Exam ID: HP0-A116
Exam type: Proctored exam taken at dedicated testing center
Exam duration: 1 hr 30 mins
Exam length: 60 questions
Passing score: 65%
Delivery languages: English
Related certifications:
HP ASE - ArcSight Security V1
HP ATP - ArcSight Security V1
Supporting courses:
These recommended courses help you prepare for the exam
00924200 - HP ArcSight ESM 6.5 Security Administrator and Analyst
Additional study materials:
ArcSight ESM 6.5c Administrator's Guide
ArcSight ESM 6.5c ArcSight Console User's Guide
ArcSight ESM 6.5c ArcSight Command Center User's Guide
ArcSight ESM 6.5c ArcSight Web User's Guide
ArcSight ESM 6.5c Installation and Configuration Guide
ArcSight ESM 6.5c Standard Content Guide
ArcSight SmartConnectors User's Guide
Register for this exam
You will need an HP Learner ID and a Pearson VUE login and
password. No online or hard copy reference material will be allowed
at the testing site. This exam may contain beta test items for
experimental purposes. During the exam, you can make specific
comments about the items (i.e. accuracy, appropriateness to
audience, etc.). HP welcomes these comments as part of our
continuous improvement process.
HP ExpertOne Exam Preparation Guides
HP ArcSight ESM Security Administrator and Analyst
Exam description
This exam tests your skills and abilities related to Enterprise Security
Manager (ESM) product facilities and related user and administrative tasks.
Exam topics include use of the ArcSight Console, ArcSight Command Center,
and ArcSight Web user interfaces to monitor security events, configure
ESM, and manage users, ESM network intelligence resources and ArcSight
ESM workflows. Topics also include tailoring standard ArcSight ESM
content to acquire, search, and correlate actionable event data; and perform
remedial activities such as incident analysis, stakeholder notification, and
reporting security conditions within the network environment.
This certification exam is designed for candidates with on-the-job
experience. The associated training course, which usually includes labs,
provides a knowledge foundation; however, it is highly recommended that
you also have some hands-on, real-world ESM product experience.

Who should take this exam?
New candidates who want to acquire the HP ASE - ArcSight Security V1
Certification.
Exam contents
This exam has 60 questions. Here are types of questions to expect:
Multiple choice (multiple responses)
Multiple choice (single response)
Tips for taking this exam
This exam assesses whether you have the knowledge and skills to navigate
and utilize the ArcSight ESM products as a security solution in a business
development and production environment.
Take the time to read the entire question and consider all of the options
carefully before you answer. If the question indicates that it features an
exhibit, study the exhibit and reread the question. Make sure to select the
answer that correctly responds to the question that is asked, not simply
an answer that includes some correct information. If the question asks for
more than one answer, remember to select each correct answer. You will
not receive partial credit for a partially correct answer.
Objectives
This exam validates that you can successfully perform the following:

HP0-A116 Sections/Objectives
2% Introduction to ESM 6.5
Define ESM User Roles
List ArcSight Components, Interfaces, Information Resources
8% ArcSight Event Schema and Life Cycle
Describe ESM Event Schema and Schema Groups
Identify ArcSight Event Life Cycle Phases and Schema population
5% ArcSight ESM Install and Configuration
Describe Pre-Install Requirements
Identify Install Process (Installation / Configuration Wizards)
Describe reconfiguration and upgrade methods
9% ArcSight ESM Console
Describe Login, user preference, and main tool bar facilities
Navigate Resource trees, Viewer and Edit/Inspect Panels
Access built-in documentation and reference resources.
7% ArcSight Command Center
Login, navigate main tab menus and use the Help Facility
Access dashboards, Event Search, Reports, and Workflow Cases
Navigate Administrative facilities for ESM system configuration, connector status, and event storage and archive
3% ArcSight Web Interface
Login to the Home Page and use the Help Facility
Access Dashboards, Reports, Active Channels and Notifications
9% Active Channels, Filters and Field Sets
Access Active Channels and modify filters and field sets
Use Right-click menus and Event Investigation facilities
8% ESM Rules and Lists

Differentiate Simple vs Join Types Rules, Real-time vs Scheduled Rules
Edit Rule attributes, including Conditions, Aggregation, Actions, and Triggers
Explain the use of Active Lists and Session Lists
8% Dashboards and Data Monitors
Access dashboards and interpret data monitor displays
Describe the benefits of using IdentityView
Explain Drill down to Active Channels
6% Query Viewers
Describe Query Viewer usage
Edit Query Viewers, establish baselines and define drilldowns
6% ESM Reports
Enter Report Runtime parameters, run and archive reports
Edit focused reports and delta reports
Establish and manage report scheduling and distribution
4% Workflow Cases

Describe Workflow Case management
Access existing cases, view events, add attachments and notes
Add a new case, follow up on a case, and finalize a case
5% User Administration
Create ESM Users and User Groups
Explain the Administration of ACLs (Access Control Lists)
Apply ArcSight Password Policy settings
3% User Notifications

Describe Notification functions and resources
Access, modify and configure Notifications
3% Use Case Resources
Describe Use Case concepts
Differentiate Standard Content, Productized/Compliance and Consultant-provided use case deployment
Configure and modify Standard Content Use Cases
4% ArcSight Content Management
Creating ArcSight Packages
Configuring ESM Peering
Establishing manual or scheduled ESM Content Push, Synchronization, and Tracking
8% Event Search, Filters and Saved Searches
Search Events using the Search Builder/Advanced Search tools
Display Search Results and select output options
Export and distribute Search Results
2% ArcSight Support Resources
Access HP ArcSight Support Facilities
Describe Administrative and Support-related resources
Sample questions
Use the following questions to help assess whether you are ready to take the exam. Answers to these sample questions are
provided at the end of this guide.
1. What is the purpose of the ArcSight Enterprise Security Manager (ESM)?
a. enables situational awareness and visibility of the security risks across an organization
b. enables a security bus such that devices may communicate
c. enables security integration between disparate devices
d. enables security device management using a common browser-based Management Console
2. Which user role evaluates reports to determine if corporate objectives or initiatives are met?
a. administrator
b. author
c. business user
d. operator
3. Which component describes the SSL protocol used by the ArcSight Manager to communicate with ArcSight Consoles and
SmartConnectors?
a. Standard Secure Link
b. Secure Sockets Layer
c. System Smart Link
d. Secure Synchronous Layer
4. What are the five criteria that are used to calculate the ArcSight Priority Formula?
a. Model Confidence, Relevance, Severity, Asset Criticality, and agentSeverity
b. Vulnerability, Penetration History, Critical Zone, Asset Category, and eventSeverity
c. Behavior, Outcome, Technique, Device Group, and tupleSignificance
d. eventSource, eventDestination, AttackerID, Target Exposure, and deviceProfile
5. When is a simple rule triggered?
a. when scanned events match a configured set of conditions
b. when correlation events exceed a threshold setting
c. when the number of events exceeds a timeout window
d. when events are aggregated more than three times
6. What is the purpose of the Time Window Expiration (TWE) function in ESM?
a. establishes an Active List TTL (Time To Live)
b. determines the duration for a Rule Threshold
c. escalates an Alert Notification to the next level
d. allows individual entries in Session Lists to expire
7. Which functions do Active Lists provide to ArcSight ESM? (Select two.)
a. reduce system memory use by reducing rule partial matches
b. export and import to other ESM instances through CSV files
c. populate specified Session Lists either manually or on schedules
d. convert directly to Report Queries for long-term trending
e. generate and push categorization profiles to SmartConnectors
Answers
This section provides answers to and references for the sample questions.
1. What is the purpose of the ArcSight Enterprise Security Manager (ESM)?
a. enables situational awareness and visibility of the security risks across an organization
b. enables a security bus such that devices may communicate
c. enables security integration between disparate devices
d. enables security device management using a common browser-based Management Console
References
ArcSight ESM Administrator Analyst Training
Module 1 Introduction to ESM 6.5

2. Which user role evaluates reports to determine if corporate objectives or initiatives are met?
a. administrator
b. author
c. business user
d. operator
References
ArcSight ESM Administrator Analyst Training
Module 1 Introduction to ESM 6.5

3. Which component describes the SSL protocol used by the ArcSight Manager to communicate with ArcSight Consoles and
SmartConnectors?
a. Standard Secure Link
b. Secure Sockets Layer
c. System Smart Link
d. Secure Synchronous Layer
References
ArcSight ESM Administrator Analyst Training
Module 1 Introduction to ESM 6.5
4. What are the five criteria that are used to calculate the ArcSight Priority Formula?
a. Model Confidence, Relevance, Severity, Asset Criticality, and agentSeverity
b. Vulnerability, Penetration History, Critical Zone, Asset Category, and eventSeverity
c. Behavior, Outcome, Technique, Device Group, and tupleSignificance
d. eventSource, eventDestination, AttackerID, Target Exposure, and deviceProfile
References
ArcSight ESM Administrator Analyst Training
Module 2 ArcSight Event Schema and Life Cycle

5. When is a simple rule triggered?
a. when scanned events match a configured set of conditions
b. when correlation events exceed a threshold setting
c. when the number of events exceeds a timeout window
d. when events are aggregated more than three times
References
ArcSight ESM Administrator Analyst Training
Module 8 ESM Rules and Lists

6. What is the purpose of the Time Window Expiration (TWE) function in ESM?
a. establishes an Active List TTL (Time To Live)
b. determines the duration for a Rule Threshold
c. escalates an Alert Notification to the next level
d. allows individual entries in Session Lists to expire
References
ArcSight ESM Administrator Analyst Training
Module 8 ESM Rules and Lists
7. Which functions do Active Lists provide to ArcSight ESM? (Select two.)
a. reduce system memory use by reducing rule partial matches
b. export and import to other ESM instances through CSV files
c. populate specified Session Lists either manually or on schedules
d. convert directly to Report Queries for long-term trending
e. generate and push categorization profiles to SmartConnectors
References
ArcSight ESM Administrator Analyst Training
Module 8 ESM Rules and Lists
For more information
HP ExpertOne: www.hp.com/go/ExpertOne-ContactUs
Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.
Created January 2014, Rev. 1