An administrator configures new threat intelligence sources and must validate that the feeds are being downloaded and that the intelligence is being used within the Cisco Secure Firewall system. Which action accomplishes the task?
A. Look at the connection security intelligence events
B. Use the source status indicator to validate the usage
C. View the threat intelligence observables to see the downloaded data
D. Look at the access control policy to validate that the intelligence is being used
My answer is "A". B seems right. The question is asking two things:
1. Are the feeds being downloaded?
2. Is the intelligence being used?
According to the explanation below, this meets requirement #1:
"By default, all sources are published, this means that they are pushed to sensors. This process can take up to 20 minutes or more.
Step 3. Under the Indicator tab, you can confirm if indicators were downloaded properly from the configured sources:"
However, to confirm that it is being used as well, we need to verify from the live data, which is Method 2. So my answer is A.
Method 1. To verify if TID acted on the traffic, you need to navigate to the Incidents tab.
Method 2. The incidents can be found under the Security Intelligence Events tab under a TID tag.
Method 3. You can confirm if configured sources (feeds) are present on the FMC and a sensor. To do that, you can navigate to these locations on the CLI:
Two requirements.
First, validate the feeds are being downloaded:
"Step 3. Under the Indicator tab, you can confirm if indicators were downloaded properly from the configured sources:"
Second, validate that the intelligence is being used:
"Step 4. Once you select the name of an indicator you can see more details about it. Indicator Details
NAME
ZeuS Tracker (offline)| 13d.pp.ru/global/config.jp
(2017-08-16) | This domain has been identified as malicious
by zeustracker.abuse.ch
DESCRIPTION
This domain 13d.pp.ru has been identified as malicious by
zeustracker.abuse.ch. For more detailed information about this
indicator go to [CAUTION !! Read-URL-Before-Click]
[https://zeustracker.abuse.ch/monitor.php?host=13d.pp.ru]."
https://www.cisco.com/c/en/us/support/docs/storage-networking/security/214859-configure-and-troubleshoot-cisco-threat.html
Nope. The place you refer to is verifying that incidents occur (using the indicators), not that the indicators themselves have been downloaded correctly. The answer is B.
I agree with you. My choice is "A"
https://www.cisco.com/c/en/us/support/docs/storage-networking/security/214859-configure-and-troubleshoot-cisco-threat.html
I prefer option D. The answer says that the user has already configured a source, so to check that the source will be published on the FTD device you need to verify that the "Enable Threat Intelligence Director" check box is checked in the Advanced Settings of the access control policy.
Community vote distribution: A (35%), C (25%), B (20%), Other