VMware 5V0-91.20 Exam Practice Test Instant Access

Question 1

Review the following EDR query:

(parent_name:powershell.exe OR parent_name:cmd.exe) AND netconn_count:[l TO *]

Which process would show in the query results?

AProcesses invoked by Powershell.exe and cmd.exe with a single network connection event

BProcesses invoking Powershell.exe and cmd.exe with multiple network connection events

CProcesses invoked by Powershell.exe or cmd.exe with any number of network connection events

DProcesses invoking Powershell.exe or cmd.exe with multiple network connection events

Answer : A

Question 2

An administrator viewed and filtered the results of a completed query within the User Interface for Audit and Remediation. The administrator exported the results to create charts and other visuals for reporting. When viewing the exported results, the administrator noticed some results were missing from the data set.

Why did the administrator not have the full data set from the query?

AExport applies to the data visible in the UI; filtering will impact the viewable data.

BExport pulls all results; the query must not have covered all data required.

CExport is limited to the first hundred rows, and the query had more rows than supported.

DExport was used prior to the query completing, and some data is missing.

Answer : D

Question 3

An Enterprise EDR administrator sees the process in the graphic on the Investigate page but does not see an alert for this process:

How can the administrator generate an alert for future hits against this watchlist?

Aselect the watchlist on the watchlists page, select the Scheduled Task Created report, and use Take Action to select Alert on hit for the report.

BSelect the watchlist on the watchlists page, select the Scheduled Task Created report, and use Take Action to toggle Alert on hit to On.

CSelect the watchlist on the watchlists page and click on Alerts: Off to toggle the alerts to On.

DSelect the watchlist on the watchlists page, use Take Action to select Edit, and select Alert on hit.

Answer : D

Question 4

An analyst is investigating an alert within the Enterprise EDR console and needs to take action on it.

Which three actions are available to take on the alert? (Choose three.)

AIgnore alert

BDismiss

CDismiss on all devices if grouping is enabled

DEdit watchlist

ESave report

FNotifications history

Answer : B, C, E

Alerts/ta-p/51766

Question 5

Which Live Query statement is properly constructed?

ASELECT * FROM 'users'

Bselect * from *:

Cselect from users;

DSELECT * FROM users;

Answer : D

Question 6

Which strategy should be used to purge inactive bans from the web console?

ASchedule an add-hoc cron job to remove

BUse a pre-configured system cron job daily to remove them

CRun the cbbannlng script on the EDR server

DGo to the hashes page on the web console and remove them

Answer : C

Question 7

An analyst is investigating an alert within Enterprise EDR on the process analysis page. The process tree can be seen below:

Which statement accurately characterizes this situation?

AConhost.exe has one or more child processes.

BThe solid line between the nodes denotes a process was injected into by another process.

CSeveral nodes in this process tree have watchlist hits.

DThe analyst navigated to this process analysis page from the wscrlpt.exe process.

Answer : B

VMware Carbon Black Portfolio Skills 5V0-91.20 Exam Practice Test