
SL. NO  Questions  Choice A  Choice B  Choice C  Choice D


1. What is an IP address?
   A. It is the address embedded in the network adapter.
   B. Ans) It is a logical address to identify a node in the network.
   C. It is an address assigned by the antivirus software.

2. UDP is a connection-oriented protocol.
   A. True
   B. Ans) False

3. What are all the types of logs available in the Windows operating system?
   A. Ans) System Log, Application Log, Security Log
   B. OS Log, User Log, Connection Log, Error Log
   C. System Log, Application Log
   D. Type A Log, Type B Log, Type C Log

4. The command to identify the IP address of a Windows system:
   A. fconfig
   B. Ans) ipconfig
   C. address ip
   D. ipaddress

5. The term "vulnerability" refers to:
   A. An attempt to gain unauthorized access to system services, resources, or information.
   B. Simply listening to a private conversation which may reveal information that can provide access to a facility or network.
   C. A threat action whereby sensitive data is directly released to an unauthorized entity.
   D. Ans) A weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source.

6. Telnet:
   A. is used to send email
   B. uses telephone lines
   C. is part of Netscape
   D. Ans) is a protocol that allows for remote login

7. What is SIEM?
   A. Ans) Security Information and Event Management tool
   B. Log Analysis Tool
   C. Log Management and Event Management Tool
   D. Security Incident and Error Management Tool

8. Which one is not a part of the ArcSight architecture?
   A. FlexConnector
   B. Oracle DB
   C. Ans) MySQL
   D. ArcSight Web

9. Which one is not an ArcSight Resource?
   A. Partitions
   B. Ans) Annotations
   C. Notifications
   D. Lists

10. The ArcSight Console is a:
   A. Thin client
   B. Windows service
   C. Software
   D. Ans) Thick client

11. Which one is not a user group in ArcSight?
   A. Admin
   B. System
   C. Ans) Analyst
   D. Sys

12. A firewall is:
   A. used to protect a computer room from fires and floods
   B. a form of virus
   C. a screen saver program
   D. Ans) none of the above

13. Oracle DB is optional in the ArcSight setup.
   A. True
   B. Ans) False

14. A KB (kilobyte) corresponds to:
   A. 1024 bits
   B. 1000 bytes
   C. Ans) 2^10 bytes
   D. 2^10 bits

15. What is the default port used when connecting to the ArcSight Web interface?
   A. Ans) TCP 9443
   B. UDP 9443
   C. TCP 8443
   D. UDP 8443

16. At most, a zone can belong to how many networks?
   A. 0 (Zones do not belong to networks; zones contain networks.)
   B. Ans) 1
   C. 2
   D. As many as needed, based on the Network Model

17. What is a zero-day attack?
   A. Attacks happening on January 1st of every year.
   B. The first attack detected within an organization.
   C. Ans) An attack that exploits a previously unknown vulnerability in a computer application.
   D. An attempt to make a machine or network resource unavailable to its intended users.

18. How does a port scan work?
   A. By analysing all logs generated by the firewall.
   B. Ans) By sending framed IP packets and analysing the reply.
   C. By generating abnormal traffic targeted against a particular network and consuming all available bandwidth.
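Question 18 contrasts the scanner's method (send probes, read replies) with the defender's (read the firewall log). The following is an added example, not part of the quiz or of any ArcSight product, showing both sides in Python: a TCP connect scan run against a loopback listener so it works offline, and a log-side detector over constructed firewall lines. The addresses, log format and thresholds are all constructed for the example.

```python
"""Added example, not part of the quiz or of any ArcSight product: how a
port scan works (the attacker's side) and how it shows up in firewall
logs (the defender's side).

A TCP connect scan sends a SYN to each port and reads the reply: a
completed handshake means "open", an RST means "closed", and silence
until the timeout means "filtered" (a firewall dropped the probe).
The firewall log lines, host names and addresses below are constructed
for this example.
"""
import socket
import threading


def probe_tcp(host: str, port: int, timeout: float = 0.5) -> str:
    """Return 'open', 'closed' or 'filtered' for one TCP port."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.connect((host, port))      # SYN -> SYN/ACK -> ACK completed
            return "open"
        except ConnectionRefusedError:      # the host answered with RST
            return "closed"
        except (socket.timeout, OSError):   # no answer at all: dropped
            return "filtered"


def scan_ports(host: str, ports, timeout: float = 0.5) -> dict:
    """Probe each port in turn and map port -> state."""
    return {port: probe_tcp(host, port, timeout) for port in ports}


def demo_scan() -> dict:
    """Run the scanner against loopback so the example works offline.

    One socket is left listening (an 'open' port); a second is bound to
    reserve a port number and then closed, so nothing listens on it
    (a 'closed' port).  Returns the two port numbers and the scan result.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))         # 0 = let the OS pick a free port
    listener.listen(5)
    open_port = listener.getsockname()[1]

    def serve():                            # accept and drop connections
        try:
            while True:
                conn, _ = listener.accept()
                conn.close()
        except OSError:
            pass                            # listener closed, thread ends
    threading.Thread(target=serve, daemon=True).start()

    spare = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()                           # now nothing listens here

    result = scan_ports("127.0.0.1", [open_port, closed_port])
    listener.close()
    return {"open_port": open_port, "closed_port": closed_port, "result": result}


# Constructed firewall log, one line per packet: "<time> <src> <dst>:<dport> <action>".
FIREWALL_LOG = """\
2024-01-01T10:00:01 198.51.100.7 10.0.0.5:22 DENY
2024-01-01T10:00:01 198.51.100.7 10.0.0.5:23 DENY
2024-01-01T10:00:02 198.51.100.7 10.0.0.5:80 ALLOW
2024-01-01T10:00:02 198.51.100.7 10.0.0.5:443 ALLOW
2024-01-01T10:00:03 198.51.100.7 10.0.0.5:3389 DENY
2024-01-01T10:00:03 198.51.100.7 10.0.0.5:8443 DENY
2024-01-01T10:00:04 203.0.113.9 10.0.0.5:443 ALLOW
2024-01-01T10:00:05 203.0.113.9 10.0.0.5:443 ALLOW
"""


def detect_scans(log_text: str, min_ports: int = 5) -> dict:
    """Defender's view: sources that touched at least `min_ports` distinct
    destination ports.  Returns {source: sorted list of ports}.  A real
    SIEM rule would also bound this by a time window."""
    ports_by_src = {}
    for line in log_text.splitlines():
        _time, src, dst, _action = line.split()
        dport = int(dst.rsplit(":", 1)[1])
        ports_by_src.setdefault(src, set()).add(dport)
    return {src: sorted(ports) for src, ports in ports_by_src.items()
            if len(ports) >= min_ports}


if __name__ == "__main__":
    print(demo_scan())
    print(detect_scans(FIREWALL_LOG))
```

Note that DENY and ALLOW lines both count toward the detector: a scan is visible in the pattern of distinct ports touched, not in whether individual probes were blocked.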

19. The ArcSight component that performs normalization is the:
   A. ArcSight Web
   B. Ans) SmartConnector
   C. Console
   D. ArcSight DB

20. Which are operators in the ArcSight Common Conditions Editor (CCE)? (Select two.)
   A. ELSE
   B. Ans) AND
   C. Ans) OR
   D. IF

21. Which functions are on the right-click menu for an event? (Select two.)
   A. Correlate Events
   B. Ans) Show Event Details
   C. Ans) Annotate Events
   D. Prioritize Events

22. Which string function is used to join two data fields?
   A. Add
   B. Ans) Concatenate
   C. Join
   D. Find

23. TTL means:
   A. Total Time Lag
   B. Time Threshold Lag
   C. Ans) Time To Live
   D. Total Time Left

24. What can ArcSight ESM Dashboards display?
   A. Ans) Multiple Data Monitors
   B. Multiple Cases
   C. Multiple Stages
   D. Multiple Reports

25. Using SSL technology, information can be communicated over an encrypted channel. What is SSL?
   A. Ans) Secure Sockets Layer
   B. Security Standards Layer
   C. Smart Stealth Layer
   D. Standard Security Layer

26. Which are clients of the ArcSight Manager? (Select two.)
   A. ArcSight Correlation Engine
   B. Ans) ArcSight Web
   C. Ans) ArcSight SmartConnectors
   D. ArcSight Database

27. What is the default port used by the ArcSight ESM Console to connect to the ArcSight Manager?
   A. Ans) TCP 8443
   B. UDP 8443
   C. TCP 9443
   D. UDP 9443

28. What is the default port used to connect the ArcSight Manager to the ArcSight ESM Database (Oracle)?
   A. 443
   B. 1443
   C. Ans) 1521
   D. 8443

29. ArcSight SmartConnectors send event data directly to what?
   A. Ans) ArcSight Manager
   B. ArcSight Console
   C. ArcSight Web Server
   D. ArcSight Database

30. What are the typical jobs of an L1 analyst in ArcSight? (Write 3 interfaces they need to watch/use every day.)

31. Which are operators in the ArcSight Common Conditions Editor (CCE)?
   A. ELSE
   B. Ans) AND
   C. Ans) NOT
   D. IF

32. What stores information about logons, user actions, and the resulting events in the most concise way?
   A. Event annotations
   B. Ans) Session Lists
   C. Active Lists
   D. Cases

33. Which statements are true about Session Lists?
   A. They must have a key file and a value.
   B. They can share entries with other Session Lists.
   C. They can be used to populate Active Lists.
   D. Ans) They always have Start Time, End Time, and Creation Time fields.

34. Report run start time, output format for report results, email distribution for report results, and report filters are all examples of what?
   A. Ans) Report parameters
   B. Report formats
   C. Report data sources
   D. Report attributes

35. When using the Query Editor, three sub-tabs provide the options you need to properly set up the query. What information do these sub-tabs require?
   A. When the query should be run; which format the query output should take; how many data elements should be included
   B. When the query should be run; what the query should be called; how long the data should be archived
   C. Which data fields to select; how the data should be displayed; how long the data should be archived
   D. Ans) Which data fields to select; how the data should be ordered; how the data should be grouped

36. What is the "focus" of a Focus report?
   A. The differences between two similar reports
   B. Ans) A subset of a larger (e.g., monthly or quarterly) report
   C. Events that have been missed
   D. High-priority Correlation events only

37. What do field sets correspond to?
   A. Variables in a rule configuration
   B. Components in a Network Model
   C. Attributes in a Query Viewer
   D. Ans) Columns in an Active Channel Grid view

38. How are baselines established and used in Query Viewers?
   A. Baselines are created using rules. After the rule is triggered, the resulting action establishes a baseline against which future rules are evaluated in the Query Viewer.
   B. Baselines are created using query results. The baseline from the query is used to create a new field set definition that can be run against future events.
   C. Ans) Baselines are created using query results. When a query has one or more baselines available, you can compare the current results with the baseline.
   D. Baselines are created using query results and fed into the Image Editor for the related Data Monitor.

39. At most, a zone can belong to how many networks?
   A. 0
   B. Ans) 1
   C. 2
   D. As many as needed, based on the Network Model

40. In network modeling, what are SmartConnectors bound to?
   A. Assets
   B. Asset Ranges
   C. Zone
   D. Ans) Customer

41. Which role does the Active Channel play in testing a rule?
   A. The rule can be replayed and verified against real-time events in the Active Channel.
   B. Ans) The rule can be replayed against historical events in the Active Channel.
   C. The rule cannot be tested with the Active Channel because it will create additional invalid Correlation events.
   D. None

42. What must be done to a local Variable before it can be used with multiple resources?
   A. It must be renamed.
   B. It must be copied.
   C. It must be moved to a new resource.
   D. Ans) It must be promoted to a Global Variable.

43. Which resource defines what a report will look like when generated?
   A. Layout
   B. Query
   C. Ans) Template
   D. None

44. Which resources can be displayed in the ArcSight Web interface?
   A. Stages, Queries and Annotation
   B. Partitions
   C. Ans) Cases, Notifications, and Active Channels
   D. Knowledge Base articles and Templates

45. Which functions are on the right-click menu for an event?
   A. Correlate Events
   B. Ans) Show Event Details
   C. Knowledge Base
   D. Prioritize Events

46. Active Channel views and Dashboard views are examples of Viewer Panel views. Which other views are associated with the Viewer Panel?
   A. Asset views
   B. Ans) Resource views & Results views
   C. Combined views
   D. Simple views

47. What are functions of Query Viewers?
   A. Present detailed comparisons of report elements, not possible with the reporting tool
   B. Ans) Provide a baseline analysis of events against which future queries can be compared
   C. Determine which devices are off-line at any given point in time by querying their status
   D. Display the Boolean logic behind filters and rules
   E. Ans) Provide a quick way to run SQL queries and identify trends without running reports

48. What happens if a notification requiring a response within 24 hours is not acknowledged within that time?
   A. Ans) The notification is escalated to the next level of notification.
   B. The notification is added to the Session List.
   C. An error message appears on the ArcSight Console.
   D. The condition generating the notification is escalated to a higher priority.

49. Why would you lock a Case?
   A. To close and archive a Case
   B. Ans) To prevent others from modifying the Case while you edit or attach something to the Case
   C. To prevent the Case from being seen in the Resource List
   D. To preserve the state of the Case

50. What represents the current status in the investigation of a Case?
   A. Notifications
   B. Ans) Stages
   C. Case
   D. Annotation

51. There are 17 event field groups defined in the ArcSight Event Schema. In which group would you look for data fields describing an event's importance as assessed by ArcSight ESM?
   A. Category
   B. Attacker
   C. Ans) Threat
   D. Event

52. Which Event Schema group contains data fields which describe the connector reporting an event?
   A. Event
   B. Ans) Device & Agent
   C. Source
   D. None

53. Which output formats are available when running a report?
   A. XML
   B. Ans) HTML
   C. MP4
   D. JPEG

54. What does a Network Model include?
   A. Ans) Assets
   B. Destinations
   C. Network file
   D. Resources

55. Which statement is true about inline filters?
   A. Ans) An inline filter applies only to its current Active Channel.
   B. An inline filter applies only as long as the Active Channel is open, and cannot be saved.
   C. An inline filter cannot use AND or OR conditions.
   D. An inline filter is created using Boolean logic in the Inspect/Edit panel.

56. Which tools are used to view events in ArcSight ESM?
   A. Knowledge Base article
   B. Ans) Active Channel
   C. Knowledge Base
   D. Annotations

57. What is a good way for an operator or analyst to quickly determine which events must be addressed first?
   A. Ans) Check the priority rating in a Dashboard or Active Channel
   B. Run a report of High Priority Threats
   C. Ask more senior analysts or architects
   D. View the Event Grid and Correlation categories

58. What can ArcSight ESM Dashboards display?
   A. Ans) Multiple Data Monitors
   B. Multiple Cases
   C. Multiple Stages
   D. Multiple Reports

59. How do asset categorization and event categorization relate to each other?
   A. Asset categorization and event categorization are the same.
   B. Asset categorization and event categorization use the same field set to apply categories to assets and events.
   C. Asset categorization requires custom FlexConnectors; event categorization uses standard SmartConnectors.
   D. Ans) Asset categorization is the fingerprint of an asset; event categorization is a set of criteria that describes an event.

60. Which process uncovers the relationship between events, infers the significance of those relationships, prioritizes them, and then provides a framework for taking action?
   A. Categorization
   B. Aggregation
   C. Ans) Correlation
   D. Filtration

61. What is a criteria factor within the ArcSight Priority Formula?
   A. Assurance
   B. Asset Priority
   C. Seriousness
   D. Ans) Model confidence

62. What does the Priority Formula calculation run on?
   A. FlexConnector only
   B. SmartConnector only
   C. Ans) Manager only
   D. Both Manager and SmartConnector

63. Which statements are true about event lifecycle data collection and the event processing phase? (Select two.)
   A. Model confidence is determined, based on details provided by the event source.
   B. Ans) Each line of incoming log data is processed as a separate event.
   C. Event severity is determined, based on an Active List of recent severity factors.
   D. Ans) Values are normalized and entered into the ArcSight Event Schema.

64. Using SSL technology, information can be communicated over an encrypted channel. What is SSL?
   A. Standard Security Layer
   B. Smart Stealth Layer
   C. Ans) Secure Sockets Layer
   D. Security Standards Layer

65. You want your Active Channel to automatically display new events as they arrive at ESM. Which time parameter should you use to accomplish this?
   A. Evaluate Once at Attach Time
   B. Evaluate $NOW-1h
   C. Ans) Continuously Evaluate
   D. Continuously from Attach Time

66. Which ArcSight ESM Resource enables you to perform live monitoring of events?
   A. Cases
   B. Ans) Active Channels
   C. Knowledge Base
   D. Stages

67. What is a function of the Variable GetSessionData?
   A. Ans) Retrieves data fields from a Session List
   B. Sends session details to the ArcSight Manager
   C. Populates a Session List
   D. Investigates session details in the audit log

68. Which string function is used to join two data fields?
   A. Substring
   B. Find
   C. Ans) Concatenate
   D. Correlate

69. What is the primary function of the ArcSight Manager?
   A. It accepts correlated, prioritized events from SmartConnectors with instructions from the ArcSight Console, and writes events to the database.
   B. It manages bottlenecks between the connectors, the ArcSight Console, and the ESM Database.
   C. It restores the rule definitions that drive the functioning of ArcSight ESM.
   D. Ans) It writes incoming events to the database while simultaneously processing events through the Correlation engine.

70. Which ESM components collect event data?
   A. Node
   B. Resource
   C. Ans) SmartConnector

71. Which statement is true about a join rule?
   A. Ans) It recognizes patterns that involve more than one type of event.
   B. It is triggered by events that match a single set of conditions.
   C. It rejects partial matches but can be set for aggregation.
   D. It matches the output of more than one simple rule to an Active List.

72. Which statement is true about join rules and chained rules?
   A. Join rules use Session Lists; chained rules use Active Lists.
   B. Ans) Chained rules may or may not be join rules that also use Active Lists or rely on Correlation events generated by other rules.
   C. Join rules link simple rules together; chained join rules link join rules.
   D. Chained rules result in detailed chains; join rules result in simple chains.

73. Which statement is true about the ArcSight Web interface?
   A. Ans) Data Monitors cannot be added to a Dashboard in the ArcSight Web interface.
   B. Reports cannot be formatted in the ArcSight Web interface.
   C. Inline filters cannot be used in the ArcSight Web interface.
   D. Cases cannot be modified in the ArcSight Web interface.

74. When specifying the attributes of a new Active List, you can set TTL days, hours, and minutes. What is TTL?
   A. Time Threshold Lag
   B. Total Time Lag
   C. Total Time Left
   D. Ans) Time To Live
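Questions 32, 33, 67 and 74 together describe the two list resources: an Active List whose entries expire after a TTL, and a Session List whose entries carry Start Time, End Time and Creation Time and are read back with GetSessionData. The following is an added example, not part of the quiz or of ArcSight ESM, that models both in Python so the TTL refresh and the "who held this address at time T" lookup can be exercised. Class names, field names and the sample sessions are this example's own constructions.

```python
"""Added example, not part of the quiz or of ArcSight ESM: toy models of
the two list resources the questions above describe.

An Active List is a keyed table whose entries expire after a TTL, the
Time To Live set in days/hours/minutes on the list's attributes (seconds
here, for brevity); updating an entry refreshes its TTL.  A Session List
is the concise record of who held what and when: each entry has a Start
Time, an End Time (empty while the session is open) and a Creation Time,
and a GetSessionData-style lookup asks "which user was bound to this key
at time T?".  Class and field names, and the sample sessions, are this
example's own constructions, not ESM's implementation.
"""
from dataclasses import dataclass
from typing import Optional


class ActiveList:
    def __init__(self, ttl_seconds: float):
        self.ttl = ttl_seconds
        self._entries = {}                  # key -> (value, expires_at)

    def add(self, key, value, now: float) -> None:
        """Insert or update; either way the TTL clock restarts at `now`."""
        self._entries[key] = (value, now + self.ttl)

    def get(self, key, now: float):
        """Value for `key`, or None if absent or expired as of `now`."""
        self._expire(now)
        entry = self._entries.get(key)
        return entry[0] if entry else None

    def _expire(self, now: float) -> None:
        expired = [k for k, (_, exp) in self._entries.items() if exp <= now]
        for k in expired:
            del self._entries[k]


@dataclass
class Session:
    key: str                 # e.g. the IP address handed out by DHCP or VPN
    user: str
    start_time: float        # when the session began on the device
    creation_time: float     # when the list entry was written (may lag start_time)
    end_time: Optional[float] = None   # None while the session is still open


class SessionList:
    def __init__(self):
        self._sessions = []

    def start(self, key: str, user: str, start_time: float, now: float) -> Session:
        session = Session(key, user, start_time, creation_time=now)
        self._sessions.append(session)
        return session

    def end(self, key: str, user: str, end_time: float) -> None:
        for s in self._sessions:
            if s.key == key and s.user == user and s.end_time is None:
                s.end_time = end_time

    def get_session_data(self, key: str, at_time: float) -> Optional[str]:
        """GetSessionData-style lookup: the user bound to `key` at `at_time`."""
        for s in self._sessions:
            if s.key == key and s.start_time <= at_time and \
                    (s.end_time is None or at_time < s.end_time):
                return s.user
        return None


def demo() -> dict:
    """Walk through both lists with constructed times (seconds since T0)."""
    # Active List "Recent failed logon sources", TTL 10 minutes.
    failed = ActiveList(ttl_seconds=600)
    failed.add("198.51.100.7", {"count": 5}, now=0)
    failed.add("198.51.100.7", {"count": 6}, now=300)    # refresh: expires at 900
    # Session List "VPN address assignments": alice, then bob, on one address.
    vpn = SessionList()
    vpn.start("10.8.0.12", "alice", start_time=1000, now=1001)
    vpn.end("10.8.0.12", "alice", end_time=2000)
    vpn.start("10.8.0.12", "bob", start_time=2000, now=2000)
    return {
        "still_listed_at_899": failed.get("198.51.100.7", now=899) is not None,
        "gone_at_900": failed.get("198.51.100.7", now=900) is None,
        "user_at_1500": vpn.get_session_data("10.8.0.12", 1500),
        "user_at_2500": vpn.get_session_data("10.8.0.12", 2500),
        "user_at_500": vpn.get_session_data("10.8.0.12", 500),
    }
```

The session lookup is what lets a rule attribute an event seen at 10.8.0.12 to the right person even after the address has been reassigned, which is why the question calls the Session List the most concise record of logons and their resulting events.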

75. What can you use to change the stage of a Case?
   A. Event annotations
   B. Ans) Case Editor
   C. Common Conditions Editor
   D. Query Viewer

76. Which type of event is displayed in an Active Channel with the following inline filter applied?
   Category Behavior = /Authentication/Verify
   Category Outcome = /Failure
   A. Logout events
   B. Login Success events
   C. Account Locked events
   D. Ans) Logon failure events
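Questions 20, 31, 55 and 76 all turn on the same mechanism: a filter built in the Common Conditions Editor from AND/OR/NOT over categorization fields, applied to events that connectors have already normalized. The following is an added example, not part of the quiz or of ArcSight ESM, that evaluates such a condition tree over constructed events in Python and then correlates the matching logon failures into one higher-priority event, which is the correlation step question 60 describes. The field names follow ArcSight's categorization vocabulary but the dict layout, the sample events and the rule threshold are this example's own.

```python
"""Added example, not part of the quiz or of ArcSight ESM: evaluating a
CCE-style condition tree over normalized events, then correlating the
matches.

The Common Conditions Editor combines field comparisons with AND, OR and
NOT.  Here a condition is a nested tuple and matches() walks it, so the
inline filter from the question above

    Category Behavior = /Authentication/Verify
    Category Outcome  = /Failure

selects logon failures from any device, because the connector normalised
a Windows 4625 and a Linux sshd failure into the same category fields.
aggregate_failures() is a toy version of what the key calls correlation:
several related events become one higher-priority correlation event.
The events are constructed; field names follow ArcSight's categorisation
vocabulary but the dict layout is this example's own, not ESM's schema.
"""


def matches(cond, event: dict) -> bool:
    """Evaluate a condition tree: ('eq', field, value) leaves combined with
    ('and', ...), ('or', ...) and ('not', c) nodes."""
    op = cond[0]
    if op == "eq":
        return event.get(cond[1]) == cond[2]
    if op == "and":
        return all(matches(c, event) for c in cond[1:])
    if op == "or":
        return any(matches(c, event) for c in cond[1:])
    if op == "not":
        return not matches(cond[1], event)
    raise ValueError(f"unknown operator {op!r}")


LOGON_FAILURE = ("and",
                 ("eq", "categoryBehavior", "/Authentication/Verify"),
                 ("eq", "categoryOutcome", "/Failure"))

LOGON_ANY = ("eq", "categoryBehavior", "/Authentication/Verify")

# Constructed normalized events (not real log data).
EVENTS = [
    {"name": "An account was successfully logged on", "deviceVendor": "Microsoft",
     "categoryBehavior": "/Authentication/Verify", "categoryOutcome": "/Success",
     "attackerAddress": "10.0.0.21", "targetUserName": "alice", "endTime": 100},
    {"name": "An account failed to log on", "deviceVendor": "Microsoft",
     "categoryBehavior": "/Authentication/Verify", "categoryOutcome": "/Failure",
     "attackerAddress": "198.51.100.7", "targetUserName": "administrator", "endTime": 110},
    {"name": "An account failed to log on", "deviceVendor": "Microsoft",
     "categoryBehavior": "/Authentication/Verify", "categoryOutcome": "/Failure",
     "attackerAddress": "198.51.100.7", "targetUserName": "administrator", "endTime": 125},
    {"name": "An account failed to log on", "deviceVendor": "Microsoft",
     "categoryBehavior": "/Authentication/Verify", "categoryOutcome": "/Failure",
     "attackerAddress": "198.51.100.7", "targetUserName": "administrator", "endTime": 140},
    {"name": "Failed password", "deviceVendor": "Unix",
     "categoryBehavior": "/Authentication/Verify", "categoryOutcome": "/Failure",
     "attackerAddress": "203.0.113.9", "targetUserName": "root", "endTime": 150},
    {"name": "An account was logged off", "deviceVendor": "Microsoft",
     "categoryBehavior": "/Access/Stop", "categoryOutcome": "/Success",
     "attackerAddress": "10.0.0.21", "targetUserName": "alice", "endTime": 160},
]


def filter_events(events, cond) -> list:
    """The inline-filter step: keep only events the condition tree matches."""
    return [e for e in events if matches(cond, e)]


def aggregate_failures(events, threshold: int = 3, window: float = 60) -> list:
    """Correlate: `threshold` logon failures from one attacker address within
    `window` seconds produce a single correlation event for that source."""
    failures = sorted(filter_events(events, LOGON_FAILURE), key=lambda e: e["endTime"])
    times_by_src = {}
    for e in failures:
        times_by_src.setdefault(e["attackerAddress"], []).append(e["endTime"])
    alerts = []
    for src, times in times_by_src.items():
        for i in range(len(times)):           # slide a window over the sorted times
            in_window = [t for t in times[i:] if t - times[i] <= window]
            if len(in_window) >= threshold:
                alerts.append({"name": "Repeated logon failures from one source",
                               "attackerAddress": src,
                               "aggregatedEventCount": len(in_window),
                               "priority": 8})
                break                          # one correlation event per source
    return alerts
```

The filter alone answers question 76 (four logon failures, none of the success or logoff events); the aggregation turns the three Windows failures from 198.51.100.7 into one correlation event while the single sshd failure from 203.0.113.9 stays below threshold.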

77. What are valid actions for a rule to take?
   A. Ans) Send notification
   B. Send a Report
   C. Generate report
   D. Add to filter

78. Event correlation, event reconciliation, moving average, session reconciliation, and statistics are all examples of which type of Data Monitor?
   A. Event based
   B. Non-event based
   C. Ans) Correlation
   D. System status

79. What are the three types of Data Monitors?
   A. Event type, matching conditions, and non-event matching
   B. Event type, correlation, and aggregation
   C. Event-based, event graph, and non-event based
   D. Ans) Event-based, correlation, and non-event based

80. What is an example of an event-based Data Monitor?
   A. Moving average
   B. Rules partial match
   C. Ans) Last N count
   D. Session reconciliation

81. Click the Exhibit button. Which type of diagram is shown in the exhibit?
   A. A geographic hierarchy map
   B. Ans) An event graph
   C. An image viewer map
   D. A query topology

82. Asset categories can be assigned to zones as well as assets. What happens to the assets that belong to a zone with a category of "Critical"?
   A. All assets in the zone inherit the zone's category.
   B. Assets with a category that matches the zone category are grouped into a "Critical" asset group.
   C. Ans) Nothing happens. Assets in the zone maintain their own individual category identities.
   D. Assets in the zone inherit the zone's category and are grouped into a "Critical" asset group.

83. What is the name of the resource you can use to override the default ArcSight mapping of IP addresses to geographic regions?
   A. Zones
   B. Ans) Locations
   C. Categories
   D. Destination

84. In network modeling, which resource is used by an MSSP or by users with different cost centers?
   A. Networks
   B. Zone
   C. Ans) Customer
   D. Asset Group

85. In network modeling, what is a set of nodes with similar characteristics that have IPs enumerated one after the other?
   A. Ans) Asset Range
   B. Asset IP
   C. IP range
   D. Asset group

86. What do you use to establish identity, ownership, and criticality of the assets you have installed on your network?
   A. Asset types
   B. Asset groups
   C. Ans) Asset categories
   D. Asset ranges

87. Which statement is true about assets?
   A. Assets can be grouped in folders called asset ranges.
   B. Assets require a MAC address to be categorized properly.
   C. Ans) Assets can include bridges, routers, web servers, or anything with an IP or MAC address.
   D. An asset is a building.

88. Which user role is responsible for building content within ESM?
   A. Ans) Author
   B. Analyst
   C. Operator
   D. Admin

89. With regard to collecting SmartConnectors, what is roll back?
   A. Cached data after a communication failure
   B. Uninstallation of a package in the event of failure
   C. Ans) A way to revert to the previous version of a Connector when a Connector upgrade fails
   D. A way to gather data that has moved beyond the archive window

90. What must be done first to restore the database from an online backup?
   A. Run the Oracle restore wizard
   B. Ans) Ensure that the archived redo logs are located in the archive log destination
   C. Bring the affected tablespaces online
   D. Reinstall the Oracle installation

91. What is the trust store?
   A. The preferred source for obtaining signed certificates
   B. Ans) A list of trusted Certificate Authorities
   C. The location of a system's private keys
   D. The set of backup files containing SSL information

92. Which key pair types are valid selections when using the Manager Setup Wizard to create an SSL key pair? (Select two.)
   A. Non-expiring SSL key pair
   B. Ans) Self-signed key pair
   C. Ans) Demo key pair
   D. Random generator key pair
93. During Connector install, which statement is true about the ArcSight Manager's host name or IP address?
   A. Ans) It must match the host name or IP address in the ArcSight Manager's SSL certificate.
   B. The host name or IP address is used as an encryption key.
   C. It can be any legitimate host name or IP address.
   D. It must contain a combination of alphanumeric characters.

94. Which file types MUST be included in an Oracle backup? (Select two.)
   A. Table files
   B. Ans) Data files
   C. Program files
   D. Ans) Configuration files

95. How can you restore a new ArcSight Web installation to a previous configuration?
   A. Ans) Copy the old ArcSight Web installation's config directory and cacerts file into the new installation
   B. Copy the ArcSight Manager's config directory into the new installation
   C. Manually reconfigure the new installation
   D. Connect to the Manager and download the saved configuration

96. Package bundles are exported with which file extension?
   A. .xml
   B. .exe
   C. .msc
   D. Ans) .arb

97. Which command is used to modify retention periods?
   A. arcsight archive install
   B. arcsight database create
   C. arcsight retention create
   D. Ans) arcsight database pc

98. When configuring the ArcSight Database, what is the result of setting the offline archive period (Days) to zero?
   A. Partition Archiving is enabled.
   B. Ans) Partition Archiving is disabled.
   C. Online retention is enabled.
   D. Online reserved period is enabled.

99. Which command should you use to configure notification acknowledgements after the initial configuration of ArcSight ESM?
   A. Ans) arcsight managersetup
   B. arcsight notifysetup
   C. arcsight notifyconfig
   D. arcsight setupnotify

100. Which command is used to add a secondary destination to a Connector's configuration?
   A. arcsight destinations -n
   B. Ans) arcsight connectorsetup -w
   C. arcsight connectionwizard
   D. arcsight connector -d

101. Which actions might the whine daemon initiate? (Select two.)
   A. Ans) Sending a message to the admin consoles
   B. Sending SNMP traps to a monitoring station
   C. Sending syslog messages to a syslog server
   D. Ans) Writing an event to the server.log file

102. Which command is used to check the status of the TNS Listener?
   A. Ans) lsnrctl status
   B. listener status
   C. tnsstat
   D. oralistener status

103. Which ArcSight Manager directory should be backed up in order to preserve the server.properties file?
   A. user directory
   B. Ans) config directory
   C. properties directory
   D. jre directory

104. What happens when a Connector upgrade that was initiated from within the ArcSight Console fails?
   A. Ans) The Connector automatically rolls back to the previously working version.
   B. The Connector does not respond to the failed upgrade.
   C. The Connector reports to the Manager that the upgrade failed and then dies.
   D. The Connector automatically attempts the upgrade again.

105. What happens when a SmartConnector is rolled back?
   A. Collecting cached data after a communication failure
   B. Uninstallation of a package in the event of failure
   C. Ans) A way to revert to the previous version of a Connector when a Connector upgrade fails
   D. A way to gather data that has moved beyond the archive window

106. Which statement is true about starting and stopping ArcSight SmartConnector services?
   A. Ans) They are started and stopped independently of the other ArcSight component services.
   B. The order in which they are started and stopped is based on event flow.
   C. How they are started and stopped depends on whether or not the ArcSight Manager is running.
   D. They are started and stopped in conjunction with the Oracle database services.

107. During Connector install, which statement is true about the ArcSight Manager's host name or IP address?
   A. Ans) It must match the host name or IP address in the ArcSight Manager's SSL certificate.
   B. The host name or IP address is used as an encryption key.
   C. It can be any legitimate host name or IP address.
   D. It must contain a combination of alphanumeric characters.

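Questions 91, 93 and 107 concern the TLS checks a connector performs against the Manager: the trust store decides whether the certificate's issuer is trusted, and the host name or IP entered at install must be one the certificate was issued for. The following is an added example, not part of the quiz or of the ArcSight connector code, that implements the second check in Python over the dict layout Python's ssl.SSLSocket.getpeercert() returns. MANAGER_CERT and LEGACY_CERT are constructed certificates, not real ones, and the host names and addresses are assumptions for the example.

```python
"""Added example, not part of the quiz or of the ArcSight connector code:
the check behind "the Manager host name or IP address must match the
Manager's SSL certificate".

A TLS client compares the name it was told to connect to with the names
the certificate was issued for: DNS names and IP addresses in the
subjectAltName extension, with the subject commonName used only when the
certificate carries no SAN at all.  If nothing matches, the connector is
about to trust a server the certificate does not vouch for and must
refuse.  cert_matches_host() works on the dict layout that Python's
ssl.SSLSocket.getpeercert() returns; MANAGER_CERT below is a constructed
certificate, not a real ArcSight Manager's.
"""
import ipaddress


def _dns_match(pattern: str, host: str) -> bool:
    """Exact match, or a wildcard that stands for exactly one leading label
    (so '*.esm.corp.example' matches 'mgr1.esm.corp.example' but not
    'a.b.esm.corp.example', and never a bare registrable domain)."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels, h_labels = pattern.split("."), host.split(".")
    return (len(p_labels) >= 3 and len(p_labels) == len(h_labels)
            and p_labels[1:] == h_labels[1:])


def cert_matches_host(cert: dict, host: str) -> bool:
    """True if `host` (DNS name or IP literal) is a name this cert was issued for."""
    san = cert.get("subjectAltName", ())
    dns_names = [value for kind, value in san if kind == "DNS"]
    ip_names = [value for kind, value in san if kind == "IP Address"]
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal must match an IP SAN; DNS entries never match an IP.
        return any(ipaddress.ip_address(v) == ip for v in ip_names)
    if san:
        return any(_dns_match(p, host) for p in dns_names)
    # Legacy fallback: no SAN extension at all, compare against the subject CN.
    return any(_dns_match(value, host)
               for rdn in cert.get("subject", ())
               for kind, value in rdn if kind == "commonName")


# Constructed certificate in getpeercert() layout (not a real certificate).
MANAGER_CERT = {
    "subject": ((("commonName", "esm-manager.corp.example"),),),
    "subjectAltName": (("DNS", "esm-manager.corp.example"),
                       ("DNS", "*.esm.corp.example"),
                       ("IP Address", "10.10.20.5")),
}

# The same Manager with a constructed CN-only certificate and no SAN.
LEGACY_CERT = {"subject": ((("commonName", "esm-manager.corp.example"),),)}


def connector_destination_ok(host: str, cert: dict = MANAGER_CERT) -> bool:
    """What a connector should verify before sending events to `host`."""
    return cert_matches_host(cert, host)
```

The common install-time mistake this catches is entering the Manager's short name (esm-manager) or a second IP address that the certificate does not list: the TCP connection to port 8443 succeeds, but the handshake must be rejected because the name does not match.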
108. There are three types of ArcSight SmartConnectors. Which type is used primarily to execute commands on a device to retrieve, modify, or analyze its configuration?
   A. Event Connectors
   B. Scanner Connectors
   C. Ans) CounterACT Connectors
   D. SNMP Connectors

109. When you need to map a subnet, what do you use in network modelling?
   A. Ans) Zone
   B. Network
   C. Asset Range
   D. Network Range

110. How do you recognize an offline partition?
   A. A partition that resides within the database
   B. Ans) A partition that exceeds the online retention threshold and is therefore archived
   C. A partition reserved for a future date
   D. Data that is no longer needed by ESM

111. How are retention areas configured?
   A. Retention policies cannot be changed once they are set.
   B. Ans) Retention areas can be configured using the Partition Management Wizard.
   C. If the size of a retention area is reduced, the data outside of the retention area is automatically backed up.
   D. Ans) Archived partitions outside the offline archive period become invalid.

112. When configuring the ArcSight Database, what is the result of setting the offline archive period (Days) to zero?
   A. Partition Archiving is enabled.
   B. Ans) Partition Archiving is disabled.
   C. Online retention is enabled.
   D. Online reserved period is enabled.

113. What is the reserve period?
   A. The amount of time to allow before compressing event data for storage
   B. Ans) The number of future partitions to be maintained
   C. The amount of time to wait before determining that a device is not operating
   D. The maximum length of time archived partitions will be stored

114. When can the online partition compression task fail? (Select two.)
   A. When the partition being compressed is too old
   B. Ans) When events are inserted into the partition that is being compressed
   C. Ans) When the compression task takes more than two hours to complete
   D. When the partition compressor does not have the necessary file permissions

115. You are unable to see events from a specific device in the Console. The Active Channel filters are not the cause. Which component should you examine next in order to troubleshoot this issue?
   A. Database
   B. Ans) SmartConnector
   C. Console
   D. Device

116. What are the elements that are used to process a batch? (Select two.)
   A. Ans) Batches can be sent when they reach a certain size.
   B. Batches can be sent on command.
   C. Ans) Batches can be sent in priority order by severity.
   D. Batches can be sent by Connector type.

117. Preserve Raw Events, Turbo Mode, and Limit Event Processing Rate are all examples of which type of Connector options?
   A. Ans) Processing options
   B. Aggregation options
   C. Filter conditions
   D. Preservation options

118. What is a bundle?
   A. A set of resources that makes up a package
   B. A data transmission containing SSL information
   C. A set of raw log events before they are parsed
   D. Ans) A container for one or more packages

119. Which method is used to back up an Oracle database without shutting down the database?
   A. Sequential backup
   B. Standalone backup
   C. Ans) Online backup
   D. Offline backup

120. What is the default port used when connecting to the ArcSight Web interface?
   A. Ans) TCP 9443
   B. UDP 9443
   C. TCP 8443
   D. UDP 8443

121. What is the default port used by the ArcSight ESM Console to connect to the ArcSight Manager?
   A. Ans) TCP 8443
   B. UDP 8443
   C. TCP 9443
   D. UDP 9443

122. What is the default port used to connect the ArcSight Manager to the ArcSight ESM Database (Oracle)?
   A. 443
   B. 1443
   C. Ans) 1521
   D. 8443

123. The ArcSight Web release version must be the same version as what?
   A. Ans) ArcSight Manager
   B. ArcSight Database
   C. ArcSight SmartConnectors
   D. ArcSight Console

124. What must you do prior to applying a patch to the ArcSight Manager?
   A. Ans) Stop the ArcSight Manager service
   B. Shut down all ArcSight SmartConnectors
   C. Delete all files in the tmp directory
   D. Disconnect the network cable

125. Which command is used to check the status of the TNS Listener?
   A. Ans) lsnrctl status
   B. listener status
   C. tnsstat
   D. oralistener status

126. Which tablespace is used by ArcSight to store resources?
   A. ARC_EVENT_DATA
   B. ARC_SYSTEM_INDEX
   C. Ans) ARC_SYSTEM_DATA
   D. ARC_EVENT_INDEX
