Where can a user add a note to an offense in the user interface?
- A . Dashboard and Offenses Tab
- B . Offenses Tab and Offense Detail Window
- C . Offenses Detail Window, Dashboard, and Admin Tab
- D . Dashboard, Offenses Tab, and Offense Detail Window
B
Explanation:
Reference: IBM Security QRadar SIEM Users Guide. Page: 34
When might a Security Analyst want to review the payload of an event?
- A . When immediately after login, the dashboard notifies the analyst of payloads that must be investigated
- B . When “Review payload” is added to the offense description automatically by the “System: Notification” rule
- C . When the event is associated with an active offense, the payload may contain information that is not normalized or extracted fields
- D . When the event is associated with an active offense with a magnitude greater than 5, the payload should be reviewed, otherwise it is not necessary
Which key elements does the Report Wizard use to help create a report?
- A . Layout, Container, Content
- B . Container, Orientation, Layout
- C . Report Classification, Time, Date
- D . Pagination Option, Orientation, Date
A
Explanation:
Reference: IBM Security QRadar SIEM Users Guide. Page: 201
How is an event magnitude calculated?
- A . As the sum of the three properties Severity, Credibility and Relevance of the Event
- B . As the sum of the three properties Severity, Credibility and Importance of the Event
- C . As a weighted mean of the three properties Severity, Credibility and Relevance of the Event
- D . As a weighted mean of the three properties Severity, Credibility and Importance of the Event
What is a benefit of using a span port, mirror port, or network tap as flow sources for QRadar?
- A . These sources are marked with a current timestamp.
- B . These sources show the ASN number of the remote system.
- C . These sources show the username that generated the flow.
- D . These sources include payload for layer 7 application analysis.
D
Explanation:
Reference: https://www.ibm.com/developerworks/community/forums/html/topic?id=dd3861e0-f630-4a53-94c3b426a47b6e02
What is the primary goal of data categorization and normalization in QRadar?
- A . It allows data from different kinds of devices to be compared.
- B . It preserves original data allowing for forensic investigations.
- C . It allows users to export data and import it into other systems.
- D . It allows for full-text indexing of data to improve search performance.
Which set of information is provided on the asset profile page on the Assets tab, in addition to the ID?
- A . Asset Name, MAC Address, Magnitude, Last user
- B . IP Address, Asset Name, Vulnerabilities, Services
- C . IP Address, Operating System, MAC Address, Services
- D . Vulnerabilities, Operative System, Asset Name, Magnitude
C
Explanation:
Reference: https://www.ibm.com/support/knowledgecenter/SS42VS_7.2.1/com.ibm.qradar.doc_7.2.1/c_qradar_ug_asset_sum.html
Which type of search uses a structured query language to retrieve specified fields from the events, flows, and simarc tables?
- A . Add Filter
- B . Asset Search
- C . Quick Search
- D . Advanced Search
D
Explanation:
Reference: http://www.ibm.com/support/knowledgecenter/en/SS42VS_7.2.7/com.ibm.qradar.doc/c_qradar_ug_search_bar.html
When using the right-click event filtering functionality on a Source IP, one can filter by “Source IP is not [*]”.
Which two other filters can be shown using the right-click event filtering functionality? (Choose two.)
- A . Filter on DNS entry [*]
- B . Filter on Source IP is [*]
- C . Filter on Time and Date is [*]
- D . Filter on Source or Destination IP is [*]
- E . Filter on Source or Destination IP is not [*]
What is indicated by an event on an existing log in QRadar that has a Low Level Category of “Unknown”?
- A . That event could not be parsed
- B . That event arrived out of order from the original device
- C . That event was from a device that is not supported by QRadar
- D . That the event was parsed, but not mapped to an existing QRadar category
D
Explanation:
Reference: https://www.ibm.com/support/knowledgecenter/SSKMKU/com.ibm.dsm.doc/c_DSM_guide_UniversalLEEF_eventmap.html#c_dsm_guide_universalleef_eventmap
A Security Analyst found multiple connection attempts from suspicious remote IP addresses to a local host on the DMZ over port 80. After checking related events, no successful exploits were detected. Upon checking internal documentation, this activity was part of an expected penetration test which requires no immediate investigation.
How can the Security Analyst ensure the results of the penetration test are retained?
- A . Hide the offense and add a note with a reference to the penetration test findings
- B . Protect the offense to not allow it to delete automatically after the offense retention period has elapsed
- C . Close the offense and mark the source IP for Follow-Up to check if there are future events from the host
- D . Email the Offense Summary to the penetration team so they have the offense id, add a note, and close the Offense
B
Explanation:
Reference: http://www.ibm.com/support/knowledgecenter/SSKMKU/com.ibm.qradar.doc/c_qradar_Off_Retention.html
Which list contains only Rule Actions?
- A . Modify Credibility; Send SNMP trap; Drop the Detected Event; Dispatch New Event.
- B . Modify Credibility; Annotate Event; Send to Forwarding Destinations; Dispatch New Event.
- C . Modify Severity; Annotate Event; Drop the Detected Event; Ensure the detected event is part of an offense.
- D . Modify Severity; Send to Forwarding Destinations; Drop the Detected Event; Ensure the detected event is part of an offense.
A
Explanation:
Reference: http://www.ibm.com/support/knowledgecenter/SSKMKU/com.ibm.qradar.doc/t_qradar_create_cust_rul.html
What are the two available formats for exporting event and flow data for external analysis? (Choose two.)
- A . XML
- B . DOC
- C . PDF
- D . CSV
- E . HTML
Which information can be found under the Network Activity tab?
- A . Flows
- B . Events
- C . Reports
- D . Offenses
Which type of test is recommended to be placed first in a rule to increase efficiency?
- A . Custom property tests
- B . Normalized property tests
- C . Reference set lookup tests
- D . Payload contains regex tests
When reviewing Network Activity, a flow shows a communication between a local server on port 443 and a random, remote port. The bytes from the local destination host are 2 GB, and the bytes from the remote source host address are 40 KB.
What is the flow bias of this session?
- A . Other
- B . Mostly in
- C . Near-same
- D . Mostly out
Which pair of options are available in the left column on the Reports Tab?
- A . Reports and Owner
- B . Reports and Branding
- C . Reports and Report Grouping
- D . Reports and Scheduled Reports
Which QRadar rule could detect a potential data loss?
- A . Apply “Potential data loss” on event of flows which are detected by the local system and when any IP is part of any of the following XForce premium Premium_Malware
- B . Apply “Potential data loss” on flows which are detected by the local system and when at least 1000 flows are seen with the same Destination IP and different Source IP in 2 minutes
- C . Apply “Potential data loss” on events which are detected by the local system and when the event category for the event is one of the following Authentication and when any of Username are contained in any of Terminated_User
- D . Apply “Potential data loss” on flows which are detected by the local system and when the source bytes is greater than 200000 and when at least 5 flows are seen with the same Source IP, Destination IP, Destination Port in 12 minutes
What is the default view when a user first logs in to QRadar?
- A . Report Tab
- B . Offense Tab
- C . Dashboard tab
- D . Messages menu
C
Explanation:
Reference: http://www.ibm.com/support/knowledgecenter/SSKMKU/com.ibm.qradar.doc/c_qradar_dash_tab.html
What is the function of a Device Support Module (DSM) within QRadar?
- A . Unites data received from logs
- B . Provides Vendor specific configuration information
- C . Scans log information based on a set of rules to output offenses
- D . Parses event information for SIEM products received from external sources
Which file type is available for a report format?
- A . TXT
- B . DOC
- C . PDF
- D . PowerPoint
What is the default reason for closing an Offense within QRadar?
- A . Actioned
- B . Non-Issue
- C . Blocked Traffic
- D . Acceptable Traffic
B
Explanation:
Reference: https://www.ibm.com/support/knowledgecenter/SS42VS_7.2.1/com.ibm.qradar.doc_7.2.1/t_qradar_closing_offenses.html?pos=2
How does flow data contribute to the Asset Database?
- A . Correlated Flows are used to populate the Asset Database.
- B . It provides administrators visibility on how systems are communicating on the network.
- C . Flows are used to enrich the Asset Database except for the assets that were discovered by scanners.
- D . It delivers vulnerability and ports information collected from scanners responsible for evaluating network assets.
Where are events related to a specific offense found?
- A . Offenses Tab and Event List window
- B . Dashboard and List of Events window
- C . Offense Summary Page and List of Events window
- D . Under Log Activity, search for Events associated with an Offense
While on the Offense Summary page, a specific Category of Events associated with the Offense can be investigated.
Where should a Security Analyst click to view them?
- A . Click on Events, then filter on Flows
- B . Highlight the Category and click the Events icon
- C . Scroll down to Categories and view Top 10 Source IPs
- D . Right Click on Categories and choose Filter on Network Activity
B
Explanation:
Reference: IBM Security QRadar SIEM Users Guide. Page: 42
Which QRadar add-on component can generate a list of the unencrypted protocols that can communicate from a DMZ to an internal network?
- A . QRadar Risk Manager
- B . QRadar Flow Collector
- C . QRadar Incident Forensics
- D . QRadar Vulnerability Manager
What are the various timestamps related to a flow?
- A . First Packet Time, Storage Time, Log Source Time
- B . First Packet Time, Storage Time, Last Packet Time
- C . First Packet Time, Log Source Time, Last Packet Time
- D . First Packet Time, Storage Time, Log Source Time, End Time
B
Explanation:
Reference: IBM Security QRadar SIEM Users Guide. Page: 101
What is a common purpose for looking at flow data?
- A . To see which users logged into a remote system
- B . To see which users were accessing report data in QRadar
- C . To see application versions installed on a network endpoint
- D . To see how much information was sent from a desktop to a remote website
Which saved searches can be included on the Dashboard?
- A . Event and Flow saved searches
- B . Asset and Network saved searches
- C . User and Vulnerability saved searches
- D . Network Activity and Risk saved searches
What is the key difference between Rules and Building Blocks in QRadar?
- A . Rules have Actions and Responses; Building Blocks do not.
- B . The Response Limiter is available on Building Blocks but not on Rules.
- C . Building Blocks are built-in to the product; Rules are customized for each deployment.
- D . Building Blocks are Rules which are evaluated on both Flows and Events; Rules are evaluated on Offenses of Flows or Events.
Which Anomaly Detection Rule type can test events or flows for volume changes that occur in regular patterns to detect outliers?
- A . Outlier Rule
- B . Anomaly Rule
- C . Threshold Rule
- D . Behavioral Rule
D
Explanation:
Reference: http://www.ibm.com/support/knowledgecenter/en/SS42VS_7.2.7/com.ibm.qradar.doc/c_qradar_rul_anomaly_detection.html
Given these default options for dashboards on the QRadar Dashboard Tab, which will display a list of offenses?
- A . Network Overview
- B . System Monitoring
- C . Vulnerability Management
- D . Threat and Security Monitoring
What is an example of a use of flow data that provides more information than event data?
- A . Represents a single event on the network
- B . Automatically identifies and better classifies new assets found on a network
- C . Performs near real-time comparisons of application data with logs sent from security devices
- D . Represents network activity by normalizing IP addresses ports, byte and packet counts, as well as other details
D
Explanation:
Reference: http://www-01.ibm.com/support/docview.wss?uid=swg21682445
What is a primary goal with the use of building blocks?
- A . A method to create reusable rule responses
- B . A reusable test stack that can be used in other rules
- C . A method to generate reference set updates without using a rule
- D . A method to create new events back into the pipeline without using a rule
Which two are top level options when right clicking on an IP Address within the Offense Summary page? (Choose two.)
- A . WHOIS
- B . Navigate
- C . DNS Lookup
- D . Information
- E . Asset Summary Page
Which three log sources are supported by QRadar? (Choose three.)
- A . Log files via SFTP
- B . Barracuda Web Filter
- C . TLS multiline Syslog
- D . Oracle Database Listener
- E . Sourcefire Defense Center
- F . Java Database Connectivity (JDBC)
Which three pages can be accessed from the Navigation menu on the Offenses tab? (Choose three.)
- A . Rules
- B . By Category
- C . My Offenses
- D . By Event Name
- E . Create Offense
- F . Closed Offenses
What is a capability of the Network Hierarchy in QRadar?
- A . Determining and identifying local and remote hosts
- B . Capability to move hosts from local to remote network segments
- C . Viewing real-time PCAP traffic between host groups to isolate malware
- D . Controlling DHCP pools for segments groups (i.e. marketing, DMZ, VoIP)
A
Explanation:
Reference: http://www.ibm.com/support/knowledgecenter/SS42VS_7.2.7/com.ibm.qradar.doc/c_qradar_gs_ntwrk_hrchy.html
An event is happening regularly and frequently; each event indicates the same target username. There is a rule configured to test for this event which has a rule action to create an offense indexed on the username.
What will QRadar do with the triggered rule assuming no offenses exist for the username and no offenses are closed during this time?
- A . Each matching event will be tagged with the Rule name, but only one Offense will be created.
- B . Each matching event will cause a new Offense to be created and will be tagged with the Rule name.
- C . Events will be tagged with the rule name as long as the Rule Response limiter is satisfied. Only one offense will be created.
- D . Each matching event will be tagged with the Rule name, and an Offense will be created if the event magnitude is greater than 6.
What is the difference between TCP and UDP?
- A . They use different port number ranges
- B . UDP is connectionless, whereas TCP is connection based
- C . TCP is connectionless, whereas UDP is connection based
- D . TCP runs on the application layer and UDP uses the Transport layer
Which QRadar component is designed to help increase the search speed in a deployment by allowing more data to remain uncompressed?
- A . QRadar Data Node
- B . QRadar Flow Processor
- C . QRadar Event Collector
- D . QRadar Event Processor
What is the maximum number of supported dashboards for a single user?
- A . 10
- B . 25
- C . 255
- D . 1023
C
Explanation:
Reference: http://www.ibm.com/support/knowledgecenter/SS42VS_7.2.7/com.ibm.qradar.doc/c_qradar_custom_dboard.html