent
HTTPS
SSH
API
FTP
. As a best practice, when should regular configuration backups be scheduled for all ArcSight appliances?
Same time
With a gap of 6 hours
With a gap of 34 hours
With a gap of 48 hours
. _____ rules are defined to generate alerts against health data metrics
Health
Datasource
Breach
Manager
. A _________ is a managed ArcSight product (i.e. a Connector, Logger, etc.)
Host
Node
Asset
Resource
. When a Logger report has been generated, the _____ is used to view, copy, modify and run it
Parameter explorer
Report Explorer
Category explorer
Favorite explorer
. Logger report performance cannot be affected by _____
Data distribution
Server load
Query complexity
Aggregation settings
. When the compression ratio for raw log storage is higher, the data retrieval rate will be _______
Faster
slower
Normal
None
. If the raw log data for a Syslog FlexConnector contains non-ASCII characters, where do you configure the character encoding?
agent.properties
agent.default.properties
JVM options
Server.properties
. To tune the advanced file rotation configuration parameters for FlexConnectors, where do you make the changes?
agent.properties
agent.default.properties
JVM options
Server.properties
. During key field assignment when building a FlexConnector, which field do you use for custom fields?
flexcustom
devicecustom
deviceVendor
deviceProduct
. Select which of the following is not an ArcSight syslog SmartConnector
Syslog Daemon
Syslog Pipe
Syslog Package
Syslog File
. After modifying the syslog.conf file on the log source, what else should be done at the log source so that events start reaching the syslog connector?
Restart the log source
No other actions required
Restart the Syslog server
Restart the network service
. Events are not being received at the Syslog SmartConnector; mark the correct troubleshooting step
run a Packet Sniffer at log source level
telnet to port 514 to log source
telnet to port 514 to Smart connector
Check webservice is up
. In a Cisco Secure IPS SDEE integration with a SmartConnector, which field is not retrieved and stored by default?
Device Vendor
Device Payload
Device Severity
Threat category
. How do you turn off SSL for SDEE connections in a SmartConnector when troubleshooting?
Modify agent.properties
Modify agent.default.properties
Modify JVM options
Modify server.properties
. When integrating Apache web servers, the ___________ can be used to pick up the logs if log rotation is configured at the OS level
File contents
File name pattern
time stamp of logs
Agent receipt time
. If database auditing is enabled, which database operation does Oracle write to the operating system audit file as an event?
Database start up
Table creation
Table Delete
Insert record
. What is the ArcSight-recommended syslog audit level to set for Oracle database integration?
Warning
Debug
Informational
Notice
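Three of the syslog questions above come down to what a receiver does with a raw datagram: which character encoding it decodes the bytes with (the FlexConnector encoding question), which severity the `<PRI>` header carries (the audit-level question, where Warning, Notice and Informational are RFC 3164 severities), and how to tell that nothing is arriving at all. The block below is an added worked example written for this page, not ArcSight connector code: an RFC 3164 parser that takes the encoding as a parameter so the failure mode of a wrong setting is visible, plus a severity filter. Both log lines are constructed; the facility names for codes 12-15 vary between implementations and are labelled as the common ones.

```python
"""Added worked example (not ArcSight code): the two decisions a syslog receiver makes
before an event is usable, decoding the raw bytes with the configured character encoding
and splitting <PRI> into facility and severity, plus a severity ("audit level") filter.
Both log lines are constructed for the example."""
import re

# RFC 3164 numeric codes. Severity 0 is most severe; the page's "Informational" is code 6.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
# Facility names 12-15 are the commonly used ones; implementations differ there.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news", "uucp",
              "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock"] + \
             [f"local{i}" for i in range(8)]
ALIASES = {"emergency": "emerg", "critical": "crit", "error": "err",
           "warn": "warning", "informational": "info"}
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)

# Constructed datagrams: one UTF-8 body, one Windows-1252 body (as a legacy app might send).
RAW_UTF8 = (b"<34>Oct 11 22:14:15 fw01 sshd[1234]: Failed password for j\xc3\xbcrgen "
            b"from 203.0.113.7 port 51122 ssh2")
RAW_CP1252 = b"<13>Oct 11 22:14:16 app01 portal: login for Jos\xe9 ok"


def parse_syslog(raw, encoding="utf-8"):
    """Decode with the encoding the connector is configured for, then parse <PRI>.
    errors='replace' behaves like a forgiving receiver: a wrong encoding never drops
    the event, it silently corrupts the text (mojibake or U+FFFD), which is why the
    encoding has to be set explicitly when sources send non-ASCII bytes."""
    text = raw.decode(encoding, errors="replace")
    match = PRI_RE.match(text)
    if not match:
        raise ValueError("missing <PRI>: not a well-formed RFC 3164 message")
    pri = int(match.group(1))
    if pri > 191:
        raise ValueError(f"PRI {pri} out of range (max 191)")
    facility, severity = divmod(pri, 8)
    return {"facility": FACILITIES[facility], "severity": SEVERITIES[severity],
            "severity_code": severity, "message": match.group(2)}


def severity_code(name):
    return SEVERITIES.index(ALIASES.get(name.lower(), name.lower()))


def passes_audit_level(event, level):
    """Keep events at `level` or more severe. 'warning' drops notice/info/debug;
    'informational' keeps everything except debug."""
    return event["severity_code"] <= severity_code(level)


if __name__ == "__main__":
    for enc in ("utf-8", "latin-1"):
        print(enc, "->", parse_syslog(RAW_UTF8, enc)["message"][-45:])
    ev = parse_syslog(RAW_CP1252, "cp1252")
    print(ev["facility"], ev["severity"], "kept at warning?", passes_audit_level(ev, "warning"))
```

One caveat for the "events not received" troubleshooting question: most devices send syslog over UDP, so a TCP telnet to port 514 proves nothing unless the connector has been configured to listen on TCP. A packet capture on the connector host, filtered on the source address and port 514, is the check that shows whether datagrams are arriving and whether their bytes decode under the configured encoding.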
. Which one is not an audit trail type in the Oracle database?
OS
XML
D3
DB ML
. For Check Point integration, the _______ ArcSight SmartConnector is used
File SmartConnector
LEA
WMI
Syslog
. The Oracle RDA tool gathers configuration information on your Oracle installation and writes the output to a series of ______ files
XML
HTML
CSV
TXT
. In the Get Status output for a specific connector, what does "Sent (SLC)" denote?
The number of events per second processed by the connector in the last few minutes
The number of events sent to the Manager
The number of events in the connector cache
Any exception in the connector that prevents events from being sent
. If the server.std.log file repeatedly reports that the ArcSight Manager is running out of memory, the ____ may need to be increased
CPU Cores
Heap size
Procure additional Manager
Aggregation
. Events flow to the ArcSight Console from the _____
Arcsight Manager
Arcsight connector
Device
Logger
. Where do you check to troubleshoot or confirm whether the ArcSight Manager can connect to the ArcSight database?
Server.log
Server.std.log
Server.log
Server.sql.log
. The _____ log file contains information and related errors on the Partition Archiver
Server.log
Agent.log
Wrapper log
Server.sql.log
. Which command is run to find errors in the TNS Listener service?
tnsctl
listctl
parserctl
lsnrctl