You are troubleshooting ClearPass with IntroSpect, and you notice that in Access Tracker the IntroSpect Logon Logoff actions profile is executing. However, the ClearPass Log Source on the IntroSpect Analyzer is showing dropped entries.
Would this be a good troubleshooting step? (Confirm that the ClearPass context action is sending the User name, MAC Address, Entity Type, and User Role)
A. Yes
B. No
When IntroSpect ingests logs from different sources, it standardizes and catalogs the information. When it stores log data, it currently categorizes it into one of four standard schemas. Are these the four standard schemas? (VPN access data, email data, network data, and authentication data.)
A. Yes
B. No
Refer to the exhibit.

An IntroSpect admin is configuring an Aruba IntroSpect Packet Processor to add a Microsoft AD server as a log source for analyzing the AD server logs. Are these the correct Format and Source options? (Format = Standard, and Source Type = Syslog.)
A. Yes
B. No
You deploy IntroSpect Analyzer in your existing network. You want to monitor email for suspect malware activity. Would this action be supported by IntroSpect? (Deploy Splunk SIEM to gather logs from the email servers.)
A. Yes
B. No
You are planning to configure ClearPass to send endpoint context to IntroSpect. You need to create a checklist of functions that must be enabled in ClearPass to support this. Is this an option that is required? (Ingress Event Processing.)
A. Yes
B. No
You have been asked to provide a Bill of Materials (BoM) for a mature small business with two sites. The IT Director prefers all hardware to be on-premise but is open to a cloud-based solution. In conversations with the IT staff, you determine that the main site has approximately 550 network devices and 400 users. All users are in Active Directory. Eighty of the users use a Pulse Secure VPN to work remotely.
The second site is a warehouse operation with approximately 40 users and another 10 users that use Pulse Secure VPN. All wireless is using Aruba Networks Instant APs. There are Active Directory servers at both sites. All logs are currently being gathered into Splunk. The team feels that they can properly monitor the corporate site network with a single tap port on a central switch at the main office. There will be a network tap at the remote site. Is this a suggestion you would make to the customer? (The customer should install the Fixed Configuration Analyzer at the main site, along with a Packet Processor in the data center and a single Packet Processor at the warehouse site.)
A. Yes
B. No
You are working on an IntroSpect Analyzer to fix an issue, and a restart is required after fixing the issue. Is this the correct procedure to restart? (From the Analyzer Menu navigate to Maintenance -> System -> Cluster Start/Stop -> Restart Cluster.)
A. Yes
B. No
While looking in the IntroSpect Analyzer Conversations screen, you see there are a large number of DNS sessions coming from one IP address on the data center network VLAN. Would this be a logical next step? (The device at the IP address could be infected with malware seeking Command and Control. You should audit the device.)
A. Yes
B. No
You are looking in the conversation page on the IntroSpect Analyzer. Is this a valid method for determining which source the conversation data come from? (Click on the different options under Applications to filter for application types like DNS and HTTP.)
A. Yes
B. No
Refer to the exhibit.

You have been assigned a task to monitor, analyze, and find those entities who are trying to access internal resources without having valid user credentials. You are creating an AD-based use case to look for this activity. Could you use this entity type to accomplish this? (Dest Host.)
A. Yes
B. No