HPE2-W05 Implementing Aruba IntroSpect Questions and Answers

Refer to the exhibit.

You have been assigned a task to monitor, analyze, and find those entities who are trying to access internal resources without having valid user credentials. You are creating an AD-based use case to look for this activity. Could you use this entity type to accomplish this? (Source Host.)

A network administrator is looking for an option to set the maximum data retention period to 180 days in theIntroSpect Analyzer. Is this a correct statement about data retention in IntroSpect? (The default data retentionperiod is set at 30 days, and this cannot be changed.)

During a conversation with one of your colleagues, they bring up the subject of small business security and ask you to explain why a small business would be interested in a product like IntroSpect. Is this a reason they would purchase IntroSpect? (Most small business that suffer a data breach will go out of business as a result

of the breach.

Refer to the exhibit.

Would this be a correct option when configuring a user account for a ClearPass to use to communicate with IntroSpect? (The username must be the host name of the ClearPass server, and the email address needs to be the username on the ClearPass server.)

You are an administrator who made a few configuration changes in the IntroSpect Packet Processor, and arestart is required after those changes. Is this a valid method to restart the Packet Processor? (SSH into thePacket Processor, and log in as “admin” and issue the command #> shutdown –s now.)

Your company has found some suspicious conversations for some internal users. The security team suspects those users are communicating with entities in other countries. You have been assigned the task of identifying those users who are either uploading or downloading files from servers in other countries. Is this the best way to visualize conversations of suspected users in this scenario? (Visualizing Applications and Ports.)

A company wants to integrate ClearPass with the IntroSpect. Is this a supported version? (ClearPass 6.7.3.)

In a conversation with a colleague you are asked to give them an idea of what type of monitor source you

would use for each attack stage.

Would this be a correct correlation? (For “Command and Control” you can monitor DNS through network tap

ports.)

During a discovery at a large company, the customer asks if they can run IntroSpect on a segment of the network and only monitor a small group of users and servers as a trial. As their IT staff becomes familiar with the analytics, they want to expand the installation to the entire enterprise. Would this be a valid option for the customer? (The customer can deploy the analyzer at the first site and use whitelist/blacklist functions to contain the scope of the analytics to the smaller site.)

While a customer site you are asked to explain the advantages and limits of collecting AMON from the Aruba Mobility Controllers. Would this be a correct statement? (AMON is an easy way to monitor a network where the primary access method is through Aruba Mobility Controllers.)

You are visiting a site configured with IntroSpect, and the on-site admin tells you that they do not think that oneof their database servers has fired any alerts for large download or strange access patterns. Could this be areason? (The database server needs to be listed in an entity whitelist.)

You were called into a customer site to do an evaluation of installing IntroSpect for a small business. During

the discovery process, the customer asks you to explain when they would need to deploy a Packet Processor.

Does this explain the function of the Packet Processor? (The packet Processor helps if they are using the

analyzer deployed in the cloud by forwarding log data over HTTPS.)

In a meeting with a customer that runs a fully automated manufacturing facility that is connected to the business and corporate offices, the operations manager asks why they need IntroSpect to monitor the manufacturing network. Is this a reason they should monitor the manufacturing network security? (Because the controllers and sensors do not store customer data or corporate intellectual property, even if the automation network was to be breached it would not expose anything valuable.)

You have been asked to provide a Bill of Materials (BoM) for a mature small business with two sites. The IT Director prefers all hardware to be on-premise but is open to cloud-based solution. In conversations with the IT staff, you determine that the main site has approximately 550 network devices and 400 users. All users are in Active Directory. Eighty of the users use a Pulse Secure VPN to work remotely.

The second site is a warehouse operation with approximately 40 users and another 10 users that use Pulse Secure VPN. All wireless is using Aruba Networks Instant APs. There are Active Directory servers at both sites. All logs are currently being gathered into Splunk. The team feels that they can properly monitor the corporate site network with a single tap port on a central switch at the main office. There will be a network tap at the remote site.

Is this a suggestion you would make to the customer? (The customer should install the Fixed Configuration Analyzer in the data center to manage the tap and Splunk logs for the main site and a single Packet Processor at the warehouse site.)