Passit4Sure.C _64,QA

Transcription

1 Passit4Sure.C _64,QA Number: C Passing Score: 800 Time Limit: 120 min File Version: This VCE covers all syllabus. After preparing it anyone pass the exam in high grades. Good explanation provided and the references added most of the questions. Pretty much all the questions we study that no answer in doubt. Any questions/info you can recall are on the VCEs. So the preparation of exam is very easy. Pretty much all the questions we study that may have multiple answers, no answer is in doubt, I got on the test.

2

3 Exam A QUESTION 1 How do you view Raw Events on the Log Activity tab? A. Select "Raw Events" from the View list box B. Select "Raw Events" from the Actions list box C. Select "Raw Events" from the Display list box D. Select "Raw Events" from the Quick Searches list box Correct Answer: C /Reference: Reference:ftp://ftp.software.ibm.com/software/security/products/qradar/documents/71MR1/LogMgr /LM-71MR1-Usersguide.pdf(page 33) QUESTION 2 There is a requirement at the customer site to double the default QFlow Maximum Content Capture size. What would be the resulting packet size? A. 64 bytes B. 128 bytes C. 256 bytes D bytes Correct Answer: B /Reference: QUESTION 3 What is the result when adding host definition building blocks to QRadar? A. Creates Offenses B. Reduces false positives

4 C. Makes searches run faster D. Authorizes QRadar Services Correct Answer: B /Reference: QUESTION 4 What is used to collect netflow and jflow traffic in a QRadar Distributed Deployment? A. QRadar 3124 Console B. QRadar 1624 Processor C. QRadar 1724 Processor D. QRadar 700 Risk Manager Correct Answer: A /Reference: answer is modified. QUESTION 5 What will be restored when restoring event data or flow data for a particular period to a MH? A. Only data sent to the console for that time period is restored to the MH. B. Only event data or flow data for the MH being restored will be restored to that MH. C. Only data that was accumulated for reports and searches will be restored to the MH.

5 D. All data for all MHs for a specific time period is restored to its respective hosts in the deployment. Correct Answer: B /Reference: QUESTION 6 Where do you save the "Login Message File" on the system when setting up a banner message for the authentication page? A. /opt/qradar/conf/ B. /opt/qradar/www C. /opt/tomcat/conf/ D. /opt/qradar/webapps Correct Answer: A /Reference: Reference:file:///Users/iMac/Downloads/QRadar_721_AdminGuide.pdf(page 90, see the table, last row, second column) QUESTION 7 Which network monitoring port does Cisco NetFlow require to be configured in QRadar? A. Port 514 B. Port 161 C. Port 2055 D. Port 8080 Correct Answer: C /Reference: Reference: 01.ibm.com/support/knowledgecenter/SS42VS_7.2.3/com.ibm.qradar.doc_7.2.3/c_qradar_adm_fl ow_source_ovrvw.html

6 QUESTION 8 A QRadar administrator needs to tune the system by enabling or disabling the appropriate rules in order to ensure that the QRadar console generates meaningful offenses for the environment. Which role permission is required for enabling and disabling the rule? A. Offenses > Maintain CRE Rules B. Offenses > Toggle Custom Rules C. Offenses > Manage Custom Rules D. Offenses > Maintain Custom Rules Correct Answer: C /Reference: : QUESTION 9 Which operating system is supported for creating a bootable flash drive for recovery? A. Cisco IOS B. Florida Linux C. Debian Linux D. RedHat Linux Correct Answer: D /Reference:

7 : QUESTION 10 Which three graph types are available for QRadar Log Manager reports? (Choose three.) A. Pie graph B. Histogram Real 8 C. Bar graph D. Trivial graph E. Stacked bar graph F. Stacked table graph Correct Answer: ACF /Reference: Reference: guide.pdf(page 18) QUESTION 11 Which line color inside the deployment editor signals that encrypted communication has been selected for the managed hosts in a distributed environment? A. Blue B. Grey C. Black D. Yellow Correct Answer: D /Reference: : QUESTION 12 A QRadar SIEM administrator wants to create a Flow Rule that includes a building block definition (BB) that includes applications that indicate communication with file sharing sites.

8 In which group will the administrator find this specified building block? A. Policy B. Host Definitions C. Network Definition D. Category Definitions Correct Answer: B /Reference: QUESTION 13 Which character is used for naming subgroups when using the option Add Group in the Network Hierarchy editor? A. +(plus) B.. (period) C. \ (Backslash) D. /(Forward Slash) Correct Answer: B /Reference: : QUESTION 14 Which expression imports all xml files in the report directory if the administrator is configuring a Nessus Scanner? A. \xml B. 'xml' C. *\.xml D. */.xml

9 Correct Answer: C /Reference: Reference:ftp://public.dhe.ibm.com/software/security/products/qradar/documents/71MR1/SIEM/Co redocs/managingvaguide-71mr1.pdf(page 14) QUESTION 15 Which two file systems does QRadar support for offboard storage partitions? (Choose two.) A. XFS B. Btrfs C. F2FS D. EXT4 E. NTFS Correct Answer: AD /Reference: Reference: collections/jsa-configuring-offboard-storage.pdf(page 17) Real 10 QUESTION 16 Assuming a Squid Proxy has logs in the following format: Time elapsed remotehost code/status bytes method URL rfc931 peerstatus/peerhost type And these are some sample logs from a Squid server:

10 Which regular expression would you use to pull out the bytes field into a custom property? A. \w+/\d+\s+(\d+)\s+ B. \w+/\d+\s+(\d+)\s+ C. \w+/\d+\s+(\d+)\s+ D. \w+/\d+\s+(\d+)\s+ Correct Answer: A /Reference: : QUESTION 17 Which Permission Precedence should be applied to the users security profile assuming the administrators only want the group to have access to Windows events and flows and not events from other networks? A. No Restrictions B. Log Sources Only C. Networks OR Log Sources D. Networks AND Log Sources Correct Answer: D

11 /Reference: : Real 11 QUESTION 18 On the QRadar console you have received notification that CVE ID: CVE is being actively used. What search parameter should you select from the list of search parameters in this situation? A. Collateral Damage Reference B. Vulnerability External Reference C. Vulnerability Information System D. Vulnerability Internal System Reference Correct Answer: C /Reference: Reference:ftp://ftp.software.ibm.com/software/security/products/qradar/documents/7.2.1/QRadar/E N/b_qradar_gs_guide.pdf(page 250 QUESTION 19 Which two statements are true regarding QRadar Log Sources and DSMs? (Choose two.) A. One log source must have one DSM. B. One DSM must have many log sources. C. One log source must have many DSMs. D. One DSM can have only one log source. E. One DSM can be used in many log sources. Correct Answer: CE /Reference: :

12 QUESTION 20 What are the two expected Host Statuses after HA setup if the initial synchronization is complete? (Choose two.) A. Primary: Active B. Primary: Offline C. Secondary: Failed D. Secondary: Active E. Secondary: Standby Real 12 F. Primary: Synchronizing Correct Answer: AE /Reference: : QUESTION 21 Which default flow source is included in the QRadar SIEM? A. IPFIX B. jflow C. QFlow D. NetFlow Correct Answer: D /Reference: Reference: 01.ibm.com/support/knowledgecenter/SS42VS_7.2.3/com.ibm.qradar.doc_7.2.3/c_qradar_adm_fl ow_source_ovrvw.html QUESTION 22 You have created an LSX log parser document to process the unknown log events from your unsupported log source. The events are coming up with Log source type GenericDSM and the correct Log Source Event ID.

13 What is the next step in this process? A. Create the high level and low level categories from the map id action B. Map the custom log records to your own custom high level and low level categories C. Create the high level and low level categories from the Rules section in the Offense tab D. Run the qidmap.pl script to create high level and low level categories from the command line Correct Answer: D /Reference: : QUESTION 23 In which two ways can an administrator view all the events that are related to an offense from the Real 13 Offense Details screen? (Choose two.) A. Top 5 Source IPs section B. Click on Display > Sources C. Click on Display > Destinations D. Click on Event/Flow Count field's Events link E. Click on Events button in Last 10 Events section Correct Answer: BD

14 /Reference: : QUESTION 24 Which tab in the QRadar web console allows flows to be monitored and investigated? A. Admin B. Assets C. Offenses D. Network Activity Correct Answer: C /Reference: Reference:ftp://public.dhe.ibm.com/software/security/products/qradar/documents/71MR1/SIEM/Co redocs/qradar_71mr1_gettingstartedguide.pdf(page 10, offenses tab) QUESTION 25 An off-site source can connect to which component? A. Flow collector B. Event collector C. Flow processor D. Event processor Correct Answer: B /Reference: Reference: 01.ibm.com/support/knowledgecenter/SS42VS_7.2.1/com.ibm.qradar.doc_7.2.1/c_qradar_adm_qr adar_siem_component.html?cp=ss42vs_7.2.1%2f &lang=fr(see off-site source) Real 14 QUESTION 26

15 Which two fields are required to be filled out when adding a new network to the network hierarchy? (Choose two.) A. Weight B. IPandCIDR C. Capture Filter D. Flow Source Interface E. Flow Retention Length Correct Answer: AD /Reference: : QUESTION 27 A user of QRadar wishes to have a report showing the number of bytes per packet they see with their flows. The user decides to create a Custom Flow Property for this application. Which type of custom property is required for this to be accomplished? A. Regex Custom Property B. Advanced Custom Property C. Computation Custom Property D. Calculation Based Custom Property Correct Answer: A /Reference: answer is valid. QUESTION 28 Which attribute is valid when defining the user roles to provide the necessary access? A. Admin: System Administrator B. Log Activity: View Custom Rules C. Log Activity: Manage Time Series

16 D. Network Activity: Maintain custom Rules Real 15 Correct Answer: A /Reference: : QUESTION 29 Which configuration window defines the maximum number of TCP syslog connections? A. Log Sources B. System Setting C. Console Setting D. Deployment Editor Correct Answer: D /Reference: : QUESTION 30 A customer has log files from Windows-based systems and wants to push those logs to the QRadar console. What options should the customer use in WinCollect to collect and forward these logs? A. File Forwarder B. Flow Forwarder C. Event Forwarder D. Windows-based Event Log Forwarder Correct Answer: C

17 /Reference: : QUESTION 31 What is the minimum bandwidth needed between the primary and secondary HA host? A. 1 gigabits per second (Gbps) B. 2 gigabits per second (Gbps) C. 3 gigabits per second (Gbps) Real 16 D. 4 gigabits per second (Gbps) Correct Answer: A /Reference: Reference:ftp://ftp.software.ibm.com/software/security/products/qradar/documents/71MR1/SIEM/C oredocs/qradar_71mr1_highavailabilityguide.pdf(page 9) QUESTION 32 Which directory from the QRadar host can be moved to offboard storage? A. A/ar B. /store C. /home D. /media Correct Answer: B /Reference: : QUESTION 33 You have been asked to forward all event logs from QRadar to another central syslog server with the IP of You also want the events to be processed by the CRE, but not stored on the system.

18 What will allow you to do this process? A. Add a Routing Rule that under Current Filters "Matches All Incoming Events", under Routing Options, add a Forwarding destination for with the "Raw Event" format. Then select the 'Forward' and 'Drop' options. Save and deploy. B. Add a Routing Rule that, under Current Filters "Matches All Incoming Events", under Routing Options, add a Forwarding destination for with the "Normalized Event" format. Then select the 'Forward' and 'Drop' options. Save and deploy. C. Add a forwarding Destination for with the "Raw Event" format. Then add a Routing Rule that, under Current Filters "Matches All IncomingEvents", under Routing Options,select the Forward destination that matches destination you created. Then select the 'Forward' and 'Drop' options. Save and deploy. D. Add a forwarding Destination for with the "Normalized Event" format. Then add a Routing Rule that, under Current Filters "Matches All Incoming Events", under Routing Options, select the Forward destination that matches destination you created. Then select the 'Forward* Real 17 and 'Drop* options. Save and deploy. Correct Answer: A /Reference: : QUESTION 34 Which function allows a custom event property to be removed from a selected event? A. Anomaly B. Map Event C. False Positive D. Extract Property Correct Answer: D /Reference: : QUESTION 35 Which two authentication methods for the QRadar User Interface are valid? (Choose two.)

19 A. SecureID B. Digital Signatures C. Password Authentication Protocol (PAP) D. Remote Authentication Dial In User Service (RADIUS) E. Terminal Access Controller Access-Control System (TACACS) Correct Answer: DE /Reference: : QUESTION 36 Which three tasks can an administrator perform from the QRadar SIEM reports tab? (Choose three.) A. Brand reports B. Ability to create custom reports C. Ability to create custom compliance templates Real 18 D. Present statistics derived from source IP and destination IP E. Present measurements and statistics derived from real time data F. Present measurements and statisticsderived from events, flows andoffenses Correct Answer: BDF

20 /Reference: : QUESTION 37 What type of users can view all reports that are created by other users? A. Auditors B. Analysts C. Managers D. Administrators Correct Answer: D /Reference: Reference: 01.ibm.com/support/knowledgecenter/SS42VS_7.2.2/com.ibm.qradar.doc_7.2.2/c_qradar_report_ mgt.html?cp=ss42vs_7.2.2%2f QUESTION 38 What does the message in the System Notification Widget on the Dashboard "Disk sentry: System disk usage back to normal levels." tell you? A. One of your File Systems has been reduced to below 92%. B. One of your File Systems has been reduced to below 95%. C. One of your File Systems has been reduced to below 98%. D. One of your File Systems has been reduced to below 90%. Correct Answer: A /Reference: Reference:ftp://public.dhe.ibm.com/software/security/products/qradar/documents/71MR1/SIEM/Co redocs/qradar_71mr1_troubleshootingguide.pdf(page 10) QUESTION 39 Real 19 A QRadar administrator is sizing a distributed deployment. The deployment has approximately 2 million flows per minute (FPM) and needs at least 7 terabytes of storage.

21 Which architecture is correct? A. One 1724 flow processor B. One 1705 flow processor C. Two 1724 flow processors D. Two 1705 flow processors Correct Answer: C /Reference: answer is corrected. QUESTION 40 A customer has a requirement to integrate with QRadar to capture events coming from IBM DB2. Which protocol should an administrator use to integrate Log Enhanced Event format (LEEF) events while configuring Log Sources on QRadar console? A. JDBC B. SNMP C. Syslog D. Log File Correct Answer: C /Reference: : QUESTION 41 There are unknown log records from unsupported security device events in the Log activity tab. You are planning to write an LSX for an unsupported security device type based on UDSM. What is the file format and payload option for exporting the unknown log records? A. XLS and full export B. CSV and full export

22 C. XML and visible column D. PDF and visible column Real 20 Correct Answer: C /Reference: : QUESTION 42 Which command will install the patch after mounting the patch file? A. /media/updates/setup B. /media/updates/installer C. /media/updates/setup -patch D. /media/updates/installer -patch Correct Answer: B /Reference: Reference: QUESTION 43 What does QRadar use to group the event or flow according to the network? A. Network mapping B. Network hierarchy C. Application mapping D. Application hierarchy Correct Answer: A

23 /Reference: : QUESTION 44 Which option will display the rule that triggered an offense from Offense Details screen? A. Display > Rules B. Display > Sources C. Offenses tab > Rules D. Display > Annotations Correct Answer: A /Reference: verified. QUESTION 45 A mail server typically communicates with 50 hosts per second in the middle of the night and then suddenly starts communicating with hosts a second. The administrator wants to get an alert whenever this situation is being observed. Which type of rule should an administrator create to monitor this situation? A. Flow Rule B. Anomaly Rule C. Threshold Rule D. Behavioral Rule Correct Answer: C /Reference: : QUESTION 46 What should be the latency between the primary and secondary HA hosts?

24 A. Less than 1 millisecond B. Less than 2 milliseconds C. Less than 3 milliseconds D. Less than 4 milliseconds Correct Answer: B /Reference: Reference:ftp://public.dhe.ibm.com/software/security/products/qradar/documents/71MR1/SIEM/Co redocs/qradar_71mr1_highavailabilityguide.pdf(page 14, link bandwidth and latency) QUESTION 47 Which two search filters are available on the QRadar console while making an asset search? (Choose two.) Real 22 A. PCI Severity. NERC Severity B. Vulnerability CVSS Base Score. Vulnerability Risk Score C. Vulnerability on Open Port, Vulnerability on Open Service D. Vulnerability on Open Port, Vulnerability External Reference E. Vulnerability on Source Port, Vulnerability on Destination Port Correct Answer: BE /Reference: : QUESTION 48 From the given event payload format:

25 You are tasked with creating a Reference Set of the second IPs in the payload. What needs to be done to complete this task? A. Create a Custom Event Property to parse the second IP in the payload. From the Log Source config for the above event, choose "add to reference set" and select your reference set. B. From the Reference Set Management screen, select "create reference set from Log Source Event". Pick the Log Source from the drop down. Pick the Event Name from the drop down. C. From the Reference Set Management screen, select "create reference set from Log Source Event". Pick the Log Source from the drop down. Pick the Custom Event Property from the drop down. D. Create a Custom Event Property to parse the second IP in the payload. Create a rule that tests for events from the Log Source that is collecting the above event, and for Rule Response add the Custom Event Property to the Reference Set. Correct Answer: A /Reference: : QUESTION 49 What functionalities of QRadar provide the ability to collect, understand, and properly categorize events from external sources? Real 23

26 A. Log sources B. Flow sources C. Syslog sources D. External sources Correct Answer: A /Reference: Reference: collections/jsa-log-source-user-guide.pdf(p. 14, log sources overview) QUESTION 50 What is a benefit of enabling indexes on event properties? A. Improved Offense Correlation B. Improved search performance C. Improved Performance of Custom Rules D. Improved accuracy of auto-discovery log sources Correct Answer: B /Reference: : QUESTION 51 Which IP address of a NATed server is used to access the server from outside the network? A. Public IP address B. Private IP address C. Cluster IP address D. Secondary IP address Correct Answer: A

27 /Reference: : QUESTION 52 You notice the following message in the System Notification Widget on the Dashboard: Real 24 "Unable to automatically detect the associated log source for IP address." When you hover over the message, you see this pop-up message: What is the issue? A. There are events coming from IP that cannot be autodiscovered and a Log Source Created B. There are events coming from IP that cannot be autodiscovered and a Log Source Created C. There are events coming from IP that cannot be autodiscovered and a Log Source Created D. There are events coming from hostname red6.color.com that cannot be autodiscovered and a Log Source Created Correct Answer: C /Reference: : QUESTION 53 Which two proxy options are required to be set when using a Proxy Server for Auto Updates in QRadar? (Choose two.) A. Proxy Type B. Proxy Name

28 C. Proxy Schedule D. Proxy Server URL E. Proxy Port number Correct Answer: BD /Reference: : QUESTION 54 Real 25 What does Server discovery allow the QRadar administrator to do? A. Discover B. Define rules for hosts C. Create host searches D. Populate host definition building blocks Correct Answer: A /Reference: Reference: pdf(page 21, see the table, first row, second column, second bulleted point) Real 26 QUESTION 55 The following message is displayed in the System Notification Widget on the Dashboard:

29 Which script should be run to help determine the cause of the dropped events? A. /opt/qradar/support/dumpgvdata.sh B. /opt/qradar/support/dumpdsminfo.sh C. /opt/qradar/support/cleanassetmodel.sh D. /opt/qradar/support/findexpensivecustomrules.sh Correct Answer: D /Reference: : QUESTION 56 What is used to collect netflow and jflow traffic in a QRadar Distributed Deployment? A. QRadar 3105 Console B. QRadar 1705 Processor C. QRadar 1605 Processor D. QRadar 700 Risk Manager Correct Answer: A /Reference: Reference: 3) QUESTION 57 What should the format of a CSV file be while importing assets on the QRadar console?

30 A. ip,portweight,description B. ip,name,weightmagnitude C. ip.name.weight.description D. ip.name.severity.description Real 2 Correct Answer: C /Reference: Reference: for name, weight, description) QUESTION 58 Which option needs to be specified in the syslinux configuration file to reinstall an IBM QRadar appliance via serial port from an USB flash-drive? A. USB to serial B. Default serial C. Serial to USB D. serial redirect Correct Answer: B /Reference: Reference:ftp://ftp.software.ibm.com/software/security/products/qradar/documents/7.2.0/QLM/EN/ USB_Installation.pdf(page 5) QUESTION 59 With a Data Deletion Policy of "When storage is required", data will remain in storage until which scenario is reached? A. If used disk space reaches 88% for records and 85% for payloads. B. If used disk space reaches 85% for records and 88% for payloads. C. If used disk space reaches 85% for records and 83% for payloads. D. If used disk space reaches 83% for records and 85% for payloads. Correct Answer: C

31 /Reference: Reference: guide.pdf(page 85, see the table, 5throw, second column, first bulleted point) QUESTION 60 Which two actions can be selected from the license drop-down in the system and license management screen when working with a new license? (Choose two.) Real 3 A. Apply license B. Upload license C. Allocate license to system D. Allocate system to license E. Register system to license Correct Answer: AC /Reference: : QUESTION 61 How frequently does the Automated Update Process run if Configuration files are updated on Primary and then Deploy Changes is not performed, and the updates are made on the Secondary host through an Automated Update Process? A. Every 10 minutes B. Every 15 minutes C. Every 30 minutes D. Every 60 minutes Correct Answer: D /Reference:

32 Reference: pdf(page 68, see the second note) QUESTION 62 What two are valid actions that a user can perform when monitoring offenses? (Choose two.) A. Import offenses B. Backup offenses C. Restore offenses D. Send notifications E. Hide or close an offense from any offense list Correct Answer: BE /Reference: answer is up-to-date. QUESTION 63 Real 4 What is a valid QVM scan status? A. Active B. Paused C. Scanning D. Complete Correct Answer: A /Reference: : QUESTION 64 Which NetFlow versions does QRadar SIEM support?

33 A. 1,2,3, and 4 B. 1,4,7, and 9 C. 1,3,5,and 9 D. 1,5,7,and 9 Correct Answer: D /Reference: Reference: 01.ibm.com/support/knowledgecenter/SS42VS_7.2.1/com.ibm.qradar.doc_7.2.1/c_qradar_adm_n etflow.html(second para, first sentence)