You are visiting a site configured with IntroSpect, and the on-site admin tells you that they do not think that one of their database servers has fired any alerts for large downloads or strange access patterns. Could this be a reason? (The database server needs to be listed under Configuration>Analytics>User Correlation Config.)
Refer to the exhibit.
You are monitoring a new virtual Packet Processor with a network tap. You run the command "cli stats SERVER_PRE | grep -a1 drop" and then return an hour later and run the same command, but notice there is a significant increase in the number of dropped packets.
Could this be a reason for the increase? (The Packet Processor may not have been allocated the proper number of CPUs on the VM server for the size of the TAP.)
You are troubleshooting ClearPass with IntroSpect, and you notice that in Access Tracker the IntroSpect Logon Logoff actions profile is executing. However, the ClearPass Log Source on the IntroSpect Analyzer is showing dropped entries.
Would this be a good troubleshooting step? (Confirm that the ClearPass context action is sending the User name, MAC Address, IP Address, and Time Stamp)
While reviewing the logs at a customer site you notice that one particular device is accessing multiple servers in the environment, using a number of different user accounts. When you question the IT admin, they tell you that the computer is a JumpBox running software used to monitor all of the servers in the environment.
Would this be a logical next step? (As a next step, you should audit all of the accounts that are being used on the JumpBox to determine if the JumpBox is being accessed by unauthorized accounts.)
You were called into a customer site to do an evaluation of installing IntroSpect for a small business. During the discovery process, the customer asks you to explain when they would need to deploy a Packet Processor.
Does this explain the function of the Packet Processor? (The Packet Processor helps if they are using the analyzer deployed in the cloud by forwarding log data over HTTPS.)
An admin is evaluating entity activity alerts for large internal downloads, excessive host access, accessing hosts with SSH, and host and port scans. Is this a correct reason for these types of alerts? (a malware seeking command and control.)
While looking in the IntroSpect Analyzer Conversations screen you see there are a large number of DNS sessions coming from one IP address on the data center network VLAN. Would this be a logical next step? (The device at the IP address could be infected with malware seeking Command and Control. You should audit the device.)
An IntroSpect installation has been up for a day. While validating the log sources, you see an Aruba Firewall log source configured on a Packet Processor that has shown up on the interface in the analyzer.
While evaluating conversation data you notice there is no eflow data from AMON. You log into the controller and confirm there is user activity in the dashboard. Would this be a correct statement about this situation? (The log source on the Packet Processor may not be pointed to the analyzer IP address.)
In a conversation with a colleague you are asked to give them an idea of what type of monitor source you would use for each attack stage.
Would this be a correct correlation? (For “Command and Control” you can monitor DNS through AMON on the Aruba Mobility Controllers.)
You are deploying a new IntroSpect Packet Processor in your data center. It is not communicating with the analyzer in the same data center. You think that you have entered the host name of the analyzer incorrectly while bootstrapping the packet processor. Would this be a logical next step? (Clear out the bootstrap data and restart the system. After the restart, rerun the bootstrap.)
While investigating alerts in the Analyzer you notice a host desktop with a low risk score has been sending regular emails from an internal account to the same external account. Upon investigation you see that the emails all have attachments. Would this be a correct assessment of the situation? (This desktop should be added to a watch list and audited for a time to determine if this is real threat activity.)
Refer to the exhibit.
You are logged into IntroSpect and have navigated to the Alerts list. You are trying to filter the alerts to show all malware alerts for users. Is this a correct search query? (alertcategory:malware* AND username:any)
You are an administrator who made a few configuration changes in the IntroSpect Packet Processor, and a restart is required after those changes. Is this a valid method to restart the Packet Processor? (Issue the command #>shutdown -r now from the CLI of the Packet Processor.)
While investigating alerts you notice a user entity has triggered a historical alert for Large Internal Data Download. While investigating the alert, you notice that the download came from a different device than normal for the user. Based on these conditions, is this a possible cause? (This is a classic user account takeover pattern.)
While troubleshooting integration between ClearPass and IntroSpect, you notice that there are no log events for either THROUGHPUT or ERROR in the ClearPass log source on the IntroSpect Analyzer. You are planning your troubleshooting actions.
Is this something you should check? (Check the authentication service being used in ClearPass for the Login – Logout enforcement policy.)
Refer to the exhibit.
Would this be a correct option when configuring a user account for ClearPass to use to communicate with IntroSpect? (The username and email address must match.)
You were called into a customer site to do an evaluation of installing IntroSpect for a small business. During the discovery process, the customer asks you to explain when they would need to deploy a Packet Processor.
Does this explain the function of the Packet Processor? (They always need the Packet Processor to process AMON data from the Aruba Networks Mobility Controller.)