Pass the VMware Carbon Black Cloud Endpoint Standard Skills 2023 5V0-93.22 Questions and answers with ExamsMirror

VMware Carbon Black Cloud Endpoint Standard uses a hybrid approach to determine the reputation of files on the endpoints. It combines local scan, which uses signature-based detection to identify known malware, and cloud scan, which uses cloud-based analytics and machine learning to identify unknown or emerging threats. When a sensor’s local AV signatures are out-of-date, it means that the local scan cannot detect the latest malware variants that have been added to the signature database. However, this does not affect the cloud scan, which can still determine the reputation of newly discovered files based on their behavior, characteristics, and context. Therefore, the effect of having out-of-date local AV signatures is that the reputation is determined by cloud reputation, which is more accurate and up-to-date than signature-based detection. The other options are not correct, because the sensor does not prompt the end user, automatically block, or fail to block a new file based on the local AV signatures alone. References: Carbon Black Cloud Endpoint Standard - Technical Overview, View and Update Signature Versions, Endpoint Standard: How to verify AV Signatures are updating

The best rule to prevent a spreadsheet from being misused to run malicious code, while minimizing the risk of breaking normal operations of a spreadsheet, is B. **\excel.exe [Invokes a command interpreter] [Deny operation]. This rule will prevent any Excel process from invoking a command interpreter, such as cmd.exe or powershell.exe, which is a common technique used by malware to execute malicious commands or scripts. This rule will deny the operation but not terminate the process, which may allow the spreadsheet to continue functioning normally. This rule is more specific and effective than option A, which only applies to Microsoft Office applications that run external code, or option C, which applies to Excel applications that communicate over the network. Option D is incorrect because it is too vague and may not catch all the possible ways that a spreadsheet can run malware.

The VMware Carbon Black Cloud integration that is supported for SIEM is the Splunk App. The Splunk App allows administrators to bring alerts, events, audit logs, or vulnerability data from Carbon Black Cloud into their Splunk dashboard1. The Splunk App also supports Splunk SOAR, which enables automated actions and workflows based on Carbon Black Cloud alerts2.

The other options are not supported for SIEM integration with Carbon Black Cloud. SolarWinds, LogRhythm, and Datadog are not listed among the 140+ ecosystempartnerships and integrations that Carbon Black Cloud offers3. They are also not part of the Next-Gen SOC Alliance, which features Splunk, IBM Security, Google Cloud’s Chronicle, Exabeam, and Sumo Logic integrations with Carbon Black Cloud1. References:

VMware Carbon Black Cloud Endpoint Standard Skills Reference Materials, Section 2.6: Integrations

VMware Carbon Black Cloud Endpoint Standard User Guide, Chapter 12: Integrations

Integrations and APIs - VMware

Carbon Black Cloud - Cloud SIEM | Sumo Logic Docs

VMware Launches Next-Gen SOC Alliance with Splunk, IBM … - VMware Blogs

The correct answer is to click Drop Connection, which is a feature of VMware Carbon Black Cloud Endpoint Standard that allows the administrator to immediately terminate a network connection that is deemed malicious or suspicious. This feature can be accessed from the Alert Details page, where the administrator can see the application, process, and destination IP address of the connection. By clicking Drop Connection, the administrator can block the connection without affecting the rest of the system or network. This is a quick and effective way to stop a potential threat from communicating with a remote server or exfiltrating data. References: = VMware Carbon Black Cloud Endpoint Standard Skills Reference Materials, Section 4.3: Investigate Alerts, Subsection 4.3.2: Drop Connection.

The reputation that was used by the sensor for the decision to terminate the process was the effective reputation. The effective reputation is the reputation that the sensor uses to evaluate and enforce policy rules on the endpoint. The effective reputation is determined by the following factors:

The initial cloud reputation, which is the reputation that the Carbon Black Cloud assigns to the file based on its analysis and threat intelligence feeds.

The actioned reputation, which is the reputation that the administrator assigns to the file through the Carbon Black Cloud console, such as approve, ban, or dismiss.

The current cloud reputation, which is the reputation that the Carbon Black Cloud updates for the file based on new information or changes in the threat landscape.

The effective reputation is the highest priority reputation among these three factors. For example, if the initial cloud reputation is SUSPECT_MALWARE, the actioned reputation is APPROVED, and the current cloud reputation is KNOWN_MALWARE, the effective reputation will be APPROVED, because it has the highest priority. The sensor will use the effective reputation to apply the policy rules on the endpoint. In this case, the process will not be blocked by the rule [Suspected malware] [Invokes a command interpreter] [Terminate process], because the effective reputation is not SUSPECT_MALWARE.

In the question scenario, the effective reputation for the process was SUSPECT_MALWARE, which means that either the initial cloud reputation, the actioned reputation, or the current cloud reputation was SUSPECT_MALWARE, and there was no higher priority reputation that overrode it. Therefore, the sensor used the effective reputation to enforce the policy rule and terminate the process. References:

Endpoint Standard: How to Confirm Applied … - VMware Carbon Black, Resolution section.

The Process Analysis page in VMware Carbon Black Cloud Endpoint Standard is a graphical view of the event that shows the process tree, the event timeline, and the event details. The process tree displays the parent-child relationships of the processes involved in the event, as well as the actions taken by the policy, such as blocking or alerting. The event timeline shows the chronological sequence of the events, such as process executions, file modifications, network connections, and registry changes. The event details provide more information about the selected event, such as the process name, path, hash, command line, reputation, and Carbon Black TTPs. The Process Analysis page can help the security administrator to investigate the hash ban event and understand the context and impact of the blocked application. References: Carbon Black Cloud Endpoint Standard - Technical Overview, Add Hash to Banned List, Carbon Black Cloud: How to Add a SHA256 Hash to Approved/Banned List

 The correct answer is C because it uses the correct syntax for the advanced search query. The process_name field matches the name of the process, and the AND NOT operator excludes the results that match the second condition. The backslashes in the path need to be escaped with another backslash, so C:\Windows\System32 is the correct way to write it. References: VMware Carbon Black Cloud Endpoint Standard Skills Reference Materials, Section 3.3.2: Investigate Page - Advanced Search.

The IDs that may be used to search and investigate security incidents in Carbon Black Cloud are hash, sensor, and alert.

A hash is a unique identifier for a file or process that can be used to track its activity and behavior across endpoints. A hash can be searched in the Investigate page to view its reputation, prevalence, and associated alerts.

A sensor is a unique identifier for an endpoint that has the Carbon Black Cloud agent installed. A sensor can be searched in the Endpoints page to view its status, policy, and associated alerts. A sensor can also be searched in the Investigate page to view its processes, events, and network connections.

An alert is a unique identifier for a security incident that is generated by Carbon Black Cloud based on the policy rules and threat intelligence. An alert can be searched in the Alerts page to view its details, timeline, and remediation actions. An alert can also be searched in the Investigate page to view its associated processes, events, and network connections.

A threat is not a valid ID for searching and investigating security incidents in Carbon Black Cloud. A threat is a term used to describe a malicious actor or activity that poses a risk to the organization. A threat can be detected by Carbon Black Cloud based on the threat intelligence feeds and watchlists, but it is not a unique identifier for a specific incident.

An event is not a valid ID for searching and investigating security incidents in Carbon Black Cloud. An event is a term used to describe a single action or occurrence that is recorded by the Carbon Black Cloud agent on an endpoint. An event can be viewed in the Investigate page as part of a process or alert, but it is not a unique identifier for a specific incident.

A user is not a valid ID for searching and investigating security incidents in Carbon Black Cloud. A user is a term used to describe a person who has access to the Carbon Black Cloud console or API. A user can be searched in the Users page to view their role, permissions, and activity, but they are not directly related to security incidents. References:

VMware Carbon Black Cloud Endpoint Standard Skills Reference Materials, Section 2.1: Investigate

VMware Carbon Black Cloud Endpoint Standard Skills Reference Materials, Section 2.2: Alerts

VMware Carbon Black Cloud Endpoint Standard Skills Reference Materials, Section 2.3: Endpoints

VMware Carbon Black Cloud Endpoint Standard Skills Reference Materials, Section 2.4: Threats

VMware Carbon Black Cloud Endpoint Standard Skills Reference Materials, Section 2.5: Users

 The Investigate page in the VMware Carbon Black Cloud Endpoint Standard console is where the security administrator can perform a search to further inspect the script-based attack that was coded into Excel VBA. The Investigate page allows the administrator to use advanced search techniques to query the endpoint data collected by the VMware Carbon Black Cloud sensors. The administrator can use various fields and operators to filter and refine the search results, such as process_name, file_name, file_path, file_type, file_description, and more. The administrator can also use the processtree view to visualize the process execution and the event details to examine the process activity. For example, the administrator can use the following search query to find all the processes that have a file type of Excel VBA:

file_type:EXCEL_VBA

This query will return all the processes that have a file type of EXCEL_VBA, which is a file type that indicates the file contains Excel VBA code. The file_type field is a string that indicates the type of the file based on its content and format. The possible values for this field are:

EXE: Executable file

DLL: Dynamic-link library file

SYS: System file

BAT: Batch file

CMD: Command file

VBS: Visual Basic Script file

JS: JavaScript file

PS1: PowerShell Script file

HTA: HTML Application file

MSI: Windows Installer file

DOC: Microsoft Word document file

XLS: Microsoft Excel spreadsheet file

PPT: Microsoft PowerPoint presentation file

PDF: Portable Document Format file

SWF: Shockwave Flash file

JAR: Java Archive file

CLASS: Java class file

PY: Python script file

SH: Shell script file

PL: Perl script file

RB: Ruby script file

PHP: PHP script file

ASP: Active Server Pages file

ASPX: Active Server Pages Extended file

HTML: HyperText Markup Language file

XML: Extensible Markup Language file

DOCM: Microsoft Word document with macros file

XLAM: Microsoft Excel add-in with macros file

XLSM: Microsoft Excel spreadsheet with macros file

XLTM: Microsoft Excel template with macros file

PPTM: Microsoft PowerPoint presentation with macros file

POTM: Microsoft PowerPoint template with macros file

PPAM: Microsoft PowerPoint add-in with macros file

EXCEL_VBA: Excel Visual Basic for Applications file

WORD_VBA: Word Visual Basic for Applications file

POWERPOINT_VBA: PowerPoint Visual Basic for Applications file

OUTLOOK_VBA: Outlook Visual Basic for Applications file

ACCESS_VBA: Access Visual Basic for Applications file

PROJECT_VBA: Project Visual Basic for Applications file

VISIO_VBA: Visio Visual Basic for Applications file

PUBLISHER_VBA: Publisher Visual Basic for Applications file

INFOPATH_VBA: InfoPath Visual Basic for Applications file

ONENOTE_VBA: OneNote Visual Basic for Applications file

UNKNOWN: Unknown file type

Therefore, by using the Investigate page in the VMware Carbon Black Cloud Endpoint Standard console, the security administrator can perform a search to further inspect the script-based attack that was coded into Excel VBA. References:

Investigate Endpoint Data - VMware Docs, Overview section.

Advanced Search Techniques - VMware Docs, Using Fields section, file_type subsection.

 The VMware Carbon Black Cloud Endpoint Standard allows administrators to add applications to the Approved List, which approves the presence and actions of specified applications on the endpoints. Adding to the Approved List is global in its effects and applies to all policies attached to a particular version of an application. There are two different methods that can be used to add applications to the Approved List: by signing certificate or by application path.

By signing certificate: This method allows administrators to approve files that are signed by a specific certificate authority (CA) or signer. For example, if an administrator wants to approve all files that are signed by Google Inc, they can add the signer name and the CA name to the Approved List. This method is useful for approving files that are frequently updated or have dynamic names or paths. However, administrators should be careful when using wildcards or approving certificates from untrusted sources, as this could lead to incidentally approving malicious software that appears to be signed by a trusted CA or signer.

By application path: This method allows administrators to approve files that are located in a specific path on the endpoint. For example, if an administrator wants to approve a custom application that is installed in C:\Program Files\Custom Application\, they can add the path and the file name to the Approved List. This method is useful for approving files that have a fixed name and location on the endpoint. However, administrators should be aware that this method does not account for new versions of the application, and they should routinely update the Approved List to reflect the changes. Administrators can also use wildcards to target certain files or directories, but they should be as specific as possible to avoid approving unwanted files.

The other options are not valid methods for adding applications to the Approved List. MD5 hash is a method for adding files to the Banned List, which prevents specific files from running on the endpoints by their hash values. Application name is a method for creating permission rules, which allow or deny the presence and actions of an application only on a specific device. IT Tool is not a method, but a category of applications that are recommended to be added to the Approved List, such as software deployment tools, executable installers, IDEs, compilers, or script editors. References: Adding to the Approved List, Endpoint Standard: How to add a Certificate to the Approved List, Endpoint Standard: How to add a SHA256 hash to Approved/Banned List