VMware Carbon Black Portfolio Skills v1.0 (5V0-91.20)

Page:    1 / 4   
Total 56 questions

A Carbon Black Cloud analyst needs to identify the Internet Explorer extensions installed on Windows endpoints.
Which Live Query statement will successfully query these items?

  • A. SELECT * FROM registry JOIN ie_extensions;
  • B. SELECT * FROM registry WHERE ie_extensions;
  • C. SELECT * FROM ie_extensions;
  • D. SELECT * FROM ie_extensions WHERE enabled=true;

Answer : A

Which statement is true about configuring VMware Carbon Black Application Control for use on non-persistent virtual machines (VM's)?

  • A. The endpoint housing the agent template must always be on/running except when updating the image.
  • B. The gold image housing the agent template must be digitally signed to ensure the integrity of the agent cache.
  • C. The endpoint housing the agent template must always be off except when updating the image.
  • D. The agent running on the template machine must not be initialized before deploying clones.

Answer : D

An administrator runs the following query in Audit and Remediation:

SELECT * FROM users WHERE UID >= 500;
How long will this query stay active and accept data from the sensors?

  • A. 14 days
  • B. 30 days
  • C. 7 days
  • D. 1 day

Answer : C


An administrator uses the following Enterprise EDR search query to show web browsers spawning non-browser child processes that connect over the network:
(parent_name:chrome.exe OR parent_name:iexplore.exe OR parent_name:firefox.exe) AND (NOT process_name:chrome.exe OR NOT process_name:iexplore.exe OR NOT process_name:firefox.exe)
Which field can be added to this query to filter the results by signature status?

  • A. childproc_publisher_state
  • B. process_publisher
  • C. childproc_reputation
  • D. process_publisher_state

Answer : C

Given the following query:
SELECT * FROM users WHERE UID >= 500;
Which statement is correct?

  • A. This query limits the number of columns to display in the results.
  • B. This query filters results sent to the cloud.
  • C. This query is missing a parameter for validity.
  • D. This query returns all accounts found on systems.

Answer : A

What are three ways to ignore a feed report within the EDR user interface? (Choose three.)

  • A. Threat Reports Details page
  • B. Threat Intelligence Feeds page
  • C. Investigations page
  • D. Search Threat Reports page
  • E. Alert Dashboard page
  • F. After marking a feed alert as a false positive

Answer : ABF


What is the maximum number of binaries (hashes) that can be banned using the web console?

  • A. 500
  • B. 600
  • C. 300
  • D. 400

Answer : C

An administrator wants to allow files to run from a network share.
Which rule type should the administrator configure?

  • A. Execute Prompt (Shared Path)
  • B. Trusted Path
  • C. Network Execute (Allow)
  • D. Write Approve (Network)

Answer : A

An analyst is reviewing an alert in Enterprise EDR from a custom watchlist. The analyst disagrees with the alert severity rating.
How can the analyst change the alert severity value, if this is possible?

  • A. The alert severity is assigned by the backend analytics.
  • B. The alert severity is not configurable.
  • C. Change the alert severity on the watchlist.
  • D. Change the alert severity on the report.

Answer : C

What information does the Alert Details panel provide on the Alert Triage page in Endpoint Standard?

  • A. Threat ID
  • B. Process ID
  • C. Device ID
  • D. Alert ID

Answer : A

An analyst on the security team noticed that several alerts are false positives within Enterprise EDR. The analyst disables the IOC within the report from those alerts.
Which statement correctly explains what disabling the IOC will accomplish?

  • A. That specific IOC in the report will no longer generate hits or alerts on the device from the alert.
  • B. The report will no longer generate hits or alerts on the device from the alert.
  • C. That specific IOC in the report will no longer generate hits or alerts.
  • D. The report will no longer generate hits or alerts.

Answer : C

Which identifier is shared by all events when an alert is investigated?

  • A. Process ID
  • B. Event ID
  • C. Priority Score
  • D. Alert ID

Answer : B

An Enterprise EDR administrator wants to use Watchlists curated by VMware Carbon Black and other threat intelligence specialists.
How should the administrator add these curated Watchlists from the Watchlists page?

  • A. Click Add Watchlists, and input the URL(s) for the desired Watchlists.
  • B. Click Take Action, select Edit, and select the desired Watchlists.
  • C. Click Take Action, and select Subscribe for the desired Watchlists.
  • D. Click Add Watchlists, on the Subscribe tab select the desired Watchlists, and click Subscribe.

Answer : A


An incorrectly constructed watchlist generates 10,000 incorrect alerts.
How should an administrator resolve this issue?

  • A. Delete the watchlist to automatically clear the alerts, and then create a new watchlist with the correct criteria.
  • B. From the Triage Alerts Page, use the facets to select the watchlist, click the Wrench button to "Mark all as Resolved False Positive", and then update the watchlist with the correct criteria.
  • C. Update the Triage Alerts Page to show 200 alerts, click the Select All Checkbox, click the "Dismiss Alert(s)" button for each page, and then update the watchlist with the correct criteria.
  • D. From the Watchlists Page, select the offending watchlist, click "Clear Alerts" from the Action menu, and then update the watchlist with the correct criteria.

Answer : B

Which list below captures all Enforcement Levels for App Control policies?

  • A. Critical, Lockdown, Monitored, Tracking, Banning
  • B. High Enforcement, Medium Enforcement, Low Enforcement
  • C. High Enforcement, Medium Enforcement, Low Enforcement, None (Visibility), None (Disabled)
  • D. Control, Local Approval, Disabled

Answer : C

