Question 1

When creating custom correlation searches, what format is used to embed field values in the title, description, and drill-down fields of a notable event?

Options :

A : $fieldname$

B : ''fieldname''

C : %fieldname%

D : _fieldname_

Answer: A

Question 2

When investigating, what is the best way to store a newly-found IOC?

Options :

A : Paste it into Notepad.

B : Click the ''Add IOC'' button.

C : Click the ''Add Artifact'' button.

D : Add it in a text note to the investigation.

Answer: B

Question 3

Which settings indicated that the correlation search will be executed as new events are indexed?

Options :

A : Always-On

B : Real-Time

C : Scheduled

D : Continuous

Answer: C

Question 4

Where is detailed information about identities stored?

Options :

A : The Identity Investigator index.

B : The Access Anomalies collection.

C : The User Activity index.

D : The Identity Lookup CSV file.

Answer: C

Question 5

Which of these Is a benefit of data normalization?

Options :

A : Reports run faster because normalized data models can be optimized for better performance.

B : Dashboards take longer to build.

C : Searches can be built no matter the specific source technology for a normalized data type.

D : Forwarder-based inputs are more efficient.

Answer: A