5V0-93.22 VMware Carbon Black Cloud Endpoint Standard Skills Questions and Answers

 A security benefit of VMware Carbon Black Cloud Endpoint Standard is that it provides visibility into the entire attack chain and customizable threat intelligence that can be used to gain insight into problems. Endpoint Standard uses behavioral analytics to detect and prevent malicious activity on endpoints, and also collects comprehensive event data that can be used to investigate and respond to incidents. Endpoint Standard also allows administrators to customize their threat intelligence feeds and alerts, and integrate with other security tools and platforms. This way, administrators can gain a deeper understanding of the threats facing their organization and take appropriate actions to mitigate them. The other options are incorrect because they are not security benefits of Endpoint Standard. Option A is incorrect because a flexible query scheduler is a feature of VMware Carbon Black Audit and Remediation, not Endpoint Standard. Option C is incorrect because customizable threat feeds are a feature of VMware Carbon Black Enterprise EDR, not Endpoint Standard. Option D is incorrect because policy rules that can be tested by selecting test rule next to the desired operation attempt are a feature of VMware Carbon Black App Control, not Endpoint Standard.  References:   VMware Carbon Black Cloud Endpoint Standard Datasheet ,  Carbon Black Cloud Endpoint Standard - Technical Overview

The action that an administrator should take to ensure application.exe cannot run is to remove the Permissions rule for C:\Program Files\IT\Tools*. This is because the Permissions rule has a higher priority than the Blocking and Isolation rule, and it allows any operation on any file in that path, including application.exe. By removing the Permissions rule, the Blocking and Isolation rule will apply and terminate application.exe based on its SUSPECT_MALWARE reputation. The other options are incorrect because they will not prevent application.exe from running. Option A is incorrect because changing the reputation to KNOWN MALWARE will not override the Permissions rule that allows any operation on the file. Option B is incorrect because the file will not be blocked based on reputation alone, as the Permissions rule will bypass the reputation check. Option D is incorrect because adding the hash to the company banned list will not override the Permissions rule that allows any operation on the file.  References:   Precedence of Policy Rules ,  Set Permission Policy Rules ,  Set Blocking and Isolation Policy Rules

VMware Carbon Black Cloud Endpoint Standard is a next-generation antivirus (NGAV) and behavioral endpoint detection and response (EDR) solution that protects against the full spectrum of modern cyber-attacks. It uses the VMware Carbon Black Cloud’s universal agent and console, the solution applies behavioral analytics to endpoint events to streamline detection, prevention, and response to cyber-attacks. One of the security benefits of Endpoint Standard is that it tags events and alerts with Carbon Black TTPs (tactics, techniques, and procedures) to provide context around attacks. Carbon Black TTPs are based on the MITRE ATT & CK framework, which is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. By tagging events and alerts with Carbon Black TTPs, Endpoint Standard helps security teams to understand the nature and scope of the attack, prioritize the most critical threats, and take appropriate actions to remediate them.  References :  Carbon Black Cloud Endpoint Standard - Technical Overview ,  VMware Carbon Black Cloud Endpoint Standard Datasheet , MITRE ATT & CK

The IDs that may be used to search and investigate security incidents in Carbon Black Cloud are  hash ,  sensor , and  alert .

A  hash  is a unique identifier for a file or process that can be used to track its activity and behavior across endpoints. A hash can be searched in the  Investigate  page to view its reputation, prevalence, and associated alerts.

A  sensor  is a unique identifier for an endpoint that has the Carbon Black Cloud agent installed. A sensor can be searched in the  Endpoints  page to view its status, policy, and associated alerts. A sensor can also be searched in the  Investigate  page to view its processes, events, and network connections.

An  alert  is a unique identifier for a security incident that is generated by Carbon Black Cloud based on the policy rules and threat intelligence. An alert can be searched in the  Alerts  page to view its details, timeline, and remediation actions. An alert can also be searched in the  Investigate  page to view its associated processes, events, and network connections.

A  threat  is not a valid ID for searching and investigating security incidents in Carbon Black Cloud. A threat is a term used to describe a malicious actor or activity that poses a risk to the organization. A threat can be detected by Carbon Black Cloud based on the threat intelligence feeds and watchlists, but it is not a unique identifier for a specific incident.

An  event  is not a valid ID for searching and investigating security incidents in Carbon Black Cloud. An event is a term used to describe a single action or occurrence that is recorded by the Carbon Black Cloud agent on an endpoint. An event can be viewed in the  Investigate  page as part of a process or alert, but it is not a unique identifier for a specific incident.

A  user  is not a valid ID for searching and investigating security incidents in Carbon Black Cloud. A user is a term used to describe a person who has access to the Carbon Black Cloud console or API. A user can be searched in the  Users  page to view their role, permissions, and activity, but they are not directly related to security incidents.  References :

VMware Carbon Black Cloud Endpoint Standard Skills Reference Materials, Section 2.1: Investigate

VMware Carbon Black Cloud Endpoint Standard Skills Reference Materials, Section 2.2: Alerts

VMware Carbon Black Cloud Endpoint Standard Skills Reference Materials, Section 2.3: Endpoints

VMware Carbon Black Cloud Endpoint Standard Skills Reference Materials, Section 2.4: Threats

VMware Carbon Black Cloud Endpoint Standard Skills Reference Materials, Section 2.5: Users

 A Watchlist is a collection of queries that run against the data in the VMware Carbon Black Cloud Endpoint Standard. Watchlists enable administrators to monitor the activity of endpoints for specific Tactics, Techniques, or Procedures (TTPs) that are of interest. Administrators can configure alerts for Watchlist hits, which will notify them when a particular TTP is observed on a managed endpoint. Alerts for Watchlist hits can be sent via email, syslog, or webhook.  References :

VMware Carbon Black Cloud Endpoint Standard Skills Reference Materials, Module 3: Threat Hunting, Lesson 3.2: Watchlists, page 3-10

VMware Carbon Black Cloud Endpoint Standard User Guide, Chapter 7: Watchlists, page 115-116

VMware Carbon Black Cloud is a cloud-native endpoint and workload protection platform that combines the intelligent system hardening and behavioral prevention needed to keep emerging threats at bay, using a single lightweight agent and an easy-to-use console. One of the capabilities of VMware Carbon Black Cloud is attack chain visualization and search, which allows users to see the full scope of an attack, from initial compromise to lateral movement, and quickly search for indicators of compromise across endpoints and workloads.  References : VMware Carbon Black Cloud Endpoint Standard Skills Exam Guide, page 4; VMware Carbon Black Cloud Endpoint Standard Skills Study Guide, page 6.

The impact of using the wildcards in the path is that all executable files in the “Program Files” folder and subfolders will be ignored, including malware files. This is because the double asterisk ** matches any files or directories in that path, and the Bypass action means that the sensor will not monitor or block any operations performed by those files. This is a very permissive and risky rule, as it could allow malicious files to run without interference from the sensor. A more restrictive and secure rule would be to specify the exact path of the application that needs to be allowed, and use the Allow and Log action instead of Bypass. This way, the sensor will only ignore the specified application, and still log its operations for visibility and analysis.  References:   Carbon Black Cloud: How to Use Wildcards in Policy Rules ,  Set Permission Policy Rules

It is possible to search for unsigned files in the VMware Carbon Black Cloud console by using the search query:

NOT process_publisher_state:FILE_SIGNATURE_STATE_SIGNED

This query will return all the processes that have a publisher state other than FILE_SIGNATURE_STATE_SIGNED, which means they are either unsigned or have an invalid signature. The process_publisher_state field is a string that indicates the signature status of the process executable file. The possible values for this field are:

FILE_SIGNATURE_STATE_SIGNED: The file has a valid signature.

FILE_SIGNATURE_STATE_UNSIGNED: The file does not have a signature.

FILE_SIGNATURE_STATE_INVALID: The file has a signature, but it is invalid or corrupted.

FILE_SIGNATURE_STATE_MISSING: The file signature could not be retrieved or verified.

The NOT operator is a Boolean NOT operator that negates the following term or phrase. For example, NOT svchost.exe will return all the processes that are not named svchost.exe.

Therefore, by using the NOT operator with the process_publisher_state field and the value FILE_SIGNATURE_STATE_SIGNED, we can search for unsigned files in the console.  References :

Advanced Search Techniques - VMware Docs , Using Regular Expressions (regex) section, NOT Operator subsection.

Carbon Black Cloud: Search for process_publisher_s… - Carbon Black … , The CB sensor now reinspects operating system files that appear unsigned to reverify their digital signature and avoid the tamper blocks section.

VMware Carbon Black Cloud Endpoint Standard uses a hybrid approach to determine the reputation of files on the endpoints. It combines local scan, which uses signature-based detection to identify known malware, and cloud scan, which uses cloud-based analytics and machine learning to identify unknown or emerging threats. When a sensor’s local AV signatures are out-of-date, it means that the local scan cannot detect the latest malware variants that have been added to the signature database. However, this does not affect the cloud scan, which can still determine the reputation of newly discovered files based on their behavior, characteristics, and context. Therefore, the effect of having out-of-date local AV signatures is that the reputation is determined by cloud reputation, which is more accurate and up-to-date than signature-based detection. The other options are not correct, because the sensor does not prompt the end user, automatically block, or fail to block a new file based on the local AV signatures alone.  References :  Carbon Black Cloud Endpoint Standard - Technical Overview ,  View and Update Signature Versions ,  Endpoint Standard: How to verify AV Signatures are updating

This feature allows the administrator to test the rule against historical data and see how many events would have matched the rule criteria in the past 24 hours. The administrator can also see the details of the matching events, such as the device name, the process name, the process path, the operation type, and the operation result.  This feature can help the administrator to confirm that the new rule would have prevented a previous execution that had been observed, as well as to evaluate the effectiveness and accuracy of the rule 1 .

The other options are not features that can be used for this purpose. A. Setting up a notification based on a policy action, and then selecting Terminate is a feature that allows the administrator to receive an alert when a terminate rule is triggered by a current event, but it does not allow the administrator to test the rule against historical data. C. Configuring the rule to terminate the process is a feature that allows the administrator to specify the action that the sensor will take when the rule is triggered by a current event, but it does not allow the administrator to test the rule against historical data. D. Configuring the rule to deny operation of the process is a feature that allows the administrator to specify a different action than terminate for the rule, but it does not allow the administrator to test the rule against historical data.  References :

Endpoint Standard Rules - VMware Docs , Test Rule section.

The security administrator can view the Live Response activities and commands that have been executed while performing a remediation process to the sensors in the Audit Log page in the VMware Carbon Black Cloud Endpoint Standard console. The Audit Log page allows the administrator to review actions performed by Carbon Black Cloud console users, such as logging in, creating policies, banning hashes, isolating devices, and initiating Live Response sessions. The administrator can use various filters and keywords to narrow down the log scope and find the relevant entries. For example, the administrator can use the following keyword to find all the Live Response activities and commands:

live-response

This keyword will return all the log entries that contain the term live-response, which indicates that the action was related to the Live Response feature. The administrator can also use the following fields to refine the search results:

User: The name of the user who performed the action.

Action: The type of action that was performed, such as login, create, update, delete, enable, disable, and so on.

Object: The object that was affected by the action, such as policy, device, hash, and so on.

Date: The date and time range when the action was performed.

The administrator can also modify the level of granularity of the log entries, expand the log scope, limit the log scope to keywords, modify the audit table configuration, and export audit logs to the local machine 1 .

The other options are incorrect or irrelevant. Users is a page that allows the administrator to manage the users and roles in the Carbon Black Cloud console, not to view the Live Response activities and commands. Notifications is a page that allows the administrator to view and manage the notifications from the Carbon Black Cloud console, such as alerts, recommendations, and messages, not to view the Live Response activities and commands. Inbox is a page that allows the administrator to view and manage the messages from the Carbon Black Cloud console, such as product updates, announcements, and feedback requests, not to view the Live Response activities and commands.  References :

Audit Logs - VMware Docs , Overview section.

A leading wildcard is a wildcard that is placed at the beginning of a search term, such as * or ?. A leading wildcard matches any characters that precede the specified term. For example, filemod: /system32/ntdll.dll matches any file modification events that end with /system32/ntdll.dll, regardless of the drive letter or the directory name. A leading wildcard is not recommended unless absolutely necessary because it carries a significant performance penalty for the search.  This is because the search engine has to scan the entire index for possible matches, rather than using the index to quickly narrow down the results 1 .

The other options are not examples of leading wildcards. A. filemod:system32/ntdll.dll is an exact match query that matches only file modification events that are exactly system32/ntdll.dll. B. filemod:system32/ ntdll.dll is a trailing wildcard query that matches any file modification events that start with system32/ and end with ntdll.dll, regardless of the characters in between. D. filemod:system32/ntdll.dll  is a trailing wildcard query that matches any file modification events that start with system32/ntdll.dll, regardless of the characters that follow.  References :

Search Syntax - VMware Docs , Wildcards section.

 Live Response is a tool that allows administrators to remotely access and remediate endpoints in real time. With Live Response, administrators can block a new malicious process by killing it, deleting its files, and removing any persistence mechanisms. Live Response can also be used to collect forensic data, run scripts, and perform other actions on the endpoints.  References : VMware Carbon Black Cloud Endpoint Standard Skills Reference Materials, Section 5.3: Live Response. [Link]

Event data is categorized and identified by a unique event ID in VMware Carbon Black Cloud. The sensor will upload all event data to the Investigate page of the Endpoint Standard Console. This includes but is not limited to all failed and successful operations which happen at the machine level as well as any operations which are blocked or terminated by the sensor. Each event sent from the sensor to the Dashboard will be assigned a unique event ID.  References : Endpoint Standard: How is event data categorized, and formed into an Alert 1