Which service is responsible for adding new assets in QRadar?
- A . Asset Profiler
- B . ecs-ep
- C . ecs-ec
- D . Vulnerability Information Server
Which tool allows you to troubleshoot accumulator issues?
- A . scrub.pl
- B . collectGvStats.sh
- C . validate_ecs_service.sh
- D . threadTop.sh
Which parameter determines the impact of the offense on the network?
- A . Relevance
- B . Impact
- C . Credibility
- D . Severity
In the Backup Recovery Configuration section, what is the default retention period?
- A . 1 day
- B . 4 days
- C . 7 days
- D . 15 days
To install the 7.x WinCollect Configuration Console, which of these actions is a prerequisite?
- A . Install .net framework version 3.5
- B . Install the WinCollect Agent SF bundle on QRadar
- C . Add multiple destinations for the WinCollect agent
- D . Generate an authentication token for the WinCollect agent
From which tabs can a QRadar custom rule be created?
- A . Offenses or Log Activity tabs
- B . Offenses, Log Activity or Network Activity tabs
- C . Log Activity or Network Activity tabs
- D . Offenses or Admin tabs
Where can one share, find available apps, discover what they are used for, discover what they look like, and learn what other users say about apps?
- A . IBM App Share
- B . Extensions Management
- C . IBM Passport Advantage
- D . IBM Security App Exchange
On a Microsoft Windows 2019 server, a WinCollect agent is installed, which polls events locally. Its profile is set to Maximum EPS and the average EPS is 5000.
What is the minimum RAM requirement for this Windows 2019 server?
- A . 8 GB
- B . 2 GB
- C . 4 GB
- D . 6 GB
Which version of sFlow does QRadar support when defining a new flow source?
- A . 3
- B . 5
- C . 7
- D . 9
Which are the time criteria in AQL queries?
- A . START, BETWEEN, LAST, NOW, PARSEDATETIME
- B . START, STOP, BETWEEN, LAST
- C . START, STOP, LAST, NOW, PARSEDATETIME
- D . START, STOP, BETWEEN, FIRST
Which script can determine which QRadar process is consuming the most resources?
- A . /opt/ibm/si/diagnostiq
- B . /opt/qradar/support/threadTop.sh
- C . /opt/qradar/bin/threadTop.sh
- D . /opt/qradar/conf/threadTop.sh
What is the purpose of assigning QRadar Use Case Manager to a user role?
- A . Create new user roles in QRadar.
- B . Configure the app settings for users.
- C . Install the app on the QRadar server.
- D . Share the app with non-administrative users.
Which two types of default building blocks do you need to edit to reduce the number of offenses that are generated by high volume traffic servers?
- A . Host Definition
- B . Server Definition
- C . Traffic Definition
- D . Event Definition
- E . Network Definition
A QRadar deployment professional wants to integrate a dynamic data set like asset information so that QRadar can use the latest information in the new data set to correlate the rules and alerts.
How can the deployment professional achieve this?
- A . Use the UCM app.
- B . Import the dynamic data in the reference set and use these reference sets in rules and building blocks.
- C . Use the Threat Intelligence app.
- D . Use the QRadar Search to search each item in the list of imported data set.
What are unknown events?
- A . Both of the above
- B . The event cannot be understood or parsed by QRadar
- C . The event is collected and parsed, but cannot be mapped or categorized to a specific log source.
- D . None of the above
Which two (2) file formats are available for exporting offenses?
- A . XML
- B . CSV
- C . PDF
- D . TXT
- E . XLSX
A large multinational corporation is expanding its QRadar deployment to new countries. They decided to implement a geographically distributed deployment.
What may be a benefit of having a processor on site, according to the scenario?
- A . Reducing the analyst investigation time, by reducing latency.
- B . Compliance with local data laws by storing data in the place of origin.
- C . Avoiding latency with searches, especially during multiple concurrent searches.
- D . Improving search speeds due to high-speed network connectivity between the QRadar Console and remote processors.
How are events that are associated with an offense listed?
- A . Offense Summary window > click Display > Destination IPs
- B . Offense Summary window > click Source IPs
- C . Offense Summary window > click Events from Event/Flow count column
- D . Offense Summary window > Destination IPs
An organization wants QRadar to have rules, dashboards, and reports to detect and report on cryptocurrency mining activity.
What can be installed in QRadar to meet this requirement?
- A . Content extension from IBM Security App Exchange
- B . Latest MITRE content from IBM Security Fix Central
- C . Latest autoupdates from IBM Security Fix Central
- D . User Behavior Analytics from IBM Security App Exchange
When prioritizing offenses to investigate, what metric is provided on the Offenses tab specifically to help influence which offenses to investigate first?
- A . Magnitude
- B . Relevance
- C . Severity
- D . Credibility
Which of these is a tenant administrator responsible for?
- A . Configure Domain Management
- B . Collaborate with the MSSP administrator
- C . Access or change the configuration for other tenants
- D . Create roles and security profiles for tenant administrators and users
What is the directory where a backup archive file needs to be placed so that QRadar can automatically import it?
- A . /store/imports/inbound
- B . /store/backupHost/inbound
- C . /storetmp/backups
- D . /storetmp/imports/backups
At the Offense Summary window, the first row of data shows the level of importance that QRadar assigned to the offense.
Which statement is the correct description for Magnitude?
- A . It indicates the relative importance of the offense, calculated based on the relevance, severity, and credibility ratings.
- B . QRadar determines it by the weight that the administrator assigned to the networks and assets.
- C . It indicates the integrity of the offense as determined by the credibility rating that is configured in the log source. It increases as multiple sources report the same event.
- D . It indicates the threat that an attack poses in relation to how prepared the destination is for the attack.
A QRadar deployment professional is asked to plan a hardware migration for an Event Processor in HA. Two new appliances are ready to be used, and they use the same IP addresses.
Which approach can be used to migrate the systems?
- A . Use the QRadar config backup and restore process to transfer all configurations.
- B . Use rsync to transfer the contents of the /store/postgres partition to the new system.
- C . Remove HA on the EPs, migrate to the new primary, then add the new secondary back in.
- D . Ensure both systems are built as appliance type 500 and add them into the deployment as replacements.
Which type of information is considered as identity data for QRadar Assets?
- A . Rule Name
- B . Source Port
- C . MAC Address
- D . Destination Port
What can an analyst use in QRadar to quickly find information about IP addresses and URLs while analyzing an offense or event?
- A . Export the Event to CSV and upload it to reputation sites.
- B . Verify if the IP address or URL is in any of your reference sets.
- C . Use the X-Force Exchange lookup plugin.
- D . Copy the IP address or URL and paste it in any external reputation site.
What does it mean when a custom rule is partially matched in QRadar?
- A . The rule is not fully enabled.
- B . The AND NOT operator is set incorrectly in the first test.
- C . All the tests in the rule were fully matched.
- D . Not all the tests in the rule were fully matched.
Which QRadar log file contains information about the rates of EPS?
- A . /var/log/qradar.old
- B . /var/qradar.log
- C . /var/log/qradar.log
- D . /var/log/eps.log
For a Source IP based offense, which field helps determine the relative importance of the targets to the business?
- A . Relative importance of Destination IP(s)
- B . Duration of the offense
- C . Total number of Events
- D . Last Event/Flow
Which of the following is used to process flows in QRadar?
- A . Event Collector
- B . Flow Processor
- C . Event Processor
- D . Flow Collector
A deployment professional needs to migrate test rules developed in a test QRadar deployment to a production QRadar deployment.
Which approach can be used to migrate the rules?
- A . Use the Use Case Manager to sync rules between the two deployments.
- B . Use the Content Management Tool (CMT) to migrate the specific rules.
- C . Use rsync to copy the /store/postgres/ directory that contains configurations.
- D . Create a configuration backup, copy it to the production system, and import/restore the backup configuration.
An analyst reviewed an active offense that involved many attackers generating many events in the same category and targeting many systems. Upon further analysis, the analyst determined that the traffic from the attackers is legitimate and should not contribute to the offenses.
Which tuning methodology guideline can the analyst use to tune out this traffic?
- A . Edit the building blocks by using the Custom Rules Editor to tune the specific event.
- B . Use the Log Source Management app to tune the category.
- C . Edit building blocks by using the Custom Rules Editor to tune the category.
- D . Use the False Positive Wizard to tune the specific event.
Where can a deployment professional find updates to DSMs?
- A . The QRadar Admin console
- B . Fix Central
- C . The Log Source Management app
- D . QRadar on Cloud website
What must a deployment professional select when defining a new flow source?
- A . The destination port
- B . The source IP address
- C . The flow source type
- D . The router brand
A report showed several counts of the system notification message 38750088 (performance degradation detected in the event pipeline).
In this case, what does the Event collection system do?
- A . Bypasses EPS Licensing
- B . Drops events from the pipeline
- C . Routes data to storage
- D . Queues events in RAM
What is the correct order to stop QRadar services?
- A . hostcontext>tomcat>hostservice
- B . hostcontext>hostservice>tomcat
- C . tomcat>hostservice>hostcontext
- D . The order doesn’t matter
On a QRadar appliance, you might see a warning that you cannot connect to port 32006.
Which command will you use to determine port information?
- A . netstat
- B . nc
- C . nmap
- D . psexec
Which regex statement extracts the DNS host from the cs-host value from the payload?
- A . cs-host=www.?([^|]*)
- B . cs-host=.?www.(.*.?)
- C . cs-host=(?:www.)?([^|]*)|(?:add|get|query|delete)s+(?:www.)?([^s]+)
- D . cs-host=(?:www.)?([^|]*)|(?:http|ftp|tcp|https)s+(?:www.)?([^s]+)
This partial network diagram was provided to a QRadar deployment professional who is trying to determine if the deployment requires the definition of multiple domains.
How many domains are required, and why?
- A . Three domains are required, one for each network: HR-A, HR-B, and FIN.
- B . At least two domains are required to handle overlapping address spaces for the HR-B and FIN networks.
- C . Three domains are required: one for each of the event processors, plus the default domain for the console.
- D . No domains are required, but they might be useful to separate stored events and flows between the HR and Finance teams.
Which two options does a QRadar analyst need to configure in the False Positive window of the QRadar Console to mark an event or flow as False Positive?
- A . Event or flow property and username
- B . Asset and traffic direction
- C . Event or flow property and traffic direction
- D . Event or flow property and port number
A QRadar deployment professional is asked to migrate the configuration of a system from Log Manager to QRadar SIEM.
How should the custom rules, saved searches, and reports be migrated?
- A . Use the QRadar config backup and restore process to transfer all configurations.
- B . Use the content management tool (CMT) to transfer the security configuration.
- C . The only option is to use the GUI to manually recreate any required content.
- D . Use rsync to transfer the contents of the /store partition to the new system.
Which two statements are prerequisites for an upgrade of QRadar? (Choose two.)
- A . Verify that scan runs and reports are complete.
- B . Verify that all changes are deployed on the appliances.
- C . Ensure an admin account is logged on the UI.
- D . Clean up all the Offenses before any version upgrade.
- E . Ensure that the ISO file is copied to all the appliances.
A QRadar deployment professional has been asked to merge two QRadar deployments (AIO_A and AIO_B) into one new environment (AIO_C). Each environment consists of an All-in-One appliance. There is no requirement to migrate the Ariel data.
What is the way to approach the migration?
- A . Take configuration backups of AIO_A and AIO_B. Restore AIO_A onto AIO_C, then restore AIO_B onto AIO_C.
- B . Take a configuration backup of AIO_A and restore it onto AIO_B. Then take a configuration backup of AIO_B and restore it onto AIO_C.
- C . Take configuration backups of AIO_A and AIO_B. Merge the backup files with the UNIX merge command, then restore the merged file onto AIO_C.
- D . Take a configuration backup of AIO_A and a CMT export of AIO_B. Restore AIO_A onto AIO_C, then import the config export from AIO_B onto AIO_C.
In a multitenant environment, what is prevented by assigning log sources to a specific domain?
- A . Data integrity
- B . User creation for each domain
- C . No security roles need to be created
- D . Data leakage and data separation across domains
Which two of these authentication types are valid for RADIUS authentication? (Choose two.)
- A . MSCHAP
- B . ASCII
- C . TCP
- D . PAP
- E . XML
What happens to events and flows when data bursts exceed the license?
- A . All data beyond the license is lost.
- B . QRadar allows a 35-day grace period to update the license.
- C . The backlog is processed from a temporary queue when the license allows
- D . QRadar automatically enables the License Pool app, which finds allocations for the extra traffic.
While reviewing apps in QRadar Assistant, an analyst wants to view the apps that work properly.
What sort option should the analyst choose?
- A . Running
- B . Installed
- C . Error/Stopped
- D . Install Failed
To increase the amount of storage for IBM Security QRadar, data is moved to an offboard storage device.
Which method for adding external storage must be used for /store/ariel?
- A . /store/ariel/ cannot be moved off of a QRadar appliance.
- B . Manually copy files at regular intervals.
- C . Use NFS (Network File System) for external storage.
- D . Use iSCSI for external storage.
Which item can be used in the configuration of a domain in QRadar?
- A . The tenant that owns the log source that the event is allocated to
- B . The network the event comes from
- C . A custom event property in an event
- D . The type of the log source that the event is allocated to
Where does QRadar display R2R events?
- A . The Testing interface in the Log Source Manager app
- B . The Tuning interface in the Use Case Manager app
- C . The Remote Services window
- D . The Network Activity tab
Which tool can be used to check the connections to all managed hosts and verify the versions of ECS and ECS-Ingress services after an upgrade?
- A . validate_ecs-ingress_service.sh
- B . deployment_info.sh
- C . collectGvStats.sh
- D . validate_ecs_service.sh
A QRadar user wants to edit a building block to include geographic locations that they want to prevent from accessing their network. The user will edit the "and when the source is located in" test in the building block.
Which building block will the user edit?
- A . BB:NetworkDefinition: Remote Networks
- B . BB:NetworkDefinition: NAT Address Range
- C . BB:Category Definition: Forbidden Countries
- D . BB:Category Definition: Countries with no Remote Access
Which are stored events?
- A . All events in QRadar
- B . Events which cannot be coalesced
- C . Events that cannot be understood or parsed by QRadar
- D . Events that do not have the storage time in the payload
There are 10 retention buckets in QRadar SIEM. The default bucket is placed in the last line with a retention policy of 30 days. The action is set to delete the data immediately after the retention period has expired. The admin creates another policy above the default policy to keep firewall data for 10 days.
What will happen to the data after 30 days?
- A . Firewall data will be erased after 30 days
- B . Everything will be erased after 30 days
- C . Everything will be erased after 10 days
- D . Firewall data will be erased after 10 days
Which data is processed by the IBM Security QRadar Network Threat Analytics app?
- A . User data
- B . Flow data
- C . Asset data
- D . Event data
Which command can be used to check the amount of available physical and swap memory?
- A . free
- B . topmem
- C . ramstat
- D . memoryfree
One data gateway appliance can collect up to ____ EPS.
- A . 10000
- B . 5000
- C . 15000
- D . 20000
- E . 30000
Which of these is a benefit of the QRadar Assistant Guide Center?
- A . View the IBM QRadar Twitter feed from IBM Security.
- B . Search, sort, and filter available apps by various categories.
- C . View tuning and use cases videos recorded by QRadar experts.
- D . View the latest QRadar related questions from IBM developerWorks forums.
What is an approach to tuning a "noisy" rule, that is, a rule that generates too many offenses?
- A . Determine whether the rule matches too many conditions in the traffic.
- B . In the offense output, scroll down and review the "Excessive" flags.
- C . Confirm that the rule is enabled.
- D . Use the QRadar Pulse app to map noisy offense output.
The ____________ command removes a directory and all files in it.
- A . rf -rm
- B . rm -rp
- C . rm -rf
- D . rf -rr
The Server Discovery process updates building blocks based on which of these?
- A . Malware detection
- B . Port-based filtering
- C . MAC address filtering
- D . CMDB integration
After a successful upgrade, which two actions does a deployment professional perform to complete the installation?
- A . Rebuild the reference data.
- B . Run mount /media/updates.
- C . Delete the SFS file from all appliances.
- D . Disconnect all managed hosts from the deployment.
- E . Clear the browser cache before logging in to the Console.
Which of these procedures duplicates a report from the Reports tab?
- A . Click Action > Duplicate Report. Select the report to duplicate and click Finish.
- B . Click Actions, then select the report to duplicate from the pop-up window. Click Duplicate and type a new name for the report.
- C . Right-click the report to duplicate. Click Duplicate and type a new name for the report.
- D . Select the report to duplicate. From the Actions list, click Duplicate and type a new name for the report.
A security analyst uses Use Case Manager > Active Rules and detects that the top rule generating offenses is triggered by inbound traffic that is dropped by the firewall. The company decides that the rule should trigger only when there are firewall permit events.
Which of these does the analyst implement to meet the above requirement?
- A . Open Rule Wizard add a test condition > and when the context is Local to Local, Local to Remote
- B . Open Rule Wizard add a test condition > and when an event matches any of the following BB:CategoryDefinition: Firewall or ACL Accept
- C . Open Rule Wizard add a test condition > and NOT when an event matches any of the following BB:CategoryDefinition: Firewall or ACL Accept
- D . Open Rule Wizard add a test condition > and when the event category for the event is one of the following Access.Misc Application Action Denied
What are the types of reference data collections in QRadar?
- A . Reference data, Reference table and Reference event
- B . Reference set, Reference map and Reference map of maps
- C . Reference set, Reference data and Reference rule
- D . Reference event, Reference map of sets and Reference data
Which component processes unallocated syslog messages, identifies the DSMs that are installed on the system, and then assigns the appropriate log source type to a new log source?
- A . Discovery analysis
- B . Autodetect traffic
- C . Traffic analysis
- D . DSM discovery analysis
What does QRadar attempt to do when the system generates “Accumulator is falling behind” warnings?
- A . QRadar tries to aggregate the events and flows during the next 60 seconds.
- B . QRadar automatically drops the incoming events and flows during that time period.
- C . The events that QRadar processes during that period are categorized as stored.
- D . Time-series graphs and reports omit columns for the period when the problem occurred.
What information is provided by using the Sharing MITRE-mapping files in Use Case Manager?
- A . Mapping to the customize template
- B . Mapping to the Use Case Explorer page
- C . Mapping directly to rules
- D . Mapping directly to dependencies
What demarcation is added to a custom event property to let you know that this value is held in memory for a set amount of time?
- A . Catalogued
- B . Indexed
- C . Stored
- D . Tabulated
Which statement about the Extensions Management tool in QRadar is true?
- A . The Extensions Management tool cannot be used to export content out of QRadar.
- B . QRadar can be updated by using the Extensions Management tool.
- C . CSV extensions can be imported into QRadar.
- D . The Extensions Management tool can be used to add a log source.