IBM C2150-400
Question No : 1 -
Which command will install the patch after mounting the patch file?
A. /media/updates/setup
B. /media/updates/installer
C. /media/updates/setup -patch
D. /media/updates/installer -patch
Answer : B
Question No : 2 -
What will be restored when restoring event data or flow data for a particular period to a MH?
A. Only data sent to the console for that time period is restored to the MH.
B. Only event data or flow data for the MH being restored will be restored to that MH.
C. Only data that was accumulated for reports and searches will be restored to the MH.
D. All data for all MHs for a specific time period is restored to its respective hosts in the deployment.
Answer : B
Question No : 3 -
In QRadar SIEM, a customer wants to tune one of the firewall deny events, which shows a firewall deny for all events coming from a Syslog Server and has been identified as a false positive. The customer clicked on the "false positive" button to tune the specific event.
Which traffic directions will be available when declaring this event as a false positive? (Choose two.)
Answer : B,E
Question No : 4 -
Answer : B
Question No : 5 -
A. Public IP Address
B. Private IP Address
C. Cluster IP Address
D. Remote IP Address
E. IP Address of Secondary Host
Answer : C,E
Question No : 6 -
With a Data Deletion Policy of "When storage is required", data will remain in storage until which scenario is reached?
A. If used disk space reaches 88% for records and 85% for payloads.
B. If used disk space reaches 85% for records and 88% for payloads.
C. If used disk space reaches 85% for records and 83% for payloads.
D. If used disk space reaches 83% for records and 85% for payloads.
Answer : C
Question No : 7 -
There are unknown log records from unsupported security device events in the Log Activity tab. You are planning to write an LSX for an unsupported security device type based on UDSM.
What is the file format for exporting the unknown log records?
A. CSV
B. PDF
C. XLS
D. Text
Answer : D
Question No : 8 -
What are the two expected Host Statuses after HA setup if the initial synchronization is complete? (Choose two.)
A. Primary: Active
B. Primary: Offline
C. Secondary: Failed
D. Secondary: Active
E. Secondary: Standby
F. Primary: Synchronizing
Answer : A,E
Question No : 9 -
A QRadar SIEM administrator wants to report when a local system connects to the internet on more than 100 destination ports over a 2 hour period. The administrator created an anomaly rule to capture this scenario.
Which type of rule should be selected in the rule creation wizard in this situation?
A. Flow Rule
B. Event Rule
C. Offense Rule
D. Common rule
Answer : B
Question No : 10 -
A. All users
B. Admin user
C. User who has access to All Log Sources and All Networks
D. Restricted User who has access to a Specific Log Source and Network
Answer : B
Question No : 11 -
Which appliance is used to collect, store, and process event and flow data in case of
hardware and network failure?
A. Replicated appliance
B. Secondary appliance
C. High availability appliance
D. High accessibility appliance
Answer : B
Question No : 12 -
Which line color inside the deployment editor signals that encrypted communication has
been selected for the managed hosts in a distributed environment?
A. Blue
B. Grey
C. Black
D. Yellow
Answer : D
Question No : 13 -
Which Permission Precedence should be applied to the users security profile assuming the administrators only want the group to have access to Windows events and flows and not events from other networks?
A. No Restrictions
B. Log Sources Only
C. Networks OR Log Sources
D. Networks AND Log Sources
Answer : D
Question No : 14 -
Answer : B
Question No : 15 -
In which two ways can an administrator view all the events that are related to an offense from the Offense Details screen? (Choose two.)
Question No : 16 -
Which three tasks can an administrator perform from the QRadar SIEM reports tab? (Choose three.)
A. Brand reports
B. Ability to create custom reports
C. Ability to create custom compliance templates
D. Present statistics derived from source IP and destination IP
E. Present measurements and statistics derived from real time data
F. Present measurements and statistics derived from events, flows and offenses
Answer : B,D,F
Question No : 17 -
What is QRadar QFlow Collector combined with QRadar SIEM designed to do?
A. Encryption
B. Netflow collection
C. Syslog forwarding
D. Layer 7 application visibility
Answer : B
Explanation: QRadar QFlow Collector - Collects data from devices, and various live and
recorded feeds, such as network taps, span/mirror ports, NetFlow, and QRadar SIEM
flow logs. When the data is collected, the QRadar QFlow Collector groups related
individual packets into a flow. QRadar SIEM defines these flows as a communication
session between two pairs of unique IP address and ports that use the same protocol. A
flow starts when the QRadar QFlow Collector detects the first packet with a unique
source IP address, destination IP address, source port, destination port, and other
specific protocol options that determine the start of a communication. Each additional
packet is evaluated. Counts of bytes and packets are added to the statistical counters in
the flow record. At the end of an interval, a status record of the flow is sent to an Event
Collector and statistical counters for the flow are reset. A flow ends when no activity for
the flow is detected within the configured period of time. Flow reporting generates
records of all active or expired flows during a specified period of time. If the protocol
does not support port-based connections, QRadar SIEM combines all packets between
the two hosts into a single flow record. However, a QRadar QFlow Collector does not
record flows until a connection is made to another QRadar SIEM component and data is
retrieved.
Question No : 18 -
Which TCP port must be open to allow communication between the primary and secondary HA hosts?
A. 7709
B. 7788
C. 7789
D. 7790
Answer : C
Question No : 19 -
A. Severity Requirement
B. Security Requirement
C. Capacity Requirement
D. Availability Requirement
E. Confidentiality Requirement
F. Collateral Damage Potential
Answer : D,E,F
Question No : 20 -
A customer is observing the Asset tab on the QRadar console and is getting duplicate assets in the console.
What is the reason for this asset duplication?
Answer : C
Question No : 21 -
You have created an LSX log parser document to process the unknown log events from your unsupported log source. The events are coming up with Log source type GenericDSM and the correct Log Source Event ID.
What is the next step in this process?
A. Create the high level and low level categories from the map id action
B. Map the custom log records to your own custom high level and low level categories
C. Create the high level and low level categories from the Rules section in the Offense tab
D. Run the qidmap.pl script to create high level and low level categories from the command line
Answer : D
Question No : 22 -
What should be the latency between the primary and secondary HA hosts?
Answer : B
Question No : 23 -
Which three graph types are available for QRadar Log Manager reports? (Choose three.)
A. Pie graph
B. Histogram
C. Bar graph
D. Trivial graph
E. Stacked bar graph
F. Stacked table graph
Answer : A,C,F
Question No : 24 -
Which two types are available for the graph type "horizontal bar" on QRadar? (Choose two.)
Answer : A,E
Question No : 25 -
Answer : D
Question No : 26 -
The following message is displayed in the System Notification Widget on the Dashboard:
Which script should be run to help determine the cause of the dropped events?
A. /opt/qradar/support/dumpGvData.sh
B. /opt/qradar/support/dumpDSMInfo.sh
C. /opt/qradar/support/cleanAssetModel.sh
D. /opt/qradar/support/findExpensiveCustomRules.sh
Answer : D
Question No : 27 -
Which two formats are available for reports generated from the QRadar Reporting Tab?
(Choose two.)
A. TXT
B. CSV
C. PDF
D. HTML
E. PostScript
Answer : C,D
Question No : 28 -
Which two authentication methods for the QRadar User Interface are valid? (Choose two.)
A. SecureID
B. Digital Signatures
C. Password Authentication Protocol (PAP)
D. Remote Authentication Dial In User Service (RADIUS)
E. Terminal Access Controller Access-Control System (TACACS)
Answer : D,E
Question No : 29 -
A customer has developed a custom Universal Device Support Module (uDSM) for an unsupported device. The customer wants to parse the Device Time field, which is not in a standard format.
Which parameter should an administrator define in the LSX template in this situation?
A. ext-time
B. ext-date
C. ext-data
D. ext-devicedate
Answer : C
Question No : 30 -
A. IPFIX
B. jFlow
C. QFlow
D. NetFlow
Answer : D
Question No : 31 -
A customer wants to view Log Sources based on functionality on QRadar console. The
customer wants to categorize its Log Sources into multiple groups, which allows the
customer to efficiently view and track its log sources.
What is the maximum number of log sources a log source group can display on the QRadar console?
A. 100
B. 500
C. 750
D. 1000
Answer : B
Question No : 32 -
Which two fields are required to be filled out when adding a new network to the network
hierarchy? (Choose two.)
A. Name
B. Country
C. IP and CIDR
D. Target Flow Collector
E. Maximum Content Capture
Answer : A,C
Question No : 33 -
A customer is getting sufficient detection of proxy servers and the customer wants to tune the building block "Default-BB-Host Definition: Proxy Servers".
Which test in the "Default-BB-Host Definition: Proxy Servers" building block needs to be edited for tuning?
A. Edit the "and when the destination IP is one of the following" test to include the IP addresses
B. Edit the "and when the source or destination network is one of the following" test to include the network
C. Edit the "and when the source IP is one of the following" test to include the IP addresses of the proxy servers
D. Edit the "and when either the source or destination IP is one of the following" test to include the IP addresses of the proxy servers
Answer : C
Question No : 34 -
There are unknown log records from unsupported security device events in the Log Activity tab. You are planning to write an LSX for an unsupported security device type based on UDSM.
What is the file format and payload option for exporting the unknown log records?
Answer : C
Question No : 35 -
Which tab in the QRadar web console allows flows to be monitored and investigated?
A. Admin
B. Assets
C. Offenses
D. Network Activity
Answer : C
Question No : 36 -
How many streaming events per second can be displayed before being accumulated in a result buffer?
A. 30 results per second
B. 40 results per second
C. 50 results per second
D. 60 results per second
Answer : B
Question No : 37 -
Where do you save the "Login Message File" on the system when setting up a banner
message for the authentication page?
A. /opt/qradar/conf/
B. /opt/qradar/www
C. /opt/tomcat/conf/
D. /opt/qradar/webapps
Answer : A
Question No : 38 -
Which two search filters are available on the QRadar console while making an asset
search? (Choose two.)
Answer : B,E
Question No : 39 -
Which two options need to be set when adding a host inside the deployment editor? (Choose two.)
A. Netmask
B. IP Address
C. Root password
D. QRadar version
E. Gateway IP Address
Answer : B,E
Question No : 40 -
Which two statements are true regarding QRadar Log Sources and DSMs? (Choose two.)
A. One log source must have one DSM.
B. One DSM must have many log sources.
C. One log source must have many DSMs.
D. One DSM can have only one log source.
E. One DSM can be used in many log sources.
Answer : C,E
Question No : 41 -
Which serial option needs to be set in the syslinux configuration file to reinstall a malfunctioning appliance via serial port from a USB flash drive?
A. Default serial
B. Serial port redirect
C. Serial install option
D. Serial console redirect
Answer : A
Question No : 42 -
Answer : C
Question No : 43 -
Which two types of charts are available on QRadar SIEM Report editor? (Choose two.)
A. Top Events
B. Top Source IPs
C. Top Login Failures
D. Top Destination IPs
E. Top Access Failures
Answer : B,D
Question No : 44 -
Which operating system is supported for creating a bootable flash drive for recovery?
A. Cisco IOS
B. Sun Solaris
C. Debian Linux
D. MS Windows Vista
Answer : C
Question No : 45 -
What is QRadar QFlow Collector combined with QRadar SIEM designed to do?
Answer : A,B
Question No : 46 -
In which three ways can you create Log Sources? (Choose three.)
A. Bulkload
B. Manually
C. Automatically
D. Scripting
E. Autoupdate
F. QRadar Enterprise template
Answer : B,D,E
Question No : 47 -
A. Automatic
B. Live Events
C. Real Time (streaming)
D. Last Interval (auto refresh)
Answer : C
Question No : 48 -
Which two data collection types are supported for SAINT scanner configurations? (Choose two.)
A. App Scan
B. Live Scan
C. Report Only
D. Passive Scan
E. Vulnerability Scan
Answer : B,C
Question No : 49 -
Which character is used for naming subgroups when using the option Add Group in the
Network Hierarchy editor?
A. + (plus)
B. . (period)
C. \ (backslash)
D. / (forward slash)
Answer : B
Question No : 50 -
Where is an email address from which you want to receive email alerts on QRadar SIEM
located?
Answer : A
Question No : 51 -
Answer : D
Question No : 52 -
How frequently does the Automated Update Process run if Configuration files are updated on the Primary and then Deploy Changes is not performed, and the updates are made on the Secondary host through an Automated Update Process?
A. Every 10 minutes
B. Every 15 minutes
C. Every 30 minutes
D. Every 60 minutes
Answer : D
Question No : 53 -
There is a requirement at the customer site to double the default QFlow Maximum Content Capture size.
What would be the resulting packet size?
A. 64 bytes
B. 128 bytes
C. 256 bytes
D. 1024 bytes
Answer : B
Question No : 54 -
Which string creates a network hierarchy group called WebServers inside a group called DMZ?
A. DMZ/WebServers
B. DMZ_WebServers
C. DMZWebServers
D. DMZ+WebServers
Answer : A
Question No : 55 -
Where does the information about the total number of Assets and Vulnerabilities processed appear?
Answer : C
Question No : 56 -
Which option will display the rule that triggered an offense from Offense Details screen?
Answer : A
Question No : 57 -
A. Setup Rules
B. Server Discovery
C. Authorized Services
D. Manually Define Building Blocks
Answer : A
Question No : 58 -
Answer : B
Question No : 59 -
What does the message in the System Notification Widget in the Dashboard "Disk Sentry: Disk usage exceeded WARNING threshold" tell you?
Answer : D
Question No : 60 -
Which directory from the QRadar host can be moved to offboard storage?
A. /var
B. /store
C. /home
D. /media
Answer : B
Question No : 61 -
You have been asked to forward all event logs from QRadar to another central syslog server with the IP of 172.16.77.133. You also want the events to be processed by the CRE, but not stored on the system.
What will allow you to do this process?
A. Add a Routing Rule that, under Current Filters "Matches All Incoming Events", under Routing Options, add a Forwarding destination for 172.16.77.133 with the "Raw Event" format. Then select the 'Forward' and 'Drop' options. Save and deploy.
B. Add a Routing Rule that, under Current Filters "Matches All Incoming Events", under Routing Options, add a Forwarding destination for 172.16.77.133 with the "Normalized Event" format. Then select the 'Forward' and 'Drop' options. Save and deploy.
C. Add a forwarding Destination for 172.16.77.133 with the "Raw Event" format. Then add a Routing Rule that, under Current Filters "Matches All Incoming Events", under Routing Options, select the Forward destination that matches the destination you created. Then select the 'Forward' and 'Drop' options. Save and deploy.
D. Add a forwarding Destination for 172.16.77.133 with the "Normalized Event" format. Then add a Routing Rule that, under Current Filters "Matches All Incoming Events", under Routing Options, select the Forward destination that matches the destination you created. Then select the 'Forward' and 'Drop' options. Save and deploy.
Answer : A
Question No : 62 -
There are unknown log records from unsupported security device events in the Log Activity tab. You are planning to write an LSX for an unsupported security device type based on UDSM.
What is the file format and payload option for exporting the unknown log records?
Answer : C
Question No : 63 -
Answer : B
Question No : 64 -
Which configuration window defines the maximum number of TCP syslog connections?
A. Log Sources
B. System Setting
C. Console Setting
D. Deployment Editor
Answer : D
Question No : 65 -
Which two fields are required to be filled out when adding a new network to the network
hierarchy? (Choose two.)
A. Weight
B. IP and CIDR
C. Capture Filter
D. Flow Source Interface
E. Flow Retention Length
Answer : A,D
Question No : 66 -
Assuming a Squid Proxy has logs in the following format:
time elapsed remotehost code/status bytes method URL rfc931 peerstatus/peerhost type
And these are some sample logs from the Squid server:
1286536310.075 452 192.168.0.227 TCP_MISS/200 5067 GET http://www.test.com/vi/VfnuY/default.jpg DIRECT/10.20.153.118 image/jpeg
1286536310.524 935 192.168.0.68 TCP_MISS/200 1021 POST http://www.test.com/services DIRECT/172.16.41.128 application/xml
1286536310.550 495 192.168.0.227 TCP_MISS/204 406 GET http://test.com/get_video? - DIRECT/10.12.231.1.136 text/html
1153239176.287 632 172.16.10.92 TCP_IMS_HIT/304 215 GET http://www.test.com/index.html - NONE/- text/html
Which regular expression would you use to pull out the bytes field into a custom property?
A. \w+/\d+\s+(\d+)\s+(POST|GET)
B. \w+/\d+\S+(\d+)\S+(POST|GET)
C. \w+/\d+\s+(\d+)\s+^(POST|GET)
D. \W+/\D+\D+(\D+)\D+(POST|GET)
Answer : D
Question No : 67 -
A. sFlow
B. PCAP
C. QFlow
D. Flow log file
Answer : A
Question No : 68 -
A. \w+\s+{.*?\\s}
B. \w+\s+{\d+\:(\.*?)\}
C. \w+\s+{\d+\:(\w+)\}
D. \w+\s+{\d+\:([a-zA-Z]+)\}
Answer : D
Question No : 69 -
Which tab in the QRadar web console allows events to be monitored and investigated?
A. Admin
B. Offenses
C. Forensics
D. Log Activity
Answer : D
Question No : 70 -
A user of QRadar wishes to have a report showing the number of bytes per packet they
see with their flows. The user decides to create a Custom Flow Property for this
application.
Which type of custom property is required for this to be accomplished?
Answer : A
Question No : 71 -
On the QRadar console you have received notification that CVE ID: CVE-2010-000 is being actively used.
What search parameter should you select from the list of search parameters in this situation?
Answer : C
Question No : 72 -
Which attribute is valid when defining the user roles to provide the necessary access?
Answer : A
Question No : 73 -
What two are valid actions that a user can perform when monitoring offenses? (Choose two.)
A. Import offenses
B. Backup offenses
C. Restore offenses
D. Send email notifications
E. Hide or close an offense from any offense list
Answer : B,E
Question No : 74 -
What is the minimum bandwidth needed between the primary and secondary HA host?
Answer : A
Question No : 75 -
Answer : B
Question No : 76 -
Which attribute is valid when defining the user roles to provide the necessary access?
Answer : A
Question No : 77 -
Which action prevents an offense from being removed from the database?
A. Hide
B. Show
C. Export
D. Protect
Answer : D
Question No : 78 -
Which proxy option can be set in the QRadar Auto Update Advanced settings?
A. Proxy Type
B. Proxy Name
C. Proxy Schedule
D. Proxy Password
Answer : D
Question No : 79 -
What does the message in the System Notification Widget on the Dashboard "Disk Sentry: Disk Usage exceeded max threshold" tell you?
Answer : B
Question No : 80 -
Given QRadar network hierarchy defined as 9.182.160.0/23 for the CIDR network
9.182.160.0, what is the customer's network IP range?
A. 9.182.160.0 - 9.182.161.255
B. 9.182.160.0 - 9.182.160.255
C. 9.182.160.1 - 9.182.160.255
D. 9.182.160.1 - 9.182.160.127
Answer : B
Question No : 81 -
Answer : B
Question No : 82 -
Which Log Source Type should be used to add a Log Source with a Log Source Extension?
A. Any
B. Custom
C. Universal DSM
D. Log Source Extension
Answer : D
Question No : 83 -
A. \w+/\d+\s+(\d+)\s+
B. \w+/\d+\s+(\d+)\S+
C. \w+/\d+\S+(\d+)\s+
D. \w+/\D+\s+(\D+)\s+
Answer : A
Question No : 84 -
A. QFlow
B. Event Collector
C. Flow Processor
D. Event Processor
Answer : C
Question No : 85 -
A. Flow collector
B. Event collector
C. Flow processor
D. Event processor
Answer : B
Question No : 86 -
Answer : C,E
Question No : 87 -
How many days does QRadar keep a record of a closed offense by default?
A. 1 day
B. 5 days
C. 3 days
D. 7 days
Answer : C
Question No : 88 -
A. Click on Primary, then click on High Availability > Set System Offline
B. Click on Secondary, then click on High Availability > Restore System
C. Click on Secondary, then click on High Availability > Set System Online
D. Click on HA Cluster, then click on High Availability > Set System Offline
Answer : C
Explanation: When you set the secondary HA host to Online, the secondary HA host
becomes the standby system. If you set the primary HA host to Online while the
secondary system is Active, the primary HA host becomes the active system and the
secondary HA host automatically becomes the standby system.
Question No : 89 -
You notice the following message in the System Notification Widget on the Dashboard:
"Unable to automatically detect the associated log source for IP address."
When you hover over the message, you see this pop-up message:
What is the issue?
A. There are events coming from IP 127.0.0.1 that cannot be autodiscovered and a Log Source Created
B. There are events coming from IP 192.168.2.90 that cannot be autodiscovered and a Log Source Created
C. There are events coming from IP 172.16.77.25 that cannot be autodiscovered and a Log Source Created
D. There are events coming from hostname red6.color.com that cannot be autodiscovered and a Log Source Created
Answer : C
Question No : 90 -
Answer : C
Question No : 91 -
Which two fields are required to be filled out when adding a new network to the network
hierarchy? (Choose two.)
A. Group
B. Country
C. Mail Server
D. DNS Server
E. IP and CIDR
Answer : D,E
Question No : 92 -
Which operating system is supported for creating a bootable flash drive for recovery?
A. Cisco IOS
B. Florida Linux
C. Debian Linux
D. RedHat Linux
Answer : D
Question No : 93 -
Answer : D
Question No : 94 -
A QRadar administrator has created a custom rule for investigating a DoS attack on a network using NetFlow data as well as events coming from a Checkpoint firewall.
Where should the tests be performed to detect this type of unusual activity?
Answer : C
Question No : 95 -
Which statement is true with regard to planning QRadar SIEM high availability?
Answer : D
Question No : 96 -
Which attribute is valid when defining the user roles to provide the necessary access?
Answer : C
Question No : 97 -
Answer : C
Question No : 98 -
Which offboard storage solution must only be used to mount the /store/backup file
system?
A. FTP
B. NFS
C. iSCSI
D. Fibre Channel
Answer : B
Question No : 99 -
Which operating system is supported for creating a bootable flash drive for recovery?
A. IBM AIX
B. MAC OS X
C. Ubuntu Linux
D. Windows OS
Answer : C
Question No : 100 -
A mail server typically communicates with 50 hosts per second in the middle of the night and then suddenly starts communicating with 1,000 hosts a second. The administrator wants to get an email alert whenever this situation is observed.
Which type of rule should an administrator create to monitor this situation?
A. Flow Rule
B. Anomaly Rule
C. Threshold Rule
D. Behavioral Rule
Answer : C