Pre-Winter Special Sale - Limited Time 65% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: suredis

IBM C1000-162 IBM Security QRadar SIEM V7.5 Analysis Exam Practice Test

Page: 1 / 14
Total 139 questions

IBM Security QRadar SIEM V7.5 Analysis Questions and Answers

Testing Engine

  • Product Type: Testing Engine
$42  $119.99

PDF Study Guide

  • Product Type: PDF Study Guide
$36.75  $104.99
Question 1

In Rule Response, which two (2) options are available for Offense Naming?

Options:

A.

This information should be removed from the current name of the associated offenses

B.

This information should contribute to (he name of the associated offenses

C.

This information should set or replace the name of the associated offenses

D.

This information should contribute to the dispatched event name of the associated offenses.

E.

This information should contribute to the category naming of the associated offenses

Question 2

New vulnerability scanners are deployed in the company's infrastructure and generate a high number of offenses. Which function in the Use Case Manager app does an analyst use to update the list of vulnerability scanners?

Options:

Question 3

From the Offense Summary window, how is the list of rules that contributed to a chained offense identified?

Options:

A.

Select Display > Notes

B.

Select Actions > Rules

C.

Select Display > Rules

D.

Listed in the notes section

Question 4

Which two (2) aggregation types are available for the pie chart in the Pulse app?

Options:

A.

Last

B.

Middle

C.

Total

D.

First

E.

Average

Question 5

When using the Dynamic Search window on the Admin tab, which two (2) data sources are available?

Options:

A.

ASSETS

B.

PAYLOAD

C.

OFFENSES

D.

AOL QUERY

E.

SAVED SEARCHES

Question 6

When searching for all events related to "Login Failure", which parameter should a security analyst use to filter the events?

Options:

A.

Event Asset Name

B.

Event Collector

C.

Anomaly Detection Event

D.

Event Name

Question 7

QRadar analysts can download different types of content extensions from the IBM X-Force Exchange portal. Which two (2) types of content extensions are supported by QRadar?

Options:

A.

Custom Functions

B.

Events

C.

Flows

D.

FGroup

E.

Offenses

Question 8

Which statement regarding the Assets tab is true?

Options:

A.

The display is populated with all discovered assets in your network.

B.

It displays flow information to determine how and what network traffic is communicated.

C.

It displays connection information to determine how different network devices are connected.

D.

The display is populated with all eliminated and recreated assets in your network.

Question 9

Which two (2) columns are valid for searches in the My Offenses and All Offenses tabs in QRadar?

Options:

A.

Impact

B.

Source IPs

C.

Relevance

D.

Weight

E.

Id

Question 10

How can an analyst search for all events that include the keyword "access"?

Options:

A.

Go to the Network Activity tab and run a quick search with the "access" keyword.

B.

Go to the Log Activity tab and run a quick search with the "access" keyword.

C.

Go to the Offenses tab and run a quick search with the "access" keyword.

D.

Go to the Log Activity tab and run this AOL: select * from events where eventname like 'access'.

Question 11

What Is the result of the following AQL statement?

Options:

A.

Returns all fields where the username contains the ERS string and is case-sensitive

B.

Returns all fields where the username contains the ERS string and is case-insensitive

C.

Returns all fields where the username is different from the ERS string and is case-insensitive

D.

Returns all fields where the username is different from the ERS string and is case-sensitive

Question 12

Which two (2) options are used to search offense data on the By Networks page?

Options:

A.

Raw/Flows

B.

Events/Flows

C.

NetIP

D.

Severity

E.

Network

Question 13

What does this example of a YARA rule represent?

rule ibm_forensics : qradar

meta:

description = “Complex Yara rule.“

strings:

Shexl = {4D 2B 68 00 ?? 14 99 F9 B? 00 30 Cl 8D}

Sstrl = "IBM Security!"

condition:

Shexl and (#strl > 3)

Options:

A.

Flags content that contains the hex sequence, and hex1 at least three times

B.

Flags containing hex sequence and str1 less than three times

C.

Flags for str 1 at an offset of 25 bytes into the file

D.

Flags content that contains the hex sequence, and str1 greater than three times

Question 14

How can an analyst improve the speed of searches in QRadar?

Options:

A.

Narrow the overall data by adding an indexed field in the search query.

B.

Increase the overall data in the search query.

C.

Use Index Management to disable indexing.

D.

Remove all indexed fields from the search query.

Question 15

An analyst wants to implement an AQL search in QRadar. Which two (2) tabs can be used to accomplish this implementation?

Options:

A.

Assets

B.

Vulnerabilities

C.

Log Activity

D.

Offenses

E.

Network Activity

Question 16

What does this example of a YARA rule represent?

Options:

A.

Flags containing hex sequence and str1 less than three times

B.

Flags content that contains the hex sequence, and hex! at least three times

C.

Flags for str1 at an offset of 25 bytes into the file

D.

Flags content that contains the hex sequence, and str1 greater than three times

Question 17

A new log source was configured to send events to QRadar to help detect a malware outbreak. A security analyst has to create an offense based on properties from this payload but not all the information is parsed correctly.

What is the sequence of steps to ensure that the correct information is pulled from the payload to use in a rule?

Options:

Question 18

Which statement regarding the use of the internal structured language of the QRadar database is true?

Options:

A.

Use AQL to extract, filter, and perform actions on event and flow data that you extract from the Ariel database

B.

Use AQL to extract, filter and manipulate event, flow and use cases data from the Ariel database

C.

Use AQL to accelerate and make tuning event and flow data from the Ariel database

D.

Use AQL to accelerate and make tuning event, flow and use cases data from the Ariel database

Question 19

What is the effect of toggling the Global/Local option to Global in a Custom Rule?

Options:

A.

It allows a rule to compare events & flows in real time.

B.

It allows a rule to analyze the geographic location of the event source.

C.

It allows rules to be tracked by the central processor for detection by any Event Processor.

D.

It allows a rule to inject new events back into the pipeline to affect and update other incoming events.

Question 20

Which log source and protocol combination delivers events to QRadar in real time?

Options:

A.

Sophos Enterprise console via JDBC

B.

McAfee ePolicy Orchestrator via JDBC

C.

McAfee ePolicy Orchestrator via SNMP

D.

Solaris Basic Security Mode (BSM) via Log File Protocol

Question 21

On the Reports tab in QRadar. what does the message "Queued (position in the queue)" indicate when generating a report?

Options:

A.

The report is scheduled to run, and the message is a count-down timer that specifies when the report will run next.

B.

The report is ready to be viewed in the Generated Reports column.

C.

The report is generating.

D.

The report is queued for generation and the message indicates the position of the report in the queue.

Question 22

An analyst wishes to review an event which has a rules test against both event and flow data.

What kind of rule is this?

Options:

A.

Anomaly rules

B.

Threshold rules

C.

Offense rules

D.

Common rules

Question 23

Where can you view a list of events associated with an offense in the Offense Summary window?

Options:

A.

Destination IPs

B.

Events from Event/Flow count column

C.

Display > Destination IPs

D.

Source IPs

Question 24

Which kind of information do log sources provide?

Options:

A.

User login actions

B.

Operating system updates

C.

Flows generated by users

D.

Router configuration exports.

Question 25

Which IBM X-Force Exchange feature could be used to query QRadar to see if any of the lOCs were detected for COVID-19 activities?

Options:

A.

TAXI I automatic updates

B.

STIX Bundle

C.

Threat Intelligence ATP

D.

Ami Affected

Question 26

An analyst runs a search with correct AQL. but no errors or results are shown.

What is one reason this could occur?

Options:

A.

The Quick Filter option is selected.

B.

The AQL search needs to be saved as a Quick Search before it can display any query.

C.

Microsoft Edge is not a supported browser.

D.

AQL search needs to be enabled in System Settings.

Question 27

Which statement regarding saved event search criteria is true?

Options:

A.

Saved search criteria expires

B.

Saved search criteria does not expire

C.

Saved search criteria cannot be reused

D.

You cannot define the name of the saved search criteria

Question 28

What are the behavioral rule test parameter options?

Options:

A.

Behavioral rule. Current traffic level, Predicted value

B.

Season, Anomaly detection. Current traffic trend

C.

Season, Current traffic level, Predicted value

D.

Current traffic behavior. Behavioral rule. Current traffic level

Question 29

Which two (2) types of data can be displayed by default in the Application Overview dashboard?

Options:

A.

Login Failures by User {real-time)

B.

Flow Rate (Flows per Second - Peak 1 Min)

C.

Top Applications (Total Bytes)

D.

Outbound Traffic by Country (Total Bytes)

E.

ICMP Type/Code (Total Packets)

Question 30

For a rule containing the test "and when the source is located in this geographic location" to work properly, what must a QRadar analyst configure?

Options:

A.

IBM X-Force Exchange updates

B.

MaxMind updates

C.

IBM X-Force Exchange ATP updates

D.

Watson updates

Question 31

A Security Analyst has noticed that an offense has been marked inactive.

How long had the offense been open since it had last been updated with new events or flows?

Options:

A.

1 day + 30 minutes

B.

5 days + 30 minutes

C.

10 days + 30 minutes

D.

30 days + 30 minutes

Question 32

What process is used to perform an IP address X-Force Exchange Lookup in QRadar?

Options:

A.

Offense summary tab > right-click IP address > Plugin Option > X-Force Exchange Lookup

B.

Copy the IP address and go to X-Force Exchange to perform the lookup

C.

Run Autoupdate

D.

Run a query on maxmind db

Question 33

What type of rules will test events or flows for volume changes that occur in regular patterns to detect outliers?

Options:

A.

Behavioral rules

B.

Anomaly rules

C.

Custom rules

D.

Threshold rules

Question 34

What does the logical operator != in an AQL query do?

Options:

A.

Compares a property to a value and returns false if they are unequal

B.

Takes a value and raises it to the specified power and returns the result

C.

Sets the value on the left of the operator equal to the right

D.

Compares two values and returns true if they are unequal

Question 35

On the Offenses tab, which column explains the cause of the offense?

Options:

A.

Description

B.

Offense Type

C.

Magnitude

D.

IPs

Question 36

When an analyst is investigating an offense, what is the property that specifies the device that attempts to breach the security of a component on the network?

Options:

A.

Source IP

B.

Network

C.

Destination IP

D.

Port

Question 37

Which two (2) values are valid for the Offense Type field when a search is performed in the My Offenses or All Offenses tabs?

Options:

A.

QID

B.

Any

C.

Risk Score

D.

DDoS

E.

Source IP

Question 38

Which type of rule requires a saved search that must be grouped around a common parameter

Options:

A.

Flow Rule

B.

Event Rule

C.

Common Rule

D.

Anomaly Rule

Question 39

When investigating an offense, how does one find the number of flows or events associated with it?

Options:

A.

EvenVFIow count field

B.

List Events/Flows

C.

Export count to CSV

D.

Display > Events

Question 40

Which two (2) options are at the top level when an analyst right-clicks on the Source IP or Destination IP that is associated with an offense at the Offense Summary?

Options:

A.

Information

B.

DNS Lookup

C.

Navigate

D.

WHOIS Lookup

E.

Asset Summary page

Question 41

How long does QRadar store payload indexes by default?

Options:

A.

7 days

B.

30 days

C.

14 days

D.

90 days

Page: 1 / 14
Total 139 questions