QRadar#2

Question 1

Difference between Local and global rules

5 login failures by the same user in 10 minutes

Answer 1

local - all 5 login failures must appears on the same event processor
global - if 3 login fails were on an EP and 2 on second

Question 2

A QRadar user needs to enable/disable few of the rules. Which role permission is required for
enabling and disabling the rule?
A. Offenses > Maintain CRE Rules
B. Offenses > Maintain Use Cases
C. Offenses > Toggle Custom Rules
D. Offenses > Maintain Custom Rules

Answer 2

D. Offenses > Maintain Custom Rules

Question 3

Which mode provides an analyst with a real-time view of their current event activity by
displaying a continuously updating sample of the most recent events?
A. Live Events
B. Real Time (displaying)
C. Real Time (streaming)
D. Last Interval (auto refresh)

Answer 3

C. Real Time (streaming)

Question 4

How does an analyst determine which rules are most active in generating Offenses?
A. Assets -> Rules -> click Offense Count to reorder the column in ascending order
B. Admin -> Rules -> click Offense Count to reorder the column in descending order
C. Offenses -> Rules -> click Offense Count to reorder the column in ascending order
D. Offenses -> Rules -> click Offense Count to reorder the column in descending order

Answer 4

D. Offenses -> Rules -> click Offense Count to reorder the column in descending order

Question 5

What is the maximum length of the Notes field in the Offenses tab?
A. 1000
B. 1200
C. 1500
D. 2000

Answer 5

D. 2000

Question 6

How many active Offenses can be in the QRadar system? 
A. 2500
B. 3000
C. 3500
D. 4000

Answer 6

A. 2500

Question 7

The analyst needs to export an Offense outside QRadar to make a report of the incident.
Which export format is supported? (Choose two)
A. TSV (Tab Separated Values)
B. CSV (Comma Separated Values)
C. Fixed Field Text (Plain Text)
D. XML (Extensible Markup Language)
E. HTML (Hypertext Markup Language)

Answer 7

B. CSV (Comma Separated Values)

D. XML (Extensible Markup Language)

Question 8

What period of inactivity causes an offense to go into dormant state?
A. 5 days
B. 5 hours
C. 30 days
D. 30 minutes

Answer 8

D. 30 minutes

Question 9

A high number of Offenses are being generated for a specific event type.
What can the analyst do to investigate why Offenses are being created?
A. Review the health notification Offense rules.
B. Review the rules used in creating the Offense.
C. Review the Offense and enable the Offense high event rules.
D. Review the log sources and enable the anomaly Offense detection rules

Answer 9

B. Review the rules used in creating the Offense.

Question 10

Which time stamp is used to determine whether events are being queued in the event pipeline
for performance or licensing reasons?
A. Start Time
B. Device Time
C. Storage Time
D. Log Source Time

Answer 10

C. Storage Time

Question 11

When is the offense magnitude re-evaluated

Answer 11

when new events are added to the offense.

Question 12

What are the chart types in the dashboard.

Answer 12

Pie, Table, Bar, Time Series

Question 13

What are the chart types in the report

Answer 13

Bar, Pie, Table, Line, Stacked Line, Stacked Bar

Question 14

Super flow types:
Type A - network sweep
Type B - DDoS
Type C - port scan
Standard

Answer 14

Type B - DDos

Question 15

Where is the vulnerability information located?

Answer 15

Asset tab

Question 16

Base 64

Answer 16

Payload -> base 64

Question 17

Schedule report is every Monday and the first day of mount. When they want a report on Thursday.
MON - WED
MON - THU (THU - WED)
whole last week 
from last week to THU

Answer 17

whole last week

Question 18

DSSE (device stop sending events)

Answer 18

runs in the absence of events.

Question 19

Search for all viruses

Answer 19

Pause event/flow, double-click it, press Extract Property to extract virus (e.g. MD5),
Creating custom rule that use extracted property as an offense index field. Search by offense type.

Question 20

Analyst. Manually generation report

Answer 20

Does not restart the existing report schedule.

Question 21

Where are the Notes and Annotations located?

Answer 21

Bottom offense summary page

Question 22

For 10min 15 mails received and see only 1 offense

Answer 22

Coalescing

Question 23

What columns are defaultly displayed in offense log?

Answer 23

QID

Log source

Question 24

New log source was created and low level category is stored

Answer 24

Events are not correctly parsed

Admin tab > log sources > parsing order

Question 25

Where are offenses collected

• console
• node
• processor
• collector

Answer 25

console

Question 26

Where is the VPN log source

Answer 26

Advanced persistent threat, securing the cloud, insider threat, critical data protection.

Question 27

AQL - 2

Answer 27

/.pdf/or/.exe/

Question 28

How does a Device Support Module (DSM) function?
A DSM is a configuration file that combines received events from multiple log sources and displays them as offenses in QRadar.
A DSM is a background service running on the QRadar appliance that reaches out to devices deployed in a network for configuration data.
A DSM is a configuration file that parses received events from multiple log sources and converts them to a standard taxonomy format that can be displayed as outputs
A DSM is an installed appliance that parses received events from multiple log sources and converts them to a standard taxonomy format that can be displayed as outputs.

Answer 28

A DSM is a configuration file that parses received events from multiple log sources and converts them to a standard taxonomy format that can be displayed as outputs

Question 29

Share the offense summary information with another person by sending an email.
The body of the email message includes the following information, if available:

Answer 29

Total number of sources
Top five sources by magnitude
Total number of destinations
Top five categories

Question 30

See if Auth. are valid

Answer 30

Filter Username group by source IP, then validate the source IP

Question 31

How offense was created

Answer 31

Event: QID, payload, category, management

Question 32

How offense was created

Answer 32

Event: QID, payload, category, management

Question 33

Creating a new custom property

Answer 33

Event Based

Question 34

Events routed directly to storage by CRE

Answer 34

High loss

Question 35

Filter in LA tab to get list of log sources not reporting to QRadar

Answer 35

Log sources status =/ active

Question 36

Quick search saved

Answer 36

advanced query

Question 37

Offense naming mechanism

Answer 37

set of associated

Question 38

Default log activity page

Answer 38

Protocol, log S, QID, E name, Qmap

Question 39

Checkpoint

Answer 39

CP ResetAPI, syslog, OPsecilea, jobc, sftp.

Question 40

Repeated offenders and IPs that have many attacks

Answer 40

Ev. Cat. or Ev. Source, Source IP or D. IP, E or F, Log S. IP or Ev. source

Question 41

Assets tab

Answer 41

triggered off, events and flows, network devices and log sources

Question 42

Where in rules details can you find why the rules were triggered?

Answer 42

Rule: responses, actions, response limiters, list of test conditions.

Question 43

regex tests

Answer 43

position of rule tests that evaluate regular expressions

Question 44

regex test answers

Answer 44

the most expensive, stateful-last, building blocks, the most specific

Question 45

geo location

Answer 45

GPS and Map, longitude and latitude, log activity, and network activity, group and IP.