NEW QUESTION 1
Which QRadar component provides the user interface that delivers real-time flow views?

• A. QRadar Viewer
• B. QRadar Console
• C. QRadar Flow Collector
• D. QRadar Flow Processor

Answer: B

Explanation:
References:
http://www.ibm.com/support/knowledgecenter/en/SS42VS_7.2.7/com.ibm.qradar.doc/shc_qradar_comps.html

NEW QUESTION 2
What is the largest differentiator between a flow and event?

• A. Events occur at a moment in time while flows have a duration.
• B. Events can be forwarded to another destination, but flows cannot.
• C. Events allow for the creation of custom properties, but flows cannot.
• D. Flows only contribute to local correlated rules, while events are global.

Answer: A

NEW QUESTION 3
What are two common uses for a SI EM? (Choose two.)

• A. Managing and normalizing log source data
• B. Identifying viruses based on payload MD5s
• C. Blocking network traffic based on rules matched
• D. Enforcing governmental compliance auditing and remediation
• E. Performing near real-time analysis and observation of a network and its devices

Answer: AC

NEW QUESTION 4
What is a primary goal with the use of building blocks?

• A. A method to create reusable rule responses
• B. A reusable test stack that can be used in other rules
• C. A method to generate reference set updates without using a rule
• D. A method to create new events back into the pipeline without using a rule

Answer: B

NEW QUESTION 5
Which two actions can be performed on the Offense tab? (Choose two.)

• A. Adding notes
• B. Deleting notes
• C. Hiding offenses
• D. Deleting offenses
• E. Creating offenses

Answer: AC

NEW QUESTION 6
What is a key difference between the magnitude of an event and the magnitude of an offense?

• A. The magnitude of an event is derived when the event is received and does not vary, the magnitude of an offense can only increase.
• B. The magnitude of an event is derived when the event is received and does not vary, the magnitude of an offense can increase or decrease over time.
• C. The magnitude of an event is derived from the current magnitude of the offense it creates, the magnitude of an offense can increase or decrease overtime.
• D. The magnitude of an event is derived when the event is received and does not vary, the magnitude of an offense is derived when the offense is created and does not vary.

Answer: B

NEW QUESTION 7
Which two pieces of information can be found under the Log Activity tab? (Choose two )

• A. Offenses
• B. Vulnerabilities
• C. Firewall events
• D. Destination Bytes
• E. Internal QRadar messages

Answer: CD

NEW QUESTION 8
What is an effective method to fix an event that is parsed an determined to be unknown or in the wrong QReader category/

• A. Create a DSM extension to extract the category from the payload
• B. Create a Custom Property to extract the proper Category from the payload
• C. Open the event details, select map event, and assign it to the correct category
• D. Write a Custom Rule, and use Rule Response to send a new event in the proper category

Answer: B

NEW QUESTION 9
What are Mow sources used to monitor?

• A. Vulnerability information
• B. End point network activity
• C. Server performance metrics
• D. User account credential usage activity

Answer: C

NEW QUESTION 10
What is a main function of a Cisco Adaptive Security Appliance (ASA)?

• A. A Proxy
• B. A Switch
• C. A Firewall
• D. An Authentication device

Answer: C

NEW QUESTION 11
Which key elements does the Report Wizard use to help create a report?

• A. Layout, Container, Content
• B. Container, Orientation, Layout
• C. Report Classification, Time, Date
• D. Pagination Option, Orientation, Date

Answer: A

Explanation:
References:
IBM Security QRadar SIEM Users Guide. Page: 201

NEW QUESTION 12
Which approach allows a rule to test for Active Directory (AD) group membership?

• A. Import the AD membership information into the Asset Database using AXIS and use an asset rule test
• B. Use the built-in LDAP integration to execute a search for each event as it is received by the EventProcessor to test for group membership
• C. Maintain reference data for the AD group(s) of interest containing lists of usernames and then add rule tests to see if the normalized username is in the reference data
• D. Export the AD group membership information to a CSV file and place it inthe /store/AD_mapping.csv file on the console, then use the "is a member of AD group' test in the rule

Answer: B

NEW QUESTION 13
Which Anomaly Detection Rule type can test events or flows for volume changes that occur in regular patterns to detect outliers?

• A. Outlier Rule
• B. Anomaly Rule
• C. Threshold Rule
• D. Behavioral Rule

Answer: D

Explanation:
References:
http://www.ibm.com/support/knowledgecenter/en/SS42VS_7.2.7/com.ibm.qradar.doc/c_qradar_rul_anomaly_de

NEW QUESTION 14
Which QRadar add-on component can quickly retrace the step-by-step actions of an attacker?

• A. QRadar Risk Manager
• B. QRadar Flow Collector
• C. QRadar Incident Forensics
• D. QRadar Vulnerability Manager

Answer: B

NEW QUESTION 15
What is the key difference between Rules and Building Blocks in QRadar?

• A. Rules have Actions and Responses; Building Blocks do not.
• B. The Response Limiter is available on Building Blocks but not on Rules.
• C. Building Blocks are built-in to the product; Rules are customized for each deployment.
• D. Building Blocks are Rules which are evaluated on both Flows and Events; Rules are evaluated on Offenses of Flows or Events.

Answer: A

NEW QUESTION 16
Which type of search uses a structured query language to retrieve specified fields from the events, flows, and simarc tables?

• A. Add Filter
• B. Asset Search
• C. Quick Search
• D. Advanced Search

Answer: D

Explanation:
References:
http://www.ibm.com/support/knowledgecenter/en/SS42VS_7.2.7/com.ibm.qradar.doc/c_qradar_ug_search_bar.

NEW QUESTION 17
Where could you get additional details on why the offense was triggered when Summary page?

• A. Display > Notes
• B. Display > Rules
• C. Display > Flows
• D. Display > Events

Answer: B

NEW QUESTION 18
What set of Key fields can trigger coalescing?

• A. Source IP address, Source port, Severity, Username, and Event ID
• B. Source IP address, Destination IP address, Destination port, Direction, and Event ID
• C. Source IP address, Destination IP address, Destination port, Username, and Event ID
• D. Destination IP address, Destination port, Relevance, Username, and Low Level Category

Answer: C

Explanation:
References:
http://www-01.ibm.com/support/docview.wss?uid=swg21622709

NEW QUESTION 19
Which type of tests are recommended to be placed first in a rule to increase efficiency?

• A. Custom property tests
• B. Normalized property tests
• C. Preference set lookup tests
• D. Payload contains regex tests

Answer: B

NEW QUESTION 20
When QRadar processes an event it extracts normalized properties and custom properties. Which list includes only Normalized properties?

• A. Start time, Source IP, Username, Unix Filename
• B. Start time, Username, Unix Filename, RACF Profile
• C. Start time, Low Level Category, Source IP, Username
• D. Low Level Category, Source IP, Username, RACF Profile

Answer: C

NEW QUESTION 21
What can be considered a log source type?

• A. ICMP
• B. SNMP
• C. Juniper IOP
• D. Microsoft SMBtail

Answer: C

NEW QUESTION 22
Which QRadar add-on component can generate a list of the unencrypted protocols that can communicate from a DMZ to an internal network?

• A. QRadar Risk Manager
• B. QRadar Flow Collector
• C. QRadar Incident Forensics
• D. QRadar Vulnerability Manager

Answer: A

NEW QUESTION 23
A Security Analyst has noticed that an offense has been marked inactive.
How long had the offense been open since it had last been updated with new events or flows?

• A. 1 day + 30 minutes
• B. 5 days + 30 minutes
• C. 10 days + 30 minutes
• D. 30 days + 30 minutes

Answer: B

NEW QUESTION 24
......