s@lm@n

HP
Exam HP0-A116
HP ArcSight ESM 6.5 Security Administrator and Analyst
Version: 6.0

[ Total Questions: 179 ]


HP HP0-A116 : Practice Test
Question No : 1

When can the online partition compression task fail? (Select two.)

A. when the partition being compressed is too old
B. when events are inserted into the partition that is being compressed
C. when the compression task takes more than two hours to complete
D. when the partition compressor does not have the necessary file permissions

Answer: B,C

Question No : 2

What is a criteria factor within the ArcSight Priority Formula?

A. Assurance
B. Asset Priority
C. Seriousness
D. Model Confidence

Answer: D

Question No : 3

Which functions are on the right-click menu for an event in the Console Viewer panel?
(Select two.)

A. Correlate Events
B. Show Event Details
C. Show Event Chart
D. Annotate Events
E. Prioritize Events

Answer: C,E

Question No : 4

What can you use to change the stage of a Case?

A. Common Conditions Editor
B. Case Editor
C. Notifications Editor
D. Event Annotations

Answer: B

Question No : 5

What are functions of Query Viewers? (Select two.)

A. present detailed comparisons of report elements, not possible with the reporting tool
B. provide a baseline analysis of events against which future queries can be compared
C. determine which devices are off-line at any given point in time by querying their status
D. display the Boolean logic behind filters and rules
E. provide a quick way to run SQL queries and identify trends without running reports

Answer: B,E

Question No : 6

Which four basic Event Search elements affect what is displayed in the Search results?

A. filter, constraints, time range, and field set
B. filter, constraints, time range, and row limit
C. filter, time range, variables, and field set
D. filter, time range, time zone, and field set

Answer: A

Question No : 7

What is the Reserve Period?

A. the amount of time to allow before compressing event data for storage
B. the number of future partitions to be maintained
C. the amount of time to wait before determining that a device is not operating
D. the maximum length of time archived partitions will be stored

Answer: B

Question No : 8

Which statement is true about Connectors that are in a Paused state?

A. Paused Connectors are responding to the Manager but not sending or caching events.
B. Paused Connectors are responding to the Manager but events are being cached.
C. Paused Connectors are responding to the Manager and sending events.
D. Paused Connectors are not responding to the Manager.

Answer: B

Question No : 9

At most, a zone can belong to how many networks?

A. 0 (Zones do not belong to networks, zones contain networks.)
B. 1
C. 2
D. as many as needed based on the Network Model

Answer: B

Question No : 10

The Packages view in the ArcSight Console Navigator provides access to all discrete
resources that are part of a package in a single view. The dependency view toggle in the
Package tree header shows required packages, which are packages on which other
packages depend. What is the visual indicator of this dependency?

A. The package name is underlined.
B. The package name is shown in bold font.
C. The package icon contains a red asterisk.
D. The package icon is highlighted in yellow.

Answer: A

Question No : 11

Which statements are true about user groups? (Select two.)

A. They can be based on departments, permission levels, or roles.
B. They control which users are allowed to log in to the Console.
C. They can be nested within other user groups.
D. They are enabled or disabled using Access Control Lists.

Answer: A,C

Question No : 12

Which Event Schema group contains data fields, which describe the connector reporting an
event?

A. Event
B. Device
C. Source
D. Agent

Answer: D

Question No : 13

Which statements are true about event lifecycle data collection and the event processing
phase? (Select two.)

A. Model confidence is determined, based on details provided by the event source.
B. Each line of incoming log data is processed as a separate event.
C. Event severity is determined, based on an Active List of recent severity factors.
D. Values are normalized and entered into the ArcSight Event Schema.

Answer: B,D

Question No : 14

What is an offline partition?

A. a partition that resides within the database
B. a partition that exceeds the online retention threshold and is therefore archived
C. a partition reserved for a future date
D. data that is no longer needed by ESM

Answer: B

Question No : 15

Which statement is true about the ArcSight Web Server?

A. It is not required.
B. It is required if users will be accessing ESM through a web browser.
C. It should always be installed on the same server as the ArcSight Manager.
D. It can be used to create rules and view reports.

Answer: B

Question No : 16

Which statement is true about the ArcSight Web interface?

A. Inline filters cannot be used from the ArcSight Web interface.
B. Data Monitors cannot be added to a Dashboard from the ArcSight Web interface.
C. Reports cannot be formatted from the ArcSight Web interface.
D. Cases cannot be modified from the ArcSight Web interface.

Answer: B

Question No : 17

What represents the current status in the investigation of a Case?

A. Notifications
B. Cases
C. Annotations
D. Stages

Answer: D

Question No : 18

Which three attributes are used to describe an Asset Model?

A. vulnerabilities, locations, and asset categories
B. locations, asset categories, and threats
C. asset types, asset categories, and locations
D. vulnerabilities, addresses, and threats

Answer: A

Question No : 19

Click the Exhibit button.

Which type of diagram is shown in the exhibit?

A. a geographic hierarchy map
B. an event graph
C. an image viewer map
D. a query topology

Answer: B

Question No : 20

What is a function of the Variable GetSessionData?

A. retrieves data fields from a Session List
B. sends session details to the ArcSight Manager
C. populates a Session List
D. investigates session details in the audit log

Answer: A

Question No : 21

When specifying the attributes of a new Active List, you can set TTL days, hours, and
minutes. What is TTL?

A. Total Time Lag
B. Time Threshold Lag
C. Time To Live
D. Total Time Left

Answer: C

Question No : 22

There are three types of ArcSight SmartConnectors. Which type is used primarily to
execute commands on a device to retrieve, modify, or analyze its configuration?

A. Event Connectors
B. Scanner Connectors
C. CounterACT Connectors
D. SNMP Connectors

Answer: C

Question No : 23

How are ESM Global Variables created?

A. from within the Manager's server.properties file by using the System Global Variable link
B. from the Fields and Global Variable tab in the Field Set Resource or by promoting a
Local Variable
C. from the System Tools menu by using the Create System Global Variable option
D. from the Local Variables tab of the Filter Resource and only by promoting a Local
Variable

Answer: D

Question No : 24

What can ArcSight ESM Dashboards display?

A. multiple Data Monitors
B. multiple Cases
C. multiple Stages
D. multiple Reports

Answer: A

Question No : 25

ESM components fail to consistently restart after a system reboot and require individual
intervention with repeated arcsight_services component restart commands. Which log file
offers troubleshooting information that will help resolve this issue?

A. monit.log
B. server.log
C. arcsight_services.log
D. server.status.log

Answer: A

Question No : 26

Active Channel views and Dashboard views are examples of ArcSight Console Viewer
Panel views. Which other views are associated with the Viewer Panel? (Select two)

A. Simple views
B. Asset views
C. Results views
D. Resource views
E. Combined views

Answer: B,D

Question No : 27

Which ArcSight Solution works as a GPS for privileged user activity that identifies unusual
behavior?

A. ThreatDetector
B. Pattern Discovery
C. IdentityView
D. IdentityCorrelation

Answer: B

Question No : 28

In ESM, what allows contextual information to be added to an individual event or group of
events in support of workflow or operational metrics?

A. Knowledge Base
B. Templates
C. Annotations
D. Rules

Answer: C

Question No : 29

What is an example of an event-based Data Monitor?

A. moving average
B. rules partial match
C. last n events
D. session reconciliation

Answer: C

Question No : 30

How do asset categorization and event categorization relate to each other?

A. Asset categorization requires custom FlexConnectors; event categorization uses
standard SmartConnectors.
B. Asset categorization and event categorization are the same.
C. Asset categorization is the fingerprint of an asset; event categorization is a set of criteria
that describes an event.
D. Asset categorization and event categorization use the same field set to apply categories
to assets and events

Answer: D

Question No : 31

Which type of event is displayed in an Active Channel with the following Inline Filter
applied?

Category Behavior = /Authentication/Verify

Category Outcome = /Failure

A. Logout events
B. Login Success events
C. Login Failure events
D. Account Locked events

Answer: C

Question No : 32

Which statements are true about results in Query Viewers? (Select two.)

A. Results can be displayed as tables or charts, and added to Dashboards
B. Results can be used in event searches.
C. Results can be used to generate reports.
D. Results can be used as event filters.
E. Results can be forwarded as notifications.

Answer: A,C

Question No : 33

In network modeling, what is a set of nodes with similar characteristics that have IPs
enumerated one after the other?

A. IP group
B. asset group
C. asset range
D. IP range

Answer: C

Question No : 34

Event correlation, event reconciliation, moving average, session reconciliation, and
statistics are all examples of which type of Data Monitors?

A. event-based
B. non-event-based
C. correlation
D. system status

Answer: C

Question No : 35

With regard to SmartConnectors, what is roll back?

A. collecting cached data after a communication failure
B. uninstallation of a package in the event of failure
C. a way to revert to the previous version of a Connector when a Connector upgrade fails
D. a way to gather data that has moved beyond the archive window

Answer: C

Question No : 36

Where are the resource settings located that determine ArcSight ESM User Password
Policy?

A. in the User's Access Control List
B. in the server.defaults.properties file
C. in the server.properties file
D. in either ArcSight Console or Command Center

Answer: B

Question No : 37

What happens if a notification requiring a response within 24 hours is not acknowledged
within that time?

A. The notification is escalated to the next level of notification.
B. The notification is added to the Session List.
C. An error message appears on the ArcSight Console.
D. The condition generating the notification is escalated to a higher priority.

Answer: A

Question No : 38

Why is it sometimes necessary to lock a Case?

A. to prevent the Case from being seen in the Resource Tree
B. to prevent others from modifying the Case while you edit or attach something to the
Case
C. to close and archive a Case
D. to preserve the state of the Case

Answer: C

Question No : 39

Which statement is true about ArcSight SmartConnectors acting in "passive" mode?

A. They receive events forwarded from originating devices.
B. They pull events from originating devices.
C. They do not process events from devices.
D. They process events for performance testing but then discard them.

Answer: A

Question No : 40

Which resource defines what a report will look like when generated?

A. layout
B. query
C. template
D. form

Answer: C

Question No : 41

What is the effect of the constraints used in an event search query?

A. They maintain search criteria within the range of data specified by the filter
B. They provide a shorthand view when defining field sets.
C. They limit the range or focus of data sources to be searched.
D. They establish the time range for the search query

Answer: C

Question No : 42

By default, which TCP/IP port is used by ArcSight Command Center to communicate with a
web browser client?

A. 1521
B. 9443
C. 8443
D. 443

Answer: C
Reference: http://eromang.zataz.com/2011/06/26/arcsight-logger-and-smartconnectors-questions-and-answers/

Question No : 43

What is a Network Model?

A. a representation of the nodes on a network and certain characteristics of the network
itself
B. a preconfigured resource used to set up ArcSight zones and communication paths
C. a dashboard containing data monitors for network, zone, asset, and customer
monitoring
D. a diagram of network interface points and vulnerabilities

Answer: A

Question No : 44

What must you do prior to applying a patch to the ArcSight Manager?

A. stop the ArcSight Manager service
B. shut down all ArcSight SmartConnectors
C. delete all files in the tmp directory
D. disconnect the network cable

Answer: A

Question No : 45

Which process uncovers the relationship between events, infers the significance of those
relationships, prioritizes them, and then provides a framework for taking action?

A. categorization
B. aggregation
C. correlation
D. filtration

Answer: C

Question No : 46

Which statement is true about join rules and chained rules?

A. Join rules link simple rules together; chained rules link join rules.
B. Join rules use Session Lists; chained rules use Active Lists.
C. Chained rules may or may not be join rules that also use Active Lists or rely on
Correlation events generated by other rules.
D. Chained rules result in detailed chains; join rules result in simple chains.

Answer: C

Question No : 47

What is the impact of checking Auto Update on the Search Results header, and selecting a
time of 2 minutes?

A. The time span for this search to complete is limited to 2 minutes, and the current results
are displayed.
B. The current field set is refreshed, and any results that changed in the grid are flagged
with a highlight.
C. The current search query is rerun every 2 minutes following selection of the Auto Update
check box
D. ArcSight Command Center checks for any new software updates occurring in the
previous 2 minutes.

Answer: B

Question No : 48

From where are the local ArcSight Console Preference Settings accessed?

A. File Menu
B. Edit Menu
C. Tools Menu
D. View Menu

Answer: C

Question No : 49

What stores information about logons, user actions, and the resulting events in the most
concise way?

A. Event annotations
B. Session Lists
C. Active Lists
D. Cases

Answer: B

Question No : 50

Which pairs of resources can be displayed in the ArcSight Web interface? (Select two.)

A. Search Filters and Saved Searches
B. Queries and Cases
C. Reports and Dashboards
D. Notifications and Active Channels
E. Knowledge Base articles and Templates

Answer: C,E

Question No : 51

Which host user should own the .tar archive from which the ArcSight ESM Suite bin file
containing ESM components, and installation and configuration wizards is extracted?

A. any user with admin group privilege
B. root user
C. arcsight user
D. archive user

Answer: B

Question No : 52

What is a trust store (sometimes called a key store)?

A. the preferred source for obtaining signed certificates
B. a list of trusted Certificate Authorities
C. the location of a system's private keys
D. the set of backup files containing SSL information

Answer: B

Question No : 53

What does a Network Model include? (Select two.)

A. assets
B. destinations
C. zones
D. file resources

Answer: A,C

Question No : 54

What do you use to establish identity, ownership, and criticality of the assets you have
installed on your network?

A. asset types
B. asset groups
C. asset categories
D. asset ranges

Answer: C

Question No : 55

In Network Modeling, what is closest to being a subnet?

A. zone
B. network
C. Asset Range
D. Network Range

Answer: A

Question No : 56

Which resources are optional ArcSight compliance solutions delivered as packages?
(Select two.)

A. SOX - Sarbanes Oxley Act
B. PCI - Penetration Culprit Identification
C. PCI - Payment Card Industry
D. SOX - Secure Obfuscation Extensions
E. SOX - Security Operations Exposition
F. PCI - Payload Content Information

Answer: B,E

Question No : 57

When is it useful to schedule rules rather than have them run in real time?

A. when a network device is down
B. when events are occurring less frequently than usual
C. when you anticipate a worm or virus attack
D. when you need to minimize impact on system performance

Answer: C

Question No : 58

Which procedure allows you to terminate a session within a Session List? (Select two)

A. Exceed the time-out based on entry expiration time
B. Configure a rule action to explicitly terminate a session
C. Manually close the session using the right-click menu.
D. Adjust the Session setting in Console Preferences.
E. Close the session by exiting the ArcSight Console.

Answer: A,E

Question No : 59

Which ArcSight ESM user type provides full privileges to use the Command Center, the
ArcSight Console, the ArcSight Web client, and all tools?

A. Web User
B. Normal User
C. Connector Installer
D. Management Tool

Answer: B

Question No : 60

Which authenticators are configurable by ArcSight Command Center?

A. RADIUS Authentication, Microsoft Active Directory, LDAP, Custom JAAS Plugin, or
Password-Based/SSL Client Authentication
B. RADIUS Authentication, Microsoft Active Directory, Simple LDAP, or Built-in
Authentication
C. RADIUS Authentication, Microsoft Active Directory, Simple LDAP, or SSL Client
Authentication
D. RADIUS Authentication, Microsoft Active Directory, Custom JAAS Plugin, or Password-
Based/SSL Client Authentication

Answer: B

Question No : 61

Which actions might the whine daemon initiate? (Select two.)

A. sending a message to the admin consoles
B. sending SNMP traps to a monitoring station
C. sending syslog messages to a syslog server
D. writing an event to the server.log file

Answer: A,D

Question No : 62

What are ArcSight Foundations?

A. user groups organized to explore and share ideas for extending ArcSight ESM
capabilities
B. coordinated resources that provide monitoring, analysis, and reporting capabilities
C. categories of resources used for monitoring ArcSight system health and status
D. packages that are installed but cannot be modified

Answer: B

Question No : 63

Which statement is true about inline filters?

A. An inline filter applies only to its current Active Channel.
B. An inline filter applies only as long as the Active Channel is open, and cannot be saved.
C. An inline filter cannot use AND or OR conditions.
D. An inline filter is created using Boolean logic in the Inspect/Edit panel.

Answer: A

Question No : 64

Which statements are true about SmartConnectors and batching? (Select two.)

A. Batches can be sent when they reach a certain size.
B. Batches can be sent on command.
C. Batches can be sent in priority order by severity.
D. Batches can be sent by Connector type.

Answer: A,C

Question No : 65

During your ESM installation and configuration, none of the Foundation Packages were
selected in the Configuration Wizard. What should you do to install the Foundation
Packages?

A. Manually upload the Foundation Packages to ESM using .arb files exported from
another ESM instance
B. Reapply the ESM product license from ArcSight Command Center to install the
Foundation Packages
C. Rerun the Configuration Wizard using Manager setup and select the Foundation
Packages to install
D. Install the Foundation Packages from the ArcSight Console Resource Navigator right-
click menus

Answer: D
Reference: https://h10120.www1.hp.com/expertone/datacard/Exam/HP0-A116

Question No : 66

Package bundles are exported with which file extension?

A. .xml file
B. .exe file
C. .msc file
D. .arb file

Answer: D

Question No : 67

What is the "focus" of a Focus report?

A. events that have been missed based on additional criteria
B. the differences between two similar report outputs
C. a subset of a larger (for example, monthly or quarterly) report
D. high priority Correlation events only

Answer: C

Question No : 68

What is the procedure to reset all ArcSight Console preferences back to default?

A. In "console.properties" file, locate and edit the line: set default=true.
B. Copy the "console.defaults.properties" file to overwrite the "console.properties" file.
C. Stop the Console, delete or rename the user.ast file, and restart the Console.
D. In the File menu, click on Preferences, and select "Set to Default".

Answer: B

Question No : 69

What is an example of an event-based Data Monitor?

A. rules partial match
B. last n events
C. session reconciliation
D. moving average

Answer: B

Question No : 70

What happens when a Connector upgrade that was initiated from within the ArcSight
Console fails?

A. The Connector automatically rolls back to the previously working version.
B. The Connector does not respond to the failed upgrade.
C. The Connector reports to the Manager that the upgrade failed and then died.
D. The Connector automatically attempts the upgrade again.

Answer: A

Question No : 71

Which TCP/IP port is the default when a web browser is used to connect to the ArcSight
Command Center?

A. 443
B. 6443
C. 9443
D. 8443

Answer: D

Question No : 72

Besides managing user accounts, user groups, event storage, and notifications, what else
does the ArcSight Command Center allow you to do?

A. Update the ESM product license, and access the ArcSight Web interface.
B. Status Connectors, configure authentication; monitor events and resources from
Dashboards, and update the ESM product license.
C. Configure Connectors, notifications, and authentication; monitor events and resources
from Dashboards, and access the ArcSight Web interface.
D. Update the ESM product license, monitor resources, and investigate events from
Dashboards

Answer: B

Question No : 73

What is the default port used by the ArcSight ESM Console to connect to the ArcSight
Manager?

A. TCP 8443
B. UDP 8443
C. TCP 9443
D. UDP 9443

Answer: A

Question No : 74

What is the "focus" of a Focus report?

A. the differences between two similar reports
B. a subset of a larger (e.g., monthly or quarterly) report
C. events that have been missed
D. high priority Correlation events only

Answer: B

Question No : 75

What are functions of Query Viewers? (Select two.)

A. displaying the Boolean logic and conditions linkage behind filters and rules criteria
B. providing a baseline analysis of events against which future queries can be compared
C. determining which devices are off-line at any given point in time by querying their status
D. providing a quick way to run SQL queries and identify trends without running reports
E. presenting detailed comparisons of report elements, not possible with reporting tools

Answer: B,D

Question No : 76

What must be done first to restore the database from an online backup?

A. run the Oracle restore wizard
B. ensure that the archived redo logs are located in the archive log destination
C. bring the affected tablespaces online
D. reinstall the Oracle installation

Answer: B

Question No : 77

Under which circumstances does a Connector use its cache? (Select two.)

A. when a burst of events exceeds what the Manager can handle
B. when the Connector is performing a service restart
C. when the Connector is stopped or disabled
D. when the Connector cannot communicate with its destination
E. when the Connector cannot communicate with the event source

Answer: A,D

Question No : 78

What do field sets correspond to?

A. Variables in a rule configuration
B. components in a Network Model
C. attributes in a Query Viewer
D. columns in an Active Channel Grid view

Answer: D

Question No : 79

What is the ArcSight Event Schema?

A. a format into which event data is normalized prior to persistence into storage
B. a collection of SmartConnectors that provide data to the ArcSight Manager
C. a set of events with a common format, collected over a user-defined time period
D. a map correlating IP addresses with devices to designate the source of events

Answer: C

Question No : 80

What are the three general types of Data Monitors?

A. event-based, correlation, and non-event based
B. event-based, correlation, and aggregation matching
C. event-based, matching conditions and non-event based
D. event-based, event graph, and non-event based

Answer: C

Question No : 81

What is the default port used when connecting to the ArcSight Web interface?

A. TCP 9443
B. UDP 9443
C. TCP 8443
D. UDP 8443

Answer: A

Question No : 82

ArcSight SmartConnectors send event data directly to what?

A. ArcSight Manager
B. ArcSight Console
C. ArcSight Web Server
D. ArcSight Database

Answer: A

Question No : 83

In network modeling, what are SmartConnectors bound to? (Select two.)

A. zones
B. assets
C. devices
D. customers
E. networks

Answer: D,E

Question No : 84

Which ArcSight resource objects do Field Sets correspond to?

A. attributes in a Query Viewer
B. variables in a Rule configuration
C. components in a Network Model
D. columns in an Active Channel Grid view

Answer: D

Question No : 85

What is the default port used to connect the ArcSight Manager to the ArcSight ESM
Database (Oracle)?

A. 443
B. 1443
C. 1521
D. 8443

Answer: C

Question No : 86

Which method is used to back up an Oracle database without shutting down the database?

A. sequential backup
B. standalone backup
C. online backup
D. offline backup

Answer: C

Question No : 87

Which command is used to modify retention periods?

A. Arcsight archive install
B. Arcsight database create
C. Arcsight retention create
D. Arcsight database pc

Answer: D

Question No : 88

When using the Query Editor, three sub-tabs provide the options you need to properly set
up the query. What information do these sub-tabs require?

A. when the query should be run; which format the query output should take; how many
data elements should be included
B. when the query should be run; what the query should be called; how long the data
should be archived
C. which data fields to select; how the data should be displayed; how long the data should
be archived
D. which data fields to select; how the data should be ordered; how the data should be
grouped

Answer: D

Question No : 89

Which functions are on the right-click menu for an event? (Select two.)

A. Correlate Events
B. Show Event Details
C. Annotate Events
D. Prioritize Events

Answer: B,C

Question No : 90

If a username and password are used for authenticating a remote peer, when would you
need to use those credentials a second time?

A. if credential caching expires and the auto-refresh option is not enabled
B. only if the peer relationship is broken and you need to authenticate the peer again
C. only for a content management subscriber manual synchronization
D. every time a distributed search is run and results are exported to the remote peer

Answer: D

Question No : 91

Preserve Raw Events, Turbo Mode, and Limit Event Processing Rate are all examples of
which type of Connector options?

A. Processing options
B. Aggregation options
C. Filter conditions
D. Preservation options

Answer: A

Question No : 92

Which tablespace is used by ArcSight to store resources?

A. ARC_EVENT_DATA
B. ARC_SYSTEM_INDEX
C. ARC_SYSTEM_DATA
D. ARC_EVENT_INDEX

Answer: C

Question No : 93

There are 17 event field groups defined in the ArcSight Event Schema. In which group
would you look for data fields describing an event's importance as assessed by ArcSight
ESM?

A. Category
B. Threat
C. Attacker
D. Event

Answer: B

Question No : 94

During Connector install, which statement is true about the ArcSight Manager's host name
or IP address?

A. It must match the host name or IP address in the ArcSight Manager's SSL certificate.
B. The host name or IP address is used as an encryption key.
C. It can be any legitimate host name or IP address.
D. It must contain a combination of alpha-numeric characters.

Answer: A

Question No : 95

What are valid actions for a rule to take? (Select two.)

A. send notification
B. execute command
C. generate report
D. add to filter

Answer: A,B

Question No : 96

Which component determines how a report looks when it is generated?

A. Query
B. Layout
C. Form
D. Template

Answer: A

Question No : 97

One of the benefits of SSL technology is authentication. What does authentication do?

A. validates client logins using advanced identity detection technology
B. encrypts information sent between clients and servers
C. adds a hashing algorithm to prevent data modification between client and server
D. ensures that clients send information to the actual intended server, not a machine
pretending to be that server

Answer: D

Question No : 98

You want your Active Channel to automatically display new events as they arrive at ESM.
Which time parameter should you use to accomplish this?

A. Evaluate Once at Attach Time
B. Evaluate $NOW-1h
C. Continuously Evaluate
D. Evaluate Continuously from Attach Time

Answer: C

Question No : 99

Which statement is true about ArcSight Database structures?

A. Data tablespaces typically use more disk space than indices.
B. Indices typically use more disk space than data tablespaces.
C. There is no appreciable difference between index and data tablespaces.
D. The system data tablespace is always much larger than the event data tablespace.

Answer: B

Question No : 100

What do the start and end times associated with a notification destination indicate?

A. the period of time the system will wait for a notification response
B. the period of time during which the destination is expected to respond
C. the period of time during which the notification can be sent
D. the period of time during which the notification can be received

Answer: C

Question No : 101

Active Channel views and Dashboard views are examples of Viewer Panel views. Which
other views are associated with the Viewer Panel? (Select two.)

A. Asset views
B. Resource views
C. Combined views
D. Simple views
E. Results views

Answer: B,E

Question No : 102

You want your Active Channel to automatically display new events as they arrive at ESM.
Which time parameter should you use to accomplish this?

A. Continuously Evaluate
B. Evaluate Continuously from Attach Time
C. Evaluate $NOW-1h
D. Evaluate Once at Attach Time

Answer: C

Question No : 103

Using SSL technology, information can be communicated over an encrypted channel. What
is SSL?

A. Secure Sockets Layer
B. Security Standards Layer
C. Smart Stealth Layer
D. Standard Security Layer

Answer: A

Question No : 104

Which visualization display functions are possible with Dashboards? (Select two.)

A. fade in/out
B. slide show
C. annotate
D. zoom in/out
E. crop

Answer: B,D

Question No : 105

Which functions does a non-event based Data Monitor perform?

A. evaluates the event stream and creates Correlation events when anomalies are
discovered
B. monitors and displays rule and filter data flow thresholds and latencies
C. summarizes and displays event-based Data Monitor statistics
D. monitors and displays ArcSight ESM system and platform status

Answer: D

Question No : 106

Which ArcSight Foundation should you use to identify traffic and bandwidth usage?

A. Configuration Monitoring
B. Intrusion Monitoring
C. ArcSight Administration
D. Network Monitoring

Answer: D

Question No : 107

Which ESM components collect event data?

A. SmartConnectors
B. events
C. resources
D. nodes

Answer: A

Question No : 108

What must be done to a local Variable before it can be used with multiple resources?

A. It must be renamed.
B. It must be copied.
C. It must be moved to a new resource.
D. It must be promoted to a Global Variable.

Answer: D

Question No : 109

Which statements are true about escalation levels? (Select two.)

A. Custom escalation levels can be added at any time.
B. They must be defined separately for each notification type.
C. New escalation levels are added to the beginning of an escalation level sequence.
D. They are contained in notification group configurations.
E. They must be created in the order in which you want escalation to proceed.

Answer: B,E

Question No : 110

Which key pair types are valid selections when using the Manager Setup Wizard to create
an SSL key pair? (Select two.)

A. non-expiring SSL key pair
B. self-signed key pair
C. demo key pair
D. random generator key pair

Answer: B,C

Question No : 111

Which resources can be displayed in the ArcSight Web interface? (Select two.)

A. Reports and Dashboards
B. Queries and Partitions
C. Cases, Notifications, and Active Channels
D. Knowledge Base articles and Templates

Answer: A,C

Question No : 112

Using SSL technology, information can be communicated over an encrypted channel. What
is SSL?

A. Standard Security Layer
B. Smart Stealth Layer
C. Secure Sockets Layer
D. Security Standards Layer

Answer: C

Question No : 113

Which user role is responsible for building content within ESM?

A. Administrator
B. Analyst
C. Author
D. Operator

Answer: C

Question No : 114

Which statement is considered best practice for ESM Content Management?

A. Designate only one Manager as publisher.
B. Schedule package pushes during normal work hours.
C. Schedule frequent automatic package pushes.
D. Do not retry on a failed automatic package push.

Answer: C

Question No : 115

Which are operators in the ArcSight Common Conditions Editor (CCE)? (Select two.)

A. ELSE
B. AND
C. OR
D. IF

Answer: B,C

Question No : 116

Which access type is provided with ESM Access Control Lists?

A. Specific User read and write access to specific Resource Groups
B. Specific User Group read and write access to a specific Resource
C. Specific User Group read and write access to specific Resource Groups
D. Specific User read and write access to a specific Resource

Answer: C

Question No : 117

You are unable to see events from a specific device in the Console. The Active Channel
filters are not the cause. Which component should you examine next in order to
troubleshoot this issue?

A. Database
B. SmartConnector
C. Console
D. Device

Answer: B

Question No : 118

In network modeling, which resource is used by MSSP or by users with different cost
centers?

A. networks
B. zones
C. customers
D. asset groups

Answer: C

Question No : 119

What is a good way for an operator or analyst to quickly determine which events must be
addressed first?

A. check the priority rating in a Dashboard or Active Channel
B. run a report of High Priority Threats
C. ask more senior analysts or architects
D. view the Event Grid and Correlation categories

Answer: A

Question No : 120

Which components does a Network Model include? (Select two.)

A. assets
B. data monitors
C. dashboards
D. zones

Answer: A,D

Question No : 121

What does the Priority Formula calculation run on?

A. FlexConnectors
B. SmartConnectors only
C. the Manager only
D. both SmartConnectors and the Manager

Answer: C

Question No : 122

Which statement is true about how filters are applied by the Connector or by the Manager?

A. When filters are applied by either the Connector or the Manager, events that match the
filter conditions are selected and forwarded for further processing.
B. When filters are applied by either the Connector or the Manager, events that match the
filter conditions are excluded and are not forwarded for further processing.
C. Events that match the Connector filter are excluded and not forwarded further; events
that match the Manager filter are selected for further analysis.
D. Events that match the Connector filter are included and forwarded to the Manager;
events that match the Manager filter are excluded.

Answer: C

Question No : 123

Asset categories can be assigned to zones as well as assets. What happens to the assets
that belong to a zone with a category of "Critical"?

A. All assets in the zone inherit the zone's category.
B. Nothing happens. Assets in the zone maintain their own individual category identities.
C. Assets with a category that matches the zone category are grouped into a "Critical"
asset group.
D. Assets in the zone inherit the zone's category and are grouped into a "Critical" asset
group.

Answer: B

Question No : 124

Which string function is used to join two data fields?

A. Correlate
B. Concatenate
C. Substring
D. Find

Answer: B

Question No : 125

Report run start time, output format for report results, email distribution for report results,
and report filters are all examples of what?

A. report parameters
B. report formats
C. report data sources
D. report attributes

Answer: A

Question No : 126

Which statement is true about starting and stopping ArcSight SmartConnector services?

A. They are started and stopped independently of the other ArcSight component services.
B. The order in which they are started and stopped is based on event flow.
C. How they are started and stopped depends on whether or not the ArcSight Manager is
running.
D. They are started and stopped in conjunction with the Oracle database services.

Answer: A

Question No : 127

What do the start and end times associated with a notification destination indicate?

A. the period of time that the system waits for a notification response
B. the period of time during which the notification can be received
C. the period of time during which the destination is expected to respond
D. the period of time during which the notification can be sent to the destination

Answer: D

Question No : 128

Which statement is true about SmartConnectors and FlexConnectors?

A. FlexConnectors allow creation of SmartConnectors that are tailored to individualized
custom situations and specific security event data.
B. FlexConnectors are plug-and-play, self-programming SmartConnectors.
C. SmartConnectors do not include tools for customizing FlexConnectors.
D. SmartConnectors are vendor-specific and must be purchased through the individual
device vendors.

Answer: A

Question No : 129

Using ESM 6.5 ArcSight Command Center, which drill down type is available?

A. query viewer drilldowns into other query viewers only
B. query viewer drilldowns into channels, reports, dashboards, or other query viewers
C. dashboard drilldowns into channels, reports, query viewers, or other dashboards
D. dashboard drilldowns into other dashboards only

Answer: B

Question No : 130

The ArcSight Web release version must be the same version as what?

A. ArcSight Manager
B. ArcSight Database
C. ArcSight SmartConnectors
D. ArcSight Console

Answer: A

Question No : 131

Which statements are true about Session Lists? (Select two.)

A. They always have Start Time, End Time, and Creation Time fields.
B. They must have a key field and a time value.
C. They can share entries with other Session Lists.
D. They can be used as a basis for Trend Queries.
E. They can be used to populate Active Lists.

Answer: C,E

Question No : 132

Which statements are true about user groups and resources? (Select two.)

A. Resources are only visible to a user if the user's group has "Read" permissions for the
resource.
B. A group with "inspect" permission enabled allows all users in that group to edit
resources.
C. To change a user's permission to access a resource group, you either change the
permissions of the user's group or put the user in a new group with different permissions.
D. A resource can only be accessed by a user if the user's group has "viewer" permissions
for the resource.

Answer: A,C

Question No : 133

Which statements are true about assets? (Select two.)

A. Assets can be grouped in folders called asset ranges.
B. Assets require a MAC address to be categorized properly.
C. Assets can include bridges, routers, web servers, or anything with an IP or MAC
address.
D. An asset is any endpoint considered significant enough to characterize with details to
help with correlation and reporting.

Answer: C,D

Question No : 134

What are the three major display components of an Active Channel in the Viewer Panel?

A. Channels, Dashboards, and Reports
B. Summary, Event Graph, and Grid
C. Header, Radar, and Grid
D. Events, Data Monitors, and Radar

Answer: C

Question No : 135

What are capabilities of the ArcSight Manager? (Select two.)

A. receives event data from SmartConnectors
B. normalizes events from devices
C. performs advanced event correlation and analysis
D. allows users to perform security monitoring through a built-in web interface

Answer: A,C

Question No : 136

How are baselines established and used in Query Viewers?

A. Baselines are created using rules. After the rule is triggered, the resulting action
establishes a baseline against which future rules are evaluated in the Query Viewer.
B. Baselines are created using query results. The baseline from the query is used to create
a new field set definition that can be run against future events.
C. Baselines are created using query results. When a query has one or more baselines
available, you can compare the current results with the baseline.
D. Baselines are created using query results and fed into the Image Editor for the related
Data Monitor.

Answer: C

Question No : 137

In Network Modeling, what are SmartConnectors bound to? (Select two.)

A. zones
B. networks
C. devices
D. customers

Answer: B,D

Question No : 138

Which are clients of the ArcSight Manager? (Select two.)

A. ArcSight Correlation Engine
B. ArcSight Web
C. ArcSight SmartConnectors
D. ArcSight Database

Answer: B,C

Question No : 139

Which statement is true about a join rule?

A. It is triggered by events that match a single set of conditions.
B. It matches the output of more than one simple rule to an Active List.
C. It recognizes patterns that involve more than one type of event.
D. It rejects partial matches but can be set for aggregation.

Answer: C

Question No : 140

What can you use to change the stage of a Case?

A. Event annotations
B. Case Editor
C. Query Viewer
D. Common Conditions Editor

Answer: B

Question No : 141

Which document provides the most detailed instructions for applying an Oracle CPU?

A. Oracle CPU release notes
B. ArcSight ESM Administrator's Guide
C. Opatch Readme file
D. ArcSight ESM Installation Guide

Answer: A

Question No : 142

Which ArcSight Console user settings can be changed in the Preferences Editor?

A. default time period of Active Channels
B. maximum number of viewable assets
C. date and time format
D. number of rows displayed in an Active Channel

Answer: D

Question No : 143

Which statement about drill down Query Viewers is true?

A. Drilldowns require an Active List for data comparison.
B. Drilldowns can be created only from Query Viewer results in chart format.
C. Drilldowns are selected by the right-click Investigate menu on Viewer Panel results
displays.
D. A drilldown is always based on another Query Viewer.

Answer: A

Question No : 144

Which statements are true about retention areas? (Select two.)

A. Retention policies cannot be changed once they are set.
B. Retention areas can be configured using the Partition Management Wizard.
C. If the size of a retention area is reduced, the data outside of the retention area is
automatically backed up.
D. Archived partitions outside the offline archive period become invalid.

Answer: B,D

Question No : 145

What does the ArcSight Manager use to automatically establish identity, ownership, and
criticality of the assets installed on a network?

A. Asset Types
B. Asset Groups
C. Asset Categories
D. Asset Ranges

Answer: C

Question No : 146

Which command should you use to configure notification acknowledgements after the initial
configuration of ArcSight ESM?

A. arcsight managersetup
B. arcsight notifysetup
C. arcsight notifyconfig
D. arcsight setupnotify

Answer: A

Question No : 147

What is stored in a database partition?

A. as much data as it can hold
B. a user-configurable number of events
C. events from a one week time period
D. events from a 24-hour time period

Answer: D

Question No : 148

What are potential ways of acknowledging notifications? (Select two.)

A. by replying to notification email
B. by calling in to the notification response hotline
C. by sending email to SysAdmin
D. by using the Notifications Manager in the ArcSight Console

Answer: A,D

Question No : 149

When exporting search results, what does the "Save to ArcSight Command Center" option
do?

A. automatically exports the file to the Administration > Saved Searches > Saved Search
Files path
B. opens a dialog allowing the user to specify a download location on the browser host
system
C. opens the appropriate output format application to view and optionally save the results
on the user's host
D. automatically exports the file to the ESM host <arcsight
home>/logger/userdata/savedsearch directory

Answer: A

Question No : 150

Which statements are true about Active Lists? (Select two.)

A. They can store data over longer periods of time than rules or Data Monitors.
B. They can incur processing overhead if not properly scheduled.
C. They always include start time and end time fields.
D. They can be manually populated using the right-click context menu.
E. They can neither be exported nor imported.

Answer: A,C

Question No : 151

Which statement best describes how baselines are established and used in Query
Viewers?

A. Baselines are created using query results, which are fed into the Image Editor for
filtering and display in the related Data Monitor.
B. Baselines are created using rules. After the rule is triggered, the resulting action
establishes a baseline against which future rules are evaluated in the Query Viewer.
C. Baselines are created using query results. When a query has one or more baselines
available, you can compare the current results with a baseline.
D. Baselines are created using query results. The baseline from the query is used to create
a new field set definition that can be run against future events.

Answer: B

Question No : 152

What is the primary function of the ArcSight Manager?

A. It accepts correlated, prioritized events from SmartConnectors with instructions from the
ArcSight Console, and writes events to the database.
B. It manages bottlenecks between the connectors, the ArcSight Console, and the ESM
Database.
C. It writes incoming events to the database while simultaneously processing events
through the Correlation engine.
D. It restores the rule definitions that drive the functioning of ArcSight ESM.

Answer: C

Question No : 153

Which command is used to add a secondary destination to a Connector's configuration?

A. arcsight destinations -n
B. arcsight connectorsetup -w
C. arcsight connectionwizard
D. arcsight connector -d

Answer: B

Question No : 154

What are valid actions for a rule to take? (Select two.)

A. generating a report
B. executing a command
C. sending a notification
D. creating a vulnerability
E. adding a condition to a filter

Answer: C,E

Question No : 155

Which file types MUST be included in an Oracle backup? (Select two.)

A. table files
B. data files
C. program files
D. configuration files

Answer: B,D

Question No : 156

What is a bundle?

A. a set of resources that makes up a package
B. a data transmission containing SSL information
C. a set of raw log events before they are parsed
D. a container for one or more packages

Answer: D

Question No : 157

Command Center Event Search consists of which search syntax methods?

A. SQL query, regular expression, and complex expression search
B. field-query search, simple query search, and complex expression search
C. full-field search, Boolean search, and regular expression search
D. field-based search, full-text search, and regular expression

Answer: B

Question No : 158

What is the name of the resource you can use to override the default ArcSight mapping of
IP addresses to geographic regions?

A. zones
B. destinations
C. locations
D. categories

Answer: C

Question No : 159

Which processes occur in the first phase of the event lifecycle? (Select two.)

A. evaluating event data
B. applying event categories
C. applying hashing to event data
D. correlating event data
E. normalizing event data

Answer: B,E

Question No : 160

Of the 17 event field groups defined in the ArcSight Event Schema, in which group can
data fields describing an event's importance as assessed by ArcSight ESM be found?

A. Category
B. Attacker
C. Event
D. Threat

Answer: B

Question No : 161

When configuring the ArcSight Database, what is the result of setting the offline archive
period (Days) to Zero?

A. Partition Archiving is enabled.
B. Partition Archiving is disabled.
C. Online retention is enabled.
D. Online reserved period is enabled.

Answer: B

Question No : 162

Which output formats are available when running a report? (Select two.)

A. XML
B. HTML
C. PDF
D. JPEG

Answer: B,C

Question No : 163

Which ArcSight ESM Resource enables you to perform live monitoring of events?

A. Cases
B. Active Channels
C. Stages
D. Knowledge Base

Answer: B

Question No : 164

Which statement is true about the ArcSight Web interface?

A. Data Monitors cannot be added to a Dashboard in the ArcSight Web interface.
B. Reports cannot be formatted in the ArcSight Web interface.
C. Inline filters cannot be used in the ArcSight Web interface.
D. Cases cannot be modified in the ArcSight Web interface.

Answer: A

Question No : 165

Which command is used to check the status of the TNS Listener?

A. lsnrctl status
B. listener status
C. tnsstat
D. oralistener status

Answer: A

Question No : 166

Which ArcSight Foundation should you use to identify and analyze unexpected
modifications to systems, devices, or applications?

A. Configuration Monitoring
B. Intrusion Monitoring
C. ArcSight Administration
D. Network Monitoring

Answer: A

Question No : 167

How do asset categorization and event categorization relate to each other?

A. Asset categorization and event categorization are the same.
B. Asset categorization and event categorization use the same field set to apply categories
to assets and events.
C. Asset categorization requires custom FlexConnectors; event categorization uses
standard SmartConnectors.
D. Asset categorization is the fingerprint of an asset; event categorization is a set of criteria
that describes an event.

Answer: D

Question No : 168

Why would you lock a Case?

A. to close and archive a Case
B. to prevent others from modifying the Case while you edit or attach something to the
Case
C. to prevent the Case from being seen in the Resource List
D. to preserve the state of the Case

Answer: B

Question No : 169

Which role does the Active Channel play in testing a rule?

A. The rule can be replayed and verified against real-time events in the Active Channel.
B. The rule can be replayed against historical events in the Active Channel.
C. The rule cannot be tested with the Active Channel because it will create additional
invalid Correlation events.
D. The rule can only be tested with an Active Channel by an administrator.

Answer: B

Question No : 170

Which ArcSight Manager directory should be backed up in order to preserve the
server.properties file?

A. user directory
B. config directory
C. properties directory
D. jre directory

Answer: B

Question No : 171

How can you restore a new ArcSight Web installation to a previous configuration?

A. copy the old ArcSight Web installation's config directory and cacerts file into the new
installation
B. copy the ArcSight Manager's config directory into the new installation
C. manually reconfigure the new installation
D. connect to the Manager and download the saved configuration

Answer: A

Question No : 172

During which process is the first user created for access to ESM?

A. during initial configuration of server-side SSL trust store
B. during the authentication phase of the SmartConnector Installation
C. during installation of the ArcSight Console
D. during installation of the ArcSight Manager

Answer: B

Question No : 173

Which command is a valid investigate command?

A. Add [Attribute=Value] to Filter
B. Create [Filter=Value]
C. Add [Value!=Condition] to Filter
D. Add to Filter [List of Related Conditions]

Answer: A

Question No : 174

What does Partition Archiving allow you to specify?

A. the number of partitions to keep offline
B. the number of partitions that remain online
C. the compression ratio to be used in partitioning
D. the amount of data to store in a partition

Answer: A

Question No : 175

Report run start time, output format for report results, email distribution for report results,
and report filters are all examples of what?

A. report parameters
B. report formats
C. report data sources
D. report attributes

Answer: C

Question No : 176

What are the three types of Data Monitors?

A. event type, matching conditions, and non-event
B. event-based, correlation, and non-event based
C. event type, correlation, and aggregation matching
D. event-based, event graph, and non-event based

Answer: B

Question No : 177

What is the name of the resource you can use to override the default ArcSight mapping of
IP addresses to geographic regions?

A. zones
B. destinations
C. locations
D. categories

Answer: C

Question No : 178

Which statements are true about reports? (Select two.)

A. Reports can be based on Cases, Trends, Session Lists, and Events.
B. Archived reports must be restored before they can be used again.
C. Reports can be scheduled to run yearly, monthly, weekly, daily, or hourly.
D. Reports cannot be based on Session Lists.
E. Only scheduled reports can be archived.

Answer: B,D

Question No : 179

Which tools are used to view events in ArcSight ESM? (Select two.)

A. Active Channel
B. Knowledge Base article
C. Dashboard
D. Annotations

Answer: A,C
