C _LeanderJan_176Q_ Exam code: C Exam Name: IBM Security Qradar SIEM Implementation v Version 14.


C _LeanderJan_176Q_
Number: C
Passing Score: 800
Time Limit: 120 min
File Version: 14.0
Exam code: C
Exam Name: IBM Security QRadar SIEM Implementation v
Version 14.0

QUESTION 1
The following message is displayed in the System Notification Widget on the Dashboard:
Which script should be run to help determine the cause of the dropped events?
A. /opt/qradar/support/dumpgvdata.sh
B. /opt/qradar/support/dumpdsminfo.sh
C. /opt/qradar/support/cleanassetmodel.sh
D. /opt/qradar/support/findexpensivecustomrules.sh
Correct Answer: D

QUESTION 2
What is used to collect netflow and jflow traffic in a QRadar Distributed Deployment?
A. QRadar 3105 Console
B. QRadar 1705 Processor
C. QRadar 1605 Processor
D. QRadar 700 Risk Manager
Correct Answer: A

Reference: (page 3)

QUESTION 3
What should the format of a CSV file be while importing assets on the QRadar console?
A. ip,portweight,description
B. ip,name,weightmagnitude
C. ip.name.weight.description
D. ip.name.severity.description
Correct Answer: C
Reference: (search for name, weight, description)

QUESTION 4
Which option needs to be specified in the syslinux configuration file to reinstall an IBM QRadar appliance via serial port from a USB flash drive?
A. USB to serial
B. Default serial
C. Serial to USB
D. serial redirect
Correct Answer: B
Reference: ftp://ftp.software.ibm.com/software/security/products/qradar/documents/7.2.0/qlm/en/usb_installation.pdf (page 5)

QUESTION 5
There is a Data Deletion Policy of "When storage is required." Data will remain in storage until which scenario is reached?
A. If used disk space reaches 88% for records and 85% for payloads.

B. If used disk space reaches 85% for records and 88% for payloads.
C. If used disk space reaches 85% for records and 83% for payloads.
D. If used disk space reaches 83% for records and 85% for payloads.
Correct Answer: C
Reference: guide.pdf (page 85, see the table, 5th row, second column, first bulleted point)

QUESTION 6
Which two actions can be selected from the license drop-down in the system and license management screen when working with a new license? (Choose two.)
A. Apply license
B. Upload license
C. Allocate license to system
D. Allocate system to license
E. Register system to license
Correct Answer: AC

QUESTION 7
How frequently does the Automated Update Process run if Configuration files are updated on Primary and then Deploy Changes is not performed, and the updates are made on the Secondary host through an Automated Update Process?

A. Every 10 minutes
B. Every 15 minutes
C. Every 30 minutes
D. Every 60 minutes
Correct Answer: D
Reference: (page 68, see the second note)

QUESTION 8
Which two are valid actions that a user can perform when monitoring offenses? (Choose two.)
A. Import offenses
B. Backup offenses
C. Restore offenses
D. Send notifications
E. Hide or close an offense from any offense list
Correct Answer: BE

QUESTION 9
What is a valid QVM scan status?
A. Active
B. Paused
C. Scanning
D. Complete

Correct Answer: A

QUESTION 10
Which NetFlow versions does QRadar SIEM support?
A. 1, 2, 3, and 4
B. 1, 4, 7, and 9
C. 1, 3, 5, and 9
D. 1, 5, 7, and 9
Correct Answer: D
Reference: 01.ibm.com/support/knowledgecenter/SS42VS_7.2.1/com.ibm.qradar.doc_7.2.1/c_qradar_adm_netflow.html (second para, first sentence)

QUESTION 11
How do you view Raw Events on the Log Activity tab?
A. Select "Raw Events" from the View list box
B. Select "Raw Events" from the Actions list box
C. Select "Raw Events" from the Display list box
D. Select "Raw Events" from the Quick Searches list box
Correct Answer: C
Reference: ftp://ftp.software.ibm.com/software/security/products/qradar/documents/71mr1/logmgr/lm-71MR1-Usersguide.pdf (page 33)

QUESTION 12
There is a requirement at the customer site to double the default QFlow Maximum Content Capture size. What would be the resulting packet size?
A. 64 bytes
B. 128 bytes
C. 256 bytes
D bytes
Correct Answer: B

QUESTION 13
What is the result when adding host definition building blocks to QRadar?
A. Creates Offenses
B. Reduces false positives
C. Makes searches run faster
D. Authorizes QRadar Services
Correct Answer: B

QUESTION 14
What is used to collect netflow and jflow traffic in a QRadar Distributed Deployment?
A. QRadar 3124 Console
B. QRadar 1624 Processor
C. QRadar 1724 Processor
D. QRadar 700 Risk Manager

Correct Answer: A

QUESTION 15
What will be restored when restoring event data or flow data for a particular period to a MH?
A. Only data sent to the console for that time period is restored to the MH.
B. Only event data or flow data for the MH being restored will be restored to that MH.
C. Only data that was accumulated for reports and searches will be restored to the MH.
D. All data for all MHs for a specific time period is restored to its respective hosts in the deployment.
Correct Answer: B

QUESTION 16
Where do you save the "Login Message File" on the system when setting up a banner message for the authentication page?
A. /opt/qradar/conf/
B. /opt/qradar/www
C. /opt/tomcat/conf/
D. /opt/qradar/webapps
Correct Answer: A
Reference: file:///users/imac/downloads/qradar_721_adminguide.pdf (page 90, see the table, last row, second column)

QUESTION 17

Which network monitoring port does Cisco NetFlow require to be configured in QRadar?
A. Port 514
B. Port 161
C. Port 2055
D. Port 8080
Correct Answer: C
Reference: 01.ibm.com/support/knowledgecenter/SS42VS_7.2.3/com.ibm.qradar.doc_7.2.3/c_qradar_adm_flow_source_ovrvw.html

QUESTION 18
A QRadar administrator needs to tune the system by enabling or disabling the appropriate rules in order to ensure that the QRadar console generates meaningful offenses for the environment. Which role permission is required for enabling and disabling the rule?
A. Offenses > Maintain CRE Rules
B. Offenses > Toggle Custom Rules
C. Offenses > Manage Custom Rules
D. Offenses > Maintain Custom Rules
Correct Answer: C

QUESTION 19
Which operating system is supported for creating a bootable flash drive for recovery?
A. Cisco IOS
B. Florida Linux
C. Debian Linux
D. RedHat Linux

Correct Answer: D

QUESTION 20
Which three graph types are available for QRadar Log Manager reports? (Choose three.)
A. Pie graph
B. Histogram
C. Bar graph
D. Trivial graph
E. Stacked bar graph
F. Stacked table graph
Correct Answer: ACF
Reference: user-guide.pdf (page 18)

QUESTION 21
Which line color inside the deployment editor signals that encrypted communication has been selected for the managed hosts in a distributed environment?
A. Blue
B. Grey
C. Black
D. Yellow
Correct Answer: A

QUESTION 22
A QRadar SIEM administrator wants to create a Flow Rule that includes a building block definition (BB) that includes applications that indicate communication with file sharing sites. In which group will the administrator find this specified building block?
A. Policy
B. Host Definitions
C. Network Definition
D. Category Definitions
Correct Answer: B

QUESTION 23
Which character is used for naming subgroups when using the option Add Group in the Network Hierarchy editor?
A. + (plus)
B. . (period)
C. \ (backslash)
D. / (forward slash)
Correct Answer: B

QUESTION 24
Which expression imports all xml files in the report directory if the administrator is configuring a Nessus Scanner?
A. \xml
B. 'xml'
C. *\.xml
D. */.xml

Correct Answer: C
Reference: ftp://public.dhe.ibm.com/software/security/products/qradar/documents/71mr1/siem/coredocs/ManagingVAGuide-71MR1.pdf (page 14)

QUESTION 25
Which two file systems does QRadar support for offboard storage partitions? (Choose two.)
A. XFS
B. Btrfs
C. F2FS
D. EXT4
E. NTFS
Correct Answer: AD
Reference: collections/jsa-configuring-offboard-storage.pdf (page 17)

QUESTION 26
Assuming a Squid Proxy has logs in the following format:
Time elapsed remotehost code/status bytes method URL rfc931 peerstatus/peerhost type
And these are some sample logs from a Squid server:

Which regular expression would you use to pull out the bytes field into a custom property?
A. \w+/\d+\s+(\d+)\s+
B. \w+/\d+\s+(\d+)\s+
C. \w+/\d+\s+(\d+)\s+
D. \w+/\d+\s+(\d+)\s+
Correct Answer: A

QUESTION 27
Which Permission Precedence should be applied to the user's security profile assuming the administrators only want the group to have access to Windows events and flows and not events from other networks?
A. No Restrictions
B. Log Sources Only
C. Networks OR Log Sources
D. Networks AND Log Sources
Correct Answer: D

QUESTION 28
On the QRadar console you have received notification that CVE ID: CVE is being actively used. What search parameter should you select from the list of search parameters in this situation?
A. Collateral Damage Reference
B. Vulnerability External Reference
C. Vulnerability Information System
D. Vulnerability Internal System Reference
Correct Answer: C
Reference: ftp://ftp.software.ibm.com/software/security/products/qradar/documents/7.2.1/qradar/en/b_qradar_gs_guide.pdf (page 250

QUESTION 29
Which two statements are true regarding QRadar Log Sources and DSMs? (Choose two.)
A. One log source must have one DSM.
B. One DSM must have many log sources.
C. One log source must have many DSMs.
D. One DSM can have only one log source.
E. One DSM can be used in many log sources.
Correct Answer: CE

QUESTION 30

What are the two expected Host Statuses after HA setup if the initial synchronization is complete? (Choose two.)
A. Primary: Active
B. Primary: Offline
C. Secondary: Failed
D. Secondary: Active
E. Secondary: Standby
F. Primary: Synchronizing
Correct Answer: AE

QUESTION 31
Which default flow source is included in the QRadar SIEM?
A. IPFIX
B. jflow
C. QFlow
D. NetFlow
Correct Answer: D
Reference: 01.ibm.com/support/knowledgecenter/SS42VS_7.2.3/com.ibm.qradar.doc_7.2.3/c_qradar_adm_flow_source_ovrvw.html

QUESTION 32
You have created an LSX log parser document to process the unknown log events from your unsupported log source. The events are coming up with Log source type GenericDSM and the correct Log Source Event ID. What is the next step in this process?

A. Create the high level and low level categories from the map id action
B. Map the custom log records to existing QRadar high level and low level categories
C. Create the high level and low level categories from the Rules section in the Offense tab
D. Run the qidmap.pl script to create high level and low level categories from the command line
Correct Answer: B

QUESTION 33
In which two ways can an administrator view all the events that are related to an offense from the Offense Details screen? (Choose two.)
A. Top 5 Source IPs section
B. Click on Display > Sources
C. Click on Display > Destinations
D. Click on Event/Flow Count field's Events link
E. Click on Events button in Last 10 Events section
Correct Answer: BD

QUESTION 34
Which tab in the QRadar web console allows flows to be monitored and investigated?

A. Admin
B. Assets
C. Offenses
D. Network Activity
Correct Answer: D

QUESTION 35
An off-site source can connect to which component?
A. Flow collector
B. Event collector
C. Flow processor
D. Event processor
Correct Answer: B

Reference: 01.ibm.com/support/knowledgecenter/SS42VS_7.2.1/com.ibm.qradar.doc_7.2.1/c_qradar_adm_qradar_siem_component.html?cp=ss42vs_7.2.1%2f &lang=fr (see off-site source)

QUESTION 36
Which two fields are required to be filled out when adding a new network to the network hierarchy? (Choose two.)
A. Weight
B. IP and CIDR
C. Capture Filter
D. Flow Source Interface
E. Flow Retention Length
Correct Answer: BD

QUESTION 37
A user of QRadar wishes to have a report showing the number of bytes per packet they see with their flows. The user decides to create a Custom Flow Property for this application. Which type of custom property is required for this to be accomplished?
A. Regex Custom Property
B. Advanced Custom Property
C. Computation Custom Property
D. Calculation Based Custom Property
Correct Answer: A

QUESTION 38
Which attribute is valid when defining the user roles to provide the necessary access?
A. Admin: System Administrator
B. Log Activity: View Custom Rules
C. Log Activity: Manage Time Series
D. Network Activity: Maintain custom Rules
Correct Answer: A

QUESTION 39
Which configuration window defines the maximum number of TCP syslog connections?
A. Log Sources
B. System Setting
C. Console Setting
D. Deployment Editor
Correct Answer: D

QUESTION 40
A customer has log files from Windows-based systems and wants to push those logs to the QRadar console. What options should the customer use in WinCollect to collect and forward these logs?
A. File Forwarder
B. Flow Forwarder

C. Event Forwarder
D. Windows-based Event Log Forwarder
Correct Answer: C

QUESTION 41
What is the minimum bandwidth needed between the primary and secondary HA host?
A. 1 gigabit per second (Gbps)
B. 2 gigabits per second (Gbps)
C. 3 gigabits per second (Gbps)
D. 4 gigabits per second (Gbps)
Correct Answer: A
Reference: ftp://ftp.software.ibm.com/software/security/products/qradar/documents/71mr1/siem/coredocs/qradar_71mr1_highavailabilityguide.pdf (page 9)

QUESTION 42
Which directory from the QRadar host can be moved to offboard storage?
A. /var
B. /store
C. /home
D. /media
Correct Answer: B

QUESTION 43
You have been asked to forward all event logs from QRadar to another central syslog server with the IP of You also want the events to be processed by the CRE, but not stored on the system. What will allow you to do this process?
A. Add a Routing Rule that under Current Filters "Matches All Incoming Events", under Routing Options, add a Forwarding destination for with the "Raw Event" format. Then select the 'Forward' and 'Drop' options. Save and deploy.
B. Add a Routing Rule that, under Current Filters "Matches All Incoming Events", under Routing Options, add a Forwarding destination for with the "Normalized Event" format. Then select the 'Forward' and 'Drop' options. Save and deploy.
C. Add a forwarding Destination for with the "Raw Event" format. Then add a Routing Rule that, under Current Filters "Matches All Incoming Events", under Routing Options, select the Forward destination that matches destination you created. Then select the 'Forward' and 'Drop' options. Save and deploy.
D. Add a forwarding Destination for with the "Normalized Event" format. Then add a Routing Rule that, under Current Filters "Matches All Incoming Events", under Routing Options, select the Forward destination that matches destination you created. Then select the 'Forward' and 'Drop' options. Save and deploy.
Correct Answer: A

QUESTION 44
Which function allows a custom event property to be removed from a selected event?
A. Anomaly
B. Map Event
C. False Positive
D. Extract Property
Correct Answer: D

QUESTION 45
Which two authentication methods for the QRadar User Interface are valid? (Choose two.)
A. SecureID
B. Digital Signatures
C. Password Authentication Protocol (PAP)
D. Remote Authentication Dial In User Service (RADIUS)
E. Terminal Access Controller Access-Control System (TACACS)
Correct Answer: DE

QUESTION 46
Which three tasks can an administrator perform from the QRadar SIEM reports tab? (Choose three.)
A. Brand reports
B. Ability to create custom reports
C. Ability to create custom compliance templates
D. Present statistics derived from source IP and destination IP
E. Present measurements and statistics derived from real time data
F. Present measurements and statistics derived from events, flows and offenses
Correct Answer: BDF

QUESTION 47
What type of users can view all reports that are created by other users?
A. Auditors

B. Analysts
C. Managers
D. Administrators
Correct Answer: D
Reference: 01.ibm.com/support/knowledgecenter/SS42VS_7.2.2/com.ibm.qradar.doc_7.2.2/c_qradar_report_mgt.html?cp=ss42vs_7.2.2%2f

QUESTION 48
What does the message in the System Notification Widget on the Dashboard "Disk sentry: System disk usage back to normal levels." tell you?
A. One of your File Systems has been reduced to below 92%.
B. One of your File Systems has been reduced to below 95%.
C. One of your File Systems has been reduced to below 98%.
D. One of your File Systems has been reduced to below 90%.
Correct Answer: A
Reference: ftp://public.dhe.ibm.com/software/security/products/qradar/documents/71mr1/siem/coredocs/QRadar_71MR1_TroubleshootingGuide.pdf (page 10)

QUESTION 49
A QRadar administrator is sizing a distributed deployment. The deployment has approximately 2 million flows per minute (FPM) and needs at least 7 terabytes of storage. Which architecture is correct?
A. One 1724 flow processor
B. One 1705 flow processor
C. Two 1724 flow processors
D. Two 1705 flow processors

Correct Answer: C

QUESTION 50
A customer has a requirement to integrate with QRadar to capture events coming from IBM DB2. Which protocol should an administrator use to integrate Log Enhanced Event format (LEEF) events while configuring Log Sources on QRadar console?
A. JDBC
B. SNMP
C. Syslog
D. Log File
Correct Answer: C

QUESTION 51
There are unknown log records from unsupported security device events in the Log activity tab. You are planning to write an LSX for an unsupported security device type based on UDSM. What is the file format and payload option for exporting the unknown log records?
A. XLS and full export
B. CSV and full export
C. XML and visible column
D. PDF and visible column
Correct Answer: C

QUESTION 52
Which command will install the patch after mounting the patch file?
A. /media/updates/setup
B. /media/updates/installer
C. /media/updates/setup -patch
D. /media/updates/installer -patch
Correct Answer: B

QUESTION 53
What does QRadar use to group the event or flow according to the network?
A. Network mapping
B. Network hierarchy
C. Application mapping
D. Application hierarchy
Correct Answer: A

QUESTION 54
Which option will display the rule that triggered an offense from Offense Details screen?
A. Display > Rules
B. Display > Sources
C. Offenses tab > Rules
D. Display > Annotations

Correct Answer: A

QUESTION 55
A mail server typically communicates with 50 hosts per second in the middle of the night and then suddenly starts communicating with 1,000 hosts a second. The administrator wants to get an alert whenever this situation is being observed. Which type of rule should an administrator create to monitor this situation?
A. Flow Rule
B. Anomaly Rule
C. Threshold Rule
D. Behavioral Rule
Correct Answer: C

QUESTION 56
What should be the latency between the primary and secondary HA hosts?
A. Less than 1 millisecond
B. Less than 2 milliseconds
C. Less than 3 milliseconds
D. Less than 4 milliseconds
Correct Answer: B

Reference: ftp://public.dhe.ibm.com/software/security/products/qradar/documents/71mr1/siem/coredocs/QRadar_71MR1_HighAvailabilityGuide.pdf (page 14, link bandwidth and latency)

QUESTION 57
Which two search filters are available on the QRadar console while making an asset search? (Choose two.)
A. PCI Severity. NERC Severity
B. Vulnerability CVSS Base Score. Vulnerability Risk Score
C. Vulnerability on Open Port, Vulnerability on Open Service
D. Vulnerability on Open Port, Vulnerability External Reference
E. Vulnerability on Source Port, Vulnerability on Destination Port
Correct Answer: BE

QUESTION 58
From the given event payload format:
You are tasked with creating a Reference Set of the second IPs in the payload. What needs to be done to complete this task?
A. Create a Custom Event Property to parse the second IP in the payload. From the Log Source config for the above event, choose "add to reference set" and select your reference set.
B. From the Reference Set Management screen, select "create reference set from Log Source Event". Pick the Log Source from the drop down. Pick the Event Name from the drop down.
C. From the Reference Set Management screen, select "create reference set from Log Source Event". Pick the Log Source from the drop down. Pick the Custom Event Property from the drop down.

D. Create a Custom Event Property to parse the second IP in the payload. Create a rule that tests for events from the Log Source that is collecting the above event, and for Rule Response add the Custom Event Property to the Reference Set.
Correct Answer: A

QUESTION 59
What functionalities of QRadar provide the ability to collect, understand, and properly categorize events from external sources?
A. Log sources
B. Flow sources
C. Syslog sources
D. External sources
Correct Answer: A
Reference: collections/jsa-log-source-user-guide.pdf (p. 14, log sources overview)

QUESTION 60
What is a benefit of enabling indexes on event properties?
A. Improved Offense Correlation
B. Improved search performance
C. Improved Performance of Custom Rules

D. Improved accuracy of auto-discovery log sources
Correct Answer: B

QUESTION 61
Which IP address of a NATed server is used to access the server from outside the network?
A. Public IP address
B. Private IP address
C. Cluster IP address
D. Secondary IP address
Correct Answer: A

QUESTION 62
You notice the following message in the System Notification Widget on the Dashboard: "Unable to automatically detect the associated log source for IP address."
When you hover over the message, you see this pop-up message:
What is the issue?

A. There are events coming from IP that cannot be autodiscovered and a Log Source Created
B. There are events coming from IP that cannot be autodiscovered and a Log Source Created
C. There are events coming from IP that cannot be autodiscovered and a Log Source Created
D. There are events coming from hostname red6.color.com that cannot be autodiscovered and a Log Source Created
Correct Answer: B

QUESTION 63
Which two proxy options are required to be set when using a Proxy Server for Auto Updates in QRadar? (Choose two.)
A. Proxy Type
B. Proxy Name
C. Proxy Schedule
D. Proxy Server URL
E. Proxy Port number
Correct Answer: DE
Reference: Correct Answers: Proxy Server, Proxy Port, Proxy Username and Proxy Password.

QUESTION 64
What does Server discovery allow the QRadar administrator to do?
A. Discover
B. Define rules for hosts
C. Create host searches
D. Populate host definition building blocks
Correct Answer: A

Reference: (page 21, see the table, first row, second column, second bulleted point)

QUESTION 65
Which statement is true with regard to planning QRadar SIEM high availability?
A. The secondary host can be in a different subnet than the primary host.
B. The secondary HA host that you want to add to the HA cluster can be a component in another HA cluster.
C. The secondary HA host that you want to add to the HA cluster must be a component in another HA cluster.
D. When the IP address of the primary host is reassigned as a cluster virtual IP, the new IP address that you assign to the primary must be in the same subnet.
Correct Answer: D

QUESTION 66
Which two fields are required to be filled out when adding a new network to the network hierarchy? (Choose two.)
A. Name
B. Country
C. IP and CIDR
D. Target Flow Collector
E. Maximum Content Capture
Correct Answer: AC
Reference: Correct Answers: Name, Description, Group, IP/CIDR(s)

QUESTION 67

There are unknown log records from unsupported security device events in the Log activity tab. You are planning to write an LSX for an unsupported security device type based on UDSM. What is the file format for exporting the unknown log records?
A. CSV
B. PDF
C. XLS
D. Text
Correct Answer: A

QUESTION 68
IBM Security QRadar SIEM can be forced to run an instant configuration backup by selecting which option?
A. Backup Now
B. On Demand Backup
C. Launch On Demand Backup
D. Configure On Demand Backup
Correct Answer: B

QUESTION 69
Which attribute is valid when defining the user roles to provide the necessary access?
A. Reports: Maintain Templates
B. Network Activity: View Custom Rules
C. Network Activity: Manage Times Series
D. Log Activity: User Defined Event Properties

Correct Answer: D

QUESTION 70
Which action can be performed on a license key?
A. Reuse allocation of a license
B. Revert allocation of a license
C. Revoke allocation of a license
D. Recover allocation of license
Correct Answer: B

QUESTION 71
What does the message in the System Notification Widget on the Dashboard "Disk Sentry: Disk Usage exceeded max threshold" tell you?
A. One of your File Systems has exceeded 92%.
B. One of your File Systems has exceeded 95%.
C. One of your File Systems has exceeded 98%.
D. One of your File Systems has exceeded 90%.
Correct Answer: B
Reference: Source: IBM QRadar Tuning and Troubleshooting Guide - Disk usage warning - Page

QUESTION 72

From which screen can a Secondary Host be added to an HA host?
A. Admin -> System Settings
B. Admin -> Deployment Editor
C. Admin -> Store and Forward
D. Admin -> System and License Management
Correct Answer: D

QUESTION 73
Which QRadar component requires the use of a NAPATECH card?
A. QRadar 3105 Console
B. QRadar 1705 Processor
C. QRadar 1605 Processor
D. QRadar QFlow Collector 1310
Correct Answer: D
Reference: Correct Answers: QFlow 1202, QFlow 1301 and QFlow
Source: IBM QRadar Hardware Guide - Appliance Specifications Page 23.

QUESTION 74
Which line color inside the deployment editor signals that encrypted communication has been selected for the managed hosts in a distributed environment?
A. Red
B. Blue
C. Black
D. Green

Correct Answer: B
Reference: The answer is either Black or Blue.
WARNING: The answer in this question is NOT sure correct! Don't take the risk, verify the correct answer!

QUESTION 75
What is used to define the server types in the server discovery screen?
A. Ports
B. Hostname
C. Mac address
D. IP addresses
Correct Answer: A

QUESTION 76
A QRadar administrator is sizing a distributed deployment. The deployment has approximately 1.5 gigabytes of sustained throughput of traffic on a network tap. The network tap is a copper connection.
A. Qflow Collector 1310
B. Qflow Collector 1202
C. Qflow Collector 1201
D. Qflow Collector 1301
Correct Answer: B

QUESTION 77
Which option on the Reports tab allows you to import logos and specific images for use on reports?
A. Design
B. Images
C. Branding
D. Customization
Correct Answer: C

QUESTION 78
What is the command to mount the Patch file 721_QRadar_patchupdate sfs in QRadar 7.2.1?
A. mount -o loop /media/updates 721_QRadar_patchupdate sfs
B. mount -o squashfs -t loop 721_QRadar_patchupdate sfs /media/updates
C. mount -o loop /media/updates -t squashfs 721_QRadar_patchupdate sfs
D. mount -o loop -t squashfs 721_QRadar_patchupdate sfs /media/updates/
Correct Answer: D
Reference: Source: IBM Knowledge Center > Upgrading QRadar products

QUESTION 79
A customer is getting sufficient detection of proxy servers and the customer wants to tune the building block "Default--BB-Host-Definition: Proxy Servers". Which test in the "Default-BB-Host Definition: Proxy Servers" building block needs to be edited for tuning?
A. Edit the "and when the destination IP is one of the following" test to include the IP addresses

B. Edit the "and when the source or destination network is one of the following" test to include the network
C. Edit the "and when the source IP is one of the following" test to include the IP addresses of the proxy servers
D. Edit the "and when either the source or destination IP is one of the following" test to include the IP addresses of the proxy servers
Correct Answer: D

QUESTION 80
What indicates if an offense is flagged for follow-up?
A. A flag in the Flag column
B. Follow-up System Notification
C. Follow-up notification from that offense
D. A flag in Offense Note indicating follow-up required
Correct Answer: D

QUESTION 81
Which option is used to set the Secondary host to an active state?
A. Click on Primary, then click on High Availability > Set System Offline
B. Click on Secondary, then click on High Availability > Restore System
C. Click on Secondary, then click on High Availability > Set System Online
D. Click on HA Cluster, then click on High Availability > Set System Offline
Correct Answer: C

QUESTION 82
Where does the information about total number of Assets and Vulnerability processed appear?
A. Asset table in Assets tab
B. VA Scanner Configuration screen
C. Vulnerabilities Tab > Scan Result
D. Mouse Over popup on Schedule Scan Status field
Correct Answer: C

QUESTION 83
Which user account in the QRadar host must be used to configure offboard storage?
A. Root
B. Admin
C. Storage
D. Administrator
Correct Answer: A

QUESTION 84
What does My Offenses display?
A. Offenses closed by the user
B. Offenses assigned to the user
C. Offenses protected by the user
D. Offenses triggered by rules created by the user

Correct Answer: B

QUESTION 85
Where is an address from which you want to receive alerts on QRadar SIEM located?
A. Admin > System settings > Alert From Address
B. Admin > Console settings > Alert From Address
C. Admin > System settings > Administrative Address
D. Admin > Console settings > Administrative Address
Correct Answer: A

QUESTION 86
Which sampling technology provides continuous monitoring of application level traffic flows on all interfaces simultaneously?
A. Sflow
B. J-flow
C. Packeteer
D. Flowlog file
Correct Answer: A

QUESTION 87

What is used to collect security events in a QRadar Distributed Deployment?
A. QRadar 3105 Console
B. QRadar 1705 Processor
C. QRadar 1605 Processor
D. QRadar 1201 QFlow Collector
Correct Answer: D

QUESTION 88
What is required to allow authentication to work properly when using a vendor authentication module like Active Directory?
A. Authentication Bind password
B. An SSH tunnel between QRadar and the authentication server
C. QRadar and the authentication server must be on the same subnet
D. Time Synchronization between QRadar and the authentication server
Correct Answer: D

QUESTION 89
Which text box allows you to search event and flow payloads using a text string?

A. Display
B. Add Filter
C. Quick Filter
D. Save Criteria
Correct Answer: C

QUESTION 90
Which two types are available for the graph type "horizontal bar" on QRadar? (Choose two.)
A. Top Source IPs
B. Top Source Ports
C. Top Login Failures
D. Top Destination IPs
E. Top Destination Ports
Correct Answer: AD

QUESTION 91
What defines the maximum number of objects in network hierarchy?
A. QRadar patch level
B. QRadar license key
C. QRadar release level
D. QRadar activation key
Correct Answer: A

QUESTION 92
An off-site source can be connected to which component?
A. QFlow
B. Event Collector
C. Flow Processor
D. Event Processor
Correct Answer: B

QUESTION 93
What is the benefit of enabling indexes on event properties?
A. Decreased disk usage
B. Improved report accuracy
C. Improved search performance
D. Improved performance for regular expression patterns
Correct Answer: C

QUESTION 94
Given QRadar network hierarchy defined as /23 for the CIDR network , what is the customer's network IP range?

A B C D
Correct Answer: A
/Reference: The answer is Network: CIDR Notation: /23 Subnet Mask: Broadcast:

QUESTION 95
How many streaming events per second can be displayed before being accumulated in a result buffer?
A. 30 results per second
B. 40 results per second
C. 50 results per second
D. 60 results per second
Correct Answer: B
/Reference:

QUESTION 96
Which tab in the QRadar web console allows events to be monitored and investigated?
A. Admin
B. Offenses
C. Forensics
D. Log Activity

Correct Answer: D
/Reference:

QUESTION 97
A customer wants to detect users that logged in from IP addresses in different locations simultaneously. How can the customer achieve this using the QRadar console?
A. Create a rule to test for login failures from different country within 15 minutes
B. Create a rule to check for a local login within corporate network and simultaneous remote login
C. Create a rule to test for 2 or more logins from VPN or AD from different countries within 15 minutes
D. Create an offense to test for 2 or more logins from VPN or AD from different countries within 15 minutes
Correct Answer: D
/Reference: WARNING: The answer in this question is NOT sure correct! Don't take the risk, verify the correct answer!

QUESTION 98
Which flow source is sampled?
A. sflow
B. PCAP
C. QFlow
D. Flow log file
Correct Answer: A
/Reference:

QUESTION 99
Assuming a Squid Proxy has logs in the following format:
time elapsed remotehost code/status bytes method URL rfc931 peerstatus/peerhost type
And these are some sample logs from Squid server:
TCP_MISS/ GET image/jpeg TCP_MISS/ POST - DIRECT/ application/xml TCP_MISS/ GET - DIRECT/ text/html TCP_IMS_HIT/ GET - NONE/-text/html
Which regular expression would you use to pull out the bytes field into custom property?
A. \w+/\d+\s+(\d+)\s+(post GET)
B. \w+/\d+\s+(\d+)\s+(post GET)
C. \w+/\d+\s+(\d+)\s+^(post GET)
D. \W+/\D+\D+(\D+)\D+(POST GET)
Correct Answer: A
/Reference: WARNING: The answer in this question is NOT sure correct! Don't take the risk, verify the correct answer!

QUESTION 100
Which tab can be used to create, edit, distribute and manage reports?
A. Admin
B. Assets
C. Reports
D. Dashboard
Correct Answer: C
/Reference:

QUESTION 101
Which operating system is supported for creating a bootable flash drive for recovery?
A. IBM AIX
B. MAC OS X
C. Ubuntu Linux
D. Windows OS
Correct Answer: D
/Reference: Correct Answers:
* Red Hat Enterprise Linux 6.5 (Santiago)
* Microsoft Windows Vista
* Microsoft Windows 7
* Microsoft Windows 2008
* Microsoft Windows 2008 R2
Note: Ubuntu/Debian is NOT supported

QUESTION 102
A QRadar administrator is sizing a distributed deployment. The deployment has approximately 25,000 events per second and needs at least 7 terabytes of storage. Which architecture is correct?
A. One 1605 event processor
B. One 1624 event processor
C. Two 1605 event processors
D. Two 1624 event processors
Correct Answer: C

/Reference: Answer: Either Two or One 1605 event processor. Verify the correct answer.

QUESTION 103
Which TCP port must be open to allow communication between the primary and secondary HA hosts?
A B C D
Correct Answer: C
/Reference:

QUESTION 104
Which offboard storage solution utilizes ethernet infrastructure rather than a dedicated SAN network?
A. FTP
B. NFS
C. iSCSI
D. Fibre Channel
Correct Answer: C
/Reference:

QUESTION 105
Which proxy option can be set in the QRadar Auto Update Advanced settings?
A. Proxy Type

B. Proxy Name
C. Proxy Schedule
D. Proxy Password
Correct Answer: D
/Reference: Correct Answers: Proxy Server, Proxy Port, Proxy Username and Proxy Password.

QUESTION 106
A user of QRadar wishes to have a report showing the total bytes seen on their Internet connection. The user decides to create a Custom Flow Property to add the bytes sent and bytes received together. Which type of custom property is required for this to be accomplished?
A. Regex Custom Property
B. Computed Custom Property
C. Arithmetic Based Custom Property
D. Calculation Based Custom Property
Correct Answer: A
/Reference:

QUESTION 107
Which Security Profile Permission Precedence should be applied so the users of that profile can only see the flows related to the "Windows Servers" network?
A. Network Only
B. No Restrictions
C. Log Sources Only
D. Network AND Log Source
Correct Answer: A

/Reference: WARNING: The answer in this question is NOT sure correct! Don't take the risk, verify the correct answer!

QUESTION 108
Which feature of QRadar is used for correlation purposes to help reduce false positives?
A. Flow information
B. Events information
C. Asset port information
D. Asset profile information
Correct Answer: D
/Reference:

QUESTION 109
A customer has developed a custom Universal Device Support Module (uDSM) for an unsupported device. The customer wants to parse Device Time field which is not in standard format. Which parameter should an administrator define in the LSX template in this situation?
A. ext-time
B. ext-date
C. ext-data
D. ext-devicedate
Correct Answer: C
/Reference: Source: IBM Security QRadar SIEM Version MR1 - Log Sources User Guide - Page 71 - DeviceTime

QUESTION 110

Which two types of charts are available on QRadar SIEM Report editor? (Choose two.)
A. Top Events
B. Top Source IPs
C. Top Login Failures
D. Top Destination IPs
E. Top Access Failures
Correct Answer: BD
/Reference:

QUESTION 111
A QRadar SIEM administrator wants to report when a local system connects to the internet on more than 100 destination ports over a 2 hour period. The administrator created an anomaly rule to capture this scenario. Which type of rule should be selected in the rule creation wizard in this situation?
A. Flow Rule
B. Event Rule
C. Offense Rule
D. Common rule
Correct Answer: C
/Reference:

QUESTION 112
Which two proxy options are supported by QRadar Auto Update Advanced settings? (Choose two.)
A. Proxy Port
B. Proxy Type
C. Proxy Name

D. Proxy Category
E. Proxy Username
Correct Answer: AE
/Reference: Correct Answers: Proxy Server, Proxy Port, Proxy Username and Proxy Password.

QUESTION 113
Which serial option needs to be set in the syslinux configuration file to reinstall a malfunctioning appliance via serial port from a USB flash-drive?
A. Default serial
B. Serial port redirect
C. Serial install option
D. Serial console redirect
Correct Answer: A
/Reference:

QUESTION 114
Which three messages are displayed in the Next Run Time Column while a QRadar Administrator is manually generating a report? (Choose three.)
A. Generating
B. (x hour(s) x min(s))
C. Generating Queues
D. (x hour(s) x min(s) y sec(s))
E. Queued (position in the queue)
F. Queued in the database column
Correct Answer: ADE

/Reference: When a report generates, the Next Run Time column displays one of the three following messages:
* Generating - The report is generating
* Queued (position in the queue) - The report is queued for generation. The message indicates the position of the report in the queue. For example, 1 of 3.
* (x hour(s) x min(s) y sec(s)) - The report is scheduled to run. The message is a count-down timer that specifies when the report will run next.
Source: IBM Knowledge Center > Managing IBM Security QRadar Risk Manager reports > Manually generating a report

QUESTION 115
What is used to collect security events in a QRadar Distributed Deployment?
A. QRadar 3124 Console
B. QRadar 1724 Processor
C. QRadar 1624 Processor
D. QRadar 1310 QFlow Collector
Correct Answer: A
/Reference:

QUESTION 116
Which action prevents an offense from being removed from the database?
A. Hide
B. Show
C. Export
D. Protect

Correct Answer: A
/Reference:

QUESTION 117
Which string creates a network hierarchy group called WebServers inside a group called DMZ?
A. DMZ/WebServers
B. DMZ_WebServers
C. DMZWebServers
D. DMZ+WebServers
Correct Answer: D
/Reference: WARNING: The answer in this question is NOT sure correct! Don't take the risk, verify the correct answer!

QUESTION 118
What does the message in the System Notification Widget in the Dashboard "Disk Sentry: Disk usage exceeded WARNING threshold" tell you?
A. One of your File Systems has exceeded 92%.
B. One of your File Systems has exceeded 95%.
C. One of your File Systems has exceeded 98%.
D. One of your File Systems has exceeded 90%.
Correct Answer: D
/Reference:

QUESTION 119

Which scanners report vulnerabilities on all ports? (Choose two.)
A. Axis
B. NMap
C. Qualys
D. tcpdump
E. ncircle IP360
Correct Answer: BC
/Reference:

QUESTION 120
Which two primary data sources send updates to the Asset profiler? (Choose two.)
A. Source IP
B. Source Port
C. Scan Result
D. Destination IP
E. Identity Events
Correct Answer: AB
/Reference: WARNING: The answers in this question are NOT sure correct. Don't take the risk, verify the answers!

QUESTION 121
What does Server discovery do?
A. Defines rules for hosts
B. Creates asset searches
C. Populates host definition building blocks
D. Builds complex search queries for events flows

Correct Answer: B
/Reference:

QUESTION 122
Which operating system is supported for creating a bootable flash drive for recovery?
A. Cisco IOS
B. Sun Solaris
C. Debian Linux
D. MS Windows Vista
Correct Answer: D
/Reference: Correct Answers:
* Red Hat Enterprise Linux 6.5 (Santiago)
* Microsoft Windows Vista
* Microsoft Windows 7
* Microsoft Windows 2008
* Microsoft Windows 2008 R2
Note: Ubuntu/Debian is NOT supported

QUESTION 123
A flow is a sequence of packets that have which common characteristics?
A. Same source, MAC address, flow source and destination IP address
B. Same source IP address, flow source and transport layer port information
C. Same source and destination IP address and transport layer port information
D. Same destination IP address, source bytes and transport layer port information
Correct Answer: C
/Reference: WARNING: The answer in this question is NOT sure correct! Don't take the risk, verify the correct answer!

QUESTION 124
Which appliance is used to collect, store, and process event and flow data in case of hardware and network failure?
A. Replicated appliance
B. Secondary appliance
C. High availability appliance
D. High accessibility appliance
Correct Answer: C
/Reference:

QUESTION 125
How do you view an offense that is associated with an event from the Log Activity tab?
A. Double click the event
B. Click the Offense icon next to the event
C. Right click the event, select View Offenses
D. Select the event, and select Offenses from the View list box

Correct Answer: A
/Reference:

QUESTION 126
Which network monitoring port does Juniper Jflow require to be configured in QRadar?
A. Port 80
B. Port 443
C. Port 1080
D. Port 2055
Correct Answer: D
/Reference:

QUESTION 127
Which two options are available for Override parameter when an administrator views the Asset Profile Summary page? (Choose two.)
A. Forever
B. Until Next Scan
C. After Next Scan
D. Before Next Scan
E. After Specified Time
Correct Answer: AB
/Reference:

QUESTION 128

There are unknown log records from unsupported security device events in the Log activity tab. You are planning to write an LSX for an unsupported security device type based on UDSM. What is the file format and payload option for exporting the unknown log records?
A. PDF and full export
B. CSV and full export
C. XML and visible column
D. CSV and visible column
Correct Answer: C
/Reference:

QUESTION 129
Which two formats can reports be generated in? (Choose two.)
A. JPEG image (JPG)
B. Comma Separated Values (CSV)
C. Microsoft Word Document (DOC)
D. Hypertext Markup Language (HTML)
E. Adobe Portable Document Format (PDF)
Correct Answer: DE
/Reference:

QUESTION 130
What is QRadar QFlow Collector combined with QRadar SIEM designed to do?
A. Collect Netflow records
B. Layer 7 application visibility
C. Receive Syslog messages

D. Ensure secure message collection
Correct Answer: B
/Reference:

QUESTION 131
Who can view all offenses?
A. All users
B. Admin user
C. User who has access to All Log Sources and All Networks
D. Restricted User who has access to a Specific Log Source and Network
Correct Answer: A
/Reference: Answer: All users. All users can view all offenses regardless of which log source is associated with the offense. The Offenses tab does not use device level user permissions to determine which offenses each user is able to view; as determined by network permissions. Source:

QUESTION 132
How many IP addresses are required if the customer is planning to do high availability installation of one 31xx, two 16xx, and one 171xx appliances?
A. 8
B. 10
C. 12

D. 15
Correct Answer: A
/Reference: WARNING: The answer in this question is NOT sure correct! Don't take the risk, verify the correct answer!

QUESTION 133
Which parameter defines the location of the user profiles under the Admin tab?
A. Authentication > User Data Files
B. System settings > User Data Files
C. Security Profiles > User Data Files
D. Console settings > User Data Files
Correct Answer: C
/Reference: Answer: Authentication > User Data Files OR Security Profiles > User Data Files WARNING: The answer in this question is NOT sure correct! Don't take the risk, verify the correct answer!

QUESTION 134
Which offboard storage solution provides the fastest performance?
A. AoE
B. NFS
C. iSCSI
D. Fibre Channel
Correct Answer: D

/Reference:

QUESTION 135
How many days does QRadar keep record of Closed Offense by default?
A. 1 day
B. 5 days
C. 3 days
D. 7 days
Correct Answer: C
/Reference:

QUESTION 136
Which Permission Precedence should be applied in the Security Profile so the users can see events from the "Windows Servers" log source group and from other log sources that match the destination or source network "Windows"?
A. No Restrictions
B. Log Sources Only
C. Networks OR Log Sources
D. Networks AND Log Sources
Correct Answer: D
/Reference:

QUESTION 137
Which two IP Addresses are required to Add a HA host? (Choose two.)
A. Public IP Address
B. Private IP Address

C. Cluster IP Address
D. Remote IP Address
E. IP Address of Secondary Host
Correct Answer: CE
/Reference:

QUESTION 138
Which two types of charts are available on QRadar SIEM Report editor? (Choose two.)
A. Top Events
B. Top Source IPs
C. Top Login Failures
D. Top Destination IPs
E. Top Access Failures
Correct Answer: BD
/Reference:

QUESTION 139
An off-site target can connect to which component?
A. Flow collector
B. Event collector
C. Flow processor
D. Event processor
Correct Answer: B

/Reference:

QUESTION 140
A QRadar administrator is sizing a distributed deployment. The deployment has approximately 2 gigabytes of sustained throughput of traffic on a network tap. The network tap is a 10 gigabyte fiber connection. Which architecture is correct?
A. Qflow Collector 1301
B. Qflow Collector 1201
C. Qflow Collector 1310
D. Qflow Collector 1202
Correct Answer: C
/Reference:

QUESTION 141
Which two data collection types are supported for SAINT scanner configurations? (Choose two.)
A. App Scan
B. Live Scan
C. Report Only
D. Passive Scan
E. Vulnerability Scan
Correct Answer: BC
/Reference:

QUESTION 142

The current settings for QFlow do not capture enough payload. How would you change the packet capture size?
A. Console
B. Command line
C. System settings
D. Deployment editor
Correct Answer: D
/Reference:

QUESTION 143
Given the network IP range of to , what format would this be entered into a network hierarchy object?
A /24 B /24 C /23 D /25
Correct Answer: D
/Reference:

QUESTION 144
A customer wants to view Log Sources based on functionality on QRadar console. The customer wants to categorize its Log Sources into multiple groups, which allows the customer to efficiently view and track its log sources. What is the maximum number of log sources a log source group can display on the QRadar console?
A. 100
B. 500

C. 750
D
Correct Answer: C
/Reference: WARNING: The answer in this question is NOT sure correct! Don't take the risk, verify the correct answer!

QUESTION 145
Which view option allows you to view events as they occur?
A. Automatic
B. Live Events
C. Real Time (streaming)
D. Last Interval (auto refresh)
Correct Answer: C
/Reference:

QUESTION 146
Which two formats can events be exported to? (Choose two.)
A. Web page (HTML)
B. Excel Spreadsheet (XLS)
C. Comma-Separated Values (CSV)
D. Portable Document Format (PDF)
E. Extensible Markup Language (XML)
Correct Answer: CE
/Reference:

QUESTION 147
Which attribute is valid when defining the user roles to provide the necessary access?
A. Assets: Server Discovery
B. Offenses: View Custom Rules
C. Offenses: Maintain Custom Rules
D. Network Activity: User Defined Flow Properties
Correct Answer: D
/Reference: WARNING: The answer in this question is NOT sure correct! Don't take the risk, verify the correct answer!

QUESTION 148
Which two IP Addresses are required to setup NATed environment? (Choose two.)
A. Public IP Address
B. Private IP Address
C. Remote IP Address
D. Secondary IP Address
E. Destination IP Address
Correct Answer: AB
/Reference:

QUESTION 149
Which file needs to be installed to patch to QRadar release xxx?
A. 721_QRadar_patchupdate xxx.iso
B. 721_QRadar_patchupdate xxx.sfs


Chapter 5: Vulnerability Analysis Chapter 5: Vulnerability Analysis Technology Brief Vulnerability analysis is a part of the scanning phase. In the Hacking cycle, vulnerability analysis is a major and important part. In this chapter, we

More information

Provisioning the K1000 Agent

Provisioning the K1000 Agent Provisioning the K1000 Agent Agent provisioning is the task of installing the K1000 Agent on devices you want to add to K1000 inventory using the Agent. About the K1000 Agent The K1000 Agent is an application

More information

Getting Started Guide. Version 4.4

Getting Started Guide. Version 4.4 C i s co EnergyWise Management Getting Started Guide Version 4.4 Contents Introduction to Cisco EnergyWise Management...4 Setup & Installation...5 System Requirements (Single Server Installation)...5 Installation...6

More information

Creating a Multi-data Center (MDC) System

Creating a Multi-data Center (MDC) System , page 1 About Multi-data Centers The Multi-data Center (MDC) licensed feature is available in version 2.5 and higher. It allows two CWMS systems to be joined into a single MDC system. One license must

More information

BIG-IP Analytics: Implementations. Version 13.1

BIG-IP Analytics: Implementations. Version 13.1 BIG-IP Analytics: Implementations Version 13.1 Table of Contents Table of Contents Setting Up Application Statistics Collection...5 What is Analytics?...5 About HTTP Analytics profiles... 5 Overview:

More information

Add and Organize Devices

Add and Organize Devices This chapter contains the following topics: Add Devices to Prime Infrastructure, on page 1 Import Devices from Another Source, on page 7 Create Device Import CSV Files, on page 7 Add Devices Manually (New

More information

Administering isupport

Administering isupport Administering isupport Tracking and Monitoring isupport Usage Agents perform tasks in the background that are an integral part of isupport functionality. See Enabling and Scheduling Agents on page 2 for

More information

UDP Director Virtual Edition

UDP Director Virtual Edition UDP Director Virtual Edition (also known as FlowReplicator VE) Installation and Configuration Guide (for StealthWatch System v6.7.0) Installation and Configuration Guide: UDP Director VE v6.7.0 2015 Lancope,

More information

ForeScout Extended Module for IBM BigFix

ForeScout Extended Module for IBM BigFix ForeScout Extended Module for IBM BigFix Version 1.0.0 Table of Contents About this Integration... 4 Use Cases... 4 Additional BigFix Documentation... 4 About this Module... 4 Concepts, Components, Considerations...

More information

BlackBerry Enterprise Server for Microsoft Office 365. Version: 1.0. Administration Guide

BlackBerry Enterprise Server for Microsoft Office 365. Version: 1.0. Administration Guide BlackBerry Enterprise Server for Microsoft Office 365 Version: 1.0 Administration Guide Published: 2013-01-29 SWD-20130131125552322 Contents 1 Related resources... 18 2 About BlackBerry Enterprise Server

More information

User Guide. Version R94. English

User Guide. Version R94. English Cloud Backup User Guide Version R94 English March 30, 2017 Copyright Agreement The purchase and use of all Software and Services is subject to the Agreement as defined in Kaseya s Click-Accept EULATOS

More information

UDP Director Virtual Edition Installation and Configuration Guide (for Stealthwatch System v6.9.0)

UDP Director Virtual Edition Installation and Configuration Guide (for Stealthwatch System v6.9.0) UDP Director Virtual Edition Installation and Configuration Guide (for Stealthwatch System v6.9.0) Installation and Configuration Guide: UDP Director VE v6.9.0 2016 Cisco Systems, Inc. All rights reserved.

More information

Tasktop Sync - Cheat Sheet

Tasktop Sync - Cheat Sheet Tasktop Sync - Cheat Sheet 1 Table of Contents Tasktop Sync Server Application Maintenance... 4 Basic Installation... 4 Upgrading Sync... 4 Upgrading an Endpoint... 5 Moving a Workspace... 5 Same Machine...

More information

ForeScout Extended Module for IBM BigFix

ForeScout Extended Module for IBM BigFix Version 1.1 Table of Contents About BigFix Integration... 4 Use Cases... 4 Additional BigFix Documentation... 4 About this Module... 4 About Support for Dual Stack Environments... 5 Concepts, Components,

More information

Overview. ACE Appliance Device Manager Overview CHAPTER

Overview. ACE Appliance Device Manager Overview CHAPTER 1 CHAPTER This section contains the following: ACE Appliance Device Manager, page 1-1 Logging Into ACE Appliance Device Manager, page 1-3 Changing Your Account Password, page 1-4 ACE Appliance Device Manager

More information

Perform Configuration Audits Using Compliance

Perform Configuration Audits Using Compliance How To Perform a Compliance Audit, page 1 Enable and Disable Compliance Auditing, page 2 Create a New Compliance Policy, page 2 Create Compliance Policy Rules, page 3 Create a Compliance Profile That Contains

More information

AlienVault USM Appliance for Security Engineers 5 day course outline. Module 2: USM Appliance Basic Configuration and Verifying Operations

AlienVault USM Appliance for Security Engineers 5 day course outline. Module 2: USM Appliance Basic Configuration and Verifying Operations AlienVault USM Appliance for Security Engineers 5 day course outline Course Introduction Module 1: Overview The Course Introduction provides students with the course objectives and prerequisite learner

More information

IBM QRadar User Behavior Analytics (UBA) app Version 2 Release 7. User Guide IBM

IBM QRadar User Behavior Analytics (UBA) app Version 2 Release 7. User Guide IBM IBM QRadar User Behavior Analytics (UBA) app Version 2 Release 7 User Guide IBM Note Before you use this information and the product that it supports, read the information in Notices on page 149. Product

More information

IBM Security SiteProtector System User Guide for Security Analysts

IBM Security SiteProtector System User Guide for Security Analysts IBM Security IBM Security SiteProtector System User Guide for Security Analysts Version 2.9 Note Before using this information and the product it supports, read the information in Notices on page 83. This

More information

Online Help StruxureWare Data Center Expert

Online Help StruxureWare Data Center Expert Online Help StruxureWare Data Center Expert Version 7.2.7 What's New in StruxureWare Data Center Expert 7.2.x Learn more about the new features available in the StruxureWare Data Center Expert 7.2.x release.

More information

Cisco Passguide Exam Questions & Answers

Cisco Passguide Exam Questions & Answers Cisco Passguide 642-648 Exam Questions & Answers Number: 642-648 Passing Score: 800 Time Limit: 120 min File Version: 61.8 http://www.gratisexam.com/ Cisco 642-648 Exam Questions & Answers Exam Name: Deploying

More information

User s Manual. Version 5

User s Manual. Version 5 User s Manual Version 5 Copyright 2017 Safeway. All rights reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language,

More information

D-View 7 Software Release Notes

D-View 7 Software Release Notes Server Version: V1.3.0.7 Probe Version: V1.0.6.0 Published: 2017/08/18 These release notes include important information about D-Link D-View 7 Network Management Software. Please verify that these release

More information

ForeScout CounterACT. (AWS) Plugin. Configuration Guide. Version 1.3

ForeScout CounterACT. (AWS) Plugin. Configuration Guide. Version 1.3 ForeScout CounterACT Hybrid Cloud Module: Amazon Web Services (AWS) Plugin Version 1.3 Table of Contents Amazon Web Services Plugin Overview... 4 Use Cases... 5 Providing Consolidated Visibility... 5 Dynamic

More information

vrealize Operations Management Pack for NSX for vsphere 3.5.0

vrealize Operations Management Pack for NSX for vsphere 3.5.0 vrealize Operations Management Pack for NSX for vsphere 3.5.0 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition.

More information

Smart Install in LMS CHAPTER

Smart Install in LMS CHAPTER CHAPTER 6 Smart Install (SI) is a plug-and-play configuration and image management feature that provides zero-touch deployment for new switches. You can configure SI on a switch which will then be the

More information

Network Discovery Policies

Network Discovery Policies The following topics describe how to create, configure, and manage network discovery policies: Overview:, page 1 Network Discovery Customization, page 2 Network Discovery Rules, page 3 Configuring Advanced

More information

Forescout. eyeextend for IBM BigFix. Configuration Guide. Version 1.2

Forescout. eyeextend for IBM BigFix. Configuration Guide. Version 1.2 Forescout Version 1.2 Contact Information Forescout Technologies, Inc. 190 West Tasman Drive San Jose, CA 95134 USA https://www.forescout.com/support/ Toll-Free (US): 1.866.377.8771 Tel (Intl): 1.408.213.3191

More information

Pass4sure q. Cisco Securing Cisco Networks with Sourcefire IPS

Pass4sure q. Cisco Securing Cisco Networks with Sourcefire IPS Pass4sure.500-285.42q Number: 500-285 Passing Score: 800 Time Limit: 120 min File Version: 6.1 Cisco 500-285 Securing Cisco Networks with Sourcefire IPS I'm quite happy to announce that I passed 500-285

More information

Behavior-Based IDS: StealthWatch Overview and Deployment Methodology

Behavior-Based IDS: StealthWatch Overview and Deployment Methodology Behavior-Based IDS: Overview and Deployment Methodology Lancope 3155 Royal Drive, Building 100 Alpharetta, Georgia 30022 Phone: 770.225.6500 Fax: 770.225.6501 www.lancope.com techinfo@lancope.com Overview

More information

Ekran System v Program Overview

Ekran System v Program Overview Ekran System v. 6.2 Program Overview Contents About the Program Login Ekran Server & Management Tool Notifying Users about Being Database Management Monitored Licensing User Blocking Client Installation

More information

ForeScout App for IBM QRadar

ForeScout App for IBM QRadar How-to Guide Version 2.0.0 Table of Contents About IBM QRadar Integration... 3 Use Cases... 3 Visualization of CounterACT Endpoint Compliance Status & Connectivity... 3 Agent Health and Compliance for

More information

BIG-IQ Centralized Management: ADC. Version 5.0

BIG-IQ Centralized Management: ADC. Version 5.0 BIG-IQ Centralized Management: ADC Version 5.0 Table of Contents Table of Contents BIG-IQ Application Delivery Controller: Overview...5 What is Application Delivery Controller?...5 Managing Device Resources...7

More information

vrealize Operations Management Pack for NSX for Multi-Hypervisor

vrealize Operations Management Pack for NSX for Multi-Hypervisor vrealize Operations Management Pack for This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more

More information

Inspector Software Appliance User Guide

Inspector Software Appliance User Guide User Guide 2017 RapidFire Tools, Inc. All rights reserved 20170804 Ver 3V Contents Overview... 3 Components of the... 3... 3 Inspector Diagnostic Tool... 3 Network Detective Application... 3 Features...

More information

Intrusion Detection and Prevention IDP 4.1r4 Release Notes

Intrusion Detection and Prevention IDP 4.1r4 Release Notes Intrusion Detection and Prevention IDP 4.1r4 Release Notes Build 4.1.134028 September 22, 2009 Revision 02 Contents Overview...2 Supported Hardware...2 Changed Features...2 IDP OS Directory Structure...2

More information

Network Security Platform Overview

Network Security Platform Overview Quick Tour Revision B McAfee Network Security Platform 8.1 Network Security Platform Overview McAfee Network Security Platform [formerly McAfee IntruShield ] is a combination of network appliances and

More information

Application Discovery Manager User s Guide vcenter Application Discovery Manager 6.2.2

Application Discovery Manager User s Guide vcenter Application Discovery Manager 6.2.2 Application Discovery Manager User s Guide vcenter Application Discovery Manager 6.2.2 This document supports the version of each product listed and supports all subsequent versions until the document

More information

Introduction to Network Discovery and Identity

Introduction to Network Discovery and Identity The following topics provide an introduction to network discovery and identity policies and data: Host, Application, and User Detection, on page 1 Uses for Host, Application, and User Discovery and Identity

More information

vrealize Operations Management Pack for NSX for vsphere 2.0

vrealize Operations Management Pack for NSX for vsphere 2.0 vrealize Operations Management Pack for NSX for vsphere 2.0 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition.

More information

VARONIS DATALERT APP FOR IBM QRADAR

VARONIS DATALERT APP FOR IBM QRADAR VARONIS DATALERT APP FOR IBM QRADAR Integration Guide Publishing Information Software version 0 Document version 1 Publication date October 9, 2018 Copyright 2005-2018 Varonis Systems Inc. All rights reserved.

More information

Web Console Setup & User Guide. Version 7.1

Web Console Setup & User Guide. Version 7.1 Web Console Setup & User Guide Version 7.1 1 Contents Page Number Chapter 1 - Installation and Access 3 Server Setup Client Setup Windows Client Setup Mac Client Setup Linux Client Setup Interoperation

More information

Managing the Web Interface

Managing the Web Interface 3 CHAPTER The Cisco Prime Performance Manager web interface is the primary method for displaying network reports and managing network devices and information. The following topics tell you how to launch

More information

Installing or Upgrading ANM Virtual Appliance

Installing or Upgrading ANM Virtual Appliance CHAPTER 2 This chapter describes how to deploy Cisco ANM Virtual Appliance 4.3 (new installation) and how to upgrade from ANM software version 4.1 or 4.2 to software version 4.3. This chapter includes

More information

Chapter 3 Managing System Settings

Chapter 3 Managing System Settings Chapter 3 Managing System Settings Using the System Settings Utility The navigation pane at the top of the web browser interface contains a System tab that enables you to manage your FS700TSSmart Switch

More information

WhatsConfigured for WhatsUp Gold 2016 User Guide

WhatsConfigured for WhatsUp Gold 2016 User Guide WhatsConfigured for WhatsUp Gold 2016 User Guide Contents Welcome to WhatsConfigured 1 What is WhatsConfigured? 1 Finding more information and updates 1 Sending feedback 2 Deploying WhatsConfigured 3 STEP

More information

Cisco Unified Serviceability

Cisco Unified Serviceability Cisco Unified Serviceability Introduction, page 1 Installation, page 5 Introduction This document uses the following abbreviations to identify administration differences for these Cisco products: Unified

More information

IMC Network Traffic Analyzer 7.3 (E0504) Copyright 2015, 2017 Hewlett Packard Enterprise Development LP

IMC Network Traffic Analyzer 7.3 (E0504) Copyright 2015, 2017 Hewlett Packard Enterprise Development LP Network Traffic Analyzer 7.3 (E0504) Copyright 2015, 2017 Hewlett Packard Enterprise Development LP Table of Contents 1. What's New in this Release 2. Problems Fixed in this Release 3. Software Distribution

More information