QRadar Flashcards
Where can a user add a note to an offense in the user interface?
A. Dashboard and Offenses tab
B. Offenses tab and Offenses detail window
C. Offenses detail window, dashboard, and Admin tabs
D. Dashboard, Offenses tab, and offenses detail window
B. Offenses tab and Offenses detail window
When might a Security Analyst want to review the payload of an event?
A. When immediately after login, the dashboard notifies the analyst of payloads that must be investigated
B. When “Review Payload” is added to the offense description automatically by the “System: Notification” rule
C. When the event is associated with an active offense, the payload may contain information that is not normalized or extracted fields.
D. When the event is associated with an active offense with magnitude greater than 5, the payload should be reviewed, otherwise it is not necessary
C. When the event is associated with an active offense, the payload may contain information that is not normalized or extracted fields.
Which of the following is a property of flows but not of events?
A. magnitude
B. network
C. bytes
D. log source
C. bytes
Which browser is officially supported for QRadar?
A. Safari version 9.0.3
B. Chromium version 33
C. 32-bit Internet Explorer 9
D. Firefox version 38.0 ESR
D. Firefox version 38.0 ESR
A Security Analyst has noticed that an offense has been marked inactive.
How long had the offense been open since it had last been updated with new events or flows?
A. 1 day + 30 minutes
B. 5 days + 30 minutes
C. 10 days + 30 minutes
D. 30 days + 30 minutes
B. 5 days + 30 minutes
What is a primary benefit of building blocks?
A. They can notify users of strange behavior.
B. They allow the execution of its test within all rules.
C. They generate new events into the pipeline before rules fire.
D. They allow for report results to be used in custom rules tests.
C. They generate new events into the pipeline before rules fire.
What is the difference between Rule Actions and Rule Responses?
A. Rule Actions are executed when the Rule is Disabled; Rule Responses require the Rule to be Enabled.
B. Rule Actions are only available for Event and Flow Rules; Rule Responses are available for all Rules.
C. Rule Actions only directly affect the SIEM internals; Rule Responses may send information to external systems.
D. Rule Responses are always processed; Rule Actions may be throttled to ensure they are not executed too frequently.
C. Rule Actions only directly affect the SIEM internals; Rule Responses may send information to external systems.
What are two benefits of using a netflow flow source? (Choose two.)
A. They can include data payload.
B. They can include router interface information.
C. They can include usernames involved in the flow.
D. They can include ASN numbers of remote addresses.
E. They can include authentication methods used to access the network
B. They can include router interface information.
D. They can include ASN numbers of remote addresses.
Which capability is common to both Rules and Building Blocks?
A. Rules and Building Blocks both set the Magnitude of an Event.
B. Rules and Building Blocks both have the same selection of sets.
C. Rules and Building Blocks can both be Enabled/Disabled through the GUI.
D. Rules and Building Blocks both have Actions; Building Blocks do not have Responses.
B. Rules and Building Blocks both have the same selection of sets.
Which two actions can be performed on the Offense tab? (Choose two.)
A. Adding notes
B. Deleting notes
C. Hiding offenses
D. Deleting offenses
E. Creating offenses
A. Adding notes
C. Hiding offenses
What ability does marking a custom property as “optimized” provide?
A. Allows you to use the custom property in a rule test
B. Allows you to process events above your license rating
C. Allows offenses to merge both events & flows into the same offense
D. Allows for offenses, events & flows to be compared directly in real time
A. Allows you to use the custom property in a rule test
Given the following window:
What are the steps to get this window within an offense?
A. Right click on the IP > Information > DNS Lookup
B. Right click on the IP > Information > Reverse DNS
C. Right click on the IP > Information > WHOIS Lookup
D. Right click on the IP > Information > Asset Profile
A. Right click on the IP > Information > DNS Lookup
A Security Analyst is looking on the Assets Tab at an asset with offenses associated to it.
With a “Right Click” on the IP address, where could the Security Analyst go to obtain all offenses associated with it?
A. Information > Asset Profile
B. Navigate > View by Network
C. Run Vulnerability Scan > Source offenses
D. Navigate > View Source Summary or Destination Summary
B. Navigate > View by Network
Which column shows information as icons on the Reports tab?
A. Owner
B. Formats
C. Schedule
D. Report Name
B. Formats
Events and Flows both have multiple different timestamps available to them.
Which timestamp is available to both events and flows?
A. End Time
B. Storage Time
C. First Activity Time
D. Last Activity Time
B. Storage Time
Which three could be considered a log source type? (Choose three.)
A. Red Hat Network
B. IBM ISS Proventia
C. QRadar Event Processor
D. Check Point Firewall-1
E. Sourcefire Flow Injector
F. McAfee ePolicy Orchestrator
B. IBM ISS Proventia
D. Check Point Firewall-1
F. McAfee ePolicy Orchestrator
What are two common uses for a SIEM? (Choose two.)
A. Managing and normalizing log source data
B. Identifying viruses based on payload MD5s
C. Blocking network traffic based on rules matched
D. Enforcing governmental compliance auditing and remediation
E. Performing near real-time analysis and observation of a network and its devices
A. Managing and normalizing log source data
B. Identifying viruses based on payload MD5s
At what speed do events appear on the status bar?
Average per second
What is the maximum time interval over which QRadar coalesces identical events?
10 seconds
How many timestamps does an event have?
3 timestamps (Start time, Storage Time, Log Source Time)
As a security analyst, you noticed that the event processor stores unparsed events in the data nodes. Why is this happening?
Parsing error, or the system is under high load
You select to follow up an offense from the offense list. What happens to this offense?
A. All analysts receive mail
B. Only you can close this offense
C. A flag appears next to the offense
D. This offense is now flagged for further investigation
C. A flag appears next to the offense
D. This offense is now flagged for further investigation
From where do you send mail?
Offense tab, Action > Mail
What does it mean when an event is classified as Unknown (unparsed, SIM Audit, SIM Generic)?
Event was parsed but not mapped
When a new offense arrives, what is the first action the security team must take?
View the attack port of the offense
Where are offenses collected?
A. console
B. node
C. processor
D. collector
A. console
Which protocols are used to collect Check Point logs?
OPSEC LEA/Syslog
A new log source was created and the low-level category is Stored; events are not correctly parsed. Where do you fix this?
Admin tab > Log Sources > Parsing Order