Chapter 12. Security Intelligence Flashcards

1
Q

1. The Security Intelligence mechanism is implemented on which of the following threat defense components?

A. Firewall engine

B. Snort engine

C. Management center

D. All of these answers are correct.

A

B. Security Intelligence is one of the earliest lines of defense in the Snort engine.

2
Q

2. Which of the following statements is true?

A. When you add an IP address to the Do-Not-Block List, a threat defense allows that address to bypass any further inspection.

B. A threat defense updates the Cisco intelligence feed once a month.

C. Adding an IP to the Block List enables you to block an address without redeploying an access control policy.

D. Monitor-only mode of Security Intelligence works only when the threat defense is deployed in passive mode.

A

C. The Add IP to Block List option in the context menu enables you to block an address without redeploying an access control policy.

3
Q

3. Which of the following options can you use to block an IP address using Security Intelligence?

A. Cisco Security Intelligence feed

B. Custom List

C. Context menu for a connection event

D. All of these answers are correct.

A

D. All of these answers are correct. These options—feed, list, and context menu—can be used to block IP addresses.

4
Q

4. To block traffic based on source IP address or destination IP address, which of the following methods would be most optimal for system performance?

A. Prefilter policy

B. Access control policy

C. DNS policy

D. Security Intelligence

A

A. If your goal is to block traffic based on 5-tuple—source port, destination port, source IP, destination IP, and protocol—you should consider deploying a prefilter rule instead of engaging Security Intelligence as the primary method for blocking traffic. It ensures optimal system performance.

5
Q

5. You have just installed a new management center, but you have noticed that no intelligence-based objects are available for selection. What could be the root cause of the issue?

A. The database is corrupt.

B. The management center is disconnected from the Internet.

C. The management center is running an older software version.

D. The management center is not registered with a threat defense.

A

B. On a newly installed management center, the list of intelligence-based objects may not be available for selection. To populate them in the list of available objects and use them as a rule constraint, you need to update the Cisco intelligence feed from the Cisco cloud, which requires Internet connectivity.

6
Q

6. Which of the following commands displays an exact IP address and confirms that the address is included in the current Block List file?

A. cat filename.blf

B. head ip_address filename.blf

C. egrep ip_address *.blf

D. tail ip_address filename.blf

A

C. The egrep ip_address *.blf command searches every Block List file on the threat defense for the address and prints each matching line, which confirms that the address is included in the current Block List file. Because egrep treats the dot as a wildcard and matches substrings (a search for 198.51.100.1 would also match an entry for 198.51.100.10), anchor the pattern with ^ and $ when neighbouring addresses could produce a false match.

7
Q

7. You blocked an address by selecting the Add IP to Block List option. But now, you need to allow the address. Which option would be the best to allow that address again?

A. Adding a prefilter rule for that IP address to fastpath the new connections.

B. Adding an access control rule for that IP address to trust the new connections.

C. Removing that IP address from the Global Block List.

D. All of these answers are correct.

A

C. Any address that you block by selecting the Add IP to Block List option is included in the Global Block List category. So, if you want to unblock the address again, go to Object Management > Security Intelligence and remove the address from the Global Block List.

8
Q

8. When it comes to blocking custom IP addresses using Security Intelligence, which of the following statements is true?

A. Security Intelligence can block traffic intelligently only using a Cisco-provided feed, but any custom addresses are not supported.

B. You need to input one custom IP address at a time and then choose an action for the address.

C. You can create a text file to include custom IP addresses in bulk and input the file directly into a management center.

D. When a connection to or from a custom address is blocked, the connection is marked as the “non-default” category in the Connection Events page.

A

C. You can create a text file to include custom IP addresses in bulk and input the file directly into a management center.
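The following script is an added example that is not part of the flashcards and not Cisco's code. It ties card 6 (checking a Block List file on the threat defense with egrep) to card 8 (a bulk custom list in a text file): it writes a constructed sample list, shows why the unanchored egrep search from card 6 can report a false match, and checks whether an IPv4 address is covered by a CIDR entry, which a line-by-line grep cannot do. The list format it assumes (one address or CIDR block per line, comment lines beginning with #) and the .blf extension from card 6 are assumptions; the sample entries are documentation addresses, not a real feed. grep -E is used in place of the egrep spelling on the card; the two are equivalent.

```shell
#!/bin/sh
# Added example, not code from the page or from Cisco. It works on a
# constructed sample list; '.blf' is the extension the card 6 question uses.

# Write a constructed sample list in the custom-list text format assumed
# here: one IPv4/IPv6 address or CIDR block per line, '#' comment lines.
make_sample_blf() {
    cat > "$1" <<'EOF'
# constructed sample Block List (documentation addresses, not a real feed)
198.51.100.10
198.51.100.100
203.0.113.0/24
2001:db8::1
EOF
}

# Exact-entry check: -x matches the whole line and -F treats '.' literally,
# so 198.51.100.1 cannot match the 198.51.100.10 entry.
ip_in_list() {
    grep -qxF "$1" "$2"
}

# What the card's unanchored 'egrep ip_address *.blf' really does: a regex
# substring match where '.' is a wildcard. Kept only to expose the false match.
ip_in_list_naive() {
    grep -qE "$1" "$2"
}

# Count real entries, skipping comment and blank lines.
count_entries() {
    grep -vE '^[[:space:]]*(#|$)' "$1" | wc -l | tr -d ' '
}

# Dotted-quad IPv4 -> 32-bit integer, using only POSIX shell arithmetic.
ip4_to_int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( ($a << 24) | ($b << 16) | ($c << 8) | $d ))
}

# True when IPv4 $1 is covered by list $2, by an exact entry or by a CIDR
# block. IPv6 entries are skipped; trailing '#' comments are stripped.
ip4_covered() {
    ip="$1"; file="$2"
    n=$(ip4_to_int "$ip")
    while IFS= read -r line || [ -n "$line" ]; do
        entry=$(printf '%s' "${line%%#*}" | tr -d ' \t\r')
        [ -z "$entry" ] && continue
        case "$entry" in
            *:*) continue ;;                      # IPv6 entry, not handled here
            */*)
                bits=${entry#*/}
                mask=$(( $bits == 0 ? 0 : (0xFFFFFFFF << (32 - $bits)) & 0xFFFFFFFF ))
                [ $(( n & mask )) -eq $(( $(ip4_to_int "${entry%/*}") & mask )) ] && return 0 ;;
            *)  [ "$entry" = "$ip" ] && return 0 ;;
        esac
    done < "$file"
    return 1
}

# Stand-alone demonstration on a temporary copy of the constructed list.
demo=$(mktemp)
make_sample_blf "$demo"
ip_in_list_naive 198.51.100.1 "$demo" && echo "naive egrep: 198.51.100.1 'found' (false match)"
ip_in_list 198.51.100.1 "$demo" || echo "exact grep:  198.51.100.1 not in list"
ip4_covered 203.0.113.7 "$demo" && echo "203.0.113.7 is covered by 203.0.113.0/24"
rm -f "$demo"
```

On a threat defense the same exact-match flags apply to the real file: use grep -xF (or an anchored pattern) rather than a bare egrep when the address you are confirming is a prefix of a neighbouring entry, and remember that an address inside a CIDR entry will never show up in a line-by-line search even though the list covers it.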

9
Q

9. When you enable the Threat Intelligence Director (TID), a threat defense acts as the following:

A. Element

B. Observable

C. Indicator

D. Director

A

A. After obtaining the indicators from various sources, the management center publishes the observables to its managed threat defense. In a TID deployment, managed devices are known as elements.
