SL.
NO Questions
1 What is an IP address?
2 UDP is a connection oriented
protocol.
3 What are all the types of logs Ans)System Log,
available in Windows
operating system?
4 The command to identify the
IP address of the Windows
system,
5 The term, “Vulnerability”
refers to,
6 Telnet
7 what is SIEM
8 which one is not a part of
ArcSight architecture
9 Which one is not a ArcSight
Resource
10 ArcSight Console is ?
Choice A Choice B Choice C Choice D
It is the address Ans)It is a logical It is an address assigned
embedded in the address to by the antivirus software.
network adapter. identify a node in
the network
True Ans)FALSE
OS Log, System Log, User Log, Type A log, Type B Log, Type C
Application Log, Connection Log, Application Log log
Security Log Error Log
fconfig Ans)ipconfig address –ip ipaddress
An attempt to gain Simply listening to A threat action whereby Ans)Weakness in an
unauthorized access a private sensitive data is directly information system, system
to system services, conversation which released to an security procedures, internal
resources, or may reveal unauthorized entity controls, or implementation
information information which that could be exploited or
can provide access triggered by a threat source.
to a facility or
network.
used to send email uses telephone is part of Netscape ans)is a protocol that allows
lines for remote login
Security Index and Log Analysis Tool Ans)Log Management Security incident and Error
Event Management and Event Management Tool
Tool Management Tool
Flex Connector Oracle DB Ans)MySQL ArcSight Web
Partitions Ans)Annotations Notifications Lists
Thin Client Windows Service Software Ans)Thick Client
11 which one is not a user Admin System Ans)Analyst Sys
group in ArcSight

12 A firewall is used to protect a a form of virus a screen saver program Ans)none of the above
computer room
from fires and
floods

13 Oracle DB is optional in TRUE Ans)FALSE

ArcSight Setup.

14 A Kb corresponds to 1024 bits 1000 bytes Ans)2^10 bytes 2^10 bits

15 , what is the default port Ans)TCP 9443 UDP 9443 TCP 8443 UDP 8443
used when connecting to the
ArcSight Web interface?

16 At most, a zone can belong 0 (Zones do not Ans)1 2 as many as needed based on the
to how many networks? belong to networks, Network Model
zones contain
networks.)

17 What is Zero day attack? Attacks happening First attack An attack that exploits a Ans)An attempt to make a
on Jan 1st of every detected within an previously unknown machine or network resource
year. organization vulnerability in a unavailable to its intended
computer application users

18 , How does the port scan By analysing all logs Ans)By sending By generating abnormal
works? generated by framed IP traffic targeted against
firewall packets and particular network and
analysing the consuming all available
reply bandwidth

19 The ArcSight component that ArcSight Web Ans)SmartConnec Console ArcSight DB

performs Normalization is tor

20 which are operators in the ELSE Ans)AND Ans)OR IF

ArcSight Common Conditions
Editor (CCE)? (Select two.)

21 Which functions are on the Correlate Events Ans)Show Event Ans)Annotate Events Prioritize Events
 right-click menu for an Details
event? (Select two.)

22 Which string function is used Add Ans)Concatenate Join Find

to join two data fields?

23 TTL means Total Time Lag Time Threshold Lag Ans)Time To Live Total Time Left

24 What can ArcSight ESM Ans)multiple Data multiple Cases multiple Stages multiple Reports
Dashboards display? Monitors

25 Using SSL technology, Ans)Secure Security Standards Smart Stealth Layer Standard Security Layer
information can be Sockets Layer Layer
communicated over an
encrypted channel. What is
SSL?

26 Which are clients of the ArcSight Correlation Ans)Arcsight web Ans)ArcSight Smart ArcSight Database
ArcSight Manager? (Select Engine Connectors
two.)

27 What is the default port used Ans)TCP 8443 UDP 8443 TCP 9443 UDP 9443
by the ArcSight ESM Console
to connect to the ArcSight
Manager?

28 What is the default port used 443 1443 Ans)1521 8443

to connect the ArcSight
Manager to the ArcSight ESM
Database (Oracle)?

29 ArcSight Smart Connectors Ans)ArcSight ArcSight Console ArcSight Web Server ArcSight Database
send event data directly to Manager
what?

30 what are typical jobs of L1

analyst in ArcSight ? (write 3
interfaces , they need to
watch/use every day).

31 Which are operators in the ELSE ans)AND NOT IF

 ArcSight Common Conditions
Editor (CCE)?
32 What stores information about
logons, user actions, and the
resulting events in the most
concise way?
33 Which statements are true
about Session Lists?
34 Report run start time, output
format for report results, email
distribution for report results,
and report filters are all
examples of what?
35 When using the Query Editor,
three sub-tabs provide the
options you need to properly set
up the query. What information
do these sub-tabs require?
36 What is the "focus" of a Focus
report?
37 What do field sets correspond
to?
38 How are baselines established
and used in Query Viewers?
Event annotations ans)Session Lists Active Lists Cases
They must have a key They can share They can be used to ans)They always have Start Time,
file and a value entries with other populate Active Lists. End Time, and Creation Time fields.
Session Lists.
ans)report report formats report data sources report attributes
parameters
when the query when the query which data fields to select; ans)which data fields to select; how
should be run; which should be run; what how the data should be the data should be ordered; how the
format the query the query should be displayed; how long the data data should be grouped
output should take; called; how long the should be archived
how many data data should be
elements should be archived
included
the differences ans)a subset of a events that have been high priority Correlation events only
between two similar larger (e.g., monthly missed
reports or quarterly) report
Variables in a rule components in a attributes in a Query Viewer ans)columns in an Active Channel
configuration Network Model Grid view
Baselines are created Baselines are created Baselines are created using ans)Baselines are created using
using rules. After the using query results. query results. When a query query results and fed into the Image
rule is triggered, the The baseline from the has one or more baselines Editor for the related Data Monitor.
resulting action query is used to available, you can compare

39 At most, a zone can belong to
how many networks?
40 In network modeling, what are
SmartConnectors bound to?
41 Which role does the Active
Channel play in testing a rule?
42 What must be done to a local
Variable before it can be used
with multiple resources?
43 Which resource defines what a
report will look like when
generated?
44 Which resources can be
displayed in the ArcSight Web
interface?
45 Which functions are on the
right-click menu for an event?
46 Active Channel views and
Dashboard views are examples
of Viewer Panel views. Which
other views are associated with
the Viewer Panel?
establishes a baseline create a new field set the current results with the
against which future definition that can be baseline.
rules are evaluated in run against future
the Query Viewer. events.
0 1 2 as many as needed based on the
Network Model
Assets Assets Ranges Zone ans)Customer
The rule can be ans)The rule can be The rule cannot be tested ans)None
replayed and verified replayed against with the Active Channel
against real-time historical events in because it will create
events in the Active the Active Channel. additional invalid Correlation
Channel. events.
It must be renamed. It must be copied. It must be moved it to a new ans)It must be promoted to a Global
resource. Variable.
layout query ans)Template & report None
Stages, Annotation Queries and Partitions ans)Cases, Notifications, Knowledge Base articles and
and Active Channels Templates
Correlate Events ans)Show Event Knowledge Base Prioritize Events
Details
Asset views ans)Resource views & Combined views Simple views
Results views
47 What are functions of Query present detailed ans)provide a determine which devices are display the Boolean logic behind
Viewers? comparisons of report baseline analysis of off-line at any given point in filters and rules
elements, not possible events against which time by querying their status
with the reporting tool future queries can be
compared

provide a quick way

to run SQL queries
and identify trends
without running
reports

48 What happens if a notification ans)The notification is The notification is An error message appears The condition generating the
requiring a response within 24 escalated to the next added to the Session on the ArcSight Console. notification is escalated to a higher
hours is not acknowledged level of notification. List. priority.
within that time?

49 Why would you lock a Case? to close and archive a ans)to prevent others to prevent the Case from to preserve the state of the Case
Case from modifying the being seen in the Resource
Case while you edit List
or attach something
to the Case

50 What represents the current Notifications ans)stages Case Annotation

status in the investigation of a
Case?

51 There are 17 event field groups Category Attacker ans)Threat Event

defined in the ArcSight Event
SchemIn which group would you
look for data fields describing an
event's importance as assessed
by ArcSight ESM?

52 Which Event Schema group Event ans)Device & Agent Source None
contains data fields, which
describe the connector reporting
 an event?

53 Which output formats are XML ans)HTML MP4 JPEG

available when running a
report?

54 What does a Network Model ans)assets destinations Network file resources

include?

55 Which statement is true about ans)An inline filter An inline filter applies An inline filter cannot use An inline filter is created using
inline filters? applies only to its only as long as the AND or OR conditions. Boolean logic in the Inspect/Edit
current Active Active Channel is panel.
Channel. open, and cannot be
saved.

56 Which tools are used to view Knowledge Base ans)Active Channel Knowledge Base Annotations
events in ArcSight ESM? article

57 What is a good way for an ans)check the priority run a report of High ask more senior analysts or view the Event Grid and Correlation
operator or analyst to quickly rating in a Dashboard Priority Threats architects categories
determine which events must be or Active Channel
addressed first?

58 What can ArcSight ESM ans)multiple Data multiple Cases multiple Stages multiple Reports
Dashboards display? Monitors

59 How do asset categorization and Asset categorization Asset categorization Asset categorization ans)Asset categorization is the
event categorization relate to and event and event requires custom fingerprint of an asset; event
each other? categorization are the categorization use the FlexConnectors; event categorization is a set of criteria that
same. same field set to categorization uses standard describes an event.
apply categories to SmartConnectors.
assets and events.

60 Which process uncovers the Categorization aggregation ans)Correlation Filteration

relationship between events,
infers the significance of those
relationships, prioritizes them,
and then provides a framework
 for taking action?

61 What is a criteria factor within Assurance Asset Priority Seriousness ans)Model confidence
the ArcSight Priority Formula?

62 What does the Priority Formula Flex connector Smart connector only ans)Manager only Both manager and smart connector
calculation run on?

63 Which statements are true Model confidence is ans)Each line of Event severity is ans)Values are normalized and
about event lifecycle data determined, based on incoming log data is determined, based on an entered into the ArcSight Event
collection and the event details provided by processed as a Active List of recent severity Schema.
processing phase? the event source. separate event factors.

64 Using SSL technology, Standard Security Smart Stealth Layer ans)Secure Sockets Layer Security Standards Layer
information can be Layer
communicated over an
encrypted channel. What is SSL?

65 You want your Active Channel to Evaluate Once at Evaluate $NOW-1h ans)Continuously Evaluate Evaluate Continuously from Attach
automatically display new Attach Time Time
events as they arrive at ESM.
Which time parameter should
you use to accomplish this?

66 Which ArcSight ESM Resource Cases ans)Active Channels Knowledge Base Stages
enables you to perform live
monitoring of events?

67 What is a function of the ans)retrieves data sends session details ans)populates a Session List investigates session details in the
Variable GetSessionData? fields from a Session to the ArcSight audit log
List Manager

68 Which string function is used to Substring Find ans)Concatenate correlate

join two data fields?

69 What is the primary function of It accepts correlated, It manages It restores the rule ans)It writes incoming events to the
the ArcSight Manager? prioritized events bottlenecks between definitions that drive the database while simultaneously
from SmartConnectors the connectors, the functioning of ArcSight ESM. processing events through the
 with instructions from ArcSight Console, and Correlation engine.
the ArcSight Console, the ESM Database.
and writes events to
the database.

70 Which ESM components collect Node Resource ans)Smartconnector Which ESM components collect
event data? event data?

71 Which statement is true about a ans)It recognizes It is triggered by It rejects partial matches but It matches the output of more than
join rule? patterns that involve events that match a can be set for aggregation one simple rule to an Active List.
more than one type single set of
of event. conditions.

72 Which statement is true about JOINrules use Session ans)Chained rules Join rules link simple rules Chained rules result in detailed
join rules and chained rules? Lists; chained rules may or may not be together; chained rules link chains; join rules result in simple
use Active Lists. join rules that also join rules. chains.
use Active Lists or
rely on Correlation
events generated by
other rules

73 Which statement is true about ans)Data Monitors Reports cannot be Inline filters cannot be used Cases cannot be modified in the
the ArcSight Web interface? cannot be added to a formatted in the in the ArcSight Web ArcSight Web interface.
Dashboard in the ArcSight Web interface.
ArcSight Web interface.
interface.

74 When specifying the attributes Time Threshold Lag Total Time Lag Total Time LEFT ans)TimeTo live
of a new Active List, you can set
TTL days, hours, and minutes.
What is TTL?

75 What can you use to change the Event annotations ans)Case Editor Common Conditions Editor Query Viewer
stage of a Case?

76 Which type of event is displayed Logout events Login Success events Account Locked events ans)Logon failure event
in an Active Channel with the
 following Inline Filter applied?
Category Behavior =
/Authentication/Verify Category
Outcome = /Failure

77 What are valid actions for a rule ans)send notification Send a Report generate report add to filter
to take?

78 Event correlation, event Event based Non-Event Based ans)Correlation system status
reconciliation, moving average,
session reconciliation, and
statistics are all examples of
which type of Data Monitors?

79 What are the three types of event type, matching event type, event-based, event graph, ans)event-based, correlation, and
Data Monitors? conditions, and non- correlation, and and non-event based non-event based
event aggregation matching

80 What is an example of an event- moving average rules partial match ans)Last N count session reconciliation
based Data Monitor?

81 Click the Exhibit button. Which a geographic hierarchy ans)an event graph an image viewer map a query topology
type of diagram is shown in the map
exhibit?

82 Asset categories can be assigned All assets in the zone Assets with a category ans)Nothing happens. Assets in the zone inherit the zone's
to zones as well as assets. What inherit the zone's that matches the Assets in the zone maintain category and are grouped into a
happens to the assets that category. zone category are their own individual "Critical" asset group.
belong to a zone with a category grouped into a category identities.
of "Critical"? "Critical" asset group.

83 What is the name of the zones ans)Locations categories Destination

resource you can use to override
the default ArcSight mapping of
IP addresses to geographic
regions?

84 In network modeling, which networks zone ans)Customer Asset Group

 resource is used by MSSP or by
users with different cost
centers?

85 In network modeling, what is a ans)Asset Range Asset IP IP range Asset group

set of nodes with similar
characteristics that have IPs
enumerated one after the
other?

86 What do you use to establish asset types asset groups ans)asset categories asset ranges
identity, ownership, and
criticality of the assets you have
installed on your network?

87 Which statements are true Assets can be grouped Assets require a MAC ans)Assets can include An asset is a Building
about assets? in folders called asset address to be bridges, routers, web
ranges. categorized properly. servers, or anything with an
IP or MAC address.

88 Which user role is responsible ans)Author Analyst operator Admin

for building content within ESM?

89 With regard to collecting cached data uninstallation of a ans)a way to revert to the a way to gather data that has moved
SmartConnectors, what is roll after a communication package in the event previous version of a beyond the archive window
back? failure of failure Connector when a
Connector upgrade fails

90 What must be done first to run the Oracle ans) ensure that bring the affected reinstall the Oracle installation
restore the database from an restore wizard the archived redo tablespaces online
online backup? logs are located in
the archive log
destination

91 Where is the trust store the preferred source ans) a list of trusted the location of a system's the set of backup files containing
located by default? for obtaining signed Certificate private keys SSL information
certificates Authorities
92 Which key pair types are valid non-expiring SSL key ans)self-signed key
selections when using the
Manager Setup Wizard to
create an SSL key pair?
(Select two.)
93 During Connector install,
which statement is true
about the ArcSight Manager's
host name or IP address?
94 Which file types MUST be
included in an Oracle backup?
(Select two.)
95 How can you restore a new
ArcSight Web installation to a ArcSight Web
previous configuration?
96 Package bundles are
exported with which file
extension?
97 Which command is used to
modify retention periods?
98 When configuring the
ArcSight Database, what is
the result of setting the
offline archive period (Days)
ans) demo key pair random generator key pair
pair pair
ans) It must match The host name or IP It can be any legitimate It must contain a combination of
the host name or IP address is used as host name or IP address. alpha-numeric characters.
address in the an encryption key.
ArcSight Manager's
SSL certificate.
table files ans)data files program files ans) configuration files
ans) copy the old copy the ArcSight manually reconfigure the connect to the Manager and
Manager's config new installation download the saved configuration
installation's config directory into the
directory and new installation
cacerts file into the
new installation
.xml file .exe file .msc file ans) .arb file
Arcsight archive Arcsight database Arcsight retention create ans)Arcsight database pc
install create
Partition Archiving is ans)Partition Online retention is enable Online reserved period is
enable Archiving is disable enabled.
 to Zero?
99 Which command should you
use to configure notification
acknowledgements after the
initial configuration of
ArcSight ESM?
100 Which command is used to
add a secondary destination
to a Connector's
configuration?
101 Which actions might the
whine daemon initiate?
(Select two.)
102 Which command is used to
check the status of the TNS
Listener?
103 Which ArcSight Manager
directory should be backed
up in order to preserve the
server.properties file?
104 What happens when a
Connector upgrade that was
initiated from within the
ArcSight Console fails?
105 What happens when
smartconnector is rolled
back?
ans)arcsight arcsight notifysetup arcsight notifyconfig arcsight setupnotify
managersetup
arcsight destinations ans)arcsight arcsight connectionwizard arcsight connector -d
-n connectorsetup -w
ans)sending a sending SNMP traps sending syslog messages ans)writing an event to the
message to the to a monitoring to a syslog server server.log file
admin consoles station
ans)lsnrctl status listener status tnsstat oralistener status
user directory ans)config directory properties directory jre directory
ans)The Connector The Connector does The Connector reports to The Connector automatically
automatically rolls not respond to the the Manager that the attempts the upgrade again.
back to the failed upgrade. upgrade failed and then
previously working die
version.
collecting cached uninstallation of a ans)a way to revert to a way to gather data that has
data after a package in the the previous version of a moved beyond the archive
communication event of failure Connector when a window

106 Which statement is true
about starting and stopping
ArcSight SmartConnector
services?
107 During Connector install,
which statement is true
about the ArcSight Manager's
host name or IP address?
108 There are three types of
ArcSight SmartConnectors.
Which type is used primarily
to execute commands on a
device to retrieve, modify, or
analyze its configuration?
109 When you need to map a
subnet, what do you do in
network modelling ?
110 How do you recognize a
offline partition?
111 How are retention areas
configured?
failure Connector upgrade fails
ans)They are The order in which How they are started and They are started and stopped in
started and stopped they are started and stopped depends on conjunction with the Oracle
independently of stopped is based on whether or not the database services.
the other ArcSight event flow. ArcSight Manager is
component running.
services.
ans)It must match The host name or IP It can be any legitimate It must contain a combination of
the host name or IP address is used as host name or IP address. alpha-numeric characters.
address in the an encryption key.
ArcSight Manager's
SSL certificate.
Event Connectors Scanner Connectors ans)CounterACT SNMP Connectors
Connectors
ans)zone network Asset Range Network Range
a partition that ans)a partition that a partition reserved for a data that is no longer needed by
resides within the exceeds the online future date ESM
database retention threshold
and is therefore
archived
Retention policies ans)Retention If the size of a retention ans)Archived partitions outside
cannot be changed areas can be area is reduced, the data the offline archive period
 once they are set. configured using outside of the retention become invalid.
the Partition area is automatically
Management Wizar backed up.

112 When configuring the Partition Archiving is ans)Partition Online retention is enable Online reserved period is
ArcSight Database, what is enable Archiving is disable enabled.
the result of setting the
offline archive period (Days)
to Zero?

113 How do you find out the the amount of time ans)the number of the amount of time to the maximum length of time
reserve period? to allow before future partitions to wait before determining archived partitions will be stored
compressing event be maintained that a device is not
data for storage operating

114 When can the online when the partition ans)when events ans)when the when the partition compressor
partition compression task being compressed is are inserted into compression task takes does not have the necessary file
fail? (Select two.) too old the partition that is more than two hours to permissions
being compressed complete

115 You are unable to see events Database ans)SmartConnecto Console Device
from a specific device in the r
Console. The Active Channel
filters are not the cause.
Which component should you
examine next in order to
troubleshoot this issue?

116 What are the elements that ans)Batches can be Batches can be sent ans)Batches can be sent Batches can be sent by Connector
are used to process a batch? sent when they on comman in priority order by type.
reach a certain size. severity.

117 Preserve Raw Events, Turbo ans)Processing Aggregation options Filter conditions Preservation options
Mode, and Limit Event options
 Processing Rate are all
examples of which type of
Connector options?

118 How do you compile a a set of resources a data transmission a set of raw log events ans)a container for one or more
bundle? that makes up a containing SSL before they are parsed packages
package information

119 Which method is used to sequential backup standalone backup ans)online backup offline backup
back up an Oracle database
without shutting down the
database?

120 What is the default port used ans)TCP 9443 UDP 9443 TCP 8443 UDP 8443
when connecting to the
ArcSight Web interface?

121 What is the default port used ans)TCP 8443 UDP 8443 TCP 9443 UDP 9443
by the ArcSight ESM Console
to connect to the ArcSight
Manager?

122 What is the default port used 443 1443 ans)1521 8443
to connect the ArcSight
Manager to the ArcSight ESM
Database (Oracle)?

123 The ArcSight Web release ans)ArcSight ArcSight Database ArcSight SmartConnectors ArcSight Console
version must be the same Manager
version as what?

124 What must you do prior to ans)Stop the shut down all delete all files in the tmp disconnect the network cable
applying a patch to the ArcSight Manager ArcSight directory
ArcSight Manager? service SmartConnectors
125 Which command is used to ans)lsnrctl status listener status tnsstat oralistener status
check the status of the TNS
Listener?

126 Which tablespace is used by ARC_EVENT_DATA ARC_SYSTEM_INDE ans)ARC_SYSTEM_DATA ARC_EVENT_INDEX

ArcSight to store resources? X