A client uses the IBM Security QRadar Vulnerability Manager to discover vulnerabilities on the network devices, applications, and software. They run the QRadar Vulnerability Manager from an All-in-one system, where the scanning and processing functions are on the Console. As the client’s QRadar deployment is growing, they are also considering deploying scanners.
What is a valid client motivation for deploying additional scanners?
- A . To scan an asset in the same geographic region as the QRadar Vulnerability Manager processor.
- B . To patch assets for their vulnerabilities.
- C . To avoid scanning through a firewall that is a log source.
- D . To find more vulnerabilities on a given system.
A deployment professional found the System Activity Reporting (SAR) notification "Performance degradation was detected in the event pipeline. Expensive DSM extensions were found". From the creation dates listed under Log Sources, it can be seen that a new DSM was installed by another team member today.
To troubleshoot this issue, what steps can the deployment professional take? (Choose two)
- A . Review the debug file /var/log/qradar.dsm.debug
- B . Review the payload of the notification to determine which expensive DSM extension in the pipeline affects performance.
- C . Ensure that the log source extension is applied to all of the log sources.
- D . Run the DSM Editor and select Optimize over DSM payload to correct this error.
- E . Order your log source parsers from the log sources with the most sent events to the least and disable unused parsers.
A customer is building a big data solution which aims to perform long term analysis of security data. Security events that are processed by QRadar are also relevant for the system and according to the QRadar administrator the most straightforward option for data ingestion is to configure event forwarding on QRadar. The customer would like to make use of QRadar’s parsing capability and its built-in parsers instead of developing new parsers for the big data platform. A deployment professional is asked for advice about the data format to configure for the event forwarding.
Which available option should the deployment professional propose?
- A . Normalized
- B . Payload
- C . XML
- D . JSON
A deployment professional decides to improve visibility in the network and successfully installs the Flow Collector.
What should the deployment professional connect the Flow Collector to?
- A . WAN port
- B . SPAN port
- C . LAN port
- D . SAN port
A deployment professional needs to configure the IBM QRadar systems so that data is forwarded to one or more vendor systems, such as ticketing or alerting systems.
Which event format options can the deployment professional use for forwarding destination configuration?
- A . payload, normalized and json
- B . leef, json and cef
- C . normalized, json and cef
- D . json, cef and payload
Some customers do not fully understand the benefits of using dedicated appliances to collect events and flows, complaining about the complexity of the deployments.
How should the deployment professional clarify any doubts that may arise?
- A . All-in-One appliances are a good choice for environments greater than 100,000 EPS.
- B . Event Processors collect events from various log sources and continuously forward these events to an Event Collector.
- C . Dedicated event collectors when deployed in VMs include an on-board event processor that can be directly attached to an All-in-One Virtual console type 3199.
- D . The operation of the QRadar security intelligence platform consists of three layers, and applies to any QRadar deployment structure, regardless of its size and complexity.
A deployment professional sees that there are occasional spikes in the EPS (Events per second). The host has 1000 EPS allocated but the occasional spikes go up to 1185 EPS.
What happens with the events when they go over the allocated amount?
- A . Events are shown normally, but no offenses are generated.
- B . Events are moved to a temporary queue.
- C . Events are shown normally, QRadar has 20% buffer.
- D . Events are dropped.
High availability (HA) has been configured for an event processor in a deployment. The end user gets the notification "Disk Usage Exceeded max Threshold" for the /store partition on primary host. The retention settings are "Delete data in this bucket: immediately after the retention period has expired".
What will be the behavior of the primary at this stage?
- A . Primary will stop HA disk replication and failover to Secondary
- B . Primary will keep running HA disk replication and failover to Secondary
- C . Primary will stop HA disk replication and No failover to Secondary
- D . Primary will keep running HA disk replication and No failover to Secondary
A deployment professional needs to configure the X-Force Threat Intelligence Feed through a web proxy to access the cloud servers hosting the information.
How should the deployment professional configure the proxy for this access?
- A . Edit the ‘/etc/httpd/conf.d/ssl.conf’ and ‘/opt/qradar/dca/server.ini’ files on the Console and restart some services
- B . Reconfigure iptables access on each managed host to provide access to ‘update.xforce-security.com’ and ‘license.xforce-security.com’ and restart some services
- C . Complete the ‘Server Config’ values in the Advanced Update Configuration section of Auto Updates
- D . Complete the ‘System Proxy’ values in the Advanced System Settings section of the Admin tab
A deployment professional is working on integrating an unsupported log source. The log source is able to send events in multiple formats. The administrators of the log source ask which event format should be configured.
Which event format should the deployment professional choose to be able to use direct parsing support in QRadar’s DSM editor?
- A . BLOB
- B . Regex
- C . LEEF
- D . SAML
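The point of the LEEF question above (and of the event-forwarding format question earlier on this page) is that LEEF is the structured, self-describing format QRadar understands natively: a pipe-delimited header (`LEEF:version|Vendor|Product|Version|EventID|`, with LEEF 2.0 adding a declared attribute delimiter) followed by `key=value` attributes. The parser below is an added illustration written for this page; it is not QRadar code and not part of the DSM Editor. The two sample events are constructed, and the handling of `x09`/`0x09`-style hex delimiters in LEEF 2.0 is an assumption about how senders encode control characters.

```python
"""Minimal LEEF 1.0 / 2.0 parser (added illustration; not QRadar's own code)."""
import re
from dataclasses import dataclass, field
from typing import Dict

LEEF_PREFIX = "LEEF:"


@dataclass
class LeefEvent:
    leef_version: str
    vendor: str
    product: str
    product_version: str
    event_id: str
    attributes: Dict[str, str] = field(default_factory=dict)


def _resolve_delimiter(raw: str) -> str:
    """LEEF 2.0 lets the sender declare the attribute delimiter in the header.
    An empty field means tab (the LEEF 1.0 default). Accepting 'x09' / '0x09'
    style hex values is an assumption, not something the page states."""
    if raw == "":
        return "\t"
    m = re.fullmatch(r"(?:0x|x)([0-9A-Fa-f]{1,2})", raw)
    if m:
        return chr(int(m.group(1), 16))
    if len(raw) != 1:
        raise ValueError(f"bad LEEF delimiter field: {raw!r}")
    return raw


def parse_leef(line: str) -> LeefEvent:
    """Parse one syslog line carrying a LEEF payload.

    The header is split with a bounded number of pipes so that a '|' inside
    an attribute value (common in free-text fields) is not mistaken for a
    header separator."""
    start = line.find(LEEF_PREFIX)
    if start < 0:
        raise ValueError("no LEEF header in line")
    body = line[start:].rstrip("\r\n")
    version = body[len(LEEF_PREFIX):body.index("|")]

    if version == "1.0":
        # LEEF:1.0|Vendor|Product|Version|EventID|attr<TAB>attr...
        head = body.split("|", 5)
        if len(head) != 6:
            raise ValueError("truncated LEEF 1.0 header")
        _, vendor, product, pver, event_id, attrs = head
        delim = "\t"
    elif version == "2.0":
        # LEEF:2.0|Vendor|Product|Version|EventID|Delimiter|attr<D>attr...
        head = body.split("|", 6)
        if len(head) != 7:
            raise ValueError("truncated LEEF 2.0 header")
        _, vendor, product, pver, event_id, raw_delim, attrs = head
        delim = _resolve_delimiter(raw_delim)
    else:
        raise ValueError(f"unsupported LEEF version {version!r}")

    attributes: Dict[str, str] = {}
    for pair in attrs.split(delim):
        if pair == "":
            continue  # tolerate a trailing delimiter
        if "=" not in pair:
            raise ValueError(f"attribute without '=': {pair!r}")
        key, value = pair.split("=", 1)  # values may themselves contain '='
        attributes[key] = value
    return LeefEvent(version, vendor, product, pver, event_id, attributes)


# Constructed sample events (not captured from any real device).
SAMPLE_1_0 = (
    "<13>Jan 18 11:07:53 sensor01 "
    "LEEF:1.0|Example|IDS|1.2|Alert|"
    "devTime=Jan 18 2024 11:07:53\tdevTimeFormat=MMM dd yyyy HH:mm:ss\t"
    "src=10.0.0.5\tdst=192.0.2.10\tdstPort=443\tusrName=alice\tsev=7"
)
SAMPLE_2_0 = (
    "LEEF:2.0|Example|Firewall|3.0|Deny|^|"
    "src=10.0.0.7^dst=198.51.100.9^proto=TCP^dstPort=22^reason=policy|rule 17"
)


if __name__ == "__main__":
    for sample in (SAMPLE_1_0, SAMPLE_2_0):
        ev = parse_leef(sample)
        print(ev.vendor, ev.product, ev.event_id, ev.attributes)
```

Attribute names such as `src`, `dst`, `dstPort`, `usrName`, `sev`, `devTime` and `devTimeFormat` are the predefined LEEF keys that QRadar maps to normalized fields without custom parsing; anything else arrives as a custom property. When advising the log-source administrators, the practical caveat is that the chosen LEEF 2.0 delimiter must never occur inside an attribute value, since the format has no escaping for it.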
During a new deployment, the client states that they want to collect Windows logs and forward them to QRadar, but they are already using another agent to collect logs for a managed service provider (MSP). The client would like to continue forwarding these logs to the MSP as well as send them to QRadar.
Which architectural solutions would meet the client’s requirements?
- A . Install an unmanaged WinCollect instance and set up multiple forwarding destinations to the WinCollect configuration server.
- B . Configure the Windows MSRPC protocol to send events to both.
- C . Install a managed WinCollect instance and set up multiple forwarding destinations.
- D . Configure Windows Event Forwarding to send events to both destinations.
A deployment professional needs to check which rules cause events to be dropped on the Console with Pipeline NATIVE_To_MPC messages.
Which script would help with this task?
- A . /opt/qradar/support/findExpensiveCustomProperties.sh
- B . /opt/qradar/support/findExpensiveCustomRules.sh
- C . /opt/qradar/support/astat.sh
- D . /opt/qradar/support/findRules.sh
A deployment professional just installed new QRadar deployment which comes with a temporary license key.
How many days does a deployment professional have before the temporary license key expires?
- A . 35 days from the installation date.
- B . 15 days from the installation date.
- C . 30 days from the installation date.
- D . 45 days from the installation date.
A deployment professional needs to implement a crossover cable in the high availability (HA) environment.
By doing so, this QRadar deployment isolates what kind of traffic over the crossover connection?
- A . event
- B . flow
- C . query
- D . HA replication
A deployment professional is asked to create QRadar deployment architecture for a company.
The company has three branch offices with WAN connection between them. The head office data center requires 14000 EPS and 200000 FPM. Each branch requires 4000 EPS and 200000 FPM.
Which deployment solution will meet the minimum requirements?
- A . QRadar 3105 (Console) in head office + QRadar 1805 Event and Flow Processor in each branch office
- B . QRadar 3129 (Console) in head office + QRadar 1805 Event and Flow Processor in each branch office
- C . QRadar 3105 (Console) and QRadar Event and Flow Processor 1829 in head office + QRadar 1805 Event and Flow Processor in each branch office
- D . QRadar 3129 (All-in-One) in head office
A deployment professional configures QRadar auto-update with the automatic install option for all update types where automatic install is available.
Assuming all auto-update installations are successful, which update types will need manual installation?
- A . Major updates, scanner and protocol updates
- B . Configuration updates and WinCollect updates
- C . Application updates and major updates
- D . Application updates, DSM, scanner and protocol updates
A deployment professional receives instructions to virtualize the currently installed QRadar SIEM All-in-One appliance and to provide requirements. VM specifications must suffice for 4000 EPS.
What are the minimum processor and memory requirements that the deployment professional must use?
- A . 128 GB Memory, 16 CPU Cores
- B . 256 GB Memory, 32 CPU Cores
- C . 32 GB Memory, 16 CPU Cores
- D . 8 GB Memory, 4 CPU Cores
A deployment professional is faced with the following system notification.
38750107 – The last attempt to read in rules (usually due to a rule change) has failed.
Please see the message details and error log for information on how to resolve this.
What should the deployment professional do after trying to disable and re-enable the rule?
- A . Create a new rule without deleting the old rule.
- B . Delete and recreate the rule.
- C . Modify the rule.
- D . Before doing anything else, call customer support.
A company that is located in the United States wants to expand its existing QRadar deployment to data centers located in Europe. The European branch needs to keep its data in-country and must comply with local data retention regulations.
What can the deployment professional do to comply with local data laws?
- A . Install Event and Flow Collectors in the European data center.
- B . Install Event and Flow Processors in the European data center.
- C . Install Event and Flow Processors in the United States data center.
- D . Install Data Nodes in the European data center.
A deployment professional is about to execute Server Discovery to populate the Host Definition Building Blocks. The deployment professional is working in a monitored environment and does not wish to set off any network scanner alarms.
What step should the deployment professional take to ensure that good results are returned and that no alarms are raised?
- A . Warn the network monitoring team that QRadar is about to run a network port scan
- B . Set the ‘Passive discovery’ flag in Advanced System Settings in the Admin tab
- C . Ensure that events from the relevant servers are being collected successfully
- D . Ensure that the flow sources are configured correctly and collecting data