Exam A
QUESTION 1
What is the result of modifying a saved search?
A. The original search criteria is not changed.
B. The user will be prompted to save the new search criteria as a new saved search.
C. The original search criteria is automatically saved and updated with the new criteria.
D. The user will be prompted to update the search criteria to that of the modified criteria.
Answer: A
QUESTION 2
To overwrite an IBM Security QRadar SIEM V7.1 system, what must be typed in when prompted during the re-imaging process?
A. OK
B. FLATTEN
C. REFRESH
D. REINSTALL
Answer: B
QUESTION 3
Where does IBM Security QRadar SIEM V7.1 get the severity of an event?
A. from the QIDmap
B. from the event payload
C. from the Tomcat server
D. from the user's definition
Answer: A
QUESTION 4
IBM Security QRadar SIEM V7.1 can be forced to run an instant backup by selecting which option?
A. Backup Now
B. On Demand Backup
C. Launch On Demand Backup
D. Configure On Demand Backup
Answer: B
QUESTION 5
An IBM Security QRadar SIEM V7.1 (QRadar) ALE agent should be installed on which system to collect Windows logs?
A. the QRadar Console
B. a QRadar Event Processor
C. any Windows 2000 or newer server
D. any Linux server with SMB installed
Answer: C
QUESTION 6
Which statement best describes the supported external storage options in IBM Security QRadar SIEM V7.1 (QRadar)?
A. While QRadar supports NFS for external storage, NFS is recommended for backups, not for storing active data.
B. QRadar data is located in the /store file system. An off-board storage solution can be used to migrate the entire /store file system to an external system for faster performance.
C. The /store/ariel directory is the most commonly off-boarded file system. Subsequently, collected event logs and flow records data can be relocated to external storage using protocols such as SMB.
D. Any subdirectory in the /store file system can be used as a mount point for an external storage device. By creating multiple volumes and mounting /store/ariel/logs and /store/ariel/qflow, storage capabilities can be extended past the 64TB file system limit currently supported by QRadar.
Answer: A
QUESTION 7
By default, how often are events forwarded from an event collector to an event processor?
A. every hour
B. continuously
C. every 2 hours
D. it does not forward until the forwarding schedule is set
Answer: B
QUESTION 8
What is required to configure users for successful external authentication?
A. a configured External Authentication type
B. users with no account on the IBM Security QRadar SIEM V7.1 (QRadar) appliance
C. users with existing accounts on QRadar and a configured External Authentication type
D. select which users require external authentication and select the correct authentication type
Answer: C
QUESTION 9
What are the main functions of the Report wizard within IBM Security QRadar SIEM V7.1?
A. to enable branding of reports with a customer's logo or local identification information
B. to specify the schedule, layout, report content, output format, and distribution channels
C. to create new report groups which are placed in the existing hierarchy of reporting groups
D. to select from compliance, executive, log source, network management, and security reports
Answer: B
QUESTION 10
Where is the optimal location for IBM Security QRadar QFlow appliances to monitor Internet traffic?
A. in the data center
B. at the workstation switches
C. at the wireless access points
D. at an ingress/egress point in the network
Answer: D
QUESTION 11
How is the WinCollect agent enabled to communicate with the IBM Security QRadar SIEM V7.1 (QRadar) console?
A. Configure the WinCollect agent to forward syslog events to the QRadar Event Collector.
B. Supply credentials to connect to the WinCollect agent when creating the Windows log source.
C. Apply the token created for the WinCollect agent during the WinCollect software installation on the target.
D. WinCollect log sources collect using the QRadar console as host, so the WinCollect agent directly accesses the console.
Answer: C
QUESTION 12
In which section can event or flow hashing be enabled/disabled in IBM Security QRadar SIEM V7.1?
A. Console
B. Security
C. System Settings
D. Deployment Editor
Answer: C
QUESTION 13
What action(s) can be taken from the Log and Network Activity tab?
A. close an offense based on existing anomaly rules
B. create and edit rules and building blocks, and add log sources and flow sources
C. open offenses based on users in the organization performing unauthorized activity
D. create and edit searches, filter on specific details, sort, and right-click and filter on specific details
Answer: D
QUESTION 14
Which user account is used to log in when installing the activation key?
A. root
B. admin
C. qradar
D. default
Answer: A
QUESTION 15
What are three types of rules that can be created using the Rule Wizard? (Choose three.)
A. Flow Rule
B. Event Rule
C. Offense Rule
D. Anomaly Rule
E. Threshold Rule
F. Behavioral Rule
Answer: ABC
QUESTION 16
What is an IBM Security QRadar network object?
A. An asset definition
B. A vulnerability scanner
C. A collection of CIDR addresses
D. A device sending logs to QRadar
Answer: C
QUESTION 17
Where is an LSX uploaded to IBM Security QRadar SIEM V7.1 to be used by a UDSM in the Admin section?
A. Log Source Extensions > Add
B. Log Sources > Add > Extensions
C. System Settings > Extensions > Add
D. Systems and License Management > Add > Extensions
Answer: A
QUESTION 18
When creating a behavioral rule in Automated Anomaly Analysis, which three components are weighted to determine the rule?
A. autoregressive pattern, fit to underlying curve, and moving average
B. seasonal or cyclical behavior, underlying trend, and random fluctuation
C. previous period value, current observation, and average of residuals for future observations
D. length of the seasonal component, date range for the trend, and time window during the day
Answer: B
QUESTION 19
Which statement best describes the advantages of implementing NetFlow monitoring?
A. If antivirus software signatures fail to detect malware infection, NetFlow monitoring can help identify malware propagation by using its own signatures.
B. NetFlow provides the ability to detect suspicious log activity. Each log contains the number of bytes and packets transferred by both the SRC and DST, allowing for volume-based reporting of network traffic.
C. NetFlow provides deep packet inspection, from layers three to seven of the OSI model, increasing visibility into applications; whereas traditional flow monitoring only provides visibility at layers three and four.
D. NetFlow provides the ability to detect suspicious network activity, e.g. identify a potential botnet when Local to Remote traffic is matched to an IP address configured in a corresponding Remote Network group.
Answer: D
QUESTION 20
How are user permissions applied using Log Source groups?
A. using user roles
B. applied to individual users
C. applied to network objects
D. applied to authorized services
Answer: A
QUESTION 21
This command provides what information when run from an IBM Security QRadar QFlow 1202 appliance: grep 'Sent.\+ flows' /var/log/qradar.log?
A. total number of flows per minute sent to the Event Collector
B. total number of flows per minute sent to the Event Processor
C. total number of flows being sent since the system was restarted
D. total number of flows per second sent to the Flow Collector or console
Answer: A
QUESTION 22
Which IBM Security QRadar SIEM V7.1 appliance types are designed to collect, process, and store log event messages?
A. 12XX
B. 13XX
C. 15XX
D. 16XX
Answer: D
QUESTION 23
How does the order of rule tests affect the CRE performance?
A. It does not affect the performance.
B. All tests in a rule are evaluated individually. Tests that have counters affect the CRE performance and not the order of tests.
C. When analyzing the rules in pairs from top to bottom, the test at the top should always be the one most likely to fail, because if it fails then the CRE will not evaluate the following tests.
D. When analyzing the rules in pairs going from top to bottom, the test at the bottom should always be the test that is most likely to fail. This ensures that the rule evaluation is optimized.
Answer: C
QUESTION 24
What step must be completed before searching restored data on a newly installed console?
A. Tomcat must be shut down.
B. All DSMs and RPMs should be restored.
C. The hostcontext service should be restarted.
D. The configuration backup must be restored to the new console.
Answer: D
QUESTION 25
Given that ICMP pings from all hosts are dropped, which rule(s) allows ICMP pings and responses only from and to host 10.35.100.23?
A. iptables -A INPUT -p icmp -j ACCEPT
B. iptables -A OUTPUT -s 10.35.100.23 -p icmp -j ACCEPT
C. iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
D. iptables -A INPUT -s 10.35.100.23 -p icmp --icmp-type echo-request -j ACCEPT
Answer: D
QUESTION 26
What must be provided when utilizing kickstart disks to install IBM Security QRadar SIEM V7.1 software on customer supplied hardware?
A. access using the serial port
B. support for a kickstart file is not supported
C. access to the file share where the kickstart file is located
D. a USB hard drive with enough room to support the kickstart file
Answer: B
QUESTION 27
When scheduling a vulnerability scan, which factor would be controlled by the Concurrency Mask?
A. The level of detail of the scan data based on the number of hosts involved in a particular run.
B. The load placed on each host that is being scanned during the time that the scan is underway.
C. The potential risk to the subnet being scanned due to the number and frequency of operations performed during the scan.
D. The load placed on the network, scanner, and/or IBM Security QRadar SIEM V7.1 due to the number of scans being performed during a scanner run.
Answer: D
QUESTION 28
Where is WinCollect configured as an Authorized Service?
A. the WinCollect icon under the Admin tab
B. the Authorized Services icon under the Admin tab
C. the WinCollect drop-down under Authorized Services > Add
D. the Authorized Services drop-down under WinCollect > Add Authorized Service
Answer: B
QUESTION 29
Which search option is mandatory before producing a time series graph?
A. The time range must include a definition of a specific interval.
B. Search parameters must include at least one filter definition clause.
C. The column definition must have a variable selected in the Order By chooser.
D. The column definition must include at least one column in the Group By window.
Answer: D
QUESTION 30
The ip_context_menu.xml file was edited in order to access additional details for selected IP addresses. Which service must be restarted for the changes to take effect?
A. tomcat
B. webmin
C. syslog-ng
D. hostcontext
Answer: A
QUESTION 31
What is the default download path directory where DSM, minor, and major updates are stored before being deployed?
A. /store/backup/autoupdates
B. /store/configservices/staging/updates
C. /store/configservices/staging/globalconfig
D. /store/configservices/staging/autoupdates
Answer: B
QUESTION 32
Which IBM Security QRadar SIEM V7.1 DSM protocol supports the collection of Microsoft SMTP, OWA, and message tracking logs?
A. Microsoft IIS
B. Microsoft DHCP
C. Microsoft Exchange
D. Microsoft Security Event Log
Answer: C
QUESTION 33
How are values mapped in an LSX to parse data from a payload for a UDSM?
A. quotes (')
B. backticks (`)
C. regular expressions
D. comma separated (,)
Answer: C
QUESTION 34
After clicking on the Backup and Recovery button in the Admin tab, which three options are found in the Backup Archives page? (Choose three.)
A. Revert
B. Restore
C. Remove
D. Configure
E. Backup Now
F. On Demand Backup
Answer: BDF
QUESTION 35
What must be done in order to use the data present on the Log Activity screen for a report?
A. save search criteria
B. save search results
C. save reporting criteria
D. save search for reporting
Answer: A
QUESTION 36
Which two items must be provided prior to the initial installation and configuration of an IBM Security QRadar SIEM V7.1 appliance? (Choose two.)
A. mouse
B. monitor
C. keyboard
D. serial console
E. IBM Security QRadar SIEM license key
Answer: BC
QUESTION 37
What must be done to enable High Availability (HA) disk synchronization?
A. Admin > HA Setting > Enable Disk Synchronization
B. synchronization can only be set up while initializing the HA cluster
C. edit the HA cluster and select the Disk Synchronization check box
D. synchronization can only be set up while installing the HA activation key for the secondary appliance
Answer: B
QUESTION 38
Which Admin function enables system performance alerts?
A. System Settings
B. Network Hierarchy
C. Forwarding Destinations
D. Global System Notifications
Answer: D
QUESTION 39
How does a rule generate a new Correlation Rule Engine (CRE) event?
A. CRE cannot create events, only log sources can.
B. By letting it create an offense. Offenses are the same as CRE events.
C. By creating a rule response. In the rule response, check the box Generate a New CRE Event.
D. By forwarding the event as a syslog message to the local event collector using the rule response section.
Answer: C
QUESTION 40
How is a new high level or low level event category added to IBM Security QRadar SIEM V7.1?
A. use the Admin tab
B. use the Map Event screen
C. use the qidmap_cli.sh utility
D. a new event category cannot be added
Answer: D
QUESTION 41
By default, the Server Discovery function inserts discovered servers into building blocks in which category?
A. Host Definitions
B. Device Definitions
C. System Definitions
D. Compliance Definitions
Answer: A
QUESTION 42
What is the allowable range for Object Weight when defining a network hierarchy object?
A. 0-9
B. 1-5
C. 1-10
D. 0-99
Answer: D
QUESTION 43
What type of host name does IBM Security QRadar SIEM V7.1 require in the network settings Hostname field?
A. Internet Hostname
B. NetBIOS Hostname
C. Fully Qualified Host Name
D. Fully Qualified Domain Name
Answer: D
QUESTION 44
The Retention Properties screen provides many configuration items to allow for managing the contents of the retention bucket. Which two items are available for bucket management? (Choose two.)
A. offsite storage
B. date of deletion
C. retention encryption
D. conditions of deletion
E. criteria for compression
Answer: DE
QUESTION 45
When adding a managed host using encryption, which network port must be open bi-directionally between the console and the new host?
A. 22
B. 115
C. 443
D. 445
Answer: A
QUESTION 46
Which script is issued to make changes to the template?
A. /opt/qradar/conf/appconfig
B. /opt/qradar/conf/capabilities.conf
C. /opt/qradar/bin/template_setup.pl
D. /opt/qradar/bin/qchange_netsetup
Answer: C
QUESTION 47
Which two fields are available for indexing in the Index Management page? (Choose two.)
A. Asset properties
B. Flows properties
C. Events properties
D. Offenses properties
E. Vulnerability properties
Answer: BC
QUESTION 48
Which two flow sources provide layer 7 payload? (Choose two.)
A. JFlow
B. SFlow
C. NetFlow
D. Packeteer
E. Network Interface
Answer: BE
QUESTION 49
What is a defining characteristic of an asymmetric flow?
A. It is evidenced by receiving varying length NetFlow records.
B. It describes network traffic that is configured to take alternate paths for inbound and outbound traffic.
C. It describes where traffic volumes are significantly skewed towards either inbound or outbound communication.
D. It describes network traffic that commonly resolves to a Superflow in the IBM Security QRadar QFlow appliance.
Answer: B
QUESTION 50
When creating a new IBM Security QRadar SIEM V7.1 user account, the administrator did not give access to the log source group (called MS Domain Security Logs) that contains Microsoft Security Event logs. What happens if the user attempts to run a shared saved search for failed login attempts to a domain?
A. The user is not able to see any results from that search.
B. Since the user is part of the domain, they are able to see the data in the search results.
C. The user is notified that they do not have the proper permissions to run that search and are requested to contact their administrator.
D. The search will run, but since the user was not given access to the MS Domain Security Logs group, the user cannot see results from those log sources contained in that group.
Answer: D
QUESTION 51
Which statement best describes the available options when configuring a new routing rule?
A. A routing rule is defined to associate network configuration with the options for storing the data in the database as well as processing events through the rules engine.
B. A routing rule is used to define to IBM Security QRadar SIEM V7.1 the possible path through the internal network, and how to associate these paths with vulnerability data in the Asset Profiles.
C. Associate each rule with an event collector, determine placement of the data within the Ariel database, choose the protocol, host, and port number used to store the event, and then determine which alerts are generated.
D. Scope the rule to a particular event collector, set up a filter, and then choose any combination of forward, drop, or bypassed correlation. It is not necessary to define destinations in advance, as that can be done when routing rules are defined.
Answer: D
QUESTION 52
Which statement applies to IBM Security QRadar SIEM V7.1 virtual appliances?
A. QRadar XX90 appliances may be installed into a Hyper-V environment.
B. QRadar XX90 appliances may be installed into a VMware ESXi environment.
C. QRadar XX90 appliances may not be mixed with QRadar software licenses in a virtual server environment.
D. QRadar XX90 appliances may be installed as a native OS on appropriately configured customer premise hardware.
Answer: B
QUESTION 53
How can asset profiles be searched?
A. From the Assets tab
B. From the Offenses tab
C. Right-click on any
D. Address from the Actions pull-down menu
Answer: A
QUESTION 54
What must be done when creating a user's password on an IBM Security QRadar SIEM V7.1 (QRadar) system that is utilizing Active Directory authentication?
A. ensure the password has a minimum of 8 characters
B. create the user's initial password and have them change it immediately
C. ensure the user's QRadar password matches their Active Directory password
D. a password does not need to be set on QRadar when using Active Directory authentication
Answer: D
QUESTION 55
What notation is used to enter a class A network 10.0.0.0 into an IBM Security QRadar SIEM V7.1 network hierarchy?
A. 10.*.*.*
B. 10.0.0.0/8
C. 10.0.0.0/255.0.0.0
D. 10.0.0.0-10.255.255.255
Answer: B
QUESTION 56
What must be done first when changing the network settings on a console in a multi-system deployment?
A. install new patches
B. reset the SIM model
C. remove all managed hosts
D. install a new license for the new IP address
Answer: C
QUESTION 57
What must be done to put licenses into effect after applying a license file using the Managed License action of the System and License Management dialog?
A. click on Deploy License
B. select Restart System to activate the license key
C. open the Deployment Editor, right-click on each host, and select Deploy
D. select System and License Manage System and then select Deploy License Key
Answer: A
QUESTION 58
What is the default password to access the Integrated Management Module remote access controller for an IBM Security QRadar appliance?
A. calvin
B. default
C. passw0rd
D. PASSWORD
Answer: C
QUESTION 59
Which option is available for sharing offenses with non-IBM Security QRadar users?
A. provide URL to offense
B. invoke script for third-party service desk
C. select the option to e-mail offense details
D. select the option to export the offense data as a PDF
Answer: C
QUESTION 60
How are new reference sets created in IBM Security QRadar (QRadar)?
A. use the out-of-the-box tables
B. use the ReferenceSetMod.pl script
C. select New in the Rules Response Wizard
D. log into the QRadar Console and the PostgreSQL database
Answer: C
QUESTION 61
What must be done prior to clicking on False Positive if flows or events are being viewed in streaming mode?
A. click on the Pause button
B. click on the Refresh button
C. right-click on the event and click Filter
D. right-click on the event and click Additional Plug-ins
Answer: A
QUESTION 62
What is the last step to add a protocol based log source?
A. on the Admin tab, click Deploy Changes
B. from Log Sources, select Log Source Type, and click Save
C. from Log Sources, select Log Source Identifier, and click Save
D. on the Admin tab, select Actions and click Deploy Pull Configuration
Answer: A
QUESTION 63
After gathering all required files from the IBM Security QRadar SIEM V7.1 appliance using SSH connectivity, which protocol can be used to retrieve the tar.bz2 file or any other files to send to support?
A. FTP
B. TFTP
C. HTTP
D. SFTP
Answer: D
QUESTION 64
From the Dashboard view, the Compliance Overview dashboard > Login Failures by User (real-time) workspace is being reviewed. Which link provides more details about these events?
A. View in Assets
B. View in Offenses
C. View in Log Activity
D. View in Network Activity
Answer: C
QUESTION 65
What happens to previously collected events when an event is mapped?
A. They are re-mapped to the new mapping.
B. They are not mapped to the new mapping.
C. The user is prompted for the action to take.
D. The new mapping is added to the old mapping.
Answer: D
QUESTION 66
How is a High Availability (HA) cluster installed from the Admin tab?
A. HA Management > Install HA Cluster
B. Systems and License Management > Actions > Add HA Host
C. High Availability > Systems and License Management > Add HA Host
D. Deployment Editor, add both the Primary and Secondary hosts to the deployment
Answer: B
QUESTION 67
What are two ways an asset can be added to asset profiles? (Choose two.)
A. by flow data
B. by offense data
C. by anomaly rule
D. by search queries
E. by a vulnerability assessment or active network scan
Answer: AE
QUESTION 68
Which two actions allow modification of the currently displayed search result set? (Choose two.)
A. click on the Actions button
B. click on the Add Filter button
C. click on Quick Filter, then select Show All
D. right-click on an item, then select a filter option
E. click Search, then select Manage Search Results
Answer: BD
QUESTION 69
Which function can be used to tune out Events/Flows with a specific QID and a specific destination IP address from contributing to an offense?
A. False Positive
B. Tuning Window
C. Asset Discovery
D. Network Hierarchy
Answer: A
QUESTION 70
After editing the IPTables configuration file, which command reloads the IPTables?
A. service iptables save
B. /etc/sysconfig/iptables restart
C. /opt/qradar/bin/iptables restart
D. /opt/qradar/bin/iptables_update.pl
Answer: D
QUESTION 71
How can ALE be used to collect Windows 2008 events?
A. Use WinCollect because Windows 2008 is not supported by ALE.
B. Install ALE on the Windows 2008 system and start collecting from the local event log.
C. Configure the ALE agent to receive forwarded events from the Windows 2008 systems.
D. Configure Windows 2008 to forward its logs directly to the IBM Security QRadar SIEM system.
Answer: B
QUESTION 72
What would be considerations for defining a Threshold Rule in the Automated Anomaly Analysis?
A. a change value and a length of time for accumulation
B. a time window during the day and a moving average smoothing value
C. a time interval for accumulation and a relative weight for the current observation
D. a seasonal component, a trend component, and a delta or incremental change value
Answer: A
QUESTION 73
Where is the activation key located?
A. on the documentation CD
B. on the appliance start screen
C. in the End User License Agreement
D. in the documentation package shipped with the server
Answer: D
QUESTION 74
Where in the IBM Security QRadar SIEM V7.1 GUI can information be added about a network hierarchy?
A. Admin Tab
B. Assets Tab
C. Network Activity Tab
D. Network Hierarchy Tab
Answer: A
QUESTION 75
Which appliance can be used to throttle bandwidth of event collection?
A. 1501 Event Collector
B. 1705 Flow Processor
C. 1605 Event Processor
D. 1805 Event/Flow Processor
Answer: A
QUESTION 76
When a routing rule is configured, why might the Drop option be selected?
A. The Drop option allows alerting without storage in the database, and the data can still be forwarded.
B. The Drop option is used to control disk storage usage on the event processor and to reduce overall network traffic.
C. The Drop option is used when IBM Security QRadar SIEM V7.1 is used as the log source of record for deleting of events.
D. The Drop option is convenient for preventing noisy sensors (such as PIX firewalls or default SNORT installations) from overwhelming the Custom Rule Engine.
Answer: A
QUESTION 77
A network hierarchy consists of these objects:
- DMZ 192.168.0.0/16
- Webservers 192.168.1.0/24
- MailServers 192.168.2.0/24
- UserNetwork 10.0.0.0/8
Which object(s) does 192.168.1.5 fall into?
A. DMZ
B. Webservers
C. UserNetwork
D. DMZ and Webservers
Answer: B
QUESTION 78
What is event and flow hashing used for in IBM Security QRadar SIEM V7.1?
A. to permit security flagging
B. so events and flows can be indexed for quicker searching
C. to determine if tampering has occurred on the event and flow records
D. to add encryption to the events and flows so they cannot be tampered with
Answer: C
QUESTION 79
Which file should be sent to IBM Support if contacting them for system problems?
A. systemerr.out file produced from /opt/ibm/esc/get_logs.pl
B. sysoutput.log file produced from /opt/ibm/support/get_logs.sh
C. logs_.tar.zip file produced from /opt/ibm/electronicsupport.sh
D. logs_.tar.bz2 file produced from /opt/qradar/support/get_logs.sh
Answer: D
QUESTION 80
Which three pieces of information must be supplied to properly set up a system user? (Choose three.)
A. user role
B. full name
C. room number
D. e-mail address
E. valid user name
F. contact phone number
Answer: ADE
QUESTION 81
What does using the Integrated Management Module of the IBM Security QRadar SIEM V7.1 (QRadar) appliance allow a user to do?
A. remotely manage the QRadar appliance to run reports
B. remotely manage the QRadar custom rule configuration
C. remotely manage the QRadar Web interface used to perform administrative functions
D. remotely manage the QRadar appliance as if the user was sitting directly at the console
Answer: D
QUESTION 82
Which family of analysis methods is commonly used with a time series?
A. deep packet intrusion detection
B. packet content protocol detection
C. network behavior anomaly detection
D. N-gram based behavior attack detection
Answer: C
QUESTION 83
What must be done to capture a new name/value pair for a rule that is not parsed as part of a regular Device Support Module?
A. open the event > Extract Property > assign a new property > Add RegEx for finding the value > Submit
B. open the event > Actions > Add Custom Property > assign a name > highlight value in the payload > Submit
C. highlight the event > Actions > Add Custom Property > assign a name > highlight value in the payload > Submit
D. highlight the event > Actions > Extract Property > assign a new property > Add RegEx for finding the value > Submit
Answer: A
QUESTION 84
Which two network setting parameters are optional? (Choose two.)
A. Gateway
B. Public IP
C. Primary DNS
D. E-mail Server
E. Secondary DNS
Answer: BE
QUESTION 85
Prior to installing IBM Security QRadar SIEM V7.1 on customer provided hardware, Red Hat Enterprise Linux must be installed. SELinux must be set to which option?
A. Enforce
B. Enabled
C. Disabled
D. Permissive
Answer: C
QUESTION 86
What are three default charting options available within the Report wizard? (Choose three.)
A. Delta
B. Flows
C. Identity
D. Anomaly
E. Events/Logs
F. Asset Vulnerabilities
Answer: BEF
QUESTION 87
What is the purpose of the offense index?
A. When the offense is created it will create indexes for other offenses.
B. It helps find the offenses faster when searching for offenses by a specific property.
C. When the offense is created it will be added to any existing similar open offense with the same indexed value. If none exist, a new offense will be opened.
D. When the offense is created the magistrate will search for offenses with the same indexed value and add the offense to a list of offenses for the indexed value.
Answer: C
QUESTION 88
Which statement is true about the IBM Security QRadar SIEM (QRadar) Network Hierarchy?
A. It is used by QRadar to detect botnets.
B. It is used by QRadar to detect applications.
C. It is used by QRadar only to track network activity.
D. It is used by QRadar to determine which IP addresses are local and remote.
Answer: D
QUESTION 89
From the Admin tab > System and License Management icon, what must be done to install and deploy an IBM Security QRadar SIEM V7.1 license for a set of newly installed hosts?
A. click each new hostname and select Actions menu > Manage License
B. right-click each new hostname and select Manage License from the menu
C. select all newly added hostnames using the Shift key + mouse click and then select the Actions drop-down menu > Manage License
D. click each new hostname, select Actions drop-down menu > Manage Systems, and select Deploy License from the Managed Host Config list
Answer: A
QUESTION 90
What does the command qchange_netsetup do?
A. It is used to upgrade the appliance's network settings after the initial setup.
B. It is used to define the MAC address of the interfaces during the initial setup.
C. It is used to change the appliance's networking settings after the initial setup.
D. It is used to define the appliance's networking settings during the initial setup.
Answer: C
QUESTION 91
Which tuning template is available in IBM Security QRadar SIEM V7.1?
A. Custom
B. Common
C. Enterprise
D. Small Business Edition
Answer: C
QUESTION 92
What must be done to calculate EPS from the IBM Security QRadar SIEM V7.1 Web interface?
A. EPS rates are only viewable from the command line
B. load the default built-in report labeled EPS Over Time
C. from the Log Activity tab, select New Search and load the EPS search
D. from the Network Activity tab, select New Search and load the EPS search
Answer: C
QUESTION 93
Which statement best describes the data migration process available in IBM Security QRadar SIEM V7.1 (QRadar)?
A. Launch the data_ariel_migrate.pl utility under the /opt/qradar/support directory.
B. Move /store/ariel to /store/ariel_old, mount /store/ariel to external storage, and move the contents of ariel_old to ariel.
C. Move the existing mount points under the Admin > System Settings Configuration option in the QRadar user interface.
D. Mount to the external storage solution and allow the local content to auto-merge. Moving or copying any content ahead of mounting will likely lead to data loss and/or data corruption.
Answer: B
QUESTION 94
If an IBM Security QRadar 1790 virtual appliance is added to a configuration, which capability becomes available?
A. additional storage capacity for event data
B. additional Web interface for user browsing
C. additional storage capacity for QFlow data
D. internal storage capacity for event and QFlow data
Answer: C
QUESTION 95
How is a new UDSM device created?
A. Admin > Log Sources Extensions > Add > Universal DSM
B. Admin > Log Source > Add > select Universal DSM as log source type
C. Log Activity Tab > highlight unknown event > Actions > Create UDSM from this Event
D. Log Activity Tab > highlight unknown event > right-click and select Create UDSM from this Event
Answer: B
QUESTION 96
What is a purpose of a rule action?
A. to add an event or flow property to a reference set
B. to send out the event or flow information by e-mail or SNMP
C. to rename the offense description based on user entered text
D. to change the current event or flow's magnitude, trigger an offense, or annotate the offense
Answer: D
QUESTION 97
Which method does WinCollect use to collect Windows 2008 events?
A. It uses Windows file sharing to pull the Windows 2008 event logs.
B. It uses the syslog forwarding facility of Windows 2008 Event Logger.
C. It uses the native Windows 2008 event log API to access the log records.
D. It uses SNARE to convert the Windows 2008 events to syslog messages.
Answer: C
QUESTION 98
Which statement best describes the expected increase in forensic capabilities when IBM Security QRadar QFlow (QRadar QFlow) is implemented?
A. IBM Security QRadar VFlow allows for QRadar QFlow collection on hypervisors such as Microsoft Hyper-V.
B. QRadar QFlow provides visibility only at layers three and four, providing header information containing only the number of bytes and packets transferred by the SRC and DST.
C. NetFlow provides deep packet inspection, up to layer seven of the OSI model, giving visibility on application information; whereas QRadar QFlow only provides visibility at layers three and four.
D. QRadar QFlow tracks the history of stateful connections and monitors for unique characteristics or properties through deep payload examination of packets, further qualifying the identity of applications.
Answer: D
QUESTION 99
After configuring external authentication, which user can still log in to the Web interface if this external resource is not available?
A. root
B. admin
C. any user
D. all users added before switching to external authentication
Answer: B
QUESTION 100
Which action can IBM Security QRadar SIEM V7.1 automatically perform on reference sets?
A. purge list
B. delete elements
C. create a new list
D. add new elements
Answer: D
QUESTION 101
What can IBM Security QRadar SIEM V7.1 be configured to back up in the Backup and Recovery Wizard?
A. data backups only
B. configuration and data backups
C. individual managed hosts configuration
D. individual items such as users and/or database
Answer: B
QUESTION 102
A QID can belong to how many categories?
A. 1
B. 2
C. 3
D. unlimited
Answer: A
QUESTION 103
What is required to connect a WinCollect agent to IBM Security QRadar SIEM V7.1?
A. SSH Keys
B. domain credentials
C. user name and password
D. an authorized services token
Answer: D
QUESTION 104
What does the IP Right Click Menu Extensions plug-in do in IBM Security QRadar SIEM V7.1?
A. It allows the selected IP address to be deleted.
B. It allows the selected IP address to be tuned as a false positive.
C. It allows the selected IP address to be added to a reference set.
D. It allows additional details to be accessed for the selected IP address.
Answer: D
QUESTION 105
How is a Universal DSM configured to collect different data types from various log sources?
A. UDSM Data Type
B. Log Source Identifier
C. Protocol Configuration
D. Log Source Extension
Answer: C
QUESTION 106
Where are firewall event details located using the IBM Security QRadar SIEM V7.1 interface?
A. Admin
B. Assets
C. Log Activity
D. Network Activity
Answer: C
QUESTION 107
Which group of tests is used to test the sequence of rules that have been triggered by events or flows?
A. Date/Time tests
B. Behavioral tests
C. Common Property tests
D. Function Sequence tests
Answer: D
QUESTION 108
What are two ways asymmetric flow support can be enabled? (Choose two.)
A. use the Flow Source configuration
B. use the right-click menu option for an affected flow
C. use the auto-discover capabilities of the log source
D. use a Custom Rule Engine test for asymmetric flows
E. use the QFlow Collector Configuration in the deployment editor
Answer: AE
QUESTION 109
Categorizing log sources into groups allows clients to efficiently view and track log sources. Which statement best characterizes Log Source groups?
A. By default log sources go into the Temp folder.
B. User access is required to create, edit, or delete log source groups.
C. Each log source group can display a maximum of 10,000 log sources.
D. The default log source group for auto discovered log sources is Other.
Answer: D
QUESTION 110
Which component processes events against defined custom rules?
A. Magistrate
B. Flow Collector
C. Event Collector
D. Event Processor
Answer: D
QUESTION 111
Which scenario best describes the actions that take place during a restore?
A. Existing files and database are backed up, archived files and database are restored, the event collection service is restarted.
B. Tomcat and all system processes are shut down, files and data records are extracted from the backup archive and restored to disk and the database, Tomcat and system processes are restarted.
C. Tomcat and database processes are shut down, existing files and database are backed up, archive contents are restored to disk and the database, Tomcat and the system processes are restarted.
D. Existing files and database records are merged with the archived files and database records, Tomcat and system services shut down, the merged records are inserted into their respective file locations and database tables, Tomcat and system services restart.
Answer: B
QUESTION 112
What is the default setting for Major Updates in Auto Updates > Change Settings > Update Types?
A. Disable
B. Auto Install
C. Auto Update
D. Auto Integrate
Answer: A
QUESTION 113
What does the % of Searches Using Property column in the Index Management page indicate?
A. The percentage of saved searches created by users that reference the index.
B. The total percentage of saved searches in the system that reference the index.
C. The percentage of executed searches in the selected time range that used the index.
D. The percentage of executed searches in the selected time range that successfully used the index.
Answer: C
QUESTION 114
When adding a new IBM Security QRadar SIEM managed host, the password is required for which user?
A. root on the new appliance
B. root on the console appliance
C. webmin on the console appliance
D. configservices on the new appliance
Answer: A
QUESTION 115
What is the benefit of using server discovery?
A. Adding log sources is faster.
B. Constructing a network hierarchy is easier.
C. The system is tuned to minimize false positives.
D. Assets are automatically added to asset profiles.
Answer: C
QUESTION 116
A user can be assigned which two permissions? (Choose two.)
A. DSM Updates
B. Network Activity
C. Remote Server Administration
D. Ariel Database Administration
E. IP right-click Menu Extensions
Answer: BE
QUESTION 117
Which Admin setting allows the monitoring of system load over 15 minutes?
A. System Configuration
B. System Activity Report
C. Forwarding Destinations
D. Global System Notifications
Answer: D
QUESTION 118
Which SNMP protocol should be used when confidentiality, integrity, and authentication are required?
A. SNMPv1
B. SNMPv2
C. SNMPv3
D. SNMPv4
Answer: C
QUESTION 119
What two types of retention buckets are available in IBM Security QRadar SIEM V7.1? (Choose two.)
A. Flow
B. Event
C. Assets
D. Offense
E. Log Source
Answer: AB
QUESTION 120
The last two digits of an appliance's type can be used to determine which capability?
A. Installed OS
B. Chassis Size
C. Storage Capacity
D. IBM Server Model Number
Answer: C
QUESTION 121
A customer has indicated that Windows events must be collected without the use of agents. Which protocol should be selected in the Protocol Configuration when adding a Microsoft Windows Security Event Log Source?
A. WinCollect
B. SNARE for Windows
C. Adaptive Log Exporter
D. Microsoft Security Event Log
Answer: D