VMware 5V0-91.20 practice test

VMware Carbon Black Portfolio Skills Exam

Last exam update: Apr 08, 2024
Page 1 out of 8. Viewing questions 1-15 out of 116

Question 1

A company uses Audit and Remediation to check configurations and adhere to compliance
regulations. The regulations require monthly reporting and twelve months of data retained.
How can an administrator accomplish this requirement with Audit and Remediation?

  • A. Schedule the query to run monthly, and set the data retention to 12 months for the query.
  • B. Schedule the query to run monthly, and configure the audit log retention to 12 months.
  • C. Schedule the query to run monthly, and no further action is required.
  • D. Schedule the query to run monthly, and export the results for each run to an external location.
Answer:

D


Question 2

Which list below captures all Enforcement Levels for App Control policies?

  • A. Critical, Lockdown, Monitored, Tracking, Banning
  • B. High Enforcement, Medium Enforcement, Low Enforcement
  • C. High Enforcement, Medium Enforcement, Low Enforcement, None (Visibility), None (Disabled)
  • D. Control, Local Approval, Disabled
Answer:

C


Reference:
https://community.carbonblack.com/gbouw27325/attachments/gbouw27325/product-docs-news/2961/1/VMware%20Carbon%20Black%20App%20Control%208.5.0%20User%20Guide.pdf (6)


Question 3

An incorrectly constructed watchlist generates 10,000 incorrect alerts.
How should an administrator resolve this issue?

  • A. Delete the watchlist to automatically clear the alerts, and then create a new watchlist with the correct criteria.
  • B. From the Triage Alerts Page, use the facets to select the watchlist, click the Wrench button to Mark all as Resolved False Positive, and then update the watchlist with the correct criteria.
  • C. Update the Triage Alerts Page to show 200 alerts, click the Select All Checkbox, click the “Dismiss Alert(s)” button for each page, and then update the watchlist with the correct criteria.
  • D. From the Watchlists Page, select the offending watchlist, click Clear Alerts from the Action menu, and then update the watchlist with the correct criteria.
Answer:

B


Question 4

An Enterprise EDR administrator wants to use Watchlists curated by VMware Carbon Black and other
threat intelligence specialists.
How should the administrator add these curated Watchlists from the Watchlists page?

  • A. Click Add Watchlists, and input the URL(s) for the desired Watchlists.
  • B. Click Take Action, select Edit, and select the desired Watchlists.
  • C. Click Take Action, and select Subscribe for the desired Watchlists.
  • D. Click Add Watchlists, on the Subscribe tab select the desired Watchlists, and click Subscribe.
Answer:

D

Explanation: On the Watchlists page, Add Watchlists opens a panel with two tabs: Subscribe, which lists the curated watchlists maintained by VMware Carbon Black and third-party threat intelligence providers, and Build, for custom watchlists. Curated watchlists are added by ticking them on the Subscribe tab and clicking Subscribe; no URL is entered.


Reference:
https://community.carbonblack.com/gbouw27325/attachments/gbouw27325/product-docs-news/1913/18/Enterprise%20EDR%20Getting%20Started.pdf (5)


Question 5

Which identifier is shared by all events when an alert is investigated?

  • A. Process ID
  • B. Event ID
  • C. Priority Score
  • D. Alert ID
Answer:

D

Explanation: Every event has its own Event ID, so an Event ID cannot be shared by all of them. Every event that contributed to an alert carries the same Alert ID, which is the value the investigation view pivots on.


Question 6

An analyst on the security team noticed that several alerts are false positives within Enterprise EDR. The analyst disables the IOC within the report from those alerts.
Which statement correctly explains what disabling the IOC will accomplish?

  • A. That specific IOC in the report will no longer generate hits or alerts on the device from the alert.
  • B. The report will no longer generate hits or alerts on the device from the alert.
  • C. That specific IOC in the report will no longer generate hits or alerts.
  • D. The report will no longer generate hits or alerts.
Answer:

C


Question 7

What information does the Alert Details panel provide on the Alert Triage page in Endpoint
Standard?

  • A. Threat ID
  • B. Process ID
  • C. Device ID
  • D. Alert ID
Answer:

A


Question 8

An analyst is reviewing an alert in Enterprise EDR from a custom watchlist. The analyst disagrees with
the alert severity rating.
How can the analyst change the alert severity value, if this is possible?

  • A. The alert severity is assigned by the backend analytics.
  • B. The alert severity is not configurable.
  • C. Change the alert severity on the watchlist.
  • D. Change the alert severity on the report.
Answer:

D

Explanation: In Enterprise EDR, severity is a property of the report, not of the watchlist that contains it. A custom report is created with a severity value, and editing that value on the report changes the severity of the alerts it raises.


Question 9

An administrator wants to allow files to run from a network share.
Which rule type should the administrator configure?

  • A. Execute Prompt (Shared Path)
  • B. Trusted Path
  • C. Network Execute (Allow)
  • D. Write Approve (Network)
Answer:

B

Explanation: App Control custom rules are created with a rule type (File Integrity Control, Trusted Path, Execution Control, File Creation Control, Advanced). Trusted Path allows files to execute from a specified path, which can be a network share. The other three names are not App Control rule types.


Question 10

What is the maximum number of binaries (hashes) that can be banned using the web console?

  • A. 500
  • B. 600
  • C. 300
  • D. 400
Answer:

C


Question 11

What are three ways to ignore a feed report within the EDR user interface? (Choose three.)

  • A. Threat Reports Details page
  • B. Threat Intelligence Feeds page
  • C. Investigations page
  • D. Search Threat Reports page
  • E. Alert Dashboard page
  • F. After marking a feed alert as a false positive
Answer:

ABF


Reference:
https://community.carbonblack.com/t5/Knowledge-Base/EDR-How-to-Customize-a-Feed-to-Prevent-False-Positives/ta-p/64413


Question 12

Given the following query:
SELECT * FROM users WHERE UID >= 500;
Which statement is correct?

  • A. This query limits the number of columns to display in the results.
  • B. This query filters results sent to the cloud.
  • C. This query is missing a parameter for validity.
  • D. This query returns all accounts found on systems.
Answer:

B

Explanation: SELECT * returns every column of the users table, so A is wrong, and the WHERE clause excludes accounts below UID 500, so D is wrong; the statement is valid SQL, so C is wrong. In Audit and Remediation the query is evaluated by osquery on the sensor, so the WHERE clause filters which rows are sent to the cloud.

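The following Python is an added illustration, not part of the exam or of VMware Carbon Black's tooling. It stands in for the sensor-side osquery engine with an in-memory SQLite table (osquery is itself built on SQLite) populated with constructed rows in the shape of the osquery users table, runs the question's query, and shows that SELECT * returns every column while the WHERE clause decides which rows leave the endpoint. It also shows a tighter variant a practitioner would schedule. The sample accounts and the INTERACTIVE_ACCOUNTS_QUERY are assumptions made for the example; note that the 500 threshold is the macOS convention, and regular accounts on modern Linux distributions start at UID 1000.

```python
import sqlite3

# Constructed sample rows in the shape of osquery's `users` table
# (uid, gid, username, description, directory, shell). Not from a real host.
SAMPLE_USERS = [
    (0,   0,  "root",          "System Administrator", "/var/root",         "/bin/sh"),
    (1,   1,  "daemon",        "System Services",      "/var/root",         "/usr/bin/false"),
    (89,  89, "_windowserver", "WindowServer",         "/var/empty",        "/usr/bin/false"),
    (501, 20, "alice",         "Alice Example",        "/Users/alice",      "/bin/zsh"),
    (502, 20, "svc-backup",    "Backup service",       "/Users/svc-backup", "/bin/bash"),
    (503, 20, "bob",           "Bob Example",          "/Users/bob",        "/usr/bin/false"),
]

# The query exactly as written in the question.
EXAM_QUERY = "SELECT * FROM users WHERE UID >= 500;"

# A tighter variant (assumed for this example): only the columns needed, and
# only accounts that can log in interactively.
INTERACTIVE_ACCOUNTS_QUERY = """
SELECT uid, username, shell
FROM users
WHERE uid >= 500
  AND shell NOT LIKE '%/false'
  AND shell NOT LIKE '%nologin';
"""


def build_users_table() -> sqlite3.Connection:
    """Stand-in for the sensor's osquery engine: an in-memory SQLite database
    holding the constructed `users` rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (uid INTEGER, gid INTEGER, username TEXT, "
        "description TEXT, directory TEXT, shell TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?, ?, ?)", SAMPLE_USERS)
    return conn


def run_on_sensor(sql: str):
    """Evaluate the query locally and return (column_names, rows).

    This mirrors what happens on the endpoint in Audit and Remediation: only
    the rows that survive the WHERE clause are returned to the cloud console."""
    conn = build_users_table()
    try:
        cur = conn.execute(sql)
        columns = [d[0] for d in cur.description]
        rows = cur.fetchall()
    finally:
        conn.close()
    return columns, rows


def usernames(sql: str, username_col: str = "username"):
    """The usernames the query would send to the cloud, in result order."""
    columns, rows = run_on_sensor(sql)
    idx = columns.index(username_col)
    return [row[idx] for row in rows]


if __name__ == "__main__":
    columns, rows = run_on_sensor(EXAM_QUERY)
    print(f"{len(columns)} columns returned: {columns}")
    print(f"{len(rows)} of {len(SAMPLE_USERS)} accounts pass the WHERE clause:",
          usernames(EXAM_QUERY))
    print("Interactive accounts only:", usernames(INTERACTIVE_ACCOUNTS_QUERY))
```

Against the constructed table the exam query returns all six columns for the three accounts at or above UID 500, and the tighter query drops the account whose shell is /usr/bin/false, which is the kind of row reduction worth doing before results are stored or exported for the retention requirement in Question 1.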

Question 13

An administrator uses the following Enterprise EDR search query to show web browsers spawning
nonbrowser child processes that connect over the network:
(parent_name:chrome.exe OR parent_name:iexplore.exe OR parent_name:firefox.exe) AND (NOT
process_name:chrome.exe OR NOT process_name:iexplore.exe OR NOT process_name:firefox.exe)
Which field can be added to this query to filter the results by signature status?

  • A. childproc_publisher_state
  • B. process_publisher
  • C. childproc_reputation
  • D. process_publisher_state
Answer:

D

Explanation: Signature status is carried by the publisher_state fields (signed, unsigned, and so on); childproc_reputation is a reputation value, not a signature state. Because the child processes of interest are the process documents themselves (the query filters on process_name), the field to add is process_publisher_state. Note also that, read logically, NOT chrome.exe OR NOT iexplore.exe OR NOT firefox.exe is true for every process name, so the exclusion is better written as NOT (process_name:chrome.exe OR process_name:iexplore.exe OR process_name:firefox.exe).

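The Python below is an added illustration, not part of the exam and not Carbon Black code. It translates the question's query into predicates over constructed process documents and runs the child-process clause both as written (a chain of NOT ... OR NOT ...) and in its corrected form, then narrows the corrected form by signature status with process_publisher_state and by network activity with netconn_count. The FILE_SIGNATURE_STATE_* value strings, the netconn_count term (which is not in the question's query) and the sample documents are assumptions for the example.

```python
from dataclasses import dataclass

BROWSERS = {"chrome.exe", "iexplore.exe", "firefox.exe"}

# Assumed value names for the *_publisher_state fields; they follow the
# FILE_SIGNATURE_STATE_* naming convention but are not taken from the page.
SIGNED = "FILE_SIGNATURE_STATE_SIGNED"
NOT_SIGNED = "FILE_SIGNATURE_STATE_NOT_SIGNED"


@dataclass(frozen=True)
class ProcessDoc:
    """The subset of a process search document that the query touches."""
    parent_name: str
    process_name: str
    process_publisher_state: str
    netconn_count: int


# Constructed sample documents, not real telemetry.
SAMPLE_DOCS = [
    ProcessDoc("chrome.exe",   "chrome.exe",     SIGNED,     12),  # renderer child
    ProcessDoc("chrome.exe",   "powershell.exe", SIGNED,      1),
    ProcessDoc("firefox.exe",  "update.exe",     NOT_SIGNED,  3),
    ProcessDoc("iexplore.exe", "cmd.exe",        SIGNED,      0),
    ProcessDoc("explorer.exe", "dropper.exe",    NOT_SIGNED,  5),  # parent is not a browser
]


def parent_is_browser(doc: ProcessDoc) -> bool:
    # (parent_name:chrome.exe OR parent_name:iexplore.exe OR parent_name:firefox.exe)
    return doc.parent_name in BROWSERS


def child_clause_as_written(doc: ProcessDoc) -> bool:
    # (NOT process_name:chrome.exe OR NOT process_name:iexplore.exe OR NOT process_name:firefox.exe)
    # A name can never equal all three, so at least one NOT is always true.
    return (doc.process_name != "chrome.exe"
            or doc.process_name != "iexplore.exe"
            or doc.process_name != "firefox.exe")


def child_clause_corrected(doc: ProcessDoc) -> bool:
    # NOT (process_name:chrome.exe OR process_name:iexplore.exe OR process_name:firefox.exe)
    return doc.process_name not in BROWSERS


def query_as_written(docs):
    """Browser parent AND the child clause exactly as the question wrote it."""
    return [d.process_name for d in docs
            if parent_is_browser(d) and child_clause_as_written(d)]


def query_corrected(docs):
    """Browser parent AND the child is not itself a browser."""
    return [d.process_name for d in docs
            if parent_is_browser(d) and child_clause_corrected(d)]


def query_unsigned_with_netconn(docs):
    """Corrected query AND process_publisher_state:<NOT_SIGNED> AND netconn_count:[1 TO *]."""
    return [d.process_name for d in docs
            if parent_is_browser(d) and child_clause_corrected(d)
            and d.process_publisher_state == NOT_SIGNED
            and d.netconn_count >= 1]


if __name__ == "__main__":
    print("as written   :", query_as_written(SAMPLE_DOCS))
    print("corrected    :", query_corrected(SAMPLE_DOCS))
    print("unsigned+net :", query_unsigned_with_netconn(SAMPLE_DOCS))
```

Run over the sample documents, the clause as written lets the chrome.exe renderer child through, because "not iexplore.exe" is true for it; the corrected clause removes it, and adding the publisher-state and network terms leaves only the unsigned update.exe spawned by firefox.exe, which is the hunting result the question is after.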

Question 14

An administrator runs the following query in Audit and Remediation:
SELECT *
FROM users
WHERE UID >= 500;
How long will this query stay active and accept data from the sensors?

  • A. 14 days
  • B. 30 days
  • C. 7 days
  • D. 1 day
Answer:

C


Reference:
https://community.carbonblack.com/t5/Knowledge-Base/Carbon-Black-Cloud-Audit-and-Remediation-How-long-does-a-query/ta-p/34817


Question 15

Which statement is true about configuring VMware Carbon Black Application Control for use on non-persistent virtual machines (VMs)?

  • A. The endpoint housing the agent template must always be on/running except when updating the image.
  • B. The gold image housing the agent template must be digitally signed to ensure the integrity of the agent cache.
  • C. The endpoint housing the agent template must always be off except when updating the image.
  • D. The agent running on the template machine must not be initialized before deploying clones.
Answer:

D
