How often do watchlists run?
A. Every 10 minutes
B. Every 5 minutes
C. Watchlists can be configured to run at scheduled intervals
D. Every 30 minutes
A process has created a number of interesting (executable) files in one sequence.
In addition to the event subtype 'New Unapproved File to Computer', what other event subtype is likely to be associated with this sequence?
A. File Upload Completed
B. New File Discovered on Startup
C. File Group Created
D. File Properties Modified
Which statement is true when searching through the EDR server UI?
A. The backslash \ is the character to escape characters.
B. Whitespaces between search terms imply the OR operator.
C. The percent symbol % is the character to represent a wildcard.
D. The exclamation point ! is the character to represent negation.
Refer to the exhibit:

Which statement is true in regards to communication between the sensor and server?
A. The sensor must be able to resolve the name cb.yourcompany.com.
B. The server must have an entry in the host file for cb.yourcompany.com.
C. The communication is unencrypted.
D. The sensor will communicate on a non-default port.
An administrator is reviewing an alert about a known and required application in the environment. The application has been given the reputation of PUP, with the alert reason being that the PUP was detected. As a result, this application is matching policy blocking and isolation rules for PUPs in the environment and is not behaving as expected.
Which step should the administrator take to remediate this situation?
A. Add the file to the Approved List and Dismiss alert
B. Add the file to the Approved List
C. Dismiss the alert
D. Add the file to the Banned List and Delete application
An administrator is concerned that someone may be using unauthorized commands from cmd.exe. These commands are not considered suspicious or malicious, and there is no policy based around them.
Which page should the administrator use to find these commands?
A. Sensor Management
B. Investigate
C. Policies
D. Alerts
Review the following search:
childproc_name:"rundll32.exe" AND -digsig_result:"Signed" AND path:c:\windows\*
What is this search looking for?
A. Processes being launched by rundll32.exe running out of the windows directory that are not signed
B. Instances of rundll32.exe running out of the windows directory that are not signed
C. Instances of rundll32.exe running out of the windows directory that are signed
D. Processes launching rundll32.exe running out of the windows directory that are not signed
An analyst on the security team noticed that several alerts are false positives within Enterprise EDR. The analyst disables the IOC within the report from those alerts.
Which statement correctly explains what disabling the IOC will accomplish?
A. That specific IOC in the report will no longer generate hits or alerts on the device from the alert.
B. The report will no longer generate hits or alerts on the device from the alert.
C. That specific IOC in the report will no longer generate hits or alerts.
D. The report will no longer generate hits or alerts.
An administrator is creating a query per policy for Audit and Remediation. The administrator ran several recommended queries already but notices they are unable to run the same recommended query for one of their policies. The run button is grayed out.
Which statement correctly explains why the run button is unavailable?
A. The sensors in the policy do not support the table or query.
B. The administrator needs the use live query permission.
C. The number of consecutive running queries is limited.
D. The query or table is not supported within osquery.
Review the following EDR query:
parent_name:outlook.exe AND -alliance_score_srstrust:* AND -digsig_result:"Signed"
Which process would show in the query results?
A. Processes invoked by outlook.exe that have an SRS Trust value and that are digitally signed.
B. Processes invoking outlook.exe that do not have an SRS Trust value and that are not digitally signed.
C. Processes invoked by outlook.exe that do not have an SRS Trust value and that are not digitally signed.
D. Processes invoking outlook.exe that have an SRS Trust value and that are not digitally signed.