
C1000-162 IBM Security QRadar SIEM V7.5 Analysis Question and Answers

Question # 4

Which two (2) options are at the top level when an analyst right-clicks on the Source IP or Destination IP that is associated with an offense at the Offense Summary?

A. Information
B. Asset Summary page
C. Navigate
D. WHOIS Lookup
E. DNS Lookup

Question # 5

The magnitude rating of an offense in QRadar is calculated based on which values?

A. Relevance, severity, importance
B. Relevance, credibility, severity
C. Criticality, severity, importance
D. Criticality, severity, credibility

Question # 6

Offense chaining is based on which field that is specified in the rule?

A. Rule action field
B. Offense response field
C. Rule response field
D. Offense index field

Question # 7

Which two (2) types of data can be displayed by default in the Application Overview dashboard?

A. Login Failures by User (real-time)
B. Flow Rate (Flows per Second - Peak 1 Min)
C. Top Applications (Total Bytes)
D. Outbound Traffic by Country (Total Bytes)
E. ICMP Type/Code (Total Packets)

Question # 8

A mapping of a username to a user’s manager can be stored in a Reference Table and output in a search or a report.

Which mechanism could be used to do this?

A. Quick Search filters can select users based on their manager’s name.
B. Reference Table lookup values can be accessed in an advanced search.
C. Reference Table lookup values can be accessed as custom event properties.
D. Reference Table lookup values are automatically used whenever a saved search is run.

Question # 9

What is an effective method to fix an event that is parsed and determined to be unknown or in the wrong QRadar category?

A. Create a DSM extension to extract the category from the payload
B. Create a Custom Property to extract the proper Category from the payload
C. Open the event details, select map event, and assign it to the correct category
D. Write a Custom Rule, and use Rule Response to send a new event in the proper category

Question # 10

A QRadar analyst wants predefined searches, reports, custom rules, and custom properties for HIPAA compliance.

Which option does the QRadar analyst use to look for HIPAA compliance on QRadar?

A. Use Case Manager app
B. QRadar Pulse app
C. IBM X-Force Exchange portal to download content packs
D. IBM Fix Central to download new rules

Question # 11

Which kind of information do log sources provide?

A. User login actions
B. Operating system updates
C. Flows generated by users
D. Router configuration exports

Question # 12

How does a Device Support Module (DSM) function?

A. A DSM is a configuration file that combines received events from multiple log sources and displays them as offenses in QRadar.
B. A DSM is a background service running on the QRadar appliance that reaches out to devices deployed in a network for configuration data.
C. A DSM is a configuration file that parses received events from multiple log sources and converts them to a standard taxonomy format that can be displayed as outputs.
D. A DSM is an installed appliance that parses received events from multiple log sources and converts them to a standard taxonomy format that can be displayed as outputs.

Question # 13

After analyzing an active offense where many source systems were observed connecting to a specific destination via local-to-local LDAP traffic, an analyst discovered that the targeted system is a legitimate LDAP server within the organization.

To avoid confusion in future analyses, how can this type of traffic to the target system be flagged as expected and be excluded from further offense creation?

A. Add the IP address of the LDAP server to the BB:Host Definition: LDAP Servers building block.
B. Remove the IP address of the source systems from the Global False Positive Events building block.
C. Add the IP address of the source systems to the All Default Positive building block.
D. Remove the IP address of the LDAP server from the network hierarchy.

Question # 14

What is the effect of toggling the Global/Local option to Global in a Custom Rule?

A. It allows a rule to compare events & flows in real time.
B. It allows a rule to analyze the geographic location of the event source.
C. It allows rules to be tracked by the central processor for detection by any Event Processor.
D. It allows a rule to inject new events back into the pipeline to affect and update other incoming events.

Question # 15

When examining time fields on Event Information, which one represents the time QRadar received the raw event?

A. Processing Time
B. Log Source Time
C. Start Time
D. Storage Time

Question # 16

What is the result of the following AQL statement?

A. Returns all fields where the username contains the ERS string and is case-sensitive
B. Returns all fields where the username contains the ERS string and is case-insensitive
C. Returns all fields where the username is different from the ERS string and is case-insensitive
D. Returns all fields where the username is different from the ERS string and is case-sensitive

Question # 17

How can an analyst identify the top rules that generated offenses in the previous week and were closed as false positives or tuned?

A. From Reports > Offenses Report > Weekly reports > False positives reports
B. Use Case Manager app > Active Rules > Filter Offenses with start date > Closure Reason > Select False-Positive, Tuned
C. Use Case Manager app > CRE Report > Filter Offenses with the following direction > R2R > Select False-Positive, Tuned.
D. From Reports > CRE Report > Weekly reports > False positives reports

Question # 18

In Rule Response, which two (2) options are available for Offense Naming?

A. This information should be removed from the current name of the associated offenses
B. This information should contribute to the name of the associated offenses
C. This information should set or replace the name of the associated offenses
D. This information should contribute to the dispatched event name of the associated offenses
E. This information should contribute to the category naming of the associated offenses

Question # 19

Which two (2) statements regarding indexed custom event properties are true?

A. The indexed filter adds to portions of the data set.
B. The indexed filter eliminates portions of the data set and reduces the overall data volume and number of event or flow logs that must be searched.
C. By default, data retention for the index payload is 7 days.
D. Indexing searches a full event payload for values.
E. Use indexed event and flow properties to optimize your searches.

Question # 20

Which two (2) aggregation types are available for the pie chart in the Pulse app?

A. Last
B. Middle
C. Total
D. First
E. Average

Question # 21

Which action is performed in Edit Search to create a report from Offense data?

A. Under Search Parameters, select "Use Offense Data".
B. In the Select Data Source for report field, select "Offense".
C. In the Data Source field, type offense.
D. Under Search Parameters, select "Associated With Offense Equals True".

Question # 22

Which statement regarding the Assets tab is true?

A. The display is populated with all discovered assets in your network.
B. It displays flow information to determine how and what network traffic is communicated.
C. It displays connection information to determine how different network devices are connected.
D. The display is populated with all eliminated and recreated assets in your network.

Question # 23

When you create a report, you must choose a chart type for each chart that is included in the report.

Which two (2) chart types can you include in a report?

A. Flows
B. Raw Data
C. Containers
D. Scanners
E. Log Sources

Question # 24

Which two high level Event Categories are used by QRadar? (Choose two.)

A. Policy
B. Direction
C. Localization
D. Justification
E. Authentication

Question # 25

From which tabs can a QRadar custom rule be created?

A. Log Activity or Network Action tabs
B. Offenses or Admin tabs
C. Offenses, Log Activity, or Network Activity tabs
D. Offenses, Assets, or Log Action tabs

Question # 26

Reports can be generated by using which file formats in QRadar?

A. PDF, HTML, XML, XLS
B. JPG, GIF, BMP, TIF
C. TXT, PNG, DOC, XML
D. CSV, XLSX, DOCX, PDF

Question # 27

How long does QRadar store payload indexes by default?

A. 7 days
B. 30 days
C. 14 days
D. 90 days

Question # 28

A QRadar analyst can check the rule coverage of MITRE ATT&CK tactics and techniques by using Use Case Manager.

In the Use Case Manager app, how can a QRadar analyst check the offenses triggered and mapped to the MITRE ATT&CK framework?

A. By navigating to "CRE Report"
B. From Offenses tab
C. By clicking on "Tuning Home"
D. By navigating to "Detected in timeframe"

Question # 29

Select all that apply

What is the sequence to create and save a new search called "Offense Data" that shows all the CRE events that are associated with offenses?

Question # 30

On the Offenses tab, which column explains the cause of the offense?

A. Description
B. Offense Type
C. Magnitude
D. IPs

Question # 31

How does a QRadar analyst get to more information about a MITRE entry in the Use Case Manager?

A. Hover over the entry and read the tooltip
B. Highlight the entry and click the help button
C. Click the Tactic’s Explore icon to reveal and open the MITRE web page
D. Use the Threat Intelligence app

Question # 32

The Pulse app contains which two (2) widget chart types?

A. Small number chart
B. Hexadecimal chart
C. Binary chart
D. Scatter chart
E. Big number chart

Question # 33

In QRadar, what are building blocks?

A. A rule under the rule group "System"
B. A collection of tests that don't result in a response or an action
C. A network hierarchy node
D. An entry in the reference set named "System Entries"

Question # 34

Which parameter is calculated based on the relevance, severity, and credibility of an offense?

A. Magnitude rating
B. Severity age
C. Impact rating

Question # 35

The Use Case Manager app has an option to see the MITRE heat map.

Which two (2) factors are responsible for the different colors in the MITRE heat map?

A. Number of events associated to offense
B. Number of rules mapped
C. Level of mapping confidence
D. Number of offenses generated
E. Number of log sources associated

Question # 36

On the Reports tab in QRadar, what does the message "Queued (position in the queue)" indicate when generating a report?

A. The report is scheduled to run, and the message is a count-down timer that specifies when the report will run next.
B. The report is ready to be viewed in the Generated Reports column.
C. The report is generating.
D. The report is queued for generation and the message indicates the position of the report in the queue.

Question # 37

Which two (2) are valid options available for configuring the frequency of report execution in the QRadar Report wizard?

A. Quarterly
B. Automatically
C. Monthly
D. Yearly
E. Manually

Question # 38

Which two (2) AQL functions are used for calculations and formatting?

A. INCIDR
B. START
C. LOWER
D. STRLEN
E. GROUP BY

Question # 39

Which two (2) options are used to search offense data on the By Networks page?

A. Raw/Flows
B. Events/Flows
C. NetIP
D. Severity
E. Network

Question # 40

Several systems were initially reviewed as active offenses, but further analysis revealed that the traffic generated by these source systems is legitimate and should not contribute to offenses.

How can the activity be fine-tuned when multiple source systems are found to be generating the same event and targeting several systems?

A. Edit the building blocks by using the Custom Rules Editor to tune out a destination IP
B. Use the Log Source Management app to tune the event
C. Edit the building blocks by using the Custom Rules Editor to tune out the specific event
D. Edit the building blocks by using the Custom Rules Editor to tune out a source IP

Question # 41

During an active offense review, an analyst observed that a single source system generated a significant amount of high-rate traffic for transferring outbound mail via port 25. The system responsible for this traffic was not authorized to function as a mail server.

What is the correct action in this situation?

A. Add the IP address of the source system to the Host Definition Mail Servers building block.
B. Continue to investigate the offense and follow the organization’s response processes to stop the source system’s traffic.
C. Submit a request to the firewall team to allow this type of traffic from the source system to remote destinations.
D. Use the False Positive Wizard to tune the specific event and event category.