You have been asked to provide a Bill of Materials (BoM) for a mature small business with two sites. The IT Director prefers all hardware to be on-premise but is open to cloud-based solution. In conversations with the IT staff, you determine that the main site has approximately 550 network devices and 400 users. All users are in Active Directory. Eighty of the users use a Pulse Secure VPN to work remotely.
The second site is a warehouse operation with approximately 40 users and another 10 users that use Pulse Secure VPN. All wireless is using Aruba Networks Instant APs. There are Active Directory servers at both sites. All logs are currently being gathered into Splunk. The team feels that they can properly monitor the corporate site network with a single tap port on a central switch at the main office. There will be a network tap at the remote site.
Is this a suggestion you would make to the customer? (The customer should install the Fixed Configuration Analyzer in the data center to manage the tap and Splunk logs for the main site and a single Packet Processor at the warehouse site.)
You need to deploy IntroSpect Analyzer in your existing network. You are planning to configure logs from
multiple systems around your network. Can this 3rd-party tool collect the logs and push them to Analyzer? (IBM QRadar SIEM will push logs to IntroSpect.)
You receive an email alert that a Packet Processor forwarding AMON data at a remote site to a cloud-based Analyzer has stopped communicating.
Is this a valid step to try to fix the issue? (Log into the Packet Processor and check the Alerts page to make sure that the alert is still valid.)
Your company has found some suspicious conversations for some internal users. The security team suspects those users are communicating with entities in other countries. You have been assigned the task of identifying those users who are either uploading or downloading files from servers in other countries. Is this the best way to visualize conversations of suspected users in this scenario? (Visualizing Applications and Ports.)
Refer to the exhibit.
You are monitoring a new virtual packet processor with a network tap. You run the command “cli stats SERVER_PRE | gre-a1 drop’ and then return an hour later and run the same command, but notice there is a significant increase in the number dropped packets.
Could this be a reason for the increase? (The Packet Processor may not be allocated the proper number of CPUs allocated on the VM server for the size of the TAP.)
You are looking in the conversation page on the IntroSpect Analyzer. Is this a valid method for determiningwhich source the conversation data come from? (Click on the different options under Applications to filter forapplication types like DNS and HTTP.)
While troubleshooting integration between ClearPass and IntroSpect, you notice that there are no log events for either THROUGHPUT or ERROR in the ClearPass log source on the IntroSpect Analyzer. You are planning your troubleshooting actions.
Is this something you should check? (Check the authentication service being used in ClearPass for the Login – Logout enforcement policy.)
Arube IntroSpect establishes different types of baselines to perform user or device behavior analysis. Is this acorrect description of a baseline that IntroSpect establishes? (Individual history baseline: this typically takes 10to 14 days to establish a “steady state” that can be used.)
In a conversation with a colleague you are asked to give them an idea of what type of monitor source you would use for each attack stage.
Would this be a correct correlation? (For “Command and Control” you can monitor DNS through AMON on the Aruba Mobility Controllers.)
A network administrator is looking for an option to set the maximum data retention period to 180 days in theIntroSpect Analyzer. Is this a correct statement about data retention in IntroSpect? (The data retention periodcannot exceed 90 days.)
An admin is evaluating entity activity alerts for large internal downloads, excessive host access, accessing hosts with SSH, and host and port scans. Is this a correct reason for these types of alerts? (a malware seeking command and control.)
Would this be a proper correlation between entity and attack stage? (You see an alert for a user sending DNSrequests for TOR sites, and correlate this to data exfiltration.)
While looking in the IntroSpect Analyzer Conversations screen you see there are a large number of DNS sessions coming from one IP address on the data center network VLAN. Would this be a logical next step? (The device at the IP address could be infected with malware seeking Command and Control. You should audit the device.)
You are one of the system administrators in your company, and you are assigned to monitor the IntroSpect
system for alarms. Is this a correct statement about alarms? (You must navigate to the IntroSpect Analyzer
Menu>Alerts page to see if there are any alarms.)