5V0-93.22 Exam Dumps : VMware Carbon Black Cloud Endpoint Standard Skills

A leading wildcard is a wildcard that is placed at the beginning of a search term, such as * or ?. A leading wildcard matches any characters that precede the specified term. For example, filemod:/system32/ntdll.dll matches any file modification events that end with /system32/ntdll.dll, regardless of the drive letter or the directory name. A leading wildcard is not recommended unless absolutely necessary because it carries a significant performance penalty for the search. This is because the search engine has to scan the entire index for possible matches, rather than using the index to quickly narrow down the results1.

The other options are not examples of leading wildcards. A. filemod:system32/ntdll.dll is an exact match query that matches only file modification events that are exactly system32/ntdll.dll. B. filemod:system32/ntdll.dll is a trailing wildcard query that matches any file modification events that start with system32/ and end with ntdll.dll, regardless of the characters in between. D. filemod:system32/ntdll.dll is a trailing wildcard query that matches any file modification events that start with system32/ntdll.dll, regardless of the characters that follow. References:

• Search Syntax - VMware Docs, Wildcards section.

This feature allows the administrator to test the rule against historical data and see how many events would have matched the rule criteria in the past 24 hours. The administrator can also see the details of the matching events, such as the device name, the process name, the process path, the operation type, and the operation result. This feature can help the administrator to confirm that the new rulewould have prevented a previous execution that had been observed, as well as to evaluate the effectiveness and accuracy of the rule1.

The other options are not features that can be used for this purpose. A. Setting up a notification based on a policy action, and then selecting Terminate is a feature that allows the administrator to receive an alert when a terminate rule is triggered by a current event, but it does not allow the administrator to test the rule against historical data. C. Configuring the rule to terminate the process is a feature that allows the administrator to specify the action that the sensor will take when the rule is triggered by a current event, but it does not allow the administrator to test the rule against historical data. D. Configuring the rule to deny operation of the process is a feature that allows the administrator to specify a different action than terminate for the rule, but it does not allow the administrator to test the rule against historical data. References:

• Endpoint Standard Rules - VMware Docs, Test Rule section.

The pre-requisite step in gathering specific vulnerability data to export it as a CSV file for analysis is A. Perform a custom search on the Endpoint Page. This step allows the security administrator to use advanced search techniques to query the endpoint data collected by the VMware Carbon Black Cloud sensors. The administrator can use various fields and operators to filter and refine the search results, such as process_name, file_name, file_path, file_type, file_description, and more. Theadministrator can also use the process tree view to visualize the process execution and the event details to examine the process activity. After performing the custom search, the administrator can export the data as a CSV file for further analysis by clicking the Export () icon and selecting CSV Report. The CSV file is available for download under the Notifications drop-down menu1.

The other options are not pre-requisite steps in gathering specific vulnerability data to export it as a CSV file for analysis. Accessing the Audit Log content to see associated events is a step that allows the administrator to review actions performed by Carbon Black Cloud console users, such as logging in, creating policies, banning hashes, isolating devices, and initiating Live Response sessions. The Audit Log does not provide specific vulnerability data for the endpoints2. Searching for specific malware by hash or filename is a step that allows the administrator to find and analyze malicious files on the endpoints, but it does not provide comprehensive vulnerability data for the endpoints. Enabling cloud analysis is a step that allows the administrator to upload file metadata and content to the Carbon Black Cloud for reputation and threat intelligence analysis, but it does not provide specific vulnerability data for the endpoints3. References:

• Investigate Endpoint Data - VMware Docs, Overview section.
• Audit Logs - VMware Docs, Overview section.
• Cloud Analysis - VMware Docs, Overview section.