Summer Special Limited Time 65% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: suredis

IBM C1000-162 IBM Security QRadar SIEM V7.5 Analysis Exam Practice Test

Page: 1 / 13
Total 127 questions

IBM Security QRadar SIEM V7.5 Analysis Questions and Answers

Testing Engine

  • Product Type: Testing Engine
$42  $119.99

PDF Study Guide

  • Product Type: PDF Study Guide
$36.75  $104.99
Question 1

On the Reports tab in QRadar. what does the message "Queued (position in the queue)" indicate when generating a report?

Options:

A.

The report is scheduled to run, and the message is a count-down timer that specifies when the report will run next.

B.

The report is ready to be viewed in the Generated Reports column.

C.

The report is generating.

D.

The report is queued for generation and the message indicates the position of the report in the queue.

Question 2

Reports can be generated by using which file formats in QRadar?

Options:

A.

PDF, HTML, XML, XLS

B.

JPG, GIF, BMP, TIF

C.

TXT, PNG, DOC, XML

D.

CSV, XLSX, DOCX, PDF

Question 3

A QRadar analyst wants predefined searches, reports, custom rules, and custom properties for HIPAA compliance.

Which option does the QRadar analyst use to look for HIPAA compliance on QRadar?

Options:

A.

Use Case Manager app

B.

QRadar Pulse app

C.

IBM X-Force Exchange portal to download content packs

D.

IBM Fix Central to download new rules

Question 4

Which two (2) types of categories comprise events?

Options:

A.

Unsupported

B.

Unfound

C.

Stored

D.

Found

E.

Parsed

Question 5

Which IBM X-Force Exchange feature could be used to query QRadar to see if any of the lOCs were detected for COVID-19 activities?

Options:

A.

TAXI I automatic updates

B.

STIX Bundle

C.

Threat Intelligence ATP

D.

Ami Affected

Question 6

What is the default number of notifications that the System Notification dashboard can display?

Options:

A.

50 notifications

B.

20 notifications

C.

10 notifications

D.

5 notifications

Question 7

Which are types of reference data collections in QRadar?

Options:

A.

Reference set. Reference data, and Reference rule

B.

Reference set, Reference map. and Reference map of maps

C.

Reference data. Reference table, and Reference event

D.

Reference event, Reference map of sets, and Reference data

Question 8

Which of these statements regarding the deletion of a generated content report is true?

Options:

A.

Only specific reports that were not generated from the report template as well as the report template are deleted.

B.

All reports that were generated from the report template are deleted, but the report template is retained.

C.

All reports that were generated from the report template as well as the report template are deleted.

D.

Only specific reports that were not generated from the report template are deleted, but the report template is retained.

Question 9

Which kind of information do log sources provide?

Options:

A.

User login actions

B.

Operating system updates

C.

Flows generated by users

D.

Router configuration exports.

Question 10

On the Log Activity tab in QRadar. what are the options available when right-clicking an IP address of an event to access more event filter information?

Options:

A.

Filter on. False Positive. More Options. Quick Filter

B.

Filter out, False Negative, More Options, Quick Filter

C.

Filter off, True Positive, Less Options, Quick Search

D.

Filter in, True Negative, Less Options. Quick Search

Question 11

What type of rules will test events or flows for volume changes that occur in regular patterns to detect outliers?

Options:

A.

Behavioral rules

B.

Anomaly rules

C.

Custom rules

D.

Threshold rules

Question 12

To test for authorized access to a patent, create a list that uses a custom event property for Patent id as the key, and the username parameter as the value. Data is stored in records that map a key to multiple values and every key is unique. Use this list to populate a list of authorized users.

The example above refers to what kind of reference data collections?

Options:

A.

Reference map of maps

B.

Reference map

C.

Reference map of sets

D.

Reference table

Question 13

What is the benefit of using default indexed properties for searching in QRadar?

Options:

A.

It increases the amount of data required to be searched.

B.

It improves the speed of searches.

C.

It returns fewer results than non-indexed properties.

D.

It reduces the number of indexed search values.

Question 14

Which type of rule requires a saved search that must be grouped around a common parameter

Options:

A.

Flow Rule

B.

Event Rule

C.

Common Rule

D.

Anomaly Rule

Question 15

A Security Analyst was asked to search for an offense on a specific day. The requester was not sore of the time frame, but had Source Host information to use as well as networks involved, Destination IP and username.

Which fitters can the Security Analyst use to search for the information requested?

Options:

A.

Offense ID, Source IP, Username

B.

Magnitude, Source IP, Destination IP

C.

Description, Destination IP. Host Name

D.

Specific Interval, Username, Destination IP

Question 16

A QRadar analyst develops an advanced search on the Log Activity tab and presses the shortcut "Ctrl + Space" in the search field. What information is displayed?

Options:

A.

The full list of AQL databases, functions and fields (properties) is displayed.

B.

The full list of AQL tables and relationships from a database is displayed.

C.

The full list of AOL functions, fields (properties), and keywords is displayed.

D.

The full list of AQL functions, tables, and views from a database is displayed.

Question 17

What right-click menu option can an analyst use to find information about an IP or URL?

Options:

A.

IBM Advanced Threat lookup

B.

Watson Advisor Al IOC Lookup

C.

QRadar Anomaly lookup

D.

X-Force Exchange Lookup

Question 18

A new log source was configured to send events to QRadar to help detect a malware outbreak. A security analyst has to create an offense based on properties from this payload but not all the information is parsed correctly.

What is the sequence of steps to ensure that the correct information is pulled from the payload to use in a rule?

Options:

Question 19

Which flow fields should be used to determine how long a session has been active on a network?

Options:

A.

Start time and end time

B.

Start time and storage time

C.

Start time and last packet time

D.

Last packet time and storage time

Question 20

Many offenses are generated and an analyst confirms that they match some kind of vulnerability scanning.

Which building block group needs to be updated to include the source IP of the vulnerability assessment (VA) scanner to reduce the number of offenses that are being generated?

Options:

A.

Host reference

B.

Host definitions

C.

Behavior definition

D.

Device definition

Question 21

Which two (2) aggregation types are available for the pie chart in the Pulse app?

Options:

A.

Last

B.

Middle

C.

Total

D.

First

E.

Average

Question 22

How can an analyst search for all events that include the keyword "access"?

Options:

A.

Go to the Network Activity tab and run a quick search with the "access" keyword.

B.

Go to the Log Activity tab and run a quick search with the "access" keyword.

C.

Go to the Offenses tab and run a quick search with the "access" keyword.

D.

Go to the Log Activity tab and run this AOL: select * from events where eventname like 'access'.

Question 23

What are the behavioral rule test parameter options?

Options:

A.

Behavioral rule. Current traffic level, Predicted value

B.

Season, Anomaly detection. Current traffic trend

C.

Season, Current traffic level, Predicted value

D.

Current traffic behavior. Behavioral rule. Current traffic level

Question 24

An analyst wishes to review an event which has a rules test against both event and flow data.

What kind of rule is this?

Options:

A.

Anomaly rules

B.

Threshold rules

C.

Offense rules

D.

Common rules

Question 25

When using the Dynamic Search window on the Admin tab, which two (2) data sources are available?

Options:

A.

ASSETS

B.

PAYLOAD

C.

OFFENSES

D.

AOL QUERY

E.

SAVED SEARCHES

Question 26

Several systems were initially reviewed as active offenses, but further analysis revealed that the traffic generated by these source systems is legitimate and should not contribute to offenses.

How can the activity be fine-tuned when multiple source systems are found to be generating the same event and targeting several systems?

Options:

A.

Edit the building blocks by using the Custom Rules Editor to tune out a destination IP

B.

Use the Log Source Management app to tune the event

C.

Edit the building blocks by using the Custom Rules Editor to tune out the specific event

D.

Edit the building blocks by using the Custom Rules Editor to tune out a source IP

Question 27

What does an analyst need to do before configuring the QRadar Use Case Manager app?

Options:

A.

Create a privileged user.

B.

Create an authorized service token.

C.

Check the license agreement.

D.

Run a QRadar health check.

Question 28

How long does QRadar store payload indexes by default?

Options:

A.

7 days

B.

30 days

C.

14 days

D.

90 days

Question 29

Which parameter should be used if a security analyst needs to filter events based on the time when they occurred on the endpoints?

Options:

A.

Inspect "Log Time interval"

B.

Evaluate "Storage Time"

C.

Examine "Log Source Time"

D.

Review "Time Period"

Question 30

What is the effect of toggling the Global/Local option to Global in a Custom Rule?

Options:

A.

It allows a rule to compare events & flows in real time.

B.

It allows a rule to analyze the geographic location of the event source.

C.

It allows rules to be tracked by the central processor for detection by any Event Processor.

D.

It allows a rule to inject new events back into the pipeline to affect and update other incoming events.

Question 31

What is an effective method to fix an event that is parsed an determined to be unknown or in the wrong QReader category/

Options:

A.

Create a DSM extension to extract the category from the payload

B.

Create a Custom Property to extract the proper Category from the payload

C.

Open the event details, select map event, and assign it to the correct category

D.

Write a Custom Rule, and use Rule Response to send a new event in the proper category

Question 32

Which type of rule should you use to test events or (lows for activities that are greater than or less than a specified range?

Options:

A.

Behavioral rules

B.

Anomaly rules

C.

Custom rules

D.

Threshold rules

Question 33

Which two (2) statements regarding indexed custom event properties are true?

Options:

A.

The indexed filter adds to portions of the data set.

B.

The indexed filter eliminates portions of the data set and reduces the overall data volume and number of event or flow logs that must be searched.

C.

By default, data retention for the index payload is 7 days.

D.

Indexing searches a full event payload for values.

E.

Use indexed event and flow properties to optimize your searches.

Question 34

Which two (2) of these custom property expression types are supported in QRadar?

Options:

A.

XLS

B.

YAML

C.

JSON

D.

Regex

E.

HTML

Question 35

Which two (2) options are at the top level when an analyst right-clicks on the Source IP or Destination IP that is associated with an offense at the Offense Summary?

Options:

A.

Information

B.

DNS Lookup

C.

Navigate

D.

WHOIS Lookup

E.

Asset Summary page

Question 36

What does this example of a YARA rule represent?

rule ibm_forensics : qradar

meta:

description = “Complex Yara rule.“

strings:

Shexl = {4D 2B 68 00 ?? 14 99 F9 B? 00 30 Cl 8D}

Sstrl = "IBM Security!"

condition:

Shexl and (#strl > 3)

Options:

A.

Flags content that contains the hex sequence, and hex1 at least three times

B.

Flags containing hex sequence and str1 less than three times

C.

Flags for str 1 at an offset of 25 bytes into the file

D.

Flags content that contains the hex sequence, and str1 greater than three times

Question 37

An analyst must create a reference set collection containing the IPv6 addresses of command-and-control servers in an IBM X-Force Exchange collection in order to write a rule to detect any enterprise traffic with those malicious IP addresses.

What value type should the analyst select for the reference set?

Options:

A.

IP

B.

IPv6

C.

IPv4 or IPv6

D.

AlphaNumeric (Ignore Case)

Question 38

How does a QRadar analyst get to more information about a MITRE entry in the Use Case Manager?

Options:

A.

Hover over the entry and read the tooltip

B.

Highlight the entry and click the help button

C.

Click the Tactic’s Explore icon to reveal and open the MITRE web page

D.

Use the Threat Intelligence app

Page: 1 / 13
Total 127 questions