5V0-93.22 Exam Dumps : VMware Carbon Black Cloud Endpoint Standard Skills

 The Investigate page in the VMware Carbon Black Cloud Endpoint Standard console is where the security administrator can perform a search to further inspect the script-based attack that was coded into Excel VBA. The Investigate page allows the administrator to use advanced search techniques to query the endpoint data collected by the VMware Carbon Black Cloud sensors. The administrator can use various fields and operators to filter and refine the search results, such as process_name, file_name, file_path, file_type, file_description, and more. The administrator can also use the processtree view to visualize the process execution and the event details to examine the process activity. For example, the administrator can use the following search query to find all the processes that have a file type of Excel VBA:

file_type:EXCEL_VBA

This query will return all the processes that have a file type of EXCEL_VBA, which is a file type that indicates the file contains Excel VBA code. The file_type field is a string that indicates the type of the file based on its content and format. The possible values for this field are:

• EXE: Executable file
• DLL: Dynamic-link library file
• SYS: System file
• BAT: Batch file
• CMD: Command file
• VBS: Visual Basic Script file
• JS: JavaScript file
• PS1: PowerShell Script file
• HTA: HTML Application file
• MSI: Windows Installer file
• DOC: Microsoft Word document file
• XLS: Microsoft Excel spreadsheet file
• PPT: Microsoft PowerPoint presentation file
• PDF: Portable Document Format file
• SWF: Shockwave Flash file
• JAR: Java Archive file
• CLASS: Java class file
• PY: Python script file
• SH: Shell script file
• PL: Perl script file
• RB: Ruby script file
• PHP: PHP script file
• ASP: Active Server Pages file
• ASPX: Active Server Pages Extended file
• HTML: HyperText Markup Language file
• XML: Extensible Markup Language file
• DOCM: Microsoft Word document with macros file
• XLAM: Microsoft Excel add-in with macros file
• XLSM: Microsoft Excel spreadsheet with macros file
• XLTM: Microsoft Excel template with macros file
• PPTM: Microsoft PowerPoint presentation with macros file
• POTM: Microsoft PowerPoint template with macros file
• PPAM: Microsoft PowerPoint add-in with macros file
• EXCEL_VBA: Excel Visual Basic for Applications file
• WORD_VBA: Word Visual Basic for Applications file
• POWERPOINT_VBA: PowerPoint Visual Basic for Applications file
• OUTLOOK_VBA: Outlook Visual Basic for Applications file
• ACCESS_VBA: Access Visual Basic for Applications file
• PROJECT_VBA: Project Visual Basic for Applications file
• VISIO_VBA: Visio Visual Basic for Applications file
• PUBLISHER_VBA: Publisher Visual Basic for Applications file
• INFOPATH_VBA: InfoPath Visual Basic for Applications file
• ONENOTE_VBA: OneNote Visual Basic for Applications file
• UNKNOWN: Unknown file type

Therefore, by using the Investigate page in the VMware Carbon Black Cloud Endpoint Standard console, the security administrator can perform a search to further inspect the script-based attack that was coded into Excel VBA. References:

• Investigate Endpoint Data - VMware Docs, Overview section.
• Advanced Search Techniques - VMware Docs, Using Fields section, file_type subsection.

 A security benefit of VMware Carbon Black Cloud Endpoint Standard is that it provides visibility into the entire attack chain and customizable threat intelligence that can be used to gain insight into problems. Endpoint Standard uses behavioral analytics to detect and prevent malicious activity on endpoints, and also collects comprehensive event data that can be used to investigate and respond to incidents. Endpoint Standard also allows administrators to customize their threat intelligence feeds and alerts, and integrate with other security tools and platforms. This way, administrators can gain a deeper understanding of the threats facing their organization and take appropriate actions to mitigate them. The other options are incorrect because they are not security benefits of Endpoint Standard. Option A is incorrect because a flexible query scheduler is a feature of VMware Carbon Black Audit and Remediation, not Endpoint Standard. Option C is incorrect because customizable threat feeds are a feature of VMware Carbon Black Enterprise EDR, not Endpoint Standard. Option D is incorrect because policy rules that can be tested by selecting test rule next to the desired operation attempt are a feature of VMware Carbon Black App Control, not Endpoint Standard. References: VMware Carbon Black Cloud Endpoint Standard Datasheet, Carbon Black Cloud Endpoint Standard - Technical Overview

 The correct answer is C because it uses the correct syntax for the advanced search query. The process_name field matches the name of the process, and the AND NOT operator excludes the results that match the second condition. The backslashes in the path need to be escaped with another backslash, so C:\Windows\System32 is the correct way to write it. References: VMware Carbon Black Cloud Endpoint Standard Skills Reference Materials, Section 3.3.2: Investigate Page - Advanced Search.