PrepKing


Number:
Passing Score: 800
Time Limit: 120 min
File Version:

Exam A

QUESTION 1
The Cisco Security Monitoring, Analysis, and Response System (Cisco Security MARS) is an appliance-based, all-inclusive solution that provides unmatched insight into and control of your existing security deployment. Which three statements about Cisco Security MARS rules are correct? (Choose three.)
A. There are three types of rules.
B. Rules can be deleted.
C. Rules can be created using a query.
D. Rules trigger incidents.
Correct Answer: ACD

QUESTION 2
Which three are benefits of deploying Cisco Security MARS appliances using the global and local controller architecture? (Choose three.)
A. A global controller can provide a summary of all local controllers' information (network topologies, incidents, queries, and report results).
B. A global controller can provide a central point for creating rules and queries, which are applied simultaneously to multiple local controllers.
C. A global controller can correlate events from multiple local controllers to perform global sessionization.
D. Users can seamlessly navigate to any local controller from the global controller GUI.
Correct Answer: ABD

QUESTION 3
Which is the best practice to follow when restoring archived data to a Cisco Security MARS appliance?
A. Use Secure FTP to protect the data transfer.
B. Use "mode 5" restore from the Cisco Security MARS CLI to provide enhanced security during the data transfer.
C. Choose Admin > System Maintenance > Data Archiving on the Cisco Security MARS GUI to perform the restore operation online.
D. To avoid problems, restore only to an identical or higher-end Cisco Security MARS appliance.
Correct Answer: D

QUESTION 4
A Cisco Security MARS appliance cannot access certain devices through the default gateway. Troubleshooting has determined that this is a Cisco Security MARS configuration issue. Which additional Cisco Security MARS configuration is required to correct this issue?
A. Use the Cisco Security MARS GUI to configure multiple default gateways.
B. Use the Cisco Security MARS GUI or CLI to configure multiple default gateways.
C. Use the Cisco Security MARS GUI or CLI to enable a dynamic routing protocol.
D. Use the Cisco Security MARS CLI to add a static route.

QUESTION 5
Which two options are available for handling false-positive events reported by the Cisco Security MARS appliance? (Choose two.)
A. Mitigate at Layer 2.
B. Archive to NFS only.
C. Drop.
D. Log to the database only.
Correct Answer: CD

QUESTION 6
When adding a device to the Cisco Security MARS appliance, what is the reporting IP address of the device?
A. The source IP address that sends syslog information to the Cisco Security MARS appliance.
B. The pre-NAT IP address of the device.
C. The IP address that Cisco Security MARS uses to access the device via SNMP.
D. The IP address that Cisco Security MARS uses to access the device via Telnet or SSH.
Correct Answer: A

QUESTION 7
Which statement best describes the case management feature of Cisco Security MARS?
A. It is used in conjunction with the Cisco Security MARS incident escalation feature for incident reporting.
B. It is used to capture, combine, and preserve user-selected Cisco Security MARS data within a specialized report.
C. It is used to automatically collect and save information on incidents, sessions, queries, and reports dynamically without user intervention.
D. It is used to very quickly evaluate the state of the network.

QUESTION 8
Which two configuration tasks are needed on the Cisco Security MARS for it to receive syslog messages relayed from a syslog relay server? (Choose two.)
A. Define the syslog relay collector.
B. Add the syslog relay server application to Cisco Security MARS as Generic Syslog Relay Any.
C. Define the syslog relay source list.
D. Add the reporting devices monitored by the syslog relay server to Cisco Security MARS.
Correct Answer: D

QUESTION 9
Refer to the MARS GUI screen. What actions will you take to configure the MARS appliance to send out an alert when the system rule fires, according to the MARS GUI screen shown?
A. Click "Edit" to edit the "Operation" field of the rule, select the appropriate alert option(s), then apply.
B. Click on "None" in the "Action" field, select the appropriate alerts, then apply.
C. Click "Edit" to edit the "Reported User" field of the rule, select the appropriate alert option(s), then apply.
D. Click on "Active" in the "Status" field, select the appropriate alerts, then apply.

QUESTION 10
Which action enables the Cisco Security MARS appliance to ignore false-positive events by either dropping the events completely or by just logging them to the database?
A. Inactivating the rules.
B. Creating system inspection rules using the drop operation.
C. Deleting the false-positive events from the Event Management page.
D. Creating drop rules.
Correct Answer: D

QUESTION 11
To enable the Cisco Security MARS appliance to perform mitigation, which two configuration options are correct? (Choose two.)
A. SNMP RW community string.
B. A NetFlow device added to the Cisco Security MARS database.
C. Telnet or SSH access type with SNMP RO community.
D. SSL communications with the network devices.
Correct Answer: AC

QUESTION 12
Which two alert actions can notify a user that a Cisco Security MARS rule has fired and that an incident has been logged? (Choose two.)
A. Syslog.
B. Short Message Service.
C. OPSEC-LEA (clear and encrypted).
D. XML notification.
Correct Answer: D

QUESTION 13
Which additional steps should you take after manually adding the BR-FW-1 device shown in the MARS GUI screen?
A. Click "Submit" to enable the device.
B. Click "Submit" to test access to the device. When access is successful, click "Activate" to activate the device.
C. Click "Activate" to activate the device, then click "Submit" to save the device configuration.
D. Click "Discover" to initiate manual discovery. When discovery is completed, click "Submit", then "Activate".
Correct Answer: D

QUESTION 14
Which of the following alert actions can be transmitted to a user as notification that a Cisco Security MARS rule has fired and that an incident has been logged? (Choose two.)
A. Syslog.
B. OPSEC-LEA (clear and encrypted).
C. Short Message Service.
D. XML notification.
Correct Answer: CD

QUESTION 15
Which three statements are true about the Cisco Security MARS syslog forwarding feature for relaying received syslog data to a syslog server? (Choose three.)
A. The configured collector is a designated host that receives a syslog message, but the collector does not relay it to another host.
B. Cisco Security MARS can forward alert data to multiple collector IP addresses.
C. Syslog forwarding is disabled until you specify the collector and at least one source host.
D. The pnparser service must be running for the syslog forwarding feature to work.
Correct Answer: ACD

QUESTION 16
Which incident type is pushed from a local controller to a global controller?
A. Incidents on the local controller triggered by predefined system rules.
B. Any incidents on the local controller.
C. Incidents on the local controller triggered by local rules.
D. True-positive incidents on the local controller.
Correct Answer: A

QUESTION 17
Most SIM offerings are software based and designed to operate on standard hardware platforms; however, recently a wave of optimized appliances tuned for performance has entered the market. Which of the following are functions of a SIM?
A. Collect event data from reporting sources.
B. Store data for analysis, reporting, and archiving.
C. Correlate the data to show relationships.
D. Present the data for analysis.
E. Report on, alarm on, and/or notify about the data.
Correct Answer: ABCDE

QUESTION 18
Which statement about the Cisco Security MARS maintenance procedure is true?
A. No new events can be logged when the Cisco Security MARS local database reaches its maximum storage capacity.
B. If the archive is generated with one release of software, then the restore has to be done with the same version of software.
C. Cisco Security MARS disk drives are not hot-swappable.
D. Cisco Security MARS audit logs can be exported to a centralized server for consolidation and protection of the log data.

QUESTION 19
Study the exhibit carefully. Which icon can be chosen to generate the access rules information displayed toward the bottom of the screen?
A. Incident Vector icon.
B. Security Manager Policy Table Lookup icon.
C. ISR Device Manager Policy icon.
D. Raw Events icon.

QUESTION 20
A Global Controller is a master unit that allows for global management of one or more Local Controllers. True or false?
A. True
B. False
Correct Answer: A

QUESTION 21
Which three ways can be used to add devices to the Cisco Security MARS appliance? (Choose three.)
A. Import the devices from Cisco Security Manager.
B. Manually add the devices, one at a time.
C. Load the devices from seed files.
D. Use SNMP auto discovery.
Correct Answer: CD

QUESTION 22
Which log agent is installed and configured on a Microsoft Windows IIS server so that it publishes its logs to Cisco Security MARS?
A. pnlog agent.
B. Cisco Security MARS agent.
C. SNARE.
D. None. Cisco Security MARS is an agentless device.
Correct Answer: C

QUESTION 23
A Cisco Security MARS appliance cannot access certain devices through the default gateway. Troubleshooting has determined that this is a Cisco Security MARS configuration issue. Which additional Cisco Security MARS configuration is required to correct this issue?
A. Use the Cisco Security MARS GUI or CLI to enable a dynamic routing protocol.
B. Use the Cisco Security MARS CLI to add a static route.
C. Use the Cisco Security MARS GUI to configure multiple default gateways.
D. Use the Cisco Security MARS GUI or CLI to configure multiple default gateways.

QUESTION 24
A Local Controller is a single appliance, ranging from the CS-MARS M20 to the CS-MARS M200. True or false?
A. True
B. False
Correct Answer: A

QUESTION 25
Which statement accurately describes a zone?
A. Each zone within the global controller is configured and managed independently.
B. A zone represents all the local controllers each global controller is monitoring.
C. A zone is an area of a customer network related to one local controller. Each local controller represents a specific zone.
D. Each zone within the local controller is configured and managed independently.
Correct Answer: C

QUESTION 26
The Cisco Security MARS appliance performs NAT and PAT resolution at which level of operation?
A. Advanced (Level 3)
B. Local (Level 0)
C. Intermediate (Level 2)
D. Global (Level 4)
Correct Answer: C

QUESTION 27
How do you complete the initial CS-MARS configuration? Choose the proper order.
1. Connect the video and the keyboard to the CS-MARS backplane.
2. Log into CS-MARS using the factory default username and password.
3. Set the IP address for your CS-MARS interface.
4. Power on the CS-MARS device.
5. Set the desired date.
6. Set the time zone or synchronize to an NTP server.
7. Set the desired time.
8. Change the default username and password.
9. Ensure connectivity between your CS-MARS device and your administrative management workstations.
I. Step 1  II. Step 2  III. Step 3  IV. Step 4  V. Step 5  VI. Step 6  VII. Step 7  VIII. Step 8  IX. Step 9
A. I-1, II-3, III-2, IV-5, V-7, VI-4, VII-8, VIII-9, IX-6
B. I-1, II-4, III-2, IV-8, V-6, VI-5, VII-7, VIII-3, IX-9
C. I-1, II-3, III-2, IV-8, V-6, VI-4, VII-5, VIII-7, IX-9
D. I-1, II-4, III-2, IV-8, V-6, VI-5, VII-3, VIII-9, IX-7

QUESTION 28
Which two statements are correct about the pnreset command on the Cisco Security MARS? (Choose two.)
A. Erases the license file.
B. Sets the debug level that is reported in the logs.
C. Lets you add or delete disks in the Cisco Security MARS devices that support RAID configurations without powering down the devices.
D. Clears, sets, and initializes database structures.
Correct Answer: AD

QUESTION 29
Which two actions should be taken to represent a Check Point device in the Cisco Security MARS? (Choose two.)
A. Define Parent Enforcement Module.
B. Define Primary Management Station.
C. Define Check Point OPSEC.
D. Define Child Enforcement Module(s).
Correct Answer: D

QUESTION 30
Which types of equipment does CS-MARS support?
A. Hardware-based security devices.
B. Software-based security devices.
C. On-demand security services.
D. None.
Correct Answer: ABC

QUESTION 31
Match each description to the correct item.
1. This is exclusive to hosts and software applications running on hosts.
2. It is used either to connect to the device for network-based administrative sessions or to connect to a remote server on which a file containing the device's configuration is stored.
3. It is the source IP address of event messages, logs, notifications, or traps that originate from the device.
4. It refers to the administrative protocol that Cisco Security MARS uses to access a reporting device or mitigation device.
I. access type  II. reporting IP  III. access IP  IV. interface setting
A. I-4, II-3, III-2, IV-1
B. I-4, II-3, III-1, IV-2
C. I-3, II-4, III-2, IV-1
D. I-3, II-4, III-1, IV-2
Correct Answer: A

QUESTION 32
According to the exhibit, the Local Controller-Global Controller state is active but communications do not appear to work. What is the most likely cause?
A. The Local Controller and Global Controller port 80 traffic is being blocked by a firewall.
B. This issue results from a time synchronization mismatch.
C. You forgot to click Activate for Global Controller-based topological changes to be pushed to the Local Controller.
D. This issue results from a backlog of data caused by a temporary disconnect of the Local Controller and Global Controller.
Correct Answer: D

QUESTION 33
When you added your routers to the CS-MARS database, if you elected to use SNMP, you must also enable SNMP on the routers themselves. What are the primary purposes of enabling SNMP?
A. To read configuration data for mitigation recommendations.
B. To achieve topology discovery.
C. For reporting.
D. For device resource reporting.
Correct Answer: ABCD

QUESTION 34
Refer to the MARS GUI screen. Which statement best describes the System Inspection Rule displayed on the MARS GUI screen?
A. Click on "Edit"; then you can apply and activate the rule.
B. Click on "Add" to activate the rule.
C. Click on "Change Status" to activate the rule.
D. Click on "Duplicate" to archive the rule to a remote NAS.
Correct Answer: C

QUESTION 35
Which three reporting devices could be added to the MARS appliance using "Add SW security apps on new host"? (Choose three.)
A. Cisco ACS.
B. FWSM.
C. SNORT.
D. Generic web server.
Correct Answer: ACD

QUESTION 36
Which option is correct with regard to authenticating Cisco Security MARS accounts with external AAA servers?
A. You must configure Account Lockout Policy when configuring the Cisco Security MARS AAA feature for the first time.
B. Up to three AAA servers can be selected for AAA server authentication.
C. The AAA protocols used by Cisco Security MARS are RADIUS and TACACS+.
D. When the administrator changes the Cisco Security MARS authentication method from Local to AAA, the passwords for every user, including the administrator, are deleted from the local database.

QUESTION 37
When creating queries in Cisco Security MARS, what is the benefit of using the dollar variable (as in $TARGET01)?
A. The dollar variable allows matching of any unknown reporting device.
B. The dollar variable ensures that the probes and attacks that are reported are happening to the same host.
C. The dollar variable enables the same query to be applied to different reports.
D. The dollar variable enables the same query to be applied to different cases.

QUESTION 38
Which three statements about the Query displayed on the MARS GUI screen are correct? (Choose three.)
A. Query will match any source IP address.
B. Query will only match a destination IP address of OR
C. Query will only match a destination IP address range from to
D. Query will only match services in the TCP-highPort OR UDP-highPort service groups.
Correct Answer: ACD

QUESTION 39
The Cisco Security Monitoring, Analysis, and Response System (Cisco Security MARS) is an appliance-based, all-inclusive solution that provides unmatched insight into and control of your existing security deployment. Which piece of Cisco Security MARS event information derived from the reporting device's raw message is not passed to Cisco Security Manager for policy lookup?
A. Permit or deny action of the access rule.
B. Event ID.
C. Interface name.
D. Direction (inbound or outbound).

QUESTION 40
Once data archiving has been enabled on the Cisco Security MARS appliance, when does archiving initially occur?
A. Data is archived when a configuration change occurs on the Cisco Security MARS.
B. Data is archived via NFS when a new incident occurs.
C. Whenever a new event is received, data is archived via NFS.
D. Data is archived nightly as a scheduled operation.
Correct Answer: D

QUESTION 41
Which two statements are correct according to the rule shown on the MARS GUI screen? (Choose two.)
A. This rule will fire if the offset 1 condition occurs "OR" if the offset 2 condition occurs.
B. This rule will fire if the offset 3 condition occurs.
C. The expressions between cells are "AND" while the expressions between items in the same cell are "OR".
D. This is a user-defined rule.
Correct Answer: C

QUESTION 42
Match the Cisco Security MARS terms to their definitions.
1. queries
2. events
3. sessions
4. incidents
5. rules
I. a series of events that share common 5-tuple information
II. a series of sessions that match a defined rule
III. tools that analyze the events and sessions and generate incidents
IV. raw message sent to the Cisco Security MARS appliance by the reporting devices
V. tools that can be run at a specific moment to investigate an incident
A. I-3, II-4, III-5, IV-2, V-1
B. I-3, II-4, III-5, IV-1, V-2
C. I-3, II-4, III-2, IV-5, V-1
D. I-3, II-4, III-2, IV-1, V-5
Correct Answer: A

QUESTION 43
On the basis of the Rule displayed on the MARS GUI screen, what is used to determine that there is a sudden traffic increase to a particular port, and which type of attack is this Rule useful for detecting? (Choose two.)
A. SNMP polling.
B. Access attacks.
C. NetFlow data.
D. Day-zero attacks.
Correct Answer: CD

QUESTION 44
Which attack can be detected by Cisco Security MARS by use of NetFlow data?
A. Spoof attack.
B. Day-zero attack.
C. Land attack.
D. Buffer overflow attack.

QUESTION 45
Which option is correct about the case management feature of Cisco Security MARS?
A. It is used in conjunction with the Cisco Security MARS incident escalation feature for incident reporting.
B. It is used to capture, combine, and preserve user-selected Cisco Security MARS data within a specialized report.
C. It is used to automatically collect and save information on incidents, sessions, queries, and reports dynamically without user intervention.
D. It is used to very quickly evaluate the state of the network.

QUESTION 46
Which protocol is used by Juniper NetScreen IDP to exchange IPS events with the Cisco Security MARS?
A. RDEP
B. SDEE
C. SNMP
D. syslog
Correct Answer: D

QUESTION 47
What enables the Cisco Security MARS appliance to profile network usage and detect statistically significant anomalous behavior from a computed baseline?
A. Cisco Security MARS Custom Parser.
B. Cisco Security MARS Global Controller.
C. NetFlow.
D. Cisco Security Manager.
Correct Answer: C

QUESTION 48
Which two options are needed to enable Cisco Security MARS Level 3 operations? (Choose two.)
A. Cisco Security Manager.
B. Global controller.
C. Administrative access to the device.
D. SNMP community string.
Correct Answer: CD

QUESTION 49
Which two statements best describe the Cisco Security MARS Event Management partial screen displayed? (Choose two.)
A. Info/Misc/FW is a user-defined rule that normalizes events into a single event.
B. Event ID is a low-severity event.
C. Event ID belongs in an event group that includes generic informational events from firewalls.
D. PIX and FWSM syslog messages (104001) are normalized into a single event (Event ID ).
Correct Answer: CD

QUESTION 50
Which method can be used by the Cisco Security MARS appliance to perform IP address correlation (that is, map IP address translation) across NAT and PAT boundaries?
A. Uses a NAT detection protocol to correlate the pre- and post-NAT and PAT addresses.
B. Queries the PAT and NAT translation table through topological awareness and device configuration.
C. Uses the NetFlow data.
D. Uses NAT-T detection.

QUESTION 51
What is the purpose of the Service variables defined in the exhibit?
A. For IP Management Groups creation.
B. For Query/Reports and Rules creation.
C. For NetFlow Events Management.
D. For Data Reduction.

QUESTION 52
Which description is correct with regard to Cisco Security MARS and Cisco IPS signature support?
A. Cisco Security MARS can be configured to automatically download the new Cisco IPS signatures from Cisco.com or from a local web server at a specified interval.
B. When the Local Controller pulls the new IPS signatures from Cisco.com, it will also forward the new IPS signatures to the Global Controller.
C. Cisco Security MARS supports custom IPS signatures using the dynamic IPS signature update feature.
D. The dynamic IPS signature update feature is enabled by default.
Correct Answer: A

QUESTION 53
What will occur when you try to run a Cisco Security MARS query that will take a long time to complete?
A. After submitting the query, the Cisco Security MARS GUI screen will be locked until the query is completed.
B. The query will be automatically saved as a rule.
C. The query will be automatically saved as a report.
D. You will be prompted to "Submit Batch" to run the query in batch mode.
Correct Answer: D

QUESTION 54
Which three data points will you use to correlate reports in the Cisco Security MARS? (Choose three.)
A. Order/Rank By.
B. Query Criterion.
C. View Type.
D. Period of Time.
Correct Answer: CD

QUESTION 55
According to the MARS GUI screen, why is the Push function not enabled (grayed out)?
A. Because the Incident has not been confirmed by the administrator.
B. Because MARS cannot push commands to Layer 3 devices.
C. Because MARS is operating at Level 2 and not at Level 3.
D. Because the selected mitigation command is not supported on the HQ-FW-1 device.

QUESTION 56
The Cisco Security MARS appliance supports which protocol for data archiving and restoring?
A. NFS
B. TFTP
C. FTP
D. Secure FTP
Correct Answer: A

QUESTION 57
Why might Cisco Security MARS not be forwarding the incoming syslog messages that it should be forwarding?
A. A single collector IP address is configured in Cisco Security MARS.
B. The forward queue is empty.
C. The pnparser service is not running on the Local Controller.
D. Reporting devices are sending the syslog messages to Cisco Security MARS on UDP port 514.
Correct Answer: C

QUESTION 58
Which two statements are true according to the Incident shown on the MARS GUI screen? (Choose two.)
A. The Nimda rule triggered both the and the Incidents.
B. This is a low-severity incident.
C. There are multiple events that correlate to the session.
D. The session is related to both the and the Incidents.
Correct Answer: CD

QUESTION 59
What is used to publish events to Cisco Security MARS about Cisco IPS signatures that have fired?
A. syslog
B. Secure FTP
C. SNMP
D. SDEE
Correct Answer: D

QUESTION 60
Which description is correct with regard to the case management feature of Cisco Security MARS?
A. The Cases page on a local controller has an additional drop-down filter to display cases per global controller.
B. Cases are created on a global controller, but they can be viewed and modified on a local controller.
C. Cases are created on a local controller, but they can be viewed and modified on a global controller.
D. The global controller has a Case bar and all cases are selected from the Query/Reports > Cases page.
Correct Answer: C

QUESTION 61
Cisco Security MARS offers a family of high-performance, scalable appliances for threat management, monitoring, and mitigation, enabling customers to make more effective use of network and security devices. What is a supported mitigation feature on the Cisco Security MARS appliance?
A. Storing and identifying NetFlow data for attack mitigation.
B. Generating and pushing configuration commands to Layer 2 devices.
C. Generating and pushing configuration commands to Layer 3 devices.
D. Automatically dropping all suspected traffic at the nearest IPS appliance.

QUESTION 62
Cisco Security MARS combines network intelligence, context correlation, vector analysis, anomaly detection, hotspot identification, and automated mitigation capabilities. Which action will you take to enable the Cisco Security MARS appliance to ignore false-positive events by either dropping the events completely or by just logging them to the database?
A. Inactivating the rules.
B. Creating drop rules.
C. Deleting the false-positive events from the Incidents page.
D. Deleting the false-positive events from the Event Management page.
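Questions 42 and 62 above, taken together, describe a pipeline: raw messages become events, events sharing a 5-tuple become sessions, rules examine sessions and raise incidents, and drop rules are applied up front to either discard a false-positive event or log it to the database without letting it reach correlation. The following is an added example written for this page, not Cisco's code, that models that pipeline in Python. The event fields, the 60-second idle timeout, the first-match drop-rule semantics, the rule syntax (cells are AND'ed, event types inside a cell are OR'ed, all cells must hit the same target host, which stands in for a $TARGET01 variable) and the sample events are all assumptions constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    """One normalized event (raw message from a reporting device); constructed field set."""
    ts: int            # seconds; relative timestamps are enough for the model
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    event_type: str

@dataclass(frozen=True)
class DropRule:
    """'*' matches anything. action 'drop' discards the event; action 'log' keeps it in
    the database but withholds it from sessionization and the inspection rules."""
    event_type: str
    src: str
    dst: str
    action: str

    def matches(self, ev):
        pairs = ((self.event_type, ev.event_type), (self.src, ev.src), (self.dst, ev.dst))
        return all(pattern in ("*", value) for pattern, value in pairs)

def apply_drop_rules(events, drop_rules):
    """First matching drop rule wins. Returns (to_inspect, logged_only, dropped_count)."""
    to_inspect, logged_only, dropped = [], [], 0
    for ev in events:
        rule = next((r for r in drop_rules if r.matches(ev)), None)
        if rule is None:
            to_inspect.append(ev)
        elif rule.action == "log":
            logged_only.append(ev)
        else:
            dropped += 1
    return to_inspect, logged_only, dropped

def sessionize(events, idle_timeout=60):
    """Group events sharing a 5-tuple into time-ordered sessions. A silence longer than
    idle_timeout seconds opens a new session for the same tuple (timeout is an assumption)."""
    sessions, open_by_key = [], {}
    for ev in sorted(events, key=lambda e: e.ts):
        key = (ev.src, ev.dst, ev.proto, ev.sport, ev.dport)
        sess = open_by_key.get(key)
        if sess is None or ev.ts - sess[-1].ts > idle_timeout:
            sess = []
            sessions.append(sess)
            open_by_key[key] = sess
        sess.append(ev)
    return sessions

@dataclass(frozen=True)
class InspectionRule:
    """Cells are AND'ed; event types within one cell are OR'ed. All cells must be satisfied
    against the same destination host, which is what $TARGET01 expresses in a MARS rule."""
    name: str
    cells: tuple       # tuple of cells, each a tuple of event types

def evaluate_rules(sessions, rules):
    """Return one incident per (rule, target host) whose sessions satisfy every cell."""
    by_target = defaultdict(list)
    for sess in sessions:
        by_target[sess[0].dst].append(sess)
    incidents = []
    for rule in rules:
        rule_types = {t for cell in rule.cells for t in cell}
        for target, target_sessions in by_target.items():
            seen = {ev.event_type for sess in target_sessions for ev in sess}
            if all(seen & set(cell) for cell in rule.cells):
                matched = [s for s in target_sessions if any(e.event_type in rule_types for e in s)]
                incidents.append({"rule": rule.name, "target": target, "sessions": matched})
    return incidents

# Constructed sample: a port sweep then an IIS attack on 192.0.2.10, an IIS attack on
# 192.0.2.20 with no preceding probe, and two informational firewall events.
SAMPLE_EVENTS = [
    Event(100, "10.1.1.5", "192.0.2.10", "tcp", 40001, 80, "Probe/PortSweep"),
    Event(101, "10.1.1.5", "192.0.2.10", "tcp", 40001, 80, "Probe/PortSweep"),
    Event(130, "10.1.1.5", "192.0.2.10", "tcp", 40002, 80, "Attack/WebServer/IIS"),
    Event(131, "10.1.1.5", "192.0.2.10", "tcp", 40002, 80, "Attack/WebServer/IIS"),
    Event(140, "10.1.1.5", "192.0.2.20", "tcp", 40003, 80, "Attack/WebServer/IIS"),
    Event(150, "10.9.9.9", "192.0.2.10", "tcp", 40004, 22, "Info/Misc/FW"),
    Event(160, "10.8.8.8", "192.0.2.10", "udp", 40005, 161, "Info/Misc/FW"),
]
DROP_RULES = [
    DropRule("Info/Misc/FW", "10.9.9.9", "*", "log"),   # keep for forensics, never correlate
    DropRule("Info/Misc/FW", "*", "*", "drop"),         # the rest of that type: discard
]
RULES = [InspectionRule("Probe then Web Attack",
                        (("Probe/PortSweep",), ("Attack/WebServer/IIS", "Attack/WebServer/Apache")))]

def run(events=SAMPLE_EVENTS, drop_rules=DROP_RULES, rules=RULES):
    """Full pipeline: drop rules -> sessionization -> inspection rules -> incidents."""
    to_inspect, logged_only, dropped = apply_drop_rules(events, drop_rules)
    sessions = sessionize(to_inspect)
    return {"inspected": len(to_inspect), "logged_only": len(logged_only), "dropped": dropped,
            "sessions": len(sessions), "incidents": evaluate_rules(sessions, rules)}
```

On the sample, `run()` leaves five events for inspection (one logged only, one dropped), groups them into three sessions, and raises exactly one incident, against 192.0.2.10, because only that host saw both a probe and a web attack. The attack on 192.0.2.20 alone does not satisfy the first cell, which is the practical effect of tying every cell to the same target: an attack without its preceding reconnaissance, or reconnaissance against one host and an attack against another, does not fire the rule. The two drop rules also show why rule order matters: the narrower log-only rule must precede the broad drop rule, or the events you wanted to keep for forensics are discarded.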

QUESTION 63
In which two ways could the Cisco Security MARS present the incident data to the user graphically from the Summary Dashboard? (Choose two.)
A. Compromised topology information.
B. Event type group matrix.
C. Path information.
D. Incident vector information.
Correct Answer: CD

QUESTION 64
Which three statements are correct based on the Incident Vector Graph shown on the MARS GUI screen? (Choose three.)
A. The port being attacked is port 80.
B. This incident has two associated Event Types.
C. Click the Previous button to view any other Sessions related to this incident.
D. The device being attacked is the Tivoli Server.
Correct Answer: ABD

QUESTION 65
Which two statements accurately describe the Cisco Security MARS rules? (Choose two.)
A. Drop rules are treated as global rules, so they automatically propagate to the Cisco Security MARS global controller.
B. Predefined system rules are treated as global rules. When an incident is fired by a system rule on the Cisco Security MARS local controller, the system rule propagates to the Cisco Security MARS global controller.
C. It is not possible to edit the global rules created on the Cisco Security MARS global controller from the Cisco Security MARS local controller.
D. Rules can be created on both the Cisco Security MARS global controller and the Cisco Security MARS local controllers. Rules on the Cisco Security MARS global controller propagate down to the Cisco Security MARS local controllers.
Correct Answer: D

QUESTION 66
Which three statements are true with regard to the Cisco Security MARS global and local controller architecture? (Choose three.)
A. All local controller events are propagated to the global controller for correlation.
B. One global controller can support multiple local controllers.
C. Each zone can have one local controller.
D. Incidents can be viewed on the global controller based on a selected local controller.
Correct Answer: CD

QUESTION 67
Cisco Security MARS uses NetFlow data to perform which function?
A. Traffic profiling and statistical anomaly detection.
B. Correlation across NAT boundaries.
C. Data reduction.
D. Event normalization.
Correct Answer: A

QUESTION 68
Which of the following alert actions can be transmitted to a user as notification that a Cisco Security MARS rule has fired and that an incident has been logged? (Choose two.)
A. Syslog.
B. OPSEC-LEA (clear and encrypted).
C. Short Message Service.
D. XML notification.
Correct Answer: CD

QUESTION 69
Which three statements are true about the Cisco Security MARS syslog forwarding feature for relaying received syslog data to a syslog server? (Choose three.)
A. The configured collector is a designated host that receives a syslog message, but the collector does not relay it to another host.
B. Cisco Security MARS can forward alert data to multiple collector IP addresses.
C. Syslog forwarding is disabled until you specify the collector and at least one source host.
D. The pnparser service must be running for the syslog forwarding feature to work.
Correct Answer: ACD

QUESTION 70
Which incident type is pushed from a local controller to a global controller?
A. Incidents on the local controller triggered by predefined system rules.
B. Any incidents on the local controller.
C. Incidents on the local controller triggered by local rules.
D. True-positive incidents on the local controller.
Correct Answer: A

QUESTION 71
Most SIM offerings are software based and designed to operate on standard hardware platforms; however, recently a wave of optimized appliances tuned for performance has entered the market. Which of the following are functions of a SIM?
A. Collect event data from reporting sources.
B. Store data for analysis, reporting, and archiving.
C. Correlate the data to show relationships.
D. Present the data for analysis.
E. Report on, alarm on, and/or notify about the data.
Correct Answer: ABCDE

QUESTION 72
Which statement about the Cisco Security MARS maintenance procedure is true?
A. No new events can be logged when the Cisco Security MARS local database reaches its maximum storage capacity.
B. If the archive is generated with one release of software, then the restore has to be done with the same version of software.
C. Cisco Security MARS disk drives are not hot-swappable.
D. Cisco Security MARS audit logs can be exported to a centralized server for consolidation and protection of the log data.

QUESTION 73
Study the exhibit carefully. Which icon can be chosen to generate the access rules information displayed toward the bottom of the screen?
A. Incident Vector icon.
B. Security Manager Policy Table Lookup icon.
C. ISR Device Manager Policy icon.
D. Raw Events icon.

QUESTION 74
A Global Controller is a master unit that allows for global management of one or more Local Controllers. True or false?
A. True
B. False
Correct Answer: A

QUESTION 75
Match the Cisco Security MARS terms to their definitions.
1. queries
2. events
3. sessions
4. incidents
5. rules
I. a series of events that share common 5-tuple information
II. a series of sessions that match a defined rule
III. tools that analyze the events and sessions and generate incidents
IV. raw message sent to the Cisco Security MARS appliance by the reporting devices
V. tools that can be run at a specific moment to investigate an incident
A. I-3, II-4, III-5, IV-2, V-1
B. I-3, II-4, III-5, IV-1, V-2
C. I-3, II-4, III-2, IV-5, V-1
D. I-3, II-4, III-2, IV-1, V-5
Correct Answer: A

QUESTION 76
Which option is correct about the case management feature of Cisco Security MARS?
A. It is used in conjunction with the Cisco Security MARS incident escalation feature for incident reporting.
B. It is used to capture, combine, and preserve user-selected Cisco Security MARS data within a specialized report.
C. It is used to automatically collect and save information on incidents, sessions, queries, and reports dynamically without user intervention.
D. It is used to very quickly evaluate the state of the network.

QUESTION 77
Which description is correct with regard to Cisco Security MARS and Cisco IPS signature support?
A. Cisco Security MARS can be configured to automatically download the new Cisco IPS signatures from Cisco.com or from a local web server at a specified interval.
B. When the Local Controller pulls the new IPS signatures from Cisco.com, it will also forward the new IPS signatures to the Global Controller.
C. Cisco Security MARS supports custom IPS signatures using the dynamic IPS signature update feature.
D. The dynamic IPS signature update feature is enabled by default.
Correct Answer: A

QUESTION 78
The Cisco Security MARS appliance supports which protocol for data archiving and restoring?
A. NFS
B. TFTP
C. FTP
D. Secure FTP
Correct Answer: A

QUESTION 79
Which description is correct with regard to the case management feature of Cisco Security MARS?
A. The Cases page on a local controller has an additional drop-down filter to display cases per global controller.
B. Cases are created on a global controller, but they can be viewed and modified on a local controller.
C. Cases are created on a local controller, but they can be viewed and modified on a global controller.
D. The global controller has a Case bar and all cases are selected from the Query/Reports > Cases page.
Correct Answer: C

QUESTION 80
Cisco Security MARS uses NetFlow data to perform which function?

A. Traffic profiling and statistical anomaly detection
B. Correlation across NAT boundary
C. Data reductions
D. Events normalization
Correct Answer: A

QUESTION 81
What will occur when you try to run a Cisco Security MARS query that will take a long time to complete?
A. After submitting the query, the Cisco Security MARS GUI screen will be locked up until the query is completed.
B. The query will be automatically saved as a rule.
C. The query will be automatically saved as a report.
D. You will be prompted to "Submit Batch" to run the query in batch mode.
Correct Answer: D

QUESTION 82
Which two statements are true according to the Incident shown on the MARS GUI screen? (Choose two.)
A. The Nimda rule triggered both the and the Incidents.
B. This is a low-severity incident.
C. There are multiple events that correlate to the session.
D. The session is related to both the and the Incidents.
Correct Answer: CD

QUESTION 83
Which two statements accurately describe the Cisco Security MARS rules? (Choose two.)
A. Drop rules are treated as global rules, so they will automatically propagate to the Cisco Security MARS global controller.
B. Predefined system rules are treated as global rules. When an incident is fired by a system rule on the Cisco Security MARS local controller, the system rule propagates to the Cisco Security MARS global controller.
C. It is not possible to edit the global rules created on the Cisco Security MARS global controller from the Cisco Security MARS local controller.
D. Rules can be created on both the Cisco Security MARS global controller and the Cisco Security MARS local controllers. Rules on the Cisco Security MARS global controller will propagate down to the Cisco Security MARS local controllers.
Correct Answer: D

QUESTION 84
Most SIM offerings are software based and designed to operate on standard hardware platforms; however, recently a wave of optimized appliances tuned for performance has entered the market. Which of the following options are the functions of SIMs?
A. Collect event data from reporting sources
B. Store data for analysis, reporting, and archiving
C. Correlate the data to show relationships
D. Present the data for analysis
E. Report on, alarm on, and/or notify about the data
Correct Answer: ABCDE

QUESTION 85
Which description is correct with regard to Cisco Security MARS and Cisco IPS signature support?
A. Cisco Security MARS can be configured to automatically download the new Cisco IPS signatures from Cisco.com or from a local web server at a specified interval.
B. When the Local Controller pulls the new IPS signatures from Cisco.com, it will also forward the new IPS signatures to the Global Controller.
C. Cisco Security MARS supports custom IPS signatures using the dynamic IPS signature update feature.
D. The dynamic IPS signature update feature is enabled by default.
Correct Answer: A

QUESTION 86
A Cisco Security MARS appliance can't access certain devices through the default gateway. Troubleshooting has determined that this is a Cisco Security MARS configuration issue. Which additional Cisco Security MARS configuration will be required to correct this issue?
A. Use the Cisco Security MARS GUI to configure multiple default gateways
B. Use the Cisco Security MARS GUI or CLI to configure multiple default gateways
C. Use the Cisco Security MARS GUI or CLI to enable a dynamic routing protocol
D. Use the Cisco Security MARS CLI to add a static route
Correct Answer:

QUESTION 87
Which action enables the Cisco Security MARS appliance to ignore false-positive events by either dropping the events completely or by just logging them to the database?
A. Inactivating the rules
B. Creating system inspection rules using the drop operation
C. Deleting the false-positive events from the events management page
D. Creating drop rules
Correct Answer: D

QUESTION 88
Which two items are correct according to the rule shown on the MARS GUI screen? (Choose two.)
A. This rule will fire if the offset 1 condition occurs "OR" if the offset 2 condition occurs.
B. This rule will fire if the offset 3 condition occurs.
C. The expressions between cells are "AND" while the expressions between items in the same cell are "OR."
D. This is a user-defined rule.
Correct Answer: C

QUESTION 89
Which two statements best describe the Cisco Security MARS Event Management partial screen displayed? (Choose two.)
A. Info/Misc/FW is a user-defined rule that normalizes events into a single event.
B. Event ID is a low-severity event.
C. Event ID belongs in an event group that includes generic informational events from firewalls.
D. PIX and FWSM syslog messages (104001) are normalized into a single event (Event ID ).
Correct Answer: CD

QUESTION 90
What will occur when you try to run a Cisco Security MARS query that will take a long time to complete?
A. After submitting the query, the Cisco Security MARS GUI screen will be locked up until the query is completed.
B. The query will be automatically saved as a rule.

C. The query will be automatically saved as a report.
D. You will be prompted to "Submit Batch" to run the query in batch mode.
Correct Answer: D

QUESTION 91
Which three items are true with regard to the Cisco Security MARS syslog forwarding feature for relaying the received syslog data to a syslog server? (Choose three.)
A. The configured collector is a designated host that receives a syslog message, but the collector does not relay it to another host.
B. Cisco Security MARS can forward alert data to multiple collector IP addresses.
C. Syslog forwarding is disabled until you specify the collector and at least one source host.
D. The pnparser service should be running for the syslog forwarding feature to work.
Correct Answer: ACD

QUESTION 92
Match the correct relationship between the Cisco Security MARS terms and their definitions.
1. queries
2. events
3. sessions
4. incidents
5. rules
I. a series of events that share common 5-tuple information
II. a series of sessions that match a defined rule
III. tools that analyze the events and sessions and generate incidents
IV. raw message sent to the Cisco Security MARS appliance by the reporting devices
V. tools that can be run in a specific moment to investigate an incident
A. I-3,II-4,III-5,IV-2,V-1
B. I-3,II-4,III-5,IV-1,V-2
C. I-3,II-4,III-2,IV-5,V-1
D. I-3,II-4,III-2,IV-1,V-5
Correct Answer: A

QUESTION 93
The Cisco Security MARS appliance supports which protocol for data archiving and restoring?
A. NFS

B. TFTP
C. FTP
D. Secure FTP
Correct Answer: A

QUESTION 94
Which two statements accurately describe the Cisco Security MARS rules? (Choose two.)
A. Drop rules are treated as global rules, so they will automatically propagate to the Cisco Security MARS global controller.
B. Predefined system rules are treated as global rules. When an incident is fired by a system rule on the Cisco Security MARS local controller, the system rule propagates to the Cisco Security MARS global controller.
C. It is not possible to edit the global rules created on the Cisco Security MARS global controller from the Cisco Security MARS local controller.
D. Rules can be created on both the Cisco Security MARS global controller and the Cisco Security MARS local controllers. Rules on the Cisco Security MARS global controller will propagate down to the Cisco Security MARS local controllers.
Correct Answer: D

QUESTION 95
Which statement about the Cisco Security MARS maintenance procedure is true?
A. No new events can be logged when the Cisco Security MARS local database reaches its maximum storage capacity.
B. If the archive is generated with one release of software, then the restore has to be done with the same version of software.
C. Cisco Security MARS disk drives are not hot-swappable.
D. Cisco Security MARS audit logs can be exported to a centralized server for the consolidation and protection of the log data.

QUESTION 96
Which description is correct with regard to the case management feature of Cisco Security MARS?
A. The Cases page on a local controller has an additional drop-down filter to display cases per global controller.

B. Cases are created on a global controller, but they can be viewed and modified on a local controller.
C. Cases are created on a local controller, but they can be viewed and modified on a global controller.
D. The global controller has a Case bar and all cases are selected from the Query/Reports > Cases page.
Correct Answer: C

QUESTION 97
Which description is correct with regard to Cisco Security MARS and Cisco IPS signature support?
A. Cisco Security MARS can be configured to automatically download the new Cisco IPS signatures from Cisco.com or from a local web server at a specified interval.
B. When the Local Controller pulls the new IPS signatures from Cisco.com, it will also forward the new IPS signatures to the Global Controller.
C. Cisco Security MARS supports custom IPS signatures using the dynamic IPS signature update feature.
D. The dynamic IPS signature update feature is enabled by default.
Correct Answer: A

QUESTION 98
Which three items are true with regard to the Cisco Security MARS syslog forwarding feature for relaying the received syslog data to a syslog server? (Choose three.)
A. The configured collector is a designated host that receives a syslog message, but the collector does not relay it to another host.
B. Cisco Security MARS can forward alert data to multiple collector IP addresses.
C. Syslog forwarding is disabled until you specify the collector and at least one source host.
D. The pnparser service should be running for the syslog forwarding feature to work.
Correct Answer: ACD