
IBM Security QRadar SIEM Implementation v7.2

IBM C2150-400

Question No : 1 -

Which command will install the patch after mounting the patch file?

 A. /media/updates/setup
 B. /media/updates/installer
 C. /media/updates/setup -patch
 D. /media/updates/installer -patch

Answer : B

Question No : 2 -

What will be restored when restoring event data or flow data for a particular period to a MH?

 A. Only data sent to the console for that time period is restored to the MH.
 B. Only event data or flow data for the MH being restored will be restored to that MH.
 C. Only data that was accumulated for reports and searches will be restored to the MH.
 D. All data for all MHs for a specific time period is restored to its respective hosts in the deployment.

Answer : B

Question No : 3 -

In QRadar SIEM, a customer wants to tune a firewall deny event that reports a firewall deny for all events coming from a syslog server and has been identified as a false positive. The customer clicked the "False Positive" button to tune the specific event.
Which traffic directions are available when declaring this event a false positive? (Choose two.)

 A. SourceIP to Local Network
 B. SourceIP to Any Destination
 C. Any source to Any Destination
 D. Destination IP to Local Network
 E. Source IP to Destination Network

Answer : B,E

Question No : 4 -

What is a benefit of enabling indexes on event properties?

 A. Improved Offense Correlation
 B. Improved search performance
 C. Improved Performance of Custom Rules
 D. Improved accuracy of auto-discovery log sources

Answer : B

Question No : 5 -

Which two IP addresses are required to add an HA host? (Choose two.)

 A. Public IP Address
 B. Private IP Address
 C. Cluster IP Address
 D. Remote IP Address
 E. IP Address of Secondary Host

Answer : C,E

Question No : 6 -

With a Data Deletion Policy of "When storage is required", data will remain in storage until which scenario is reached?

 A. If used disk space reaches 88% for records and 85% for payloads.
 B. If used disk space reaches 85% for records and 88% for payloads.
 C. If used disk space reaches 85% for records and 83% for payloads.
 D. If used disk space reaches 83% for records and 85% for payloads.

Answer : C

Question No : 7 -

There are unknown log records from unsupported security device events in the Log Activity tab. You are planning to write an LSX for an unsupported security device type based on UDSM.
What is the file format for exporting the unknown log records?

 A. CSV
 B. PDF
 C. XLS
 D. Text

Answer : D

Question No : 8 -

What are the two expected Host Statuses after HA setup if the initial synchronization is
complete? (Choose two.)

 A. Primary: Active
 B. Primary: Offline
 C. Secondary: Failed
 D. Secondary: Active
 E. Secondary: Standby
 F. Primary: Synchronizing

Answer : A,E

Question No : 9 -

A QRadar SIEM administrator wants to report when a local system connects to the internet on more than 100 destination ports over a 2 hour period. The administrator created an anomaly rule to capture this scenario.
Which type of rule should be selected in the rule creation wizard in this situation?

 A. Flow Rule
 B. Event Rule
 C. Offense Rule
 D. Common rule

Answer : B

Question No : 10 -

Who can view all offenses?

 A. All users
 B. Admin user
 C. User who has access to All Log Sources and All Networks
 D. Restricted User who has access to a Specific Log Source and Network

Answer : B

Question No : 11 -

Which appliance is used to collect, store, and process event and flow data in case of
hardware and network failure?

 A. Replicated appliance
 B. Secondary appliance
 C. High availability appliance
 D. High accessibility appliance

Answer : B

Question No : 12 -

Which line color inside the deployment editor signals that encrypted communication has
been selected for the managed hosts in a distributed environment?

 A. Blue
 B. Grey
 C. Black
 D. Yellow

Answer : D

Question No : 13 -

Which Permission Precedence should be applied to the user's security profile, assuming the administrators only want the group to have access to Windows events and flows and not events from other networks?

 A. No Restrictions
 B. Log Sources Only
 C. Networks OR Log Sources
 D. Networks AND Log Sources

Answer : D

Question No : 14 -

What does My Offenses display?

 A. Offenses closed by the user
 B. Offenses assigned to the user
 C. Offenses protected by the user
 D. Offenses triggered by rules created by the user

Answer : B

Question No : 15 -

In which two ways can an administrator view all the events that are related to an offense from the Offense Details screen? (Choose two.)

 A. Top 5 Source IPs section
 B. Click on Display > Sources
 C. Click on Display > Destinations
 D. Click on Event/Flow Count field's Events link
 E. Click on Events button in Last 10 Events section

Answer : B,D

Question No : 16 -

Which three tasks can an administrator perform from the QRadar SIEM reports tab?
(Choose three.)

 A. Brand reports
 B. Ability to create custom reports
 C. Ability to create custom compliance templates
 D. Present statistics derived from source IP and destination IP
 E. Present measurements and statistics derived from real time data
 F. Present measurements and statistics derived from events, flows and offenses

Answer : B,D,F

Question No : 17 -

What is QRadar QFlow Collector combined with QRadar SIEM designed to do?

 A. Encryption
 B. Netflow collection
 C. Syslog forwarding
 D. Layer 7 application visibility

Answer : B

Explanation: QRadar QFlow Collector - Collects data from devices, and various live and recorded feeds, such as network taps, span/mirror ports, NetFlow, and QRadar SIEM flow logs. When the data is collected, the QRadar QFlow Collector groups related individual packets into a flow. QRadar SIEM defines these flows as a communication session between two pairs of unique IP address and ports that use the same protocol. A flow starts when the QRadar QFlow Collector detects the first packet with a unique source IP address, destination IP address, source port, destination port, and other specific protocol options that determine the start of a communication. Each additional packet is evaluated. Counts of bytes and packets are added to the statistical counters in the flow record. At the end of an interval, a status record of the flow is sent to an Event Collector and statistical counters for the flow are reset. A flow ends when no activity for the flow is detected within the configured period of time. Flow reporting generates records of all active or expired flows during a specified period of time. If the protocol does not support port-based connections, QRadar SIEM combines all packets between the two hosts into a single flow record. However, a QRadar QFlow Collector does not record flows until a connection is made to another QRadar SIEM component and data is retrieved.

Question No : 18 -

Which TCP port must be open to allow communication between the primary and secondary HA hosts?

 A. 7709
 B. 7788
 C. 7789
 D. 7790

Answer : C

Question No : 19 -

Which three user-defined parameters contribute to the calculation of the Common Vulnerability Scoring System (CVSS) score on the QRadar Assets tab? (Choose three.)

 A. Severity Requirement
 B. Security Requirement
 C. Capacity Requirement
 D. Availability Requirement
 E. Confidentiality Requirement
 F. Collateral Damage Potential

Answer : D,E,F

Question No : 20 -

A customer is observing the Asset tab on the QRadar console and is getting duplicate assets in the console.
What is the reason for this asset duplication?

 A. There are multiple heterogeneous assets present in the environment.
 B. There are multiple assets having the same configuration details present in the environment.
 C. QRadar creates duplicate assets after a specific periodic interval without considering asset activity or inactivity.
 D. The asset doesn't appear in the network for a specific time period; when it came back, QRadar detected it and created a new asset for the same.

Answer : C

Question No : 21 -

You have created an LSX log parser document to process the unknown log events from your unsupported log source. The events are coming up with Log source type GenericDSM and the correct Log Source Event ID.
What is the next step in this process?

 A. Create the high level and low level categories from the map id action
 B. Map the custom log records to your own custom high level and low level categories
 C. Create the high level and low level categories from the Rules section in the Offense tab
 D. Run the qidmap.pl script to create high level and low level categories from the command line

Answer : D

Question No : 22 -

What should be the latency between the primary and secondary HA hosts?

 A. Less than 1 millisecond
 B. Less than 2 milliseconds
 C. Less than 3 milliseconds
 D. Less than 4 milliseconds

Answer : B

Question No : 23 -

Which three graph types are available for QRadar Log Manager reports? (Choose three.)

 A. Pie graph
 B. Histogram
 C. Bar graph
 D. Trivial graph
 E. Stacked bar graph
 F. Stacked table graph

Answer : A,C,F

Question No : 24 -

Which two types are available for the graph type "horizontal bar" on QRadar? (Choose two.)

 A. Top Source IPs
 B. Top Source Ports
 C. Top Login Failures
 D. Top Destination IPs
 E. Top Destination Ports

Answer : A,E

Question No : 25 -

From which screen can a Secondary Host be added to an HA host?

 A. Admin -> System Settings
 B. Admin -> Deployment Editor
 C. Admin -> Store and Forward
 D. Admin -> System and License Management

Answer : D

Question No : 26 -

The following message is displayed in the System Notification Widget on the Dashboard:
Which script should be run to help determine the cause of the dropped events?

 A. /opt/qradar/support/dumpGvData.sh
 B. /opt/qradar/support/dumpDSMInfo.sh
 C. /opt/qradar/support/cleanAssetModel.sh
 D. /opt/qradar/support/findExpensiveCustomRules.sh

Answer : D

Question No : 27 -

Which two formats are available for reports generated from the QRadar Reporting Tab?
(Choose two.)

 A. TXT
 B. CSV
 C. PDF
 D. HTML
 E. PostScript

Answer : C,D

Question No : 28 -

Which two authentication methods for the QRadar User Interface are valid? (Choose two.)

 A. SecureID
 B. Digital Signatures
 C. Password Authentication Protocol (PAP)
 D. Remote Authentication Dial In User Service (RADIUS)
 E. Terminal Access Controller Access-Control System (TACACS)

Answer : D,E

Question No : 29 -

A customer has developed a custom Universal Device Support Module (uDSM) for an unsupported device. The customer wants to parse the Device Time field, which is not in a standard format.
Which parameter should an administrator define in the LSX template in this situation?

 A. ext-time
 B. ext-date
 C. ext-data
 D. ext-devicedate

Answer : C

Question No : 30 -

Which default flow source is included in the QRadar SIEM?

 A. IPFIX
 B. jFlow
 C. QFlow
 D. NetFlow

Answer : D

Question No : 31 -

A customer wants to view Log Sources based on functionality on QRadar console. The
customer wants to categorize its Log Sources into multiple groups, which allows the
customer to efficiently view and track its log sources.
What is the maximum number of log sources a log source group can display on the
QRadar console?

 A. 100
 B. 500
 C. 750
 D. 1000

Answer : B

Question No : 32 -

Which two fields are required to be filled out when adding a new network to the network
hierarchy? (Choose two.)

 A. Name
 B. Country
 C. IP and CIDR
 D. Target Flow Collector
 E. Maximum Content Capture

Answer : A,C

Question No : 33 -

A customer is getting sufficient detection of proxy servers and wants to tune the building block "Default-BB-Host-Definition: Proxy Servers".
Which test in "Default-BB-Host-Definition: Proxy Servers" needs to be edited for tuning?

 A. Edit the "and when the destination IP is one of the following" test to include the IP addresses
 B. Edit the "and when the source or destination network is one of the following" test to include the network
 C. Edit the "and when the source IP is one of the following" test to include the IP addresses of the proxy servers
 D. Edit the "and when either the source or destination IP is one of the following" test to include the IP addresses of the proxy servers

Answer : C

Question No : 34 -

There are unknown log records from unsupported security device events in the Log Activity tab. You are planning to write an LSX for an unsupported security device type based on UDSM. What is the file format and payload option for exporting the unknown log records?

 A. XLS and full export
 B. CSV and full export
 C. XML and visible column
 D. PDF and visible column

Answer : C

Question No : 35 -

Which tab in the QRadar web console allows flows to be monitored and investigated?

 A. Admin
 B. Assets
 C. Offenses
 D. Network Activity

Answer : C

Question No : 36 -

How many streaming events per second can be displayed before being accumulated in a result buffer?

 A. 30 results per second
 B. 40 results per second
 C. 50 results per second
 D. 60 results per second

Answer : B

Question No : 37 -

Where do you save the "Login Message File" on the system when setting up a banner
message for the authentication page?

 A. /opt/qradar/conf/
 B. /opt/qradar/www
 C. /opt/tomcat/conf/
 D. /opt/qradar/webapps

Answer : A

Question No : 38 -

Which two search filters are available on the QRadar console while making an asset
search? (Choose two.)

 A. PCI Severity, NERC Severity
 B. Vulnerability CVSS Base Score, Vulnerability Risk Score
 C. Vulnerability on Open Port, Vulnerability on Open Service
 D. Vulnerability on Open Port, Vulnerability External Reference
 E. Vulnerability on Source Port, Vulnerability on Destination Port

Answer : B,E

Question No : 39 -

Which two options need to be set when adding a host inside the deployment editor? (Choose two.)

 A. Netmask
 B. IP Address
 C. Root password
 D. QRadar version
 E. Gateway IP Address

Answer : B,E

Question No : 40 -

Which two statements are true regarding QRadar Log Sources and DSMs? (Choose two.)

 A. One log source must have one DSM.
 B. One DSM must have many log sources.
 C. One log source must have many DSMs.
 D. One DSM can have only one log source.
 E. One DSM can be used in many log sources.

Answer : C,E

Question No : 41 -

Which serial option needs to be set in the syslinux configuration file to reinstall a malfunctioning appliance via the serial port from a USB flash drive?

 A. Default serial
 B. Serial port redirect
 C. Serial install option
 D. Serial console redirect

Answer : A

Question No : 42 -

A QRadar administrator needs to tune the system by enabling or disabling the appropriate rules in order to ensure that the QRadar console generates meaningful offenses for the environment. Which role permission is required for enabling and disabling the rule?

 A. Offenses > Maintain CRE Rules
 B. Offenses > Toggle Custom Rules
 C. Offenses > Manage Custom Rules
 D. Offenses > Maintain Custom Rules

Answer : C

Question No : 43 -

Which two types of charts are available on QRadar SIEM Report editor? (Choose two.)

 A. Top Events
 B. Top Source IPs
 C. Top Login Failures
 D. Top Destination IPs
 E. Top Access Failures

Answer : B,D

Question No : 44 -

Which operating system is supported for creating a bootable flash drive for recovery?

 A. Cisco IOS
 B. Sun Solaris
 C. Debian Linux
 D. MS Windows Vista

Answer : C

Question No : 45 -

What is QRadar QFlow Collector combined with QRadar SIEM designed to do?

 A. Collect Netflow records
 B. Layer 7 application visibility
 C. Receive Syslog messages
 D. Ensure secure message collection

Answer : A,B

Question No : 46 -

In which three ways can you create Log Sources? (Choose three.)

 A. Bulkload
 B. Manually
 C. Automatically
 D. Scripting
 E. Autoupdate
 F. QRadar Enterprise template

Answer : B,D,E

Question No : 47 -

Which view option allows you to view events as they occur?

 A. Automatic
 B. Live Events
 C. Real Time (streaming)
 D. Last Interval (auto refresh)

Answer : C

Question No : 48 -

Which two data collection types are supported for SAINT scanner configurations? (Choose two.)

 A. App Scan
 B. Live Scan
 C. Report Only
 D. Passive Scan
 E. Vulnerability Scan

Answer : B,C

Question No : 49 -

Which character is used for naming subgroups when using the option Add Group in the
Network Hierarchy editor?

 A. +(plus)
 B. . (period)
 C. \ (Backslash)
 D. /(Forward Slash)

Answer : B

Question No : 50 -

Where is an email address from which you want to receive email alerts on QRadar SIEM
located?

 A. Admin > System settings > Alert Email From Address
 B. Admin > Console settings > Alert Email From Address
 C. Admin > System settings > Administrative Email Address
 D. Admin > Console settings > Administrative Email Address

Answer : A

Question No : 51 -

A flow is a sequence of packets that have which common characteristics?

 A. Same source, MAC address, flow source and destination IP address
 B. Same source IP address, flow source and transport layer port information
 C. Same source and destination IP address and transport layer port information
 D. Same destination IP address, source bytes and transport layer port
information

Answer : D

Question No : 52 -

How frequently does the Automated Update Process run if configuration files are updated on the Primary and then Deploy Changes is not performed, and the updates are made on the Secondary host through an Automated Update Process?

 A. Every 10 minutes
 B. Every 15 minutes
 C. Every 30 minutes
 D. Every 60 minutes

Answer : D

Question No : 53 -

There is a requirement at the customer site to double the default QFlow Maximum Content Capture size.
What would be the resulting packet size?

 A. 64 bytes
 B. 128 bytes
 C. 256 bytes
 D. 1024 bytes

Answer : B

Question No : 54 -

Which string creates a network hierarchy group called WebServers inside a group called DMZ?

 A. DMZ/WebServers
 B. DMZ_WebServers
 C. DMZWebServers
 D. DMZ+WebServers

Answer : A

Question No : 55 -

Where does the information about total number of Assets and Vulnerability processed
appear?

 A. Asset table in Assets tab
 B. VA Scanner Configuration screen
 C. Vulnerabilities Tab > Scan Result
 D. Mouse Over popup on Schedule Scan Status field

Answer : C

Question No : 56 -

Which option will display the rule that triggered an offense from Offense Details screen?

 A. Display > Rules
 B. Display > Sources
 C. Offenses tab > Rules
 D. Display > Annotations

Answer : A

Question No : 57 -

What is the easiest method to populate host definition building blocks?

 A. Setup Rules
 B. Server Discovery
 C. Authorized Services
 D. Manually Define Building Blocks

Answer : A

Question No : 58 -

Which action can be performed on a license key?

 A. Erase a license key
 B. Delete a license key
 C. Unload a license key
 D. Unallocate a license key

Answer : B

Question No : 59 -

What does the message in the System Notification Widget in the Dashboard "Disk Sentry: Disk usage exceeded WARNING threshold" tell you?

 A. One of your File Systems has exceeded 92%.
 B. One of your File Systems has exceeded 95%.
 C. One of your File Systems has exceeded 98%.
 D. One of your File Systems has exceeded 90%.

Answer : D

Question No : 60 -

Which directory from the QRadar host can be moved to offboard storage?

 A. /var
 B. /store
 C. /home
 D. /media

Answer : B

Question No : 61 -

You have been asked to forward all event logs from QRadar to another central syslog server with the IP of 172.16.77.133. You also want the events to be processed by the CRE, but not stored on the system.
What will allow you to do this process?

 A. Add a Routing Rule that, under Current Filters "Matches All Incoming Events", under Routing Options, add a Forwarding destination for 172.16.77.133 with the "Raw Event" format. Then select the 'Forward' and 'Drop' options. Save and deploy.
 B. Add a Routing Rule that, under Current Filters "Matches All Incoming Events", under Routing Options, add a Forwarding destination for 172.16.77.133 with the "Normalized Event" format. Then select the 'Forward' and 'Drop' options. Save and deploy.
 C. Add a forwarding Destination for 172.16.77.133 with the "Raw Event" format. Then add a Routing Rule that, under Current Filters "Matches All Incoming Events", under Routing Options, select the Forward destination that matches the destination you created. Then select the 'Forward' and 'Drop' options. Save and deploy.
 D. Add a forwarding Destination for 172.16.77.133 with the "Normalized Event" format. Then add a Routing Rule that, under Current Filters "Matches All Incoming Events", under Routing Options, select the Forward destination that matches the destination you created. Then select the 'Forward' and 'Drop' options. Save and deploy.
Answer : A

Question No : 62 -

There are unknown log records from unsupported security device events in the Log Activity tab. You are planning to write an LSX for an unsupported security device type based on UDSM.
What is the file format and payload option for exporting the unknown log records?

 A. PDF and full export
 B. CSV and full export
 C. XML and visible column
 D. CSV and visible column

Answer : C

Question No : 63 -

Which action can be performed on a license key?

 A. Reuse allocation of a license
 B. Revert allocation of a license
 C. Revoke allocation of a license
 D. Recover allocation of license

Answer : B

Question No : 64 -

Which configuration window defines the maximum number of TCP syslog connections?

 A. Log Sources
 B. System Setting
 C. Console Setting
 D. Deployment Editor

Answer : D

Question No : 65 -

Which two fields are required to be filled out when adding a new network to the network
hierarchy? (Choose two.)

 A. Weight
 B. IP and CIDR
 C. Capture Filter
 D. Flow Source Interface
 E. Flow Retention Length

Answer : A,D

Question No : 66 -

Assuming a Squid Proxy has logs in the following format:
time elapsed remotehost code/status bytes method URL rfc931 peerstatus/peerhost type
And these are some sample logs from the Squid server:
1286536310.075 452 192.168.0.227 TCP_MISS/200 5067 GET http://www.test.com/vi/VfnuY/default.jpg DIRECT/10.20.153.118 image/jpeg
1286536310.524 935 192.168.0.68 TCP_MISS/200 1021 POST http://www.test.com/services DIRECT/172.16.41.128 application/xml
1286536310.550 495 192.168.0.227 TCP_MISS/204 406 GET http://test.com/get_video? - DIRECT/10.12.231.1.136 text/html
1153239176.287 632 172.16.10.92 TCP_IMS_HIT/304 215 GET http://www.test.com/index.html - NONE/- text/html
Which regular expression would you use to pull out the bytes field into a custom property?

 A. \w+/\d+\s+(\d+)\s+(POST|GET)
 B. \w+/\d+\S+(\d+)\S+(POST|GET)
 C. \w+/\d+\s+(\d+)\s+^(POST|GET)
 D. \W+/\D+\D+(\D+)\D+(POST|GET)

Answer : D

Question No : 67 -

Which flow source is sampled?

 A. sFlow
 B. PCAP
 C. QFlow
 D. Flog log file

Answer : A

Question No : 68 -

A QRadar administrator is developing a custom uDSM for an unsupported device.
Given this event payload:
<13> Jan 28 12:57:23 9.77.16.19 AgentDevice=FileForwarder AgentLogFile=logger1.log Payload=January 28,2014 12:53:50 PM GMT+05:30|HOST_CREATE_ERROR|Host{1:testserver40} create failed on array {0:Abc}
Which regular expression should the administrator define for parsing the hostname "testserver40"?

 A. \w+\s+{.*?\\s}
 B. \w+\s+{\d+\:(\.*?)\}
 C. \w+\s+{\d+\:(\w+)\}
 D. \w+\s+{\d+\:([a-zA-Z]+)\}

Answer : D

Question No : 69 -

Which tab in the QRadar web console allows events to be monitored and investigated?

 A. Admin
 B. Offenses
 C. Forensics
 D. Log Activity

Answer : D

Question No : 70 -

A user of QRadar wishes to have a report showing the number of bytes per packet they
see with their flows. The user decides to create a Custom Flow Property for this
application.
Which type of custom property is required for this to be accomplished?

 A. Regex Custom Property
 B. Advanced Custom Property
 C. Computation Custom Property
 D. Calculation Based Custom Property

Answer : A

Question No : 71 -

On the QRadar console you have received notification that CVE ID: CVE-2010-000 is being actively used.
What search parameter should you select from the list of search parameters in this situation?

 A. Collateral Damage Reference
 B. Vulnerability External Reference
 C. Vulnerability Information System
 D. Vulnerability Internal System Reference

Answer : C

Question No : 72 -

Which attribute is valid when defining the user roles to provide the necessary access?

 A. Assets: Server Discovery
 B. Offenses: View Custom Rules
 C. Offenses: Maintain Custom Rules
 D. Network Activity: User Defined Flow Properties

Answer : A

Question No : 73 -

What two are valid actions that a user can perform when monitoring offenses? (Choose two.)

 A. Import offenses
 B. Backup offenses
 C. Restore offenses
 D. Send email notifications
 E. Hide or close an offense from any offense list

Answer : B,E

Question No : 74 -

What is the minimum bandwidth needed between the primary and secondary HA host?

 A. 1 gigabits per second (Gbps)
 B. 2 gigabits per second (Gbps)
 C. 3 gigabits per second (Gbps)
 D. 4 gigabits per second (Gbps)

Answer : A

Question No : 75 -

A QRadar administrator is sizing a distributed deployment. The deployment has approximately 1.5 gigabytes of sustained throughput of traffic on a network tap. The network tap is a copper connection. Which Qflow collector should be chosen?

 A. Qflow Collector 1310
 B. Qflow Collector 1202
 C. Qflow Collector 1201
 D. Qflow Collector 1301

Answer : B

Explanation: The Qflow Collector 1202 supports up to 1 Gbps 10/100/1000 Base-T connections and supports up to 3 Gbps of network traffic.
http://www.ibm.com/support/knowledgecenter/SS42VS_7.2.6/com.ibm.qradar.doc/c_hwg_1202.html

Question No : 76 -

Which attribute is valid when defining the user roles to provide the necessary access?

 A. Admin: System Administrator
 B. Log Activity: View Custom Rules
 C. Log Activity: Manage Time Series
 D. Network Activity: Maintain custom Rules

Answer : A

Question No : 77 -

Which action prevents an offense from being removed from the database?

 A. Hide
 B. Show
 C. Export
 D. Protect

Answer : D

Question No : 78 -

Which proxy option can be set in the QRadar Auto Update Advanced settings?

 A. Proxy Type
 B. Proxy Name
 C. Proxy Schedule
 D. Proxy Password

Answer : D

Question No : 79 -

What does the message in the System Notification Widget on the Dashboard "Disk Sentry: Disk Usage exceeded max threshold" tell you?

 A. One of your File Systems has exceeded 92%.
 B. One of your File Systems has exceeded 95%.
 C. One of your File Systems has exceeded 98%.
 D. One of your File Systems has exceeded 90%.

Answer : B

Explanation: This message is displayed when disk usage reaches 95% on any of the monitored partitions. QRadar SIEM data collection (ecs) and search processes (ariel) are shut down in order to protect the file system from reaching 100%.

Question No : 80 -

Given QRadar network hierarchy defined as 9.182.160.0/23 for the CIDR network
9.182.160.0, what is the customer's network IP range?

 A. 9.182.160.0 - 9.182.161.255
 B. 9.182.160.0 - 9.182.160.255
 C. 9.182.160.1 - 9.182.160.255
 D. 9.182.160.1 - 9.182.160.127

Answer : B

Question No : 81 -

What is required to allow authentication to work properly when using a vendor authentication module like Active Directory?

 A. Authentication Bind password
 B. An SSH tunnel between QRadar and the authentication server
 C. QRadar and the authentication server must be on the same subnet
 D. Time Synchronization between QRadar and the authentication server

Answer : B

Question No : 82 -

Which Log Source Type should be used to add a Log Source with Log Source
Extension?

 A. Any
 B. Custom
 C. Universal DSM
 D. Log Source Extension

Answer : D

Question No : 83 -

Assuming a Squid Proxy has logs in the following format:
Time elapsed remotehost code/status bytes method URL rfc931 peerstatus/peerhost type
And these are some sample logs from a Squid server:
Which regular expression would you use to pull out the bytes field into a custom property?

 A. \w+/\d+\s+(\d+)\s+
 B. \w+/\d+\s+(\d+)\S+
 C. \w+/\d+\S+(\d+)\s+
 D. \w+/\D+\s+(\D+)\s+

Answer : A

Question No : 84 -

An off-site source can be connected to which component?

 A. QFlow
 B. Event Collector
 C. Flow Processor
 D. Event Processor

Answer : C

Question No : 85 -

An off-site source can connect to which component?

 A. Flow collector
 B. Event collector
 C. Flow processor
 D. Event processor

Answer : B

Question No : 86 -

Which two formats can events be exported to? (Choose two.)

 A. Web page (HTML)
 B. Excel Spreadsheet (XLS)
 C. Comma-Separated Values (CSV)
 D. Portable Document Format (PDF)
 E. Extensible Markup Language (XML)

Answer : C,E

Question No : 87 -

How many days does QRadar keep records of closed offenses by default?

 A. 1 day
 B. 5 days
 C. 3 days
 D. 7 days

Answer : C

Question No : 88 -

Which option is used to set the Secondary host to an active state?

 A. Click on Primary, then click on High Availability > Set System Offline
 B. Click on Secondary, then click on High Availability > Restore System
 C. Click on Secondary, then click on High Availability > Set System Online
 D. Click on HA Cluster, then click on High Availability > Set System Offline

Answer : C

Explanation: When you set the secondary HA host to Online, the secondary HA host
becomes the standby system. If you set the primary HA host to Online while the
secondary system is Active, the primary HA host becomes the active system and the
secondary HA host automatically becomes the standby system.

Question No : 89 -

You notice the following message in the System Notification Widget on the Dashboard: "Unable to automatically detect the associated log source for IP address."
When you hover over the message, you see this pop-up message:
What is the issue?

 A. There are events coming from IP 127.0.0.1 that cannot be autodiscovered and a Log Source Created
 B. There are events coming from IP 192.168.2.90 that cannot be autodiscovered and a Log Source Created
 C. There are events coming from IP 172.16.77.25 that cannot be autodiscovered and a Log Source Created
 D. There are events coming from hostname red6.color.com that cannot be autodiscovered and a Log Source Created
Answer : C

Question No : 90 -

What does monitoring offenses grouped by category provide?

 A. A list of offenses grouped on the user category
 B. A list of offenses grouped on the low-level category
 C. A list of offenses grouped on the high-level category
 D. A list of offenses grouped on the event or flow category

Answer : C

Question No : 91 -

Which two fields are required to be filled out when adding a new network to the network
hierarchy? (Choose two.)

 A. Group
 B. Country
 C. Mail Server
 D. DNS Server
 E. IP and CIDR

Answer : D,E

Question No : 92 -

Which operating system is supported for creating a bootable flash drive for recovery?

 A. Cisco IOS
 B. Florida Linux
 C. Debian Linux
 D. RedHat Linux

Answer : D

Question No : 93 -

Which QRadar component requires the use of a NAPATECH card?

 A. QRadar 3105 Console
 B. QRadar 1705 Processor
 C. QRadar 1605 Processor
 D. QRadar QFlow Collector 1310

Answer : D

Question No : 94 -

A QRadar administrator has created a custom rule for the investigation of a DoS attack on a network, using NetFlow data as well as events coming from a Checkpoint firewall.
Where should the tests be performed to detect this type of unusual activity?

 A. Perform tests on offenses to detect unusual activity in your network
 B. Perform tests on events and flows to detect unusual activity in your network
 C. Perform tests on events, flows and offenses to detect unusual activity in your network
 D. Perform tests on the events, flows, offenses and results of saved flow or event searches in your network

Answer : C

Question No : 95 -

Which statement is true with regard to planning QRadar SIEM high availability?

 A. The secondary host can be in a different subnet from the primary host.
 B. The secondary HA host that you want to add to the HA cluster can be a component in another HA cluster.
 C. The primary HA host that you want to add to the HA cluster must be a component in another HA cluster.
 D. When the IP address of the primary host is reassigned as a cluster virtual IP, the new IP address that you assign to the primary must be in the same subnet.

Answer : D

Question No : 96 -

Which attribute is valid when defining the user roles to provide the necessary access?

 A. Reports: Maintain Templates
 B. Network Activity: View Custom Rules
 C. Network Activity: Manage Times Series
 D. Log Activity: User Defined Event Properties

Answer : C

Question No : 97 -

What does Server discovery do?

 A. Defines rules for hosts
 B. Creates asset searches
 C. Populates host definition building blocks
 D. Builds complex search queries for events flows

Answer : C

Question No : 98 -

Which offboard storage solution must only be used to mount the /store/backup file
system?

 A. FTP
 B. NFS
 C. iSCSI
 D. Fibre Channel

Answer : B

Question No : 99 -

Which operating system is supported for creating a bootable flash drive for recovery?

 A. IBM AIX
 B. MAC OS X
 C. Ubuntu Linux
 D. Windows OS

Answer : C

Question No : 100 -

A mail server typically communicates with 50 hosts per second in the middle of the night
and then suddenly starts communicating with 1.000 hosts a second. The administrator
wants to get an email alert whenever this situation is being observed.
Which type of rule should an administrator create to monitor this situation?

 A. Flow Rule
 B. Anomaly Rule
 C. Threshold Rule
 D. Behavioral Rule

Answer : C
