An analyst is reviewing an alert in Enterprise EDR from a custom watchlist. The analyst disagrees with the alert severity rating.
How can the analyst change the alert severity value, if this is possible?
An administrator runs the following query in Audit and Remediation:
SELECT *
FROM users
WHERE UID >= 500;
How long will this query stay active and accept data from the sensors?
Refer to the exhibit:
Which statement is true in regards to communication between the sensor and server?
An administrator is interested in upgrading endpoints to the latest release in VMware Carbon Black App Control (V8.1.4+).
What is the first step to make a new agent available for installation or upgrade?
Why would a sensor have a status of "Inactive"?
The sensor has not checked in within the last 30 days.
The sensor has been uninstalled from the endpoint for more than 30 days.
The device has been put in bypass for the last 30 days.
The sensor has been in disabled mode for more than 30 days.
What are three ways to ignore a feed report within the EDR user interface? (Choose three.)
An administrator wants to query the status of the firewall for all endpoints. The administrator will query the registry key found here:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
To make the results easier to understand, the administrator wants to return either enabled or disabled for the results, rather than the value from the registry key.
Which SQL statement will rewrite the output based on a specific result set returned from the system?
How is a new Alert of type Event Alert created so that it triggers whenever an endpoint is added or deleted and sends an email to the App Control admin whenever these events occur?
Review the following EDR query:
(parent_name:powershell.exe OR parent_name:cmd.exe) AND netconn_count:[1 TO *]
Which process would show in the query results?
An analyst wants to block an application's specific behavior but does not want to kill the process entirely as it is heavily used on workstations. The analyst needs to use a Blocking and Isolation Action to ensure that the process is kept alive while blocking further unwanted activity.
Which Blocking and Isolation Action should the analyst use to accomplish this goal?
There is a need to ignore all activity at an application path.
Which rule definition should be used to address this need?
Carbon Black App Control maintains an inventory of all interesting (executable) files on endpoints where the agent is installed.
What is the initial inventory procedure called, and how can this process be triggered?