A Carbon Black Cloud analyst needs to identify the Internet Explorer extensions installed on Windows endpoints.
Which Live Query statement will successfully query these items?
A. SELECT * FROM ie_extensions WHERE enabled=true;
B. SELECT * FROM registry WHERE ie_extensions;
C. SELECT * FROM ie_extensions;
D. SELECT * FROM registry JOIN ie_extensions;
Correct answer: C (osquery exposes Internet Explorer add-ons through its ie_extensions table; B and D are not valid SQL, and A would omit disabled extensions.)
Question 2:
A security policy states to enable Live Response by default across the enterprise. However, the team identified critical systems which should not support Live Response due to risk. The team needs to disable Live Response on selected systems.
From which page can this goal be accomplished?
A. API Access
B. Policy
C. Endpoints
D. Roles
Correct answer: B (Live Response is turned on or off per policy; assign the critical systems to a policy with Live Response disabled.)
Question 3:
An Enterprise EDR administrator sees the process in the graphic on the Investigate page but does not see an alert for this process:

How can the administrator generate an alert for future hits against this watchlist?
A. Select the watchlist on the watchlists page, use Take Action to select Edit, and select Alert on hit.
B. Select the watchlist on the watchlists page and click on Alerts: Off to toggle the alerts to On.
C. Select the watchlist on the watchlists page, select the Scheduled Task Created report, and use Take Action to toggle Alert on hit to On.
D. Select the watchlist on the watchlists page, select the Scheduled Task Created report, and use Take Action to select Alert on hit for the report.
Correct answer: A
Question 4:
An analyst is reviewing an alert in Enterprise EDR from a custom watchlist. The analyst disagrees with the alert severity rating.
How can the analyst change the alert severity value, if this is possible?
A. The alert severity is assigned by the backend analytics.
B. Change the alert severity on the watchlist.
C. The alert severity is not configurable.
D. Change the alert severity on the report.
Correct answer: D (Severity is a property of the watchlist report, and alerts generated by that report inherit it.)
Question 5:
Which two statements are true regarding Live Response? (Choose two.)
A. Live Response opens an SSH session with the remote device.
B. Live Response requires both view and manage permissions to use.
C. Live Response supports one user per session on an endpoint.
D. Live Response can only be initiated through the user interface.
E. Live Response utilizes the same channel for sensor-server communications.
Correct answer: D, E
Question 6:
Which statement correctly defines the results of ignoring a feed report?
A. Ignoring a feed report will also ignore the threat intelligence feed.
B. Ignoring a feed report will ignore all indicators in other threat reports.
C. Ignoring a feed report will remove all instances of the report.
D. Ignoring a feed report will ignore future instances of that report.
Correct answer: D (Ignoring a report suppresses future hits of that single report only; the feed and its other reports stay active.)
Question 7:
How is a new Alert of type Event Alert created so that it fires whenever an endpoint is added or deleted and sends emails to the App Control admin when these events occur?
A. Add filter in Event Properties for Subtype Computer added and Computer deleted. Add the App Control admin email, and then click Create & Exit.
B. Add filter in Event Properties for Subtype Computer added and Computer deleted. Click Create and add the App Control admin email, and then click Create & Exit.
C. Add filter in Event Properties for Subtype Endpoint added and Endpoint deleted. Click Create and add the App Control admin email, and then click Create & Exit.
D. Add filter in Event Properties for Subtype Computer modified. Add the App Control admin email, and then click Create & Exit.
Correct answer: B (D filters only on Computer modified, which does not match endpoints being added or deleted.)
Question 8:
Review this EDR query:
childproc_name:whoami.exe AND childproc_name:hostname.exe AND childproc_name:tasklist.exe AND childproc_name:ipconfig.exe
Which process would show in the query results?
A. Any process invoking whoami.exe, hostname.exe, tasklist.exe, or ipconfig.exe
B. Any process invoking whoami.exe, hostname.exe, tasklist.exe, and ipconfig.exe
C. Any process invoked by whoami.exe, hostname.exe, tasklist.exe, or ipconfig.exe
D. Any process invoked by whoami.exe, hostname.exe, tasklist.exe, and ipconfig.exe
Correct answer: B (childproc_name matches on the children a process spawned, and AND requires every term to match the same process.)
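To make the AND-versus-OR distinction in Question 8 concrete, the following added example (not part of the exam page or of Carbon Black's own code) evaluates a simplified EDR-style query over a handful of constructed process records. The field names childproc_name and parent_name, the record layout and the sample processes are assumptions made for illustration; the point it shows is that AND only returns a parent whose children include all four discovery tools, whereas OR returns any process that spawned at least one of them.

```python
"""Evaluate a minimal 'field:value AND/OR field:value' query against process
records, mirroring how childproc_name terms combine in an EDR search.

Added example for illustration; the data below is constructed, not real telemetry.
"""
import re
from typing import Any, Dict, List, Tuple

# Constructed sample records (assumed field names, not actual sensor schema).
PROCESSES: List[Dict[str, Any]] = [
    {"pid": 4100, "process_name": "cmd.exe", "parent_name": "explorer.exe",
     "childproc_name": ["whoami.exe", "hostname.exe", "tasklist.exe", "ipconfig.exe"]},
    {"pid": 5200, "process_name": "powershell.exe", "parent_name": "explorer.exe",
     "childproc_name": ["whoami.exe", "ipconfig.exe"]},
    {"pid": 5300, "process_name": "whoami.exe", "parent_name": "cmd.exe",
     "childproc_name": []},
    {"pid": 1200, "process_name": "explorer.exe", "parent_name": "userinit.exe",
     "childproc_name": ["cmd.exe", "powershell.exe"]},
]

TERM_RE = re.compile(r"^(\w+):(\S+)$")


def parse_query(query: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Split a flat query into its boolean operator and (field, value) terms.

    Only a single operator is supported; mixing AND and OR without
    parentheses is rejected rather than silently guessed.
    """
    tokens = query.split()
    operators = {t for t in tokens if t in ("AND", "OR")}
    if len(operators) > 1:
        raise ValueError("mixed AND/OR requires explicit grouping")
    operator = operators.pop() if operators else "AND"
    terms = []
    for token in tokens:
        match = TERM_RE.match(token)
        if match:
            terms.append((match.group(1), match.group(2)))
    if not terms:
        raise ValueError("query contains no field:value terms")
    return operator, terms


def term_matches(record: Dict[str, Any], field: str, value: str) -> bool:
    """A term matches if the record's field equals the value (case-insensitive).

    Multi-valued fields such as childproc_name match if any element equals it.
    """
    field_value = record.get(field)
    if field_value is None:
        return False
    values = field_value if isinstance(field_value, list) else [field_value]
    return any(str(v).lower() == value.lower() for v in values)


def run_query(query: str, records: List[Dict[str, Any]]) -> List[int]:
    """Return the pids of records satisfying the query."""
    operator, terms = parse_query(query)
    combine = all if operator == "AND" else any
    return [
        rec["pid"] for rec in records
        if combine(term_matches(rec, field, value) for field, value in terms)
    ]


AND_QUERY = ("childproc_name:whoami.exe AND childproc_name:hostname.exe "
             "AND childproc_name:tasklist.exe AND childproc_name:ipconfig.exe")
OR_QUERY = AND_QUERY.replace(" AND ", " OR ")
# "Invoked by" would be expressed on the parent, not the child, field.
PARENT_QUERY = "parent_name:cmd.exe"

if __name__ == "__main__":
    print("AND:", run_query(AND_QUERY, PROCESSES))      # only cmd.exe (4100)
    print("OR:", run_query(OR_QUERY, PROCESSES))        # cmd.exe and powershell.exe
    print("parent:", run_query(PARENT_QUERY, PROCESSES))  # whoami.exe (5300)
```

The AND form is the one that fits the question: it surfaces a single parent that ran the whole reconnaissance sequence, which is a much stronger signal than any one of those commands alone. Rewriting the same terms with OR turns the query into a broad hunt that also catches partial sequences, so choose the operator to match the behaviour being hunted.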
Kuma** -
I also passed the 5V0-91.20 exam with a high score. Pass4Test, I will leave you a good review online.