ArcSight L3


Question bank (Sno., question, choices A to D, correct answer marked "Ans)"):

1. Please select the non-database user of the Oracle installation.
A) sys  B) system  C) root  D) Arcsight
Ans) root

2. Oracle accepts network connections through an Oracle service known as ____________.
A) TNS Listener  B) HTTP Listener  C) Message Listener  D) Exception Listener
Ans) TNS Listener

3. ________ files contain metadata about the database.
A) data  B) control  C) online redo  D) configuration
Ans) control

4. The ________ is used to move the partitions out of the database for offline storage.
A) Offline Achiever  B) Database Achiever  C) Partition Archiver  D) Partition Separator
Ans) Partition Archiver

5. To perform the online backup of an Oracle database, ensure that the database is configured for ________ mode.
A) ARCHIVELOG  B) ONLINELOG  C) OFFLINELOG  D) BACKUPLOG
Ans) ARCHIVELOG

6. Which is not a component in the Notification structure for Rule Action?
A) Notification Groups  B) Escalation Levels  C) Destinations  D) User Role
Ans) User Role

7. Which one is not a tablespace in the ArcSight DB?
A) arc_system_data  B) arc_system_index  C) arc_event_data  D) arc_data_index
Ans) arc_data_index

8. By default, a user's account is disabled after ____ failed login attempts.
A) Three  B) Five  C) Six  D) Ten
Ans) Three

9. A ________ is a temporary certificate used during initial installation.
A) CA Signed Certificate  B) Self-signed Certificate  C) Demo Certificate  D) SSH Certificate
Ans) Demo Certificate

10. A network consists of _______.
A) Zone  B) Report  C) Filter  D) Channel
Ans) Zone

11. Which log file contains information on memory, persistence, time and thread dumps?
A) Server.log  B) Server.std.log  C) Server.log  D) Server.sql.log
Ans) Server.std.log

12. Which log file contains information and errors related to the Partition Archiver?
A) wrapper.log  B) Server.log  C) Server.log  D) Agent.log
Ans) wrapper.log

13. To troubleshoot a problem, start from the __________ and move towards the __________.
A) Console & Source  B) Source & Console  C) Connector & Console  D) Source & Console
Ans) Console & Source

14. List the function that is performed by the system Package.
A) Benchmarking and Acknowledgement  B) Email Alerting and Storage  C) Compression and Aggregation  D) analysis
Ans) Benchmarking and Acknowledgement

15. What stores information about logons, user actions, and the resulting events in the most concise way?
A) Event annotations  B) Active Lists  C) Session Lists  D) Cases
Ans) Session Lists

16. Which firewall will generate an Outbound TCP connection event even if there is no 3-way handshake?
A) ASA  B) Checkpoint  C) Juniper  D) Palo Alto
Ans) ASA

17. To detect a brute force attack effectively, name the field that should be used in the correlation rule.
A) Source User  B) Destination IP  C) Source IP  D) Destination User
Ans) Source IP

18. Name the field that is common to firewall events for "TCP Connection" and NAT Translation in ASA events.
A) Destination Port  B) Source Port  C) Destination IP  D) Command
Ans) Source Port

19. In Windows, the installation directories can be located by selecting the service in the ______.
A) TNS listener  B) Service Applet  C) MSG Applet  D) Task Manager
Ans) Service Applet

20. Services for the ArcSight ESM components must be started in the following order:
A) Start the Oracle Instance service; Start the Oracle TNS Listener service; Start the ArcSight Manager service; Start the ArcSight Web service
B) Start the ArcSight Web service; Start the Oracle Instance service; Start the Oracle TNS Listener service; Start the ArcSight Manager service
C) Start the Oracle Instance service; Start the ArcSight Web service; Start the Oracle TNS Listener service; Start the ArcSight Manager service
D) Start the ArcSight Manager service; Start the Oracle Instance service; Start the ArcSight Web service; Start the Oracle TNS Listener service
Ans) A

21. The Online Reserve period holds how many partitions?
A) 8  B) 26  C) 14  D) 72
Ans) 14

22. The ArcSight Manager connects to the Oracle installation over TCP port ________.
A) 1521  B) 8080  C) 8443  D) 443
Ans) 1521

23. What is the recommended backup method for the Oracle DB?
A) Offline  B) online  C) Both  D) None of the above
Ans) online

24. List the stage that is not part of the partition lifecycle:
A) Online Reserve Period  B) Online Retention Period  C) Offline Retention Period  D) Offline Reserve Period
Ans) Offline Reserve Period

25. An encrypted repository on the SSL server that holds the SSL certificate and the server's private keys is called ______.
A) TrustStore  B) Key Pair  C) KeyStore  D) Masterkey
Ans) KeyStore

26. The _________ file helps to restrict access for Connectors.
A) agents.accept.ips  B) web.accept.ips  C) xmlrpc.accept.ips  D) xmlrpc.reject.ips
Ans) agents.accept.ips

27. For applying an Oracle CPU on Windows, you need to log on as the _________ user.
A) Oracle  B) sys  C) sysuser  D) Administrator
Ans) Administrator

28. The procedure for downloading and running the patch installer on the __________ platform is different in ArcSight.
A) Windows  B) Mac  C) Aix  D) Solaris
Ans) Mac

29. Communication between ArcSight Web and clients is ____ encrypted.
A) SSH  B) SSL  C) TLS  D) SFTP
Ans) SSL

30. ____ is usually installed on the same server as the ArcSight Manager.
A) ArcSight DB  B) Oracle  C) ArcSight Web  D) ArcSight Console
Ans) ArcSight Web

31. Choose the ArcSight table which will occupy more space in the DB.
A) ARC_EVENT_DATA  B) ARC_SYSTEM_INDEX  C) ARC_SYSTEM_DATA  D) ARC_EVENT_INDEX
Ans) ARC_EVENT_DATA

32. Which one of those listed here is of least importance during sizing of an ArcSight solution?
A) Retention Policy  B) Aggregation ratio  C) Events Per Second  D) Number of users
Ans) Number of users

33. ____________ offers no parity, striping, or spanning of disk space across multiple disks.
A) Raid 3  B) Raid 4  C) Raid 1  D) Raid 5
Ans) Raid 1

34. ________ consists of block-level striping with distributed parity, and the parity is distributed among the drives.
A) Raid 3  B) Raid 4  C) Raid 1  D) Raid 5
Ans) Raid 5

35. The ArcSight recommendation for disk sizing is to allow a ___ buffer to prevent the solution being undersized.
A) 1.5X  B) 3.5X  C) 1.25X  D) 1.55X
Ans) 1.25X

36. The ArcSight recommendation for peak EPS is to allow a ___ buffer to prevent the solution being undersized.
A) 1.5X  B) 2.0X  C) 1.25X  D) 1.55X
Ans) 2.0X

37. In a typical environment, where would you see high EPS per device?
A) Firewall  B) Windows Server  C) IPS  D) Antivirus Server
Ans) Firewall

38. The ArcSight recommendation for Windows Connector sizing is to allow a ___ buffer to prevent the solution being undersized.
A) 1.5X  B) 3.5X  C) 0.5X  D) 2.5X
Ans) 2.5X

39. For optimal performance, the ArcSight Database requires a dedicated ______.
A) WAN Link  B) Instance & Machine  C) CPU Cores  D) Disk Space
Ans) Instance & Machine

40. The RAID level recommendation from ArcSight for storage is ______.
A) 1+1  B) 0+1  C) 5  D) 4
Ans) 0+1

41. The ArcSight database constantly performs a lot of random _____ because of the large number of event insertions.
A) Writes  B) Reads  C) Query  D) Search
Ans) Writes

42. In ____, if two disks fail, all data is lost.
A) 1+1  B) 0+1  C) 5  D) 4
Ans) 0+1, Ans) 5

43. Most I/O load will be on the _____ DB table due to random reads/writes.
A) ARC_EVENT_DATA  B) ARC_SYSTEM_INDEX  C) ARC_SYSTEM_DATA  D) ARC_EVENT_INDEX
Ans) ARC_EVENT_INDEX

44. A separate volume on the DB server is required if ArcSight is running ____________.
A) Webserver  B) Usecases  C) Partition Archiver  D) Partition Separator
Ans) Partition Archiver

45. What is considered to be "good persistence" when troubleshooting performance on the ArcSight DB?
A) Post Aggregation Count is 0  B) Estimated Cache Size is 0  C) Post filter count is 0  D) Post EPS filter count is 0
Ans) Estimated Cache Size is 0

46. How can a write performance issue be resolved?
A) Raid level changes in Storage Device  B) Event filtering at the  C) Changing the retention Policy  D) Usecase Modification
Ans) Raid level changes in Storage Device

47. What is the integration method used to integrate the Remedy ticket system with ArcSight?
A) ARP  B) TNS  C) ARS  D) DNS
Ans) ARS

48. After integration of the Remedy ticketing system, what is stored in the case "External ID" attribute?
A) Source IP  B) Attacker IP  C) Remedy Ticket Number  D) Remedy Asset ID
Ans) Remedy Ticket Number

49. Events are partitioned by ______, hence Oracle knows exactly which partition to scan.
A) Manager Receipt time  B) End time  C) Connector receipt time  D) Device Start time
Ans) End time

50. Asset-based variables are heavier and consume more system resources than ____-based variables.
A) Event  B) Log  C) time  D) List
Ans) time

51. Chained rules are the same as join rules, except they utilize _______ to retain event details, often for longer periods of time.
A) active lists  B) Active channel  C) Filter  D) Rule
Ans) active lists

52. If the Manager Receipt Time is 1-2 min later than the Agent Receipt Time, what could be the possible issue that most closely matches?
A) Log Source has an issue in event processing  B) Network Latency  C) ArcSight service is down  D) Webserver is down
Ans) Network Latency

53. When all conditions in a rule are satisfied, a rule can be configured to take ____ actions.
A) Add to an existing case  B) Create a new rule  C) Create an Active channel  D) Create a report
Ans) Add to an existing case

54. Rules can write, read and remove entries dynamically in _____.
A) active lists  B) Active channel  C) Filter  D) Rule
Ans) active lists

55. Where do you set the max. number of correlated alerts per minute limit to minimize rule recursion issues?
A) Server.log  B) server.default.properties  C) Server1.log  D) Server.sql.log
Ans) server.default.properties

56. To avoid excessive rule firing for repetitive events in case of an attack, if in the rule action you set "On time unit" to a value, what will happen?
A) will notify end of attack  B) will periodically notify that the attack is still going on  C) will notify start of attack  D) will notify whenever alert is triggered
Ans) will periodically notify that the attack is still going on

57. Using Active Lists to correlate information from events will limit ____ consumption.
A) Memory  B) CPU  C) Drive Space  D) DB Records
Ans) Memory

58. The usage or performance of data monitors can be monitored from ___.
A) Packages  B) CapsManager  C) Services.MSC  D) Foundation
Ans) CapsManager

59. What is the prerequisite when configuring the use case "To identify inactive user accounts" through a Wizard?
A) Network & Asset Model  B) Vulnerability Data  C) Enriched data  D) Time based Variables
Ans) Network & Asset Model

60. Which one listed here is not a Jump Start Package?
A) PCI  B) SOX  C) Perimeter Monitoring  D) DB Monitoring
Ans) DB Monitoring

61. For all perimeter monitoring use cases, ____ has to be defined.
A) Zone  B) Asset  C) Network  D) Vulnerability
Ans) Zone

62. To configure a use case to detect users not performing "Two Factor Authentication" if they are from untrusted realms, which of those listed below is the least necessary prerequisite?
A) Network Modelling  B) Zone Management  C) Log Source Integration  D) Third Party Integration
Ans) Third Party Integration

63. When you build a report based on a query, by clicking on which field will you schedule it?
A) Attributes  B) Templates  C) Jobs  D) Parameters
Ans) Jobs

64. The communication between ArcSight Management Center and a Connector is through _______ if there is no ArcMC agent.
A) HTTPS  B) SSH  C) API  D) FTP
Ans) API

65. As a best practice, when should regular configuration backups be scheduled for all ArcSight appliances?
A) Same time  B) with a Gap of 6 Hours  C) with a Gap of 24 Hours  D) with a Gap of 48 Hours
Ans) Same time

66. ____ rules are defined to generate alerts against health data metrics.
A) Health  B) Datasource  C) Breach  D) Manager
Ans) Breach

67. A ____ is a managed ArcSight product (i.e. Connector, Logger etc.).
A) Host  B) Node  C) Asset  D) Resource
Ans) Node

68. When a Logger report is generated, the _____ is used to view, copy, modify and run it.
A) Parameter Explorer  B) Report Explorer  C) Category Explorer  D) Favorite Explorer
Ans) Report Explorer

69. A Logger report and its performance cannot be affected by _____.
A) Data distribution  B) Server load  C) Query complexity  D) Aggregation Settings
Ans) Aggregation Settings

70. When the compression ratio is higher for the raw log storage, the data retrieval rate would be _____.
A) Faster  B) Slower  C) Normal  D) none
Ans) Slower

71. If the raw log data in a Syslog FlexConnector contains non-ASCII characters, where do you configure the character encoding?
A) agent.properties  B) agent.default.properties  C) JVM option  D) server.properties
Ans) JVM option

72. To tune the advanced configuration parameters in File Rotation for Flex connectors, where do you make changes?
A) agent.properties  B) agent.default.properties  C) JVM option  D) server.properties
Ans) agent.properties

73. During key field assignment when you build a flex connector, which field will you use for custom fields?
A) flexCustom*  B) deviceCustom*  C) deviceVendor  D) deviceProduct

74. Please select from the following which is not an ArcSight Syslog SmartConnector.
A) Syslog Daemon  B) Syslog Pipe  C) Syslog Package  D) Syslog File
Ans) Syslog Package

75. After modifications in the Syslog.conf file on the log source, what else should be done at the log source level to start receiving the events at the Syslog connector?
A) Restart the Log Source  B) No Other Action is required  C) Restart the Syslog Service  D) Restart the Network Service
Ans) Restart the Syslog Service

76. Events are not being received at the Syslog SmartConnector; mark the correct troubleshooting step.
A) Run a Packet Sniffer at the Log source level  B) Telnet to port 514 to SmartConnector  C) Telnet to port 514 to Log Source  D) Check webservice is up
Ans) Run a Packet Sniffer at the Log source level

77. In Cisco Secure IPS SDEE integration with the SmartConnector, which field would not be retrieved and stored by default?
A) Device Vendor  B) Device Payload  C) Device Severity  D) Threat category
Ans) Device Payload

78. How do you turn off SSL for troubleshooting SDEE connections in SmartConnectors?
A) Modify agent.properties  B) Modify agent.default.properties  C) Modify JVM option  D) Modify server.properties
Ans) Modify agent.properties

79. During integration of Apache webservers, ___ can be used to get the logs if data rotation is configured at the OS level.
A) File Contents  B) File Name Pattern  C) Time Stamp of logs  D) Agent receipt time
Ans) File Name Pattern

80. If database auditing is enabled, which database-related operation does Oracle write to the operating system audit file as an event?
A) Database startup  B) Table Creation  C) Table Delete  D) Insert record
Ans) Database startup

81. What is the ArcSight recommended Syslog audit level that needs to be set for Oracle DB integration?
A) Warning  B) Debug  C) Informational  D) Notice
Ans) Warning

82. Which one is not an audit trail in the Oracle DB?
A) OS  B) XML  C) DB  D) DB XML
Ans) DB XML

83. For Checkpoint integration, the _____ ArcSight SmartConnector is being used.
A) File Smart connector  B) LEA  C) WMI  D) Syslog
Ans) LEA

84. The Oracle RDA tool gathers configuration information on your Oracle installation and writes the output to a series of ___ files.
A) XML  B) HTML  C) CSV  D) TXT
Ans) XML

85. In the getstatus output for a specific Connector's performance, what does "Sent (SLC)" denote?
A) The number of events per second processed by the Connector in the last few minutes  B) The number of events sent to the Manager  C) The number of events in the Connector cache  D) Any exception in the Connector that prevents events from being sent
Ans) The number of events sent to the Manager

86. If the server.std.log file repeatedly reports that the ArcSight Manager is running out of memory, ___ may need to be increased.
A) CPU Cores  B) Heap Size  C) Procure additional Manager  D) Aggregation
Ans) Heap Size

87. Events to the ArcSight Console flow from _______.
A) ArcSight Manager  B) ArcSight Connector  C) Device  D) Logger
Ans) ArcSight Manager

88. Where will you check to troubleshoot or confirm whether the ArcSight Manager is able to connect to the ArcSight Database?
A) Server.log  B) Server.std.log  C) Server.log  D) Server.sql.log
Ans) Server.std.log

89. The _____ log file contains information and related errors on the Partition Archiver.
A) Server.log  B) Agent.log  C) Wrapper.log  D) Server.sql.log
Ans) Wrapper.log

90. What is the command to be executed to find any error in the TNS Listener service?
A) tnsctl  B) listctl  C) parserctl  D) lsnrctl
Ans) lsnrctl
Second sheet: topic and complexity rating for a subset of the questions (question text, choices and answers are the same as in the question bank above).

Sno.  Topic  Complexity
2  Implementation  Simple
4  Implementation  Simple
6  Arcsight Administration  Simple
7  Arcsight Administration  Simple
8  User Accounts  Simple
10  Network Model  Simple
13  Arcsight Administration  Simple
23  Backup  Simple
24  Retention  Simple
28  Upgrade  Simple
29  Implementation  Simple
30  Implementation  Simple
31  Sizing  Simple
37  Sizing  Simple
39  Performance Optimization  Simple
42  Performance Optimization  Simple
48  Third Party Integration  Simple
49  Fine Tune  Simple
50  Fine Tune  Simple
53  Rules  Simple
54  Rules  Simple
58  DataMonitor  Simple
59  Usecase  Simple
60  Usecase  Simple
61  Usecase  Simple
63  Usecase  Simple
67  Best Practices  Simple
68  Report  Simple
69  Report  Simple
70  Report  Simple
75  Integration  Simple
76  Integration  Simple
78  Integration  Simple
81  Integration  Simple
83  Integration  Simple
87  Arcsight Administration  Simple
