- Home
- VMware
- VMware Carbon Black Cloud Endpoint Standard Skills
- VMware.5V0-93.22.v2024-02-19.q27
- Question 10
Valid 5V0-93.22 Dumps shared by ExamDiscuss.com for Helping Passing 5V0-93.22 Exam! ExamDiscuss.com now offer the newest 5V0-93.22 exam dumps, the ExamDiscuss.com 5V0-93.22 exam questions have been updated and answers have been corrected get the newest ExamDiscuss.com 5V0-93.22 dumps with Test Engine here:
Access 5V0-93.22 Dumps Premium Version
(62 Q&As Dumps, 35%OFF Special Discount Code: freecram)
<< Prev Question Next Question >>
Question 10/27
A security administrator is tasked to investigate an alert about a suspicious running process trying to modify a system registry.
Which components can be checked to further inspect the cause of the alert?
Which components can be checked to further inspect the cause of the alert?
Correct Answer: B
Explanation
These components can provide more information about the suspicious running process and its behavior, such as:
Event details: This component shows the details of the event that triggered the alert, such as the device name, the device time, the process name, the process path, the process ID, the operation type, the operation result, the registry key, the registry value, and the registry data. The event details can help the security administrator to identify the source and the target of the registry modification attempt, and to verify if the operation was successful or not.
Command lines: This component shows the command lines that were executed by the process or its parent process, such as the arguments, the parameters, the switches, and the environment variables. The command lines can help the security administrator to understand the purpose and the context of the process execution, and to detect any malicious or anomalous commands or scripts.
TTPs involved: This component shows the tactics, techniques, and procedures (TTPs) that were involved in the event, based on the MITRE ATT&CK framework. The TTPs can help the security administrator to assess the severity and the impact of the event, and to correlate the event with other related events or indicators of compromise.
The other components are not as useful or relevant for investigating the alert. A. Device ID and priority score are components that provide general information about the device and the alert, but they do not provide specific details about the suspicious running process or its behavior. C. Network connections and child path are components that show the network activity and the child processes of the suspicious running process, but they do not show the registry modification attempt or its result. D. File reputation and timestamp are components that show the reputation and the time of the file associated with the suspicious running process, but they do not show the command lines orthe TTPs involved in the event. References: VMware Carbon Black Cloud Endpoint Standard Skills Reference Materials, Section 2.3.2: Investigate Alerts, Page 16.
These components can provide more information about the suspicious running process and its behavior, such as:
Event details: This component shows the details of the event that triggered the alert, such as the device name, the device time, the process name, the process path, the process ID, the operation type, the operation result, the registry key, the registry value, and the registry data. The event details can help the security administrator to identify the source and the target of the registry modification attempt, and to verify if the operation was successful or not.
Command lines: This component shows the command lines that were executed by the process or its parent process, such as the arguments, the parameters, the switches, and the environment variables. The command lines can help the security administrator to understand the purpose and the context of the process execution, and to detect any malicious or anomalous commands or scripts.
TTPs involved: This component shows the tactics, techniques, and procedures (TTPs) that were involved in the event, based on the MITRE ATT&CK framework. The TTPs can help the security administrator to assess the severity and the impact of the event, and to correlate the event with other related events or indicators of compromise.
The other components are not as useful or relevant for investigating the alert. A. Device ID and priority score are components that provide general information about the device and the alert, but they do not provide specific details about the suspicious running process or its behavior. C. Network connections and child path are components that show the network activity and the child processes of the suspicious running process, but they do not show the registry modification attempt or its result. D. File reputation and timestamp are components that show the reputation and the time of the file associated with the suspicious running process, but they do not show the command lines orthe TTPs involved in the event. References: VMware Carbon Black Cloud Endpoint Standard Skills Reference Materials, Section 2.3.2: Investigate Alerts, Page 16.
- Question List (27q)
- Question 1: What is a security benefit of VMware Carbon Black Cloud Endp...
- Question 2: Which statement is true regarding Blocking/Isolation rules a...
- Question 3: An organization is implementing policy rules. The administra...
- Question 4: Which permission level is required when a user wants to inst...
- Question 5: An administrator would like to proactively know that somethi...
- Question 6: An administrator wants to prevent ransomware that has not be...
- Question 7: The use of leading wildcards in a query is not recommended u...
- Question 8: A user downloaded and executed malware on a system. The malw...
- Question 9: Where can a user identify whether a sensor's signature pack ...
- Question 10: A security administrator is tasked to investigate an alert a...
- Question 11: An administrator has been tasked with preventing the use of ...
- Question 12: Which statement accurately characterizes Alerts that are cat...
- Question 13: An administrator wants to block ransomware in the organizati...
- Question 14: An organization has the following requirements for allowing ...
- Question 15: The use of leading wildcards in a query is not recommended u...
- Question 16: What is a capability of VMware Carbon Black Cloud?...
- Question 17: In which tab of the VMware Carbon Black Cloud interface can ...
- Question 18: An administrator is investigating an alert and reads a summa...
- Question 19: The administrator has configured a permission rule with the ...
- Question 20: A script-based attack has been identified that inflicted dam...
- Question 21: Which scenario would qualify for the "Local White" Reputatio...
- Question 22: Which VMware Carbon Black Cloud integration is supported for...
- Question 23: An administrator is tasked to create a reputation override f...
- Question 24: An administrator needs to make sure all files are scanned lo...
- Question 25: An administrator wants to prevent malicious code that has no...
- Question 26: An administrator needs to fully analyze the relevant informa...
- Question 27: An administrator wants to find information about real-world ...
