A security analyst is monitoring the traffic which is accessing internal and external resources. They find abnormal activity, indicating communication between a compromised internal user (host) and internal infrastructure, and found suspicious malware activity. Is this a correct attack stage classification for this activity? (Exfiltration.)
Refer to the exhibit.
An IntroSpect admin is configuring an Aruba IntroSpect Packet Processor to add Microsoft AD server as a log source for analyzing the AD server logs. Are these correct Format and Source options? (Format = Snare, and Source Type = Syslog.)
In a conversation with a colleague you are asked to give them an idea of what type of monitor source you would use for each attack stage. Would this be a correct correlation? (For "Command and Control" you can monitor DNS through AMON on the Aruba Mobility Controllers.)
While validating the data sources in a new IntroSpect installation, you have confirmed that the network tap data is correct and there are AMON log sources for both firewall and DNS.
When you look in the Entity360, you see the usernames from Active Directory. However, when you look under E360 > Activity for any user account there is no information under "Activity Card" and "Authentication" for any user. When you filter the Entity360 by IP address and look at the Activity screen, you do see activity on the "Activity Card". Could this be a reason why you see the usernames but do not see their activity? (The log broker could be configured incorrectly and not sending authentication logs to IntroSpect.)
Refer to the exhibit.
You have been assigned a task to monitor, analyze, and find those entities who are trying to access internal resources without having valid user credentials. You are creating an AD-based use case to look for this activity. Could you use this entity type to accomplish this? (Dest Host.)
A network administrator is looking for an option to set the maximum data retention period to 180 days in the IntroSpect Analyzer. Is this a correct statement about data retention in IntroSpect? (The default data retention period is set at 30 days, and this cannot be changed.)
You deploy IntroSpect Analyzer in your existing network. You want to monitor email for suspect malware activity. Would this action be supported by IntroSpect? (Deploy a supported DNP like Proofpoint Email Protection, and integrate it with the IntroSpect Analyzer.)
You need to deploy IntroSpect Analyzer in your existing network. You are planning to configure logs from multiple systems around your network. Can this 3rd-party tool collect the logs and push them to the Analyzer? (IBM QRadar SIEM will push logs to IntroSpect.)
You are administering an IntroSpect installation. While monitoring the load on the IntroSpect Packet Processors, you think that one Packet Processor is overloaded. Is this a correct statement about the possible overload? (As a general rule, the data rate should be below 5000 events/sec.)
You are one of the system administrators in your company, and you are assigned to monitor the IntroSpect system for alarms. Is this a correct statement about alarms? (You must navigate to the IntroSpect Analyzer Menu > Alerts page to see if there are any alarms.)
While investigating alerts in the Analyzer you notice a desktop host with a low risk score has been sending regular emails from an internal account to the same external account. Upon investigation you see that the emails all have attachments. Would this be a correct assessment of the situation? (Your next step should be to find which user account logs into this desktop, and look at the activity on the other devices this user has access to.)
You need to deploy IntroSpect Analyzer in your existing network. You are planning to configure logs from multiple systems around your network. Can this 3rd-party tool collect the logs and push them to the Analyzer? (Splunk Enterprise will allow push notifications.)
While troubleshooting integration between ClearPass and IntroSpect, you notice that there are no log events for either THROUGHPUT or ERROR in the ClearPass log source on the IntroSpect Analyzer. You are planning your troubleshooting actions. Is this something you should check? (Check the authentication service being used in ClearPass for the Login - Logout enforcement policy.)
While investigating alerts you notice an entity has triggered a peer alert for visiting recruiting websites. Two days later the same user accessed the office for the first time in the late evening. You also noticed that they downloaded more data than their peers through the VPN session. Based on these conditions, is this a possible cause? (The user's account could have been compromised and is now being used by an attacker to exfiltrate company information.)