642-545 Implementing Cisco Security Monitoring, Analysis and Response System

Question 1

What will occur when you try to run a Cisco Security MARS query that will take a long time
to complete?

  • A. After submitting the query, the Cisco Security MARS GUI screen will be locked up until the query is completed.
  • B. The query will be automatically saved as a rule.
  • C. The query will be automatically saved as a report.
  • D. You will be prompted to "Submit Batch" to run the query in batch mode.


Answer : D

Question 2

Cisco Security MARS combines network intelligence, context correlation, vector analysis,
anomaly detection, hotspot identification, and automated mitigation capabilities. Which
action will you take to enable the Cisco Security MARS appliance to ignore false-positive
events by either dropping the events completely, or by just logging them to the database?

  • A. inactivating the rules
  • B. creating drop rules
  • C. deleting the false-positive events from the Incidents page
  • D. deleting the false-positive events from the Event Management page


Answer : B
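The distinction the question turns on is that a drop rule can either discard a false-positive event entirely or keep it in the database without letting it reach the inspection rules that fire incidents. The following Python is an added example that is not MARS code or Cisco's; the event records, the rule definitions and the `DropRule` class are constructed for illustration, and the "first matching rule wins" ordering is an assumption of the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample events (not MARS output): each is one normalized event
# as a correlation engine would see it after parsing a reporting device's message.
EVENTS = [
    {"id": 1, "src": "10.1.1.5",  "dst": "10.1.2.9", "type": "ICMP Echo",          "device": "fw1"},
    {"id": 2, "src": "10.1.9.20", "dst": "10.1.2.9", "type": "ICMP Echo",          "device": "fw1"},
    {"id": 3, "src": "10.1.1.5",  "dst": "10.1.2.9", "type": "TCP SYN Port Sweep", "device": "ids1"},
    {"id": 4, "src": "192.0.2.7", "dst": "10.1.2.9", "type": "TCP SYN Port Sweep", "device": "ids1"},
]


@dataclass
class DropRule:
    """Hypothetical drop rule: matching events are discarded ("drop") or stored
    in the database without ever reaching the inspection rules ("log")."""
    name: str
    event_types: set
    src_nets: list      # ipaddress networks; an empty list means "any source"
    action: str         # "drop" or "log"

    def matches(self, ev):
        if ev["type"] not in self.event_types:
            return False
        if self.src_nets:
            src = ipaddress.ip_address(ev["src"])
            return any(src in net for net in self.src_nets)
        return True


RULES = [
    # The monitoring host pings everything; these are noise, do not even store them.
    DropRule("ignore monitor pings", {"ICMP Echo"},
             [ipaddress.ip_network("10.1.1.5/32")], "drop"),
    # Internal scanner sweeps look like attacks; keep them for audit, never alert.
    DropRule("log scanner sweeps", {"TCP SYN Port Sweep"},
             [ipaddress.ip_network("10.1.1.0/24")], "log"),
]


def triage(events, rules):
    """Return (dropped, logged_only, correlated) lists of event ids.
    First matching drop rule wins; unmatched events go on to inspection rules."""
    dropped, logged, correlated = [], [], []
    for ev in events:
        rule = next((r for r in rules if r.matches(ev)), None)
        if rule is None:
            correlated.append(ev["id"])      # eligible to fire an incident
        elif rule.action == "drop":
            dropped.append(ev["id"])         # discarded, not stored
        else:
            logged.append(ev["id"])          # written to the DB, no incident
    return dropped, logged, correlated


if __name__ == "__main__":
    print(triage(EVENTS, RULES))
```

Event 1 is discarded, event 3 is kept but never correlated, and events 2 and 4 (the same event types from hosts the rules do not cover) still reach the inspection rules, which is the behaviour a drop rule is for: scoping the suppression to the known false-positive source rather than inactivating the inspection rule for everyone.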

Question 3

Which two options are needed to enable Cisco Security MARS Level 3 operations?
(Choose two.)

  • A. Cisco Security Manager
  • B. global controller
  • C. administrative access to the device
  • D. SNMP community string


Answer : C,D

Question 4

Which three reporting devices could be added to the MARS appliance by use of "Add
SW security apps on new host"? (Choose three.)

  • A. Cisco ACS
  • B. FWSM
  • C. SNORT
  • D. generic web server.


Answer : A,C,D

Question 5

MARS GUI Screen (exhibit not reproduced)


Which statement can best describe the System Inspection Rule displayed on the MARS
GUI screen?

  • A. Click on "Edit," then you can apply and activate the rule.
  • B. Click on "Add" to activate the rule.
  • C. Click on "Change Status" to activate the rule.
  • D. Click on "Duplicate" to archive the rule to a remote NAS.


Answer : C

Question 6

Which two statements accurately describe the Cisco Security MARS rules? (Choose two.)

  • A. Drop rules are treated as global rules, so they automatically propagate to the Cisco Security MARS global controller.
  • B. Predefined system rules are treated as global rules. When an incident is fired by a system rule on the Cisco Security MARS local controller, the system rule propagates to the Cisco Security MARS global controller.
  • C. It is not possible to edit the global rules created on the Cisco Security MARS global controller from the Cisco Security MARS local controller.
  • D. Rules can be created on both the Cisco Security MARS global controller and the Cisco Security MARS local controllers. Rules on the Cisco Security MARS global controller will propagate down to the Cisco Security MARS local controllers.


Answer : B,D

Question 7

The Cisco Security MARS appliance performs NAT and PAT resolution at which level of
operation?

  • A. Advanced (Level 3)
  • B. Local (Level 0)
  • C. Intermediate (Level 2)
  • D. Global (Level 4)


Answer : C
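NAT/PAT resolution means mapping the translated address that a device outside the firewall reports back to the inside host that actually generated the traffic, using the firewall's own translation records. The Python below is an added example, not MARS code or Cisco's; the translation records and the IDS event are constructed, simplified data rather than any real ASA/PIX syslog format, and the rule that the newest translation built before the event wins is an assumption of the example.

```python
from datetime import datetime

# Constructed, simplified PAT translation records (not an exact firewall
# syslog format): when the firewall built the translation, and
# inside ip/port -> outside ip/port. Every inside host shares one outside IP.
XLATES = [
    # (built_at,             proto, inside_ip,  inside_port, outside_ip,     outside_port)
    ("2009-03-02 10:00:01", "tcp", "10.1.1.5", 33112,       "203.0.113.10", 40001),
    ("2009-03-02 10:00:02", "tcp", "10.1.1.7", 41000,       "203.0.113.10", 40002),
    ("2009-03-02 10:00:05", "tcp", "10.1.1.5", 33113,       "203.0.113.10", 40003),
]

# A sensor on the outside of the firewall only ever sees the translated address.
IDS_EVENT = {"time": "2009-03-02 10:00:03", "proto": "tcp",
             "src": "203.0.113.10", "sport": 40002,
             "dst": "198.51.100.20", "dport": 22, "sig": "SSH brute force"}

FMT = "%Y-%m-%d %H:%M:%S"


def resolve_nat(event, xlates):
    """Map the event's post-NAT source back to the inside host.

    With PAT the outside IP alone is ambiguous, so the (proto, ip, port)
    triple is the key, and only translations that already existed when the
    event was seen are candidates. Returns None if nothing matches."""
    seen_at = datetime.strptime(event["time"], FMT)
    candidates = [
        x for x in xlates
        if x[1] == event["proto"] and x[4] == event["src"] and x[5] == event["sport"]
        and datetime.strptime(x[0], FMT) <= seen_at
    ]
    if not candidates:
        return None
    # Ports get reused; the most recently built translation is the live one.
    latest = max(candidates, key=lambda x: datetime.strptime(x[0], FMT))
    return {"inside_ip": latest[2], "inside_port": latest[3]}


if __name__ == "__main__":
    print(resolve_nat(IDS_EVENT, XLATES))
```

Without this step the incident would name 203.0.113.10 as the attacker, which is every host behind the firewall at once; with it the brute-force attempt is attributed to 10.1.1.7. The time check matters: port 40003 was not translated until two seconds after the event, so an event carrying that port resolves to nothing rather than to a wrong host.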

Question 8

Which description is correct with regard to the case management feature of Cisco Security
MARS?

  • A. The Cases page on a local controller has an additional drop-down filter to display cases per a global controller.
  • B. Cases are created on a global controller, but they can be viewed and modified on a local controller.
  • C. Cases are created on a local controller, but they can be viewed and modified on a global controller.
  • D. The global controller has a Case bar and all cases are selected from the Query/Reports > Cases page.


Answer : C

Question 9

Which three items about the Query displayed on the MARS GUI screen are correct?
(Choose three.)


  • A. Query will match any source IP address.
  • B. Query will only match a destination IP address of 10.1.1.1 OR 10.1.1.25.
  • C. Query will only match a destination IP address range from 10.1.1.1 to 10.1.1.25.
  • D. Query will only match any services using the TCP-highPort OR UDP-highPort services groups.


Answer : A,C,D
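The three correct statements describe how the query's fields combine: an empty source means ANY, a destination given as from/to is an inclusive range (not just its two endpoints, which is why option B is wrong), and listing two service groups ORs them. The Python below is an added example, not MARS code or Cisco's; the events are constructed, and the port bounds assumed for the TCP-highPort and UDP-highPort groups (1024 to 65535) are this example's assumption rather than MARS's definition of those groups.

```python
import ipaddress

# Constructed events, not MARS data.
EVENTS = [
    {"id": 1, "src": "172.16.4.4",   "dst": "10.1.1.1",  "proto": "tcp", "dport": 3389},
    {"id": 2, "src": "198.51.100.9", "dst": "10.1.1.25", "proto": "udp", "dport": 5060},
    {"id": 3, "src": "172.16.4.4",   "dst": "10.1.1.12", "proto": "tcp", "dport": 80},
    {"id": 4, "src": "172.16.4.4",   "dst": "10.1.1.26", "proto": "tcp", "dport": 49152},
    {"id": 5, "src": "10.9.9.9",     "dst": "10.1.1.12", "proto": "udp", "dport": 1024},
]

# Service groups as (protocol, low_port, high_port). Bounds are assumed here.
SERVICE_GROUPS = {
    "TCP-highPort": ("tcp", 1024, 65535),
    "UDP-highPort": ("udp", 1024, 65535),
}


def ip_range(first, last):
    """Inclusive address range, the way a from/to destination field is read."""
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    return lambda addr: lo <= ipaddress.ip_address(addr) <= hi


def ip_set(*addrs):
    """Exact-match list of addresses (what option B claims the query means)."""
    allowed = {ipaddress.ip_address(a) for a in addrs}
    return lambda addr: ipaddress.ip_address(addr) in allowed


def in_service_group(name, proto, port):
    g_proto, lo, hi = SERVICE_GROUPS[name]
    return proto == g_proto and lo <= port <= hi


def run_query(events, src=None, dst=None, services=()):
    """src/dst: predicate or None (ANY). services: group names, OR'ed together.
    Returns the ids of matching events in input order."""
    hits = []
    for ev in events:
        if src is not None and not src(ev["src"]):
            continue
        if dst is not None and not dst(ev["dst"]):
            continue
        if services and not any(in_service_group(s, ev["proto"], ev["dport"])
                                for s in services):
            continue
        hits.append(ev["id"])
    return hits


# The query as the answer describes it: any source, 10.1.1.1-10.1.1.25, high ports.
QUERY = dict(src=None,
             dst=ip_range("10.1.1.1", "10.1.1.25"),
             services=("TCP-highPort", "UDP-highPort"))

if __name__ == "__main__":
    print(run_query(EVENTS, **QUERY))
```

Event 3 fails only on the service (tcp/80 is a low port), event 4 fails only on the destination (10.1.1.26 is one past the range), and event 5 is the one that separates options B and C: its destination 10.1.1.12 is inside the range but is neither endpoint, so the range reading keeps it and the two-address reading drops it.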

Question 10

Which two of the following statements are TRUE when you run the pnreset command
on the Cisco Security MARS? (Choose two.)

  • A. Clears, sets and initializes database structures
  • B. Sets the debug level that is reported in the logs
  • C. Erases the license file
  • D. Enables you to view the status of the Cisco Security MARS processes and how long the processes have been active
  • E. Sends Cisco IOS data from the Cisco Security MARS database to a network file server
  • F. Lets you add or delete disks in the Cisco Security MARS devices that support RAID configuration without powering down the devices


Answer : A,C

Question 11

Which three data points will you use to correlate reports in the Cisco Security MARS?
(Choose three.)

  • A. Order/Rank By
  • B. Query Criterion
  • C. View Type
  • D. Period of Time


Answer : B,C,D

Question 12

What is the objective of the Service variables defined according to the following exhibit?


  • A. for IP Management Groups creation
  • B. for Query/Reports and Rules creation
  • C. for NetFlow Events Management
  • D. for Data Reduction


Answer : B

Question 13

Cisco Security MARS offers a family of high-performance, scalable appliances for threat
management, monitoring, and mitigation, enabling customers to make more effective use
of network and security devices. What is a supported mitigation feature on the Cisco
Security MARS appliance?

  • A. storing and identifying NetFlow data for attack mitigation
  • B. generating and pushing configuration commands to Layer 2 devices
  • C. generating and pushing configuration commands to Layer 3 devices
  • D. automatically dropping all suspected traffic at the nearest IPS appliance


Answer : B

Question 14

Which attack can be detected by Cisco Security MARS by use of NetFlow data?

  • A. spoof attack
  • B. day-zero attack
  • C. Land attack
  • D. buffer overflow attack


Answer : B
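NetFlow carries no payload, so it cannot match a signature; what it gives a correlation engine is traffic volume per service over time, and a day-zero attack shows up as a departure from that baseline (a service that never existed suddenly appearing, or a known service spiking) rather than as a known pattern. The Python below is an added example of that baseline-and-deviation logic, not MARS code or Cisco's; the flow records are constructed (a steady set of flows per five-minute window and a final window carrying a worm-like burst), and the threshold of three standard deviations and the `min_count` floor for never-seen services are this example's assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed NetFlow-style records, not real exports:
# (window, src, dst, proto, dport, packets). One window is a five-minute bucket.
FLOWS = []
for w in range(13):
    FLOWS += [
        (w, "10.1.1.5", "10.1.2.9",  "tcp", 80,  40),
        (w, "10.1.1.6", "10.1.2.9",  "tcp", 80,  35),
        (w, "10.1.1.7", "10.1.2.10", "tcp", 443, 20),
        (w, "10.1.1.5", "10.1.2.11", "udp", 53,  4),
    ]
    if w % 3 == 0:                       # a little normal jitter on tcp/80
        FLOWS.append((w, "10.1.1.8", "10.1.2.9", "tcp", 80, 12))
# Window 12: thirty hosts each open one flow to a port nobody has ever used,
# and one host fans out across twenty web servers.
for i in range(30):
    FLOWS.append((12, f"10.1.1.{20 + i}", f"10.1.2.{100 + i}", "tcp", 5000, 1))
for i in range(20):
    FLOWS.append((12, "10.1.1.50", f"10.1.2.{100 + i}", "tcp", 80, 1))


def profile(flows):
    """Flow count per (proto, dport) per window -> {service: [count per window]}."""
    per_window = defaultdict(lambda: defaultdict(int))
    windows = sorted({f[0] for f in flows})
    for w, _src, _dst, proto, dport, _pkts in flows:
        per_window[(proto, dport)][w] += 1
    return {svc: [counts.get(w, 0) for w in windows]
            for svc, counts in per_window.items()}


def anomalies(flows, k=3.0, min_count=10):
    """Flag services whose newest window deviates from their baseline.

    Baseline is every earlier window. A service with no history at all is
    the zero-day case: there is nothing to compare against, so it is flagged
    outright once it exceeds min_count flows. A sigma floor of 1.0 keeps a
    perfectly flat baseline from flagging a one-flow wobble."""
    flagged = []
    for svc, series in profile(flows).items():
        *history, current = series
        if any(history):
            mu, sigma = mean(history), pstdev(history)
            if current > mu + k * max(sigma, 1.0):
                flagged.append((svc, current))
        elif current >= min_count:
            flagged.append((svc, current))
    return flagged


if __name__ == "__main__":
    for svc, count in anomalies(FLOWS):
        print(f"{svc[0]}/{svc[1]}: {count} flows in latest window")
```

Both bursts are caught without any signature: tcp/5000 because it has no history, tcp/80 because 23 flows sits far above a baseline of two or three. Neither would be visible to a signature-based sensor until someone had written the signature, which is the sense in which NetFlow anomaly detection covers day-zero attacks.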

Question 15

Which statement about the Cisco Security MARS maintenance procedure is true?

  • A. No new events can be logged when the Cisco Security MARS local database reaches its maximum storage capacity.
  • B. If the archive is generated with one release of software, then the restore has to be done with the same version of software.
  • C. Cisco Security MARS disk drives are not hot-swappable.
  • D. Cisco Security MARS audit logs can be exported to a centralized server for the consolidation and protection of the log data.


Answer : B
