A comprehensive simulation covering topics related to the SolarWinds Security Event Manager (SEM) platform, including SIEM fundamentals, log analysis, threat detection, real-time monitoring, and automated incident response. This exam tests familiarity with SEM dashboards, rule configuration, correlation logic, agent deployment, and compliance reporting. It prepares IT security professionals to effectively demonstrate their mastery of event management within SolarWinds environments.
Typology: Exams
Question 1. Which component of SolarWinds SEM is responsible for storing normalized events and providing query capabilities?
A) SEM Manager
B) SEM Database
C) SEM Console
D) SEM Agent
Answer: B
Explanation: The SEM Database holds all normalized events and enables searches and reporting.

Question 2. In the SEM Virtual Appliance architecture, which element provides the graphical user interface for administrators?
A) Manager Service
B) Console Service
C) Agent Service
D) Database Service
Answer: B
Explanation: The Console Service runs the web-based UI used to manage and monitor SEM.

Question 3. Which licensing model allows a SEM node to collect logs from any type of device without limitation?
A) Workstation License
B) Universal License
C) Per-Device License
D) Per-User License
Answer: B
Explanation: The Universal License is unrestricted and can collect logs from any device type.

Question 4. When deploying the SEM Virtual Appliance on VMware, which virtual hardware setting is most critical for log retention performance?
A) Number of virtual CPUs
B) Amount of virtual RAM
C) Size of the virtual disk (SSD preferred)
D) Number of virtual NICs
Answer: C
Explanation: A fast SSD improves database write performance, crucial for high-volume log storage.

Question 5. Which time-synchronization protocol should be configured on the SEM Manager to ensure accurate event timestamps?
A) NTP
B) SNTP
C) PTP
D) LDAP
Answer: A
Explanation: Network Time Protocol (NTP) provides precise clock synchronization across devices.

Question 6. Which of the following is a prerequisite for installing a SEM Agent on a Windows system? .NET Framework 4.5 or later must be present.
A) PowerShell 5.
B) .NET Framework 4.5+
C) Windows Server 2019 only

C) SMB file sharing
D) Remote Desktop Protocol (RDP)
Answer: B
Explanation: WinRM allows SEM to pull event logs remotely in an agentless fashion.

Question 10. Which built-in connector is used to parse IIS web server logs into normalized SEM events?
A) Microsoft Exchange Connector
B) Windows Event Log Connector
C) IIS Log Connector
D) Syslog Connector
Answer: C
Explanation: The IIS Log Connector knows the log format and maps fields to SEM event attributes.

Question 11. When creating a custom connector, which XML element defines the regular expression used to extract fields?
A)

B) Raw message text from the log source
C) Username of the account that generated the event
D) Timestamp of the event
Answer: B
Explanation: EventInfo stores the original log message or description.

Question 13. Which predefined event category would a successful LDAP bind be mapped to?
A) Change Management
B) Compliance
C) Security
D) System
Answer: C
Explanation: Authentication activities fall under the Security category.

Question 14. Which dashboard widget would you add to monitor the number of failed logon attempts per hour?
A) Top Sources
B) Event Trend Chart
C) Top Users
D) Event Summary Table
Answer: B
Explanation: An Event Trend Chart can display counts over time for a specific filter, such as failed logons.

Explanation: The Search Scheduler lets you automate searches and define notification actions.

Question 18. In a correlation rule, what does the "Time Window" parameter define?
A) The maximum number of events that can trigger the rule
B) The period during which the rule is active each day
C) The interval in which matching events must occur to satisfy the rule
D) The retention time for rule-generated alerts
Answer: C
Explanation: Time Window sets the maximum time gap between events that together satisfy the rule.

Question 19. Which type of correlation does SEM perform when it evaluates events that arrive within the same second?
A) In-memory correlation
B) Event-time correlation
C) Batch correlation
D) Historical correlation
Answer: A
Explanation: In-memory correlation processes events in real time as they are received.

Question 20. A rule is configured with the condition "Source IP = 10.0.0.5 AND Event Category = Security". Which logical operator connects the two conditions?
A) OR
B) NOT
C) AND
D) XOR
Answer: C
Explanation: The rule uses the AND operator to require both conditions to be true.

Question 21. Which built-in correlation rule detects multiple failed logon attempts from the same source within a 5-minute window?
A) Brute Force Attack Detection
B) Multiple Failed Logins
C) Suspicious Authentication
D) Credential Dumping
Answer: B
Explanation: The "Multiple Failed Logins" rule is designed for that specific pattern.

Question 22. When configuring an active response to block an IP address, which SEM component actually enforces the block?
A) SEM Console
B) SEM Manager
C) SEM Firewall (or integrated firewall module)
D) SEM Agent on the source host
Answer: C
Explanation: The SEM Firewall component pushes firewall rules to block the offending IP.

Question 23. Which of the following is a potential risk of enabling automatic user account disablement as an active response?
A) Increased network latency
B) Accidental lockout of legitimate users
C) Loss of log data retention

Answer: B
Explanation: POST sends data to the server to create a new resource, such as a ticket.

Question 27. Which external threat intelligence format is natively supported by SEM for feed ingestion?
A) STIX/TAXII
B) OpenIOC
C) CSV only
D) JSON Web Token
Answer: A
Explanation: SEM can pull STIX/TAXII feeds directly for IOC matching.

Question 28. In SEM, how can you reference a threat intelligence indicator's "malicious confidence" score inside a correlation rule?
A) %THREAT_CONFIDENCE%
B) ThreatScore() function
C) Indicator.Confidence field
D) It cannot be referenced in rules
Answer: C
Explanation: The Indicator.Confidence attribute is available for rule conditions.

Question 29. Which compliance framework requires tracking of "failed login attempts" and "privileged account changes" that SEM can report on?
A) PCI DSS
Answer: A
Explanation: PCI DSS includes requirements for monitoring authentication failures and privileged account activity.

Question 30. Which SEM report type provides a summary of events that map directly to PCI DSS requirement 10.2.4?
A) PCI DSS Event Log Report
B) SOC Audit Report
C) Compliance Overview Report
D) Change Management Report
Answer: A
Explanation: The PCI DSS Event Log Report is tailored to the specific logging requirements of PCI DSS.

Question 31. To export a report in CSV format for further analysis in Excel, which button must you click after generating the report?
A) Export PDF
B) Export HTML
C) Export CSV
D) Print Report
Answer: C
Explanation: The Export CSV option creates a comma-separated file suitable for spreadsheets.

Answer: B
Explanation: High disk I/O latency directly impacts database write/read performance.

Question 35. If the EPS (Events Per Second) rate exceeds the licensed limit, what is the typical SEM behavior?
A) The manager shuts down completely
B) New events are dropped and logged as "over-limit"
C) All events are queued indefinitely
D) The system automatically upgrades the license
Answer: B
Explanation: SEM discards excess events and records an "over-limit" warning.

Question 36. Which command line tool can be used to verify the connectivity of a SEM Agent to the manager?
A) ping
B) telnet (to port 443)
C) semctl status
D) netstat -an
Answer: C
Explanation: The semctl utility provides status and connectivity checks for agents.

Question 37. During a backup of the SEM Manager, which directory contains the SQLite database files that must be saved?
A) /opt/sem/data/
B) /var/lib/sem/db/
C) C:\Program Files\SolarWinds\SEM\Database\
D) /usr/local/sem/backup/
Answer: C
Explanation: On Windows, the database resides under the Program Files\SolarWinds\SEM\Database folder.

Question 38. After applying a hotfix to the SEM appliance, what is the recommended next step before resuming normal operation?
A) Reboot the appliance immediately
B) Verify the version number in the console's About page
C) Delete all existing alerts
D) Disable all active responses
Answer: B
Explanation: Confirming the hotfix version ensures the update applied correctly.

Question 39. Which FIM policy option allows you to ignore changes to file timestamps while still detecting content modifications?
A) Monitor Size Only
B) Ignore Timestamp Changes
C) Content Hash Check
D) Track Permissions Only
Answer: B
Explanation: The "Ignore Timestamp Changes" setting tells FIM to disregard timestamp updates.

Question 40. To block unauthorized USB storage devices, which SEM feature must be configured?
A) USB Defender

A) A scheduled batch job that runs nightly
B) An in-memory real-time engine that evaluates incoming events against rules
C) A third-party SIEM integration module
D) A static report generator
Answer: B
Explanation: The engine processes events as they arrive, applying correlation logic instantly.

Question 44. Which built-in connector parses Windows Security Event Log ID 4625 (failed logon)?
A) Windows Security Log Connector
B) Windows Event Log Connector
C) Security Event Connector
D) Syslog Connector
Answer: B
Explanation: The generic Windows Event Log Connector includes parsing for ID 4625.

Question 45. If you need to collect logs from a Linux server using the syslog protocol, which port should you configure on the SEM manager?
A) 22 (SSH)
B) 514 (UDP)
C) 1514 (TCP)
D) 443 (HTTPS)
Answer: B
Explanation: Standard syslog traffic uses UDP port 514.

Question 46. Which console view allows you to see a real-time graphical representation of event volume per minute?
A) Live Events
B) Monitor > Event Trend
C) Dashboard > Event Volume Widget
D) Reports > Event Summary
Answer: C
Explanation: The Event Volume widget on the dashboard charts events per minute.

Question 47. To filter events that originated from a specific domain controller, which field should you include in the search query?
A) SourceHost
B) DomainController
C) SourceIP
D) TargetDomain
Answer: A
Explanation: SourceHost contains the hostname of the device that sent the log.

Question 48. Which search operator is used to exclude events where the "Event Category" equals "Change Management"?
A) NOT EventCategory = Change Management
B) EventCategory != Change Management
C) EventCategory <> Change Management
D) EventCategory NOT IN (Change Management)
Answer: B
Explanation: The "!=" operator excludes events matching the specified value.

Explanation: %RULE_NAME% expands to the rule's display name.

Question 52. Which external system can be used to enrich SEM events with vulnerability data via the "Threat Intelligence" feature?
A) Cisco Umbrella
B) Qualys Vulnerability Feed
C) Microsoft Teams
D) Splunk Forwarder
Answer: B
Explanation: Qualys provides vulnerability feeds that SEM can ingest for enrichment.

Question 53. Which PCI DSS control requires the retention of audit logs for at least one year?
A) 10.2.
B) 10.5.
C) 12.3.
D) 11.4.
Answer: B
Explanation: PCI DSS 10.5.3 mandates a minimum of one-year log retention.

Question 54. Which SEM report provides a list of all users who have been added to privileged groups in the last 30 days?
A) Privileged Access Change Report
B) User Account Creation Report
C) Group Membership Audit Report
D) Change Management Summary
Answer: C
Explanation: The Group Membership Audit Report tracks additions and removals from groups.

Question 55. To schedule a compliance report to be emailed every Monday at 08:00, which two settings must be defined?
A) Cron expression and recipient list
B) Day of week and time zone
C) Schedule type (weekly) and start time
D) Report template and output format
Answer: C
Explanation: Selecting "Weekly" and specifying the start time configures the schedule.

Question 56. Which user role is best suited for a SOC analyst who needs to view events and generate reports but cannot change system settings?
A) Administrator
B) Read-Only User
C) Analyst
D) Auditor
Answer: C
Explanation: The Analyst role provides view and reporting capabilities without system-wide privileges.

Question 57. When integrating SEM with Azure AD for single sign-on, which protocol is primarily used?
A) LDAP
B) SAML 2.