NEW QUESTION 1
What is a main function of a Cisco Adaptive Security Appliance (ASA)?

• A. A Proxy
• B. A Switch
• C. A Firewall
• D. An Authentication device

Answer: C

NEW QUESTION 2
When QRadar processes an event it extracts normalized properties and custom properties. Which list includes only Normalized properties?

• A. Start time, Source IP, Username, Unix Filename
• B. Start time, Username, Unix Filename, RACF Profile
• C. Start time, Low Level Category, Source IP, Username
• D. Low Level Category, Source IP, Username, RACF Profile

Answer: C

NEW QUESTION 3
A Security Analyst is looking on the Assets Tab at an asset with offenses associated to it.
With a "Right Click" on the IP address, where could the Security Analyst go to obtain all offenses associated with it?

• A. Information > Asset Profile
• B. Navigate > View by Network
• C. Run Vulnerability Scan > Source offenses
• D. Navigate > View Source Summary or Destination Summary

Answer: C

NEW QUESTION 4
A Security Analyst, looking at a Log Activity search result, wants to limit the results to one Log Source. Which right-click method would be the fastest way for the Security Analyst to ensure this?

• A. Right click on a Log Source name, then select Filter on Log Source is <log source>
• B. Right click on a Source IP Address, then select Filter on Log Source is <log source>
• C. Right click on the Log Source Type name, then select Filter on Log Source Group is <log source group>
• D. Right click on the Log Source Group name, then select Filter on Log Source Group is <log source group>

Answer: A

NEW QUESTION 5
What are the various timestamps related to a flow?

• A. First Packet Time, Storage Time, Log Source Time
• B. First Packet Time, Storage Time, Last Packet Time
• C. First Packet Time, Log Source Time, Last Packet Time
• D. First Packet Time, Storage Time, Log Source Time, End Time

Answer: B

Explanation:
References:
IBM Security QRadar SIEM Users Guide. Page: 101

NEW QUESTION 6
What is a capability of the Network Hierarchy in QRadar?

• A. Determining and identifying local and remote hosts
• B. Capability to move hosts from local to remote network segments
• C. Viewing real-time PCAP traffic between host groups to isolate malware
• D. Controlling DHCP pools for segments groups (i.
• E. marketing, DMZ, VoIP)

Answer: A

Explanation:
References:
http://www.ibm.com/support/knowledgecenter/SS42VS_7.2.7/com.ibm.qradar.doc/c_qradar_gs_ntwrk_hrchy.ht

NEW QUESTION 7
Which QRadar rule could detect a possible potential data loss?

• A. Apply “Potential data loss” on event of flows which are detected by the local system and when any IP is part of any of the following XForce premium Premium_Malware
• B. Apply “Potential data loss” on flows which are detected by the local system and when at least 1000 flows are seen with the same Destination IP and different source in 2 minutes
• C. Apply “Potential data loss” on events which are detected by the local system and when the event category for the event is one of the following Authentication and when any of Username are contained in any of Terminated_User
• D. Apply “Potential data loss” on flows which are detected by the local system and when the source bytes is greater than 200000 and when at least 5 flows are seen with the same Source IP, Destination PortDestination IP in 12 minutes

Answer: D

NEW QUESTION 8
Which approach allows a rule to test for Active Directory (AD) group membership?

• A. Import the AD membership information into the Asset Database using AXIS and use an asset rule test
• B. Use the built-in LDAP integration to execute a search for each event as it is received by the EventProcessor to test for group membership
• C. Maintain reference data for the AD group(s) of interest containing lists of usernames and then add rule tests to see if the normalized username is in the reference data
• D. Export the AD group membership information to a CSV file and place it inthe /store/AD_mapping.csv file on the console, then use the "is a member of AD group' test in the rule

Answer: B

NEW QUESTION 9
When using the right click event filtering functionality on a Source IP, one can filter by “Source IP is not [*]”. Which two other filters can be shown using the right click event filtering functionality? (Choose two.)

• A. Filter on DNS entry [*]
• B. Filter on Source IP is [*]
• C. Filter on Time and Date is [*]
• D. Filter on Source or Destination IP is [*]
• E. Filter on Source or Destination IP is not [*]

Answer: BD

NEW QUESTION 10
In a distribution QReader deployment with multiple Event Collectors, from where can syslog and JDBC log sources collected?

• A. Syslog log sources and JDBC log sources may be collected by any Event Collector.
• B. One Event Collector must collect ALL syslog events and another Event Collector must collect All JDBC events.
• C. Syslog log sources and JDBC log sources are always collected by the collector assigned in the log source definition.
• D. Syslog log sources may be collected by any Event Collector, but JDBC log sources will always be collected by collector assigned in the log source definition.

Answer: C

NEW QUESTION 11
Which type of rule requires a saved search that must be grouped around a common parameter

• A. Flow Rule
• B. Event Rule
• C. Common Rule
• D. Anomaly Rule

Answer: B

NEW QUESTION 12
An event is happening regularly and frequently; each event indicates the same target username. There is a rule configured to test for this event which has a rule action to create an offense indexed on the username.
What will QRadar do with the triggered rule assuming no offenses exist for the username and no offenses are closed during this time?

• A. Each matching event will be tagged with the Rule name, but only one Offense will be created.
• B. Each matching event will cause a new Offense to be created and will be tagged with the Rule name.
• C. Events will be tagged with the rule name as long as the Rule Response limiter is satisfie
• D. Only one offense will be created.
• E. Each matching event will be tagged with the Rule name, and an Offense will be created if the event magnitude is greater than 6.

Answer: C

NEW QUESTION 13
Which Anomaly Detection Rule type can test events or flows of activity that are greater than or less than a specified range?

• A. Outlier Rule
• B. Anomaly Rule
• C. Threshold Rule
• D. Behavioral Rule

Answer: B

NEW QUESTION 14
What is the effect of toggling the Global/Local option to Global in a Custom Rule?

• A. It allows a rule to compare events & flows in real time.
• B. It allows a rule to analyze the geographic location of the event source.
• C. It allows rules to be tracked by the central processor for detection by any Event Processor.
• D. It allows a rule to inject new events back into the pipeline to affect and update other incoming events.

Answer: D

NEW QUESTION 15
What is a primary goal with the use of building blocks?

• A. A method to create reusable rule responses
• B. A reusable test stack that can be used in other rules
• C. A method to generate reference set updates without using a rule
• D. A method to create new events back into the pipeline without using a rule

Answer: B

NEW QUESTION 16
Which flow fields should be used to determine how long a session has been active on a network?

• A. Start time and end time
• B. Start time and storage time
• C. Start time and last packet time
• D. Last packet time and storage time

Answer: C

NEW QUESTION 17
Which QRadar component stores and forwards events from local and remote log sources?

• A. QRadar Data Node
• B. QRadar Event Collector
• C. QRadar Event Processor
• D. QRadar Distributed Console

Answer: B

NEW QUESTION 18
Which type of tests are recommended to be placed first in a rule to increase efficiency?

• A. Custom property tests
• B. Normalized property tests
• C. Preference set lookup tests
• D. Payload contains regex tests

Answer: B

NEW QUESTION 19
What is a primary benefit of building blocks?

• A. They can notify users of strange behavior.
• B. They allow the execution of its test within all rules.
• C. They generate new events into the pipeline before rules fire.
• D. They allow for report results to be used in custom rules tests.

Answer: B

NEW QUESTION 20
Which QRadar component is designed to help increase the search speed in a deployment by allowing more data to remain uncompressed?

• A. QRadar Data Node
• B. QRadar Flow Processor
• C. QRadar Event Collector
• D. Qradar Event Processor

Answer: A

NEW QUESTION 21
What is the key difference between Rules and Building Blocks in QRadar?

• A. Rules have Actions and Responses; Building Blocks do not.
• B. The Response Limiter is available on Building Blocks but not on Rules.
• C. Building Blocks are built-in to the product; Rules are customized for each deployment.
• D. Building Blocks are Rules which are evaluated on both Flows and Events; Rules are evaluated on Offenses of Flows or Events.

Answer: A

NEW QUESTION 22
......