BrainDumps.C _35,Questions

Transcription

1 BrainDumps.C _35,Questions Number: C Passing Score: 800 Time Limit: 120 min File Version: A "brain dump," as it relates to the certification exams, is a source of success. This dump is enough to pass the exam and I have to do. This VCE has a lot of questions where all answers are up-to-date.

2 Exam A QUESTION 1 Assuming a Squid Proxy has logs in the following format: Time elapsed remotehost code/status bytes method URL rfc931 peerstatus/peerhost type And these are some sample logs from a Squid server: Which regular expression would you use to pull out the bytes field into a custom property? A. \w+/\d+\s+(\d+)\s+ B. \w+/\d+\s+(\d+)\s+ C. \w+/\d+\s+(\d+)\s+ D. \w+/\d+\s+(\d+)\s+ /Reference: QUESTION 2 Which Permission Precedence should be applied to the users security profile assuming the administrators only want the group to have access to Windows events and flows and not events from other networks? A. No Restrictions B. Log Sources Only C. Networks OR Log Sources D. Networks AND Log Sources Correct Answer: D /Reference: answer is verified. QUESTION 3 On the QRadar console you have received notification that CVE ID: CVE is being actively used. What search parameter should you select from the list of search parameters in this situation? A. Collateral Damage Reference B. Vulnerability External Reference C. Vulnerability Information System

3 D. Vulnerability Internal System Reference /Reference: Reference:ftp://ftp.software.ibm.com/software/security/products/qradar/documents/7.2.1/QRadar/E N/ b_qradar_gs_guide.pdf(page 250 QUESTION 4 From the given event payload format: You are tasked with creating a Reference Set of the second IPs in the payload. What needs to be done to complete this task? A. Create a Custom Event Property to parse the second IP in the payload. From the Log Source config for the above event, choose "add to reference set" and select your reference set. B. From the Reference Set Management screen, select "create reference set from Log Source Event". Pick the Log Source from the drop down. Pick the Event Name from the drop down. C. From the Reference Set Management screen, select "create reference set from Log Source Event". Pick the Log Source from the drop down. Pick the Custom Event Property from the drop down. D. Create a Custom Event Property to parse the second IP in the payload. Create a rule that tests for events from the Log Source that is collecting the above event, and for Rule Response add the Custom Event Property to the Reference Set. /Reference: : QUESTION 5 What functionalities of QRadar provide the ability to collect, understand, and properly categorize events from external sources? Real 23 IBM C Exam A. Log sources B. Flow sources C. Syslog sources D. External sources

4 /Reference: Reference: collections/jsa-logsource-user-guide.pdf(p. 14, log sources overview) QUESTION 6 What is a benefit of enabling indexes on event properties? A. Improved Offense Correlation B. Improved search performance C. Improved Performance of Custom Rules D. Improved accuracy of auto-discovery log sources /Reference: : QUESTION 7 Which IP address of a NATed server is used to access the server from outside the network? A. Public IP address B. Private IP address C. Cluster IP address D. Secondary IP address /Reference: : QUESTION 8 With a Data Deletion Policy of "When storage is required", data will remain in storage until which scenario is reached? A. If used disk space reaches 88% for records and 85% for payloads. B. If used disk space reaches 85% for records and 88% for payloads. C. If used disk space reaches 85% for records and 83% for payloads. D. If used disk space reaches 83% for records and 85% for payloads. /Reference: Reference: guide.pdf(page 85, see the table, 5throw, second column, first bulleted point) QUESTION 9 Which two actions can be selected from the license drop-down in the system and license management screen when working with a new license? (Choose two.) Real 3

5 IBM C Exam A. Apply license B. Upload license C. Allocate license to system D. Allocate system to license E. Register system to license C /Reference: : QUESTION 10 How frequently does the Automated Update Process run if Configuration files are updated on Primary and then Deploy Changes is not performed, and the updates are made on the Secondary host through an Automated Update Process? A. Every 10 minutes B. Every 15 minutes C. Every 30 minutes D. Every 60 minutes Correct Answer: D /Reference: Reference: pdf(page 68, see the second note) QUESTION 11 What two are valid actions that a user can perform when monitoring offenses? (Choose two.) A. Import offenses B. Backup offenses C. Restore offenses D. Send notifications E. Hide or close an offense from any offense list E /Reference: QUESTION 12 Real 4 IBM C Exam What is a valid QVM scan status? A. Active B. Paused C. Scanning D. Complete

6 /Reference: : QUESTION 13 Which NetFlow versions does QRadar SIEM support? A. 1,2,3, and 4 B. 1,4,7, and 9 C. 1,3,5,and 9 D. 1,5,7,and 9 Correct Answer: D /Reference: Reference: 01.ibm.com/support/knowledgecenter/SS42VS_7.2.1/com.ibm.qradar.doc_7.2.1/c_qradar_adm_n etflow.html(second para, first sentence) QUESTION 14 How do you view Raw Events on the Log Activity tab? A. Select "Raw Events" from the View list box B. Select "Raw Events" from the Actions list box C. Select "Raw Events" from the Display list box D. Select "Raw Events" from the Quick Searches list box /Reference: Reference:ftp://ftp.software.ibm.com/software/security/products/qradar/documents/71MR1/LogMgr /LM- 71MR1-Usersguide.pdf(page 33) QUESTION 15 There is a requirement at the customer site to double the default QFlow Maximum Content Capture size. What would be the resulting packet size? A. 64 bytes B. 128 bytes C. 256 bytes D bytes /Reference: QUESTION 16 What is the result when adding host definition building blocks to QRadar?

7 A. Creates Offenses B. Reduces false positives C. Makes searches run faster D. Authorizes QRadar Services /Reference: answer is up-to-date. QUESTION 17 What is used to collect netflow and jflow traffic in a QRadar Distributed Deployment? A. QRadar 3124 Console B. QRadar 1624 Processor C. QRadar 1724 Processor D. QRadar 700 Risk Manager /Reference: QUESTION 18 What will be restored when restoring event data or flow data for a particular period to a MH? A. Only data sent to the console for that time period is restored to the MH. B. Only event data or flow data for the MH being restored will be restored to that MH. C. Only data that was accumulated for reports and searches will be restored to the MH. D. All data for all MHs for a specific time period is restored to its respective hosts in the deployment. /Reference: QUESTION 19 Where do you save the "Login Message File" on the system when setting up a banner message for the authentication page? A. /opt/qradar/conf/ B. /opt/qradar/www C. /opt/tomcat/conf/ D. /opt/qradar/webapps /Reference: Reference:file:///Users/iMac/Downloads/QRadar_721_AdminGuide.pdf(page 90, see the table, last row, second column)

8 QUESTION 20 Which network monitoring port does Cisco NetFlow require to be configured in QRadar? A. Port 514 B. Port 161 C. Port 2055 D. Port 8080 /Reference: Reference: 01.ibm.com/support/knowledgecenter/SS42VS_7.2.3/com.ibm.qradar.doc_7.2.3/c_qradar_adm_fl ow_source_ovrvw.html QUESTION 21 A QRadar administrator needs to tune the system by enabling or disabling the appropriate rules in order to ensure that the QRadar console generates meaningful offenses for the environment. Which role permission is required for enabling and disabling the rule? A. Offenses > Maintain CRE Rules B. Offenses > Toggle Custom Rules C. Offenses > Manage Custom Rules D. Offenses > Maintain Custom Rules /Reference: : QUESTION 22 Which operating system is supported for creating a bootable flash drive for recovery? A. Cisco IOS B. Florida Linux C. Debian Linux D. RedHat Linux Correct Answer: D /Reference: QUESTION 23 Which three graph types are available for QRadar Log Manager reports? (Choose three.) A. Pie graph B. Histogram Real 8 IBM C Exam C. Bar graph D. Trivial graph

9 E. Stacked bar graph F. Stacked table graph CF /Reference: Reference: guide.pdf (page 18) QUESTION 24 Which line color inside the deployment editor signals that encrypted communication has been selected for the managed hosts in a distributed environment? A. Blue B. Grey C. Black D. Yellow Correct Answer: D /Reference: answer is valid. QUESTION 25 A QRadar SIEM administrator wants to create a Flow Rule that includes a building block definition (BB) that includes applications that indicate communication with file sharing sites. In which group will the administrator find this specified building block? A. Policy B. Host Definitions C. Network Definition D. Category Definitions /Reference: QUESTION 26 Which character is used for naming subgroups when using the option Add Group in the Network Hierarchy editor? A. +(plus) B.. (period) C. \ (Backslash) D. /(Forward Slash)

10 /Reference: : QUESTION 27 Which expression imports all xml files in the report directory if the administrator is configuring a Nessus Scanner? A. \xml B. 'xml' C. *\.xml D. */.xml /Reference: Reference:ftp://public.dhe.ibm.com/software/security/products/qradar/documents/71MR1/SIEM/Co redocs/ ManagingVAGuide-71MR1.pdf(page 14) QUESTION 28 Which two file systems does QRadar support for offboard storage partitions? (Choose two.) A. XFS B. Btrfs C. F2FS D. EXT4 E. NTFS D /Reference: Reference: collections/jsaconfiguring-offboard-storage.pdf(page 17) QUESTION 29 You notice the following message in the System Notification Widget on the Dashboard: Real 24 IBM C Exam "Unable to automatically detect the associated log source for IP address." When you hover over the message, you see this pop-up message: What is the issue? A. There are events coming from IP that cannot be autodiscovered and a Log Source Created B. There are events coming from IP that cannot be autodiscovered and a Log Source Created C. There are events coming from IP that cannot be autodiscovered and a Log Source Created

11 D. There are events coming from hostname red6.color.com that cannot be autodiscovered and a Log Source Created /Reference: : QUESTION 30 Which two proxy options are required to be set when using a Proxy Server for Auto Updates in QRadar? (Choose two.) A. Proxy Type B. Proxy Name C. Proxy Schedule D. Proxy Server URL E. Proxy Port number D /Reference: : QUESTION 31 Real 25 IBM C Exam What does Server discovery allow the QRadar administrator to do? A. Discover B. Define rules for hosts C. Create host searches D. Populate host definition building blocks /Reference: Reference: pdf (page 21, see the table, first row, second column, second bulleted point) QUESTION 32 The following message is displayed in the System Notification Widget on the Dashboard: Which script should be run to help determine the cause of the dropped events? A. /opt/qradar/support/dumpgvdata.sh B. /opt/qradar/support/dumpdsminfo.sh C. /opt/qradar/support/cleanassetmodel.sh

12 D. /opt/qradar/support/findexpensivecustomrules.sh Correct Answer: D /Reference: answer is modified. QUESTION 33 What is used to collect netflow and jflow traffic in a QRadar Distributed Deployment? A. QRadar 3105 Console B. QRadar 1705 Processor C. QRadar 1605 Processor D. QRadar 700 Risk Manager /Reference: Reference: 3) QUESTION 34 What should the format of a CSV file be while importing assets on the QRadar console? A. ip,portweight,description B. ip,name,weightmagnitude C. ip.name.weight.description D. ip.name.severity.description Real 2 IBM C Exam /Reference: Reference: for name, weight, description) QUESTION 35 Which option needs to be specified in the syslinux configuration file to reinstall an IBM QRadar appliance via serial port from an USB flash-drive? A. USB to serial B. Default serial C. Serial to USB D. serial redirect /Reference: Reference:ftp://ftp.software.ibm.com/software/security/products/qradar/documents/7.2.0/QLM/EN/ USB_Installation.pdf(page 5)

13