VMware 5V0-91.20 VMware Carbon Black Portfolio Skills Exam Practice Test

Demo: 17 questions
Total 116 questions

VMware Carbon Black Portfolio Skills Questions and Answers

Question 1

An administrator needs to check configurations using Audit across several policies and locations within the organization.

How can the administrator run the query against only these specific devices?

Options:

A.

Specify endpoints on the query by selecting the check box for each device.

B.

Specify endpoints on the query by typing the sensor name into the text box, selecting the device. Repeat as necessary for all devices.

C.

Specify the policy for the endpoints on the query, and then select the check box for each device.

D.

Specify the policy for the endpoints on the query, and then type the sensor name into the text box, selecting the devices. Repeat as necessary for all devices.

Question 2

How can an analyst disregard alerts on multiple devices with the least amount of administrative effort?

Options:

A.

Select the “Dismiss on all devices” option.

B.

Make a note in the Notes/Tags option.

C.

Search by hash and dismiss.

D.

Turn off the Group Alerts option.

Question 3

An administrator runs the following query in Audit and Remediation:

SELECT *
FROM users
WHERE UID >= 500;

How long will this query stay active and accept data from the sensors?

Options:

A.

14 days

B.

30 days

C.

7 days

D.

1 day

Question 4

A Carbon Black Cloud Endpoint Standard analyst is testing different search operator combinations.

Which two queries produce the same result? (Choose two.)

Options:

A.

process_name:chrome.exe OR NOT netconn_domain:google.com

B.

process_name:chrome.exe OR netconn_domain:google.com

C.

process_name:chrome.exe AND NOT netconn_domain:google.com

D.

process_name:chrome.exe netconn_domain:google.com

E.

process_name:chrome.exe NOT netconn_domain:google.com

Question 5

Which statement is true about configuring VMware Carbon Black Application Control for use on non-persistent virtual machines (VMs)?

Options:

A.

The endpoint housing the agent template must always be on/running except when updating the image.

B.

The gold image housing the agent template must be digitally signed to ensure the integrity of the agent cache.

C.

The endpoint housing the agent template must always be off except when updating the image.

D.

The agent running on the template machine must not be initialized before deploying clones.

Question 6

Which two statements are true regarding Live Response? (Choose two.)

Options:

A.

Live Response can only be initiated through the user interface.

B.

Live Response supports one user per session on an endpoint.

C.

Live Response opens an SSH session with the remote device.

D.

Live Response requires both view and manage permissions to use.

E.

Live Response utilizes the same channel for sensor-server communications.

Question 7

An Endpoint Standard administrator is working with an IT team to explicitly permit specific applications from the environment using both the IT Tools and Certs Approved List features.

Once applied, which reputation would these applications be classified under for processing?

Options:

A.

Trusted White

B.

Company White

C.

Local White

D.

Common White

Question 8

An Enterprise EDR administrator has created a custom Watchlist and wants to add a custom query to a report in the custom Watchlist.

From which page can the administrator add this custom query?

Options:

A.

Policies

B.

Watchlists

C.

Investigate

D.

Cloud Analysis

Question 9

A security policy states to enable Live Response by default across the enterprise. However, the team identified critical systems which should not support Live Response due to risk. The team needs to disable Live Response on selected systems.

From which page can this goal be accomplished?

Options:

A.

Policy

B.

API Access

C.

Endpoints

D.

Roles

Question 10

An analyst is investigating an alert within the Enterprise EDR console and needs to take action on it.

Which three actions are available to take on the alert? (Choose three.)

Options:

A.

Ignore alert

B.

Dismiss

C.

Dismiss on all devices if grouping is enabled

D.

Edit watchlist

E.

Save report

F.

Notifications history

Question 11

Which identifier is shared by all events when an alert is investigated?

Options:

A.

Process ID

B.

Event ID

C.

Priority Score

D.

Alert ID

Question 12

Refer to the exhibit:

Which two logic statements correctly explain filtering within the UI? (Choose two.)

Options:

A.

Filtering between fields is a logical OR

B.

Filtering within the same field is a logical AND

C.

Filtering between fields is a logical AND

D.

Filtering between fields is a logical XOR

E.

Filtering within the same field is a logical OR

Question 13

An analyst has investigated two alerts on two separate HR workstations and found that notepad.exe has established communication to another IP address.

Which rule will kill notepad.exe entirely if this activity is detected in the future?

Options:

A.

**\system32\notepad.exe --> Communicates over the network --> Terminate process

B.

**\system32\notepad.exe --> Runs or is Running --> Deny operation

C.

**/system32/notepad.exe --> Runs or is Running --> Terminate process

D.

**/system32/notepad.exe --> Communicates over the network --> Deny operation

Question 14

What is the maximum number of binaries (hashes) that can be banned using the web console?

Options:

A.

500

B.

600

C.

300

D.

400

Question 15

An Enterprise EDR administrator is reviewing the Investigate page and believes they are receiving false positive hits from a specific watchlist.

Which three options reduce future false positive hits from this watchlist? (Choose three.)

Options:

A.

Disable/remove the IOC associated with the false positives.

B.

Disable/remove the report associated with the false positives.

C.

Dismiss the watchlist hit.

D.

Select edit watchlist and uncheck alert on hits.

E.

Modify policy rules to exclude the false positive directory.

F.

Disable the watchlist associated with the false positives.

Question 16

An administrator is creating a query per policy for Audit and Remediation. The administrator ran several recommended queries already but notices they are unable to run the same recommended query for one of their policies. The run button is grayed out.

Which statement correctly explains why the run button is unavailable?

Options:

A.

The sensors in the policy do not support the table or query.

B.

The administrator needs the use live query permission.

C.

The number of consecutive running queries is limited.

D.

The query or table is not supported within osquery.

Question 17

Review the following EDR query:

parent_name:outlook.exe AND -alliance_score_srstrust:* AND -digsig_result:"Signed"

Which process would show in the query results?

Options:

A.

Processes invoked by outlook.exe that have an SRS Trust value and that are digitally signed.

B.

Processes invoking outlook.exe that do not have an SRS Trust value and that are not digitally signed.

C.

Processes invoked by outlook.exe that do not have an SRS Trust value and that are not digitally signed.

D.

Processes invoking outlook.exe that have an SRS Trust value and that are not digitally signed.
