How long will Live Queries in Carbon Black Audit and Remediation run before timing out?
A. 30 days
B. 14 days
C. 180 days
D. 7 days
Which statement filters data to only return rows where the publisher of the software includes VMware anywhere in the name?
A. WHERE publisher = "%VMware%"
B. WHERE publisher = "%VMware"
C. WHERE publisher LIKE "VMware%"
D. WHERE publisher LIKE "%VMware%"
There is a requirement to block ransomware when a sensor is offline. Which blocking and isolation rule fulfills this requirement?
A. Known Malware --> Performs ransomware-like behavior --> Terminate process
B. Not Listed Application --> Performs ransomware-like behavior --> Deny operation
C. Suspect Malware --> Performs ransomware-like behavior --> Deny operation
D. Unknown Application --> Performs ransomware-like behavior --> Terminate process
An incorrectly constructed watchlist generates 10,000 incorrect alerts.
How should an administrator resolve this issue?
A. Delete the watchlist to automatically clear the alerts, and then create a new watchlist with the correct criteria.
B. From the Triage Alerts Page, use the facets to select the watchlist, click the Wrench button to "Mark all as Resolved False Positive", and then update the watchlist with the correct criteria.
C. Update the Triage Alerts Page to show 200 alerts, click the Select All Checkbox, click the "Dismiss Alert(s)" button for each page, and then update the watchlist with the correct criteria.
D. From the Watchlists Page, select the offending watchlist, click "Clear Alerts" from the Action menu, and then update the watchlist with the correct criteria.
An administrator receives an alert with the TTP DATA_TO_ENCRYPTION.
What is known about the alert based on this TTP even if other parts of the alert are unknown?
A. A process attempted to delete encrypted data on the disk.
B. A process attempted to write a file to the disk.
C. A process attempted to modify a monitored file written by the sensor.
D. A process attempted to transfer encrypted data on the disk over the network.
An Endpoint Standard administrator is working with an IT team to explicitly permit specific applications in the environment using both the IT Tools and Certs Approved List features.
Once applied, which reputation would these applications be classified under for processing?
A. Trusted White
B. Company White
C. Local White
D. Common White
Review the following EDR query:
(parent_name:powershell.exe OR parent_name:cmd.exe) AND netconn_count:[1 TO *]
Which process would show in the query results?
A. Processes invoked by Powershell.exe and cmd.exe with a single network connection event
B. Processes invoking Powershell.exe and cmd.exe with multiple network connection events
C. Processes invoked by Powershell.exe or cmd.exe with any number of network connection events
D. Processes invoking Powershell.exe or cmd.exe with multiple network connection events
Given an event rule, Approve nVidia Drivers, that changes the local state to Approved for file writes or execution blocks when the publisher is NVIDIA Corporation, how is an alert created that is triggered whenever an nVidia driver is approved by the event rule?
A. Add a new Alert of type Event Alert. Set Subtype to New unapproved file to computer and Execution block (unapproved file) and Publisher to NVIDIA Corporation. Click Create and add email recipients.
B. Click Create Alert on the event rule Approve nVidia Drivers details page. Click Create and add email recipients. Create and Exit.
C. Click Create Alert on the event rule Approve nVidia Drivers details page. Add email recipients. Create and Exit.
D. Create a custom rule name Approve nVidia that approves writes or blocks when the publisher is NVIDIA Corporation. Create an alert for rule name Approve nVidia. Click Create and add email recipients.
An Enterprise EDR administrator is reviewing the Investigate page and believes they are receiving false positive hits from a specific watchlist.
Which three options reduce future false positive hits from this watchlist? (Choose three.)
A. Disable/remove the IOC associated with the false positives.
B. Disable/remove the report associated with the false positives.
C. Dismiss the watchlist hit.
D. Select edit watchlist and uncheck alert on hits.
E. Modify policy rules to exclude the false positive directory.
F. Disable the watchlist associated with the false positives.
An administrator viewed and filtered the results of a completed query within the User Interface for Audit and Remediation. The administrator exported the results to create charts and other visuals for reporting. When viewing the exported results, the administrator noticed some results were missing from the data set.
Why did the administrator not have the full data set from the query?
A. Export applies to the data visible in the UI; filtering will impact the viewable data.
B. Export pulls all results; the query must not have covered all data required.
C. Export is limited to the first hundred rows, and the query had more rows than supported.
D. Export was used prior to the query completing, and some data is missing.