How many normalized timestamp field(s) does an event contain?
- A . 2
- B . 3
- C . 4
- D . 1
B
Explanation:
There are 3 timestamp fields on events in Qradar.
Reference: https://www.ibm.com/mysupport/s/question/0D50z00006PEG2mCAH/why-do-i-see-different-time-stamps-for-qradar-events?language=en_US
What information is included in flow details but is not in event details?
- A . Network summary information
- B . Magnitude information
- C . Number of bytes and packets transferred
- D . Log source information
A
Explanation:
Flows represent network activity by normalizing IP addresses, ports, byte and packet counts, and other data, into flow records, which effectively are records of network sessions between two hosts.
Reference: https://www.ibm.com/docs/en/qsip/7.3.2?topic=overview-qradar-events-flows
An analyst is working on Offense management and finds that a few of the offenses are not being removed from the Offense tab even after the Offense retention period has elapsed.
What could be the reason that these offenses are not being removed?
- A . Offense has been annotated
- B . Offense is inactive
- C . Offense is released
- D . Offense is protected
D
Explanation:
https://www.ibm.com/docs/en/qsip/7.4?topic=management-offense-retention
An analyst is searching for a list of events that meet specific search criteria and wants to display only the source IP and destination IP information for the events.
To get the required information, the analyst can open the Log Activity tab and then:
- A . select the field names, select the start and end time from the drop down fields in the filters section, then click search.
- B . click add filter, select the desired parameters, operators, values and field names, then click search.
- C . select advanced search , type the corresponding AQL query, then click search.
- D . select search, then new search, scroll down and select time range, column definitions, the search parameters then click search.
When ordering these tests in an event rule, which of them is the best test to place at the top of the list for rule performance?
- A . When the source is [local or remote]
- B . When the destination is [local or remote]
- C . When the event(s) were detected by one or more of [these log sources]
- D . When an event matches all of the following [Rules or Building Blocks]
Which consideration should be given to the position of rule tests that evaluate regular expressions (Regex tests)?
- A . They can only be used in Building Blocks to ensure they are evaluated as infrequently as possible.
- B . They are usually the most specific. As such, they should appear first in the order.
- C . They are usually the most expensive. As such, they should appear last in the order.
- D . They are stateful tests. As such QRadar automatically evaluates them last.
A
Explanation:
Reference: https://towardsdatascience.com/everything-you-need-to-know-about-regular-expressions-8f622fe10b03
The SOC team complained that they have can only see one Offense in the Offenses tab. space of 10 minutes, but the analyst
How can the analyst ensure only one email is sent in this circumstance?
- A . Configure the postfix mail server on the Console to suppress duplicate items
- B . Ensure that the Rule Action Limiter is configured the same way as the Rule Response Limiter.
- C . Add a Response Limiter to the Rule, configured to execute only once every 30 minutes.
- D . Disable Automated Offense Notification – by email, in Advanced System Settings.
Why would an analyst update host definition building blocks in QRadar?
- A . To reduce false positives.
- B . To narrow a search.
- C . To stop receiving events from the host.
- D . To close an Offense
D
Explanation:
Building blocks to reduce the number of offenses that are generated by high volume traffic servers.
Reference: https://www.ibm.com/docs/en/qsip/7.4?topic=phase-qradar-building-blocks
Which graph types are available for QRadar SIEM reports? (Choose two)
- A . Histogram
- B . Pie
- C . Trivial curve
- D . Frequency curve
- E . Stacked Bar
B,E
Explanation:
https://www.ibm.com/docs/en/qsip/7.4?topic=management-graph-types
Which considering the ability to tune False Positives with the Confidence factor Setting, which statement applies?
- A . Secure areas should have a lower confidence value, while less secure areas should have a higher confidence value.
- B . Secure areas should have a higher confidence value, while less secure areas should have a lower confidence value a higher,,
- C . When setting a confidence factor, using a higher value will result in a higher number of Offenses.
- D . To ensure that the results are comparable, it is important to apply a common Confidence Factor across all network segments.
QRadar collects information from numerous log sources and other agents. Sometimes these agents stop reporting to QRadar for a variety of reasons. There is a default rule in QRadar to help identify these cases called the Device Stopped Sending Events (DSSE) Rule.
What does the DSSE Rule do?
- A . It checks for log sources which are reporting that they have not had any communication in a certain amount of time.
- B . It checks for Rules which have fired due to an absence of Events.
- C . It runs when there is an absence of Events.
- D . It listens for log sources that send out regular health events and triggers the Rule when encountered
An analyst is encountering a large number of false positive results. Legitimate internal network traffic contains valid flows and events which are making it difficult to identify true security incidents.
What can the analyst do to reduce these false positive indicators?
- A . Create X-Force rules to detect false positive events.
- B . Create an anomaly rule to detect false positives and suppress the event.
- C . Filter the network traffic to receive only security related events.
- D . Modify rules and/or Building Block to suppress false positive activity.
A new analyst is tasked to identify potential false positive Offenses, then send details of those Offenses to the Security Operations Center (SOC) manager for review by using the send email notification feature.
- A . Total number of sources, top five categories, total number of destinations. Contributing CRE rules total number of packets.
- B . Total number of sources, top five sources by magnitude, total number of destinations, destination networks, total number of packets.
- C . Total number of sources, top five sources by magnitude, total number of destinations, destination networks, total number of events.
- D . Total number of sources, top five number of categories, total number of destinations, destination networks, total number of packets.
What event information within an offense would provide the analyst with a deep insight as to how it was created?
- A . Event Category
- B . Event QID
- C . Event Payload
- D . Event Magnitude
An analyst needs to create a rule that includes a building block definition that identifies a communication to a local SMTP server that then connects to an unapproved remote peer.
In which group will the analyst find this specified building block?
- A . Category Definitions
- B . Host Definitions
- C . Network Definitions
- D . Policy
An analyst needs to create a new custom dashboard to view dashboard items that meet a particular requirement.
What are the main steps in the process?
- A . Select New Dashboard and enter unique name, description, add items and save.
- B . Select New Dashboard and copy name, add description, items and save.
- C . Request the administrator to create the custom dashboard with required items.
- D . Locate existing dashboard and modify to include indexed items required and save.
C
Explanation:
To create or edit your dashboards, log in as an administrator, click the Dashboards tab, and then click the gear icon. In edit mode, you can create new dashboards, add and remove widgets, edit display values in existing widgets, and reorder tabs.
Reference: https://documentation.solarwinds.com/en/success_center/tm/content/threatmonitor/tm-editdashboards.htm
Which statement about False Positive Building Blocks applies?
Using False Positive Building Blocks:
- A . helps to prevent unwanted alerts, but there is no effect on performance.
- B . helps to prevent unwanted alerts, and reduces the performance impact of testing rules that do not need to be tested.
- C . has no impact on unwanted alerts, but it does reduce the performance impact of testing rules that do not need to be tested.
- D . has no impact on unwanted alerts, or performance.
A
Explanation:
Reference: https://community.carbonblack.com/t5/Knowledge-Base/Cb-Defense-Understanding-Eliminating-Unwanted-Alerts/ta-p/44924
An analyst needs to find all events that are creating offenses that are triggered by rules that contain the word suspicious in the rule name.
Which query can the analyst use as a working sample?
- A . SELECT LOGSOURCENAME(logsourceid), * from events where RULENAME(creeventlist) ILIKE ‘%suspicious%’
- B . SELECT LOGGEDOFFENSE(logsourceid), * from offense_events where RULENAME(creeventlist) ILIKE ,%suspicious%’
- C . SELECT LOGSOURCETYPE(logsourceid), – from log_events where RULENAME(creeventlist) ILIKE ‘%suspicious%’
- D . SELECT LOGSOURCERULES(logsourceid), " from rule_events where RULENAME(creeventlist) ILIKE ‘%suspicious%’
A
Explanation:
Reference: https://www.ibm.com/docs/en/qradar-on-cloud?topic=searches-advanced-search-options
Where can an analyst working with Offenses add a regular expression test into an existing rule?
- A . Top
- B . Right
- C . Bottom
- D . Left
Where can an analyst investigate a security incident to determine the root cause of an issue, and then work to resolve it?
- A . Risk tab
- B . Network Activity tab
- C . Offense tab
- D . Vulnerabilities tab
What happens to a Closed Offense after the offense retention period which defaults to 30 days7
- A . It is automatically archived.
- B . It is hidden from view.
- C . It is deleted from the system.
- D . It is manually deleted by the administrator
What is required to create an anomaly rule?
- A . triggered events
- B . a grouped saved search
- C . triggered flows
- D . baseline anomalies
Which QRadar component stores Event data?
- A . App Host
- B . Event Collector
- C . Event Processor
- D . Flow Collector
Which QRadar timestamp specifies when the event was received from the log source?
- A . Collect time
- B . Start time
- C . Storage time
- D . Log Source time
B
Explanation: https://www.ibm.com/mysupport/s/question/0D50z00006PEG2mCAH/why-do-i-see-different-time-stamps-for-qradar-events?language=en_US
Which use case type is appropriate for VPN log sources? (Choose two.)
- A . Advanced Persistent Threat (APT)
- B . Insider Threat
- C . Critical Data Protection
- D . Securing the Cloud
A,B
Explanation:
Reference: https://www.ibm.com/docs/en/dsm?topic=management-threat-use-cases-by-log-source-type
What is the intent of the magnitude of an offense?
- A . It measures the age of the event attached to the offense.
- B . It measures the age of the offense.
- C . It measures the importance of the offense.
- D . It measures the importance of the event attached to the offense.
B
Explanation:
The age of the offense.
Reference: https://www.ibm.com/docs/en/qsip/7.3.3?topic=management-offense-prioritization
To provide insight into why QRadar considers the event to be threatening, what does QRadar add to the Offense that users cannot edit or delete?
- A . Annotations
- B . Attack path
- C . Location
- D . Source IP
A
Explanation: https://www.ibm.com/docs/en/qsip/7.4?topic=investigations-investigating-offense-by-using-summary-information
Annotations provide insight into why QRadar considers the event or observed traffic to be threatening.
QRadar can add annotations when it adds events or flows to an offense. The oldest annotation shows information that QRadar added when the offense was created. Users cannot add, edit, or delete annotations.
Which component in QRadar collects and creates flow information?
- A . sflow
- B . NetFIow
- C . Qflow
- D . J-Flow
C
Explanation: https://www.ibm.com/support/pages/qradar-about-flows-and-difference-between-qflow-collector-and-qradar-event-collector
How can an analyst search for all events that include the keyword ‘vims’?
- A . By going to the Network Activity tab and run a quick search with the ‘virus’ keyword.
- B . By going to the Log Activity tab and run a quick search with the ‘virus’ keyword.
- C . By going to the Offenses tab and run a quick search with the ‘virus’ keyword.
- D . By going to the Log Activity tab and run this AQL: select * from events where eventname like "virus’
An analyst has created a custom property from the events for searching for critical information. The analyst also needs to reduce the number of event logs and data volume that is searched when looking for the critical information to maintain the efficiency and performance of QRadar.
Which feature should the analyst use?
- A . Index Management
- B . Log Management
- C . Database Management
- D . Event Management