From which tabs can a QRadar custom rule be created?

Offenses, Log Activity or Network Activity tabs

Log Activity or Network Activity tabs

What are the types of reference data collections in QRadar?

Reference set, Reference map and Reference map of maps

Reference set, Reference data and Reference rule

Reference data, Reference table and Reference event

Reference event, Reference map of sets and Reference data

Which two options does a QRadar analyst need to configure in the False Positive window of the QRadar Console to mark an event or flow as False Positive?

Event or flow property and traffic direction

Event or flow property and username

Event or flow property and port number

Which three (3) statements are capabilities of the Network Hierarchy in QRadar?

Determine and identify local and remote hosts.

Monitor specific logical groups or services in the network, such as marketing, DMZ, or VoIP.

Monitor traffic and profile the behavior of each group and host within the group.

Move users from local to remote network segments.

Generate offenses based on different network zones.

A security analyst using Use Case Manager > Active Rules detected which TOP Rule generating offenses were triggered due to Inbound traffic that was dropped by the Firewall. The company decides that the Rule should only trigger when there are Firewall Permit Events. Which of these should the analyst implement to meet the above requirement?

Open Rule Wizard add a test condition > and when an event matches any of the following BB:CategoryDefinition: Firewall or ACL Accept

Open Rule Wizard add a test condition > and when the context is Local to Local, Local to Remote

Open Rule Wizard add a test condition > and NOT when an event matches any of the following BB:CategoryDefinition: Firewall or ACL Accept

Open Rule Wizard add a test condition > and when the event category for the event is one of the following Access.Misc Application Action Denied

How are Events that are associated with an offense listed?

Offense Summary window > click Events from Event/Flow count column

Offense Summary window > Destination IPs

Offense Summary window > click Source IPs

Offense Summary window > click Display > Destination IPs

Which are the time criteria in AQL queries?

START, STOP, LAST, NOW, PARSEDATETIME

START, BETWEEN, LAST, NOW, PARSEDATETIME

What can an analyst use in QRadar to quickly find information about IP addresses and URLs while analyzing an offense or event?

Use the X-Force Exchange lookup plugin.

Export the Event to CSV and upload it to reputation sites.

Verify if the IP address of URL is in any of your reference sets.

Copy the IP address or URL and paste it in any external reputation site.

What does it mean when a custom rule is partially matched in QRadar?

Not all the the tests in the rule were fully matched

All the tests in the rule were fully matched

The AND NOT operator is set incorrectly in the first test.

An analyst reviewed an active offense that was many attackers, generating many events in the same category, targeting many systems. Upon further analysis, the analyst determined that the traffic from the attackers is legitimate and should not contribute to the offenses. Which tuning methodology guideline can the analyst use to tune out this traffic?

Edit building blocks by using the Custom Rules Editor to tune the category.

Use the False Positive Wizard to tune the specific event.

Use the Log Source Management app to tune the category.

Edit the building blocks by using the Custom Rules Editor to tune the specific event.

Which regex statement extracts the DNS host from the cs-host value from the payload?

cs-host=(?:www\.)?([^\|]*)\|(?:http|ftp|tcp|https)\s+(?:www\.)?([^\s]+)

cs-host=(?:www\.)?([^\|]*)\|(?:add|get|query|delete)\s+(?:www\.)?([^\s]+)

How can an analyst search for all events that include the keyword 'access'?

Go to the Log Activity tab and run a quick search with the 'access' keyword.

Go to the Offenses tab and run a quick search with the 'access' keyword.

Go to the Network Activity tab and run a quick search with the 'access' keyword.

Go to the Log Activity tab and run this AQL: select * from events where eventname like 'access'.

What are the search options available for searching offense data on the By Networks page?

Source IP, Destination IP, Events/Flows, and Magnitude

Source IP, Magnitude, VA Risk, and Domain

Network, Magnitude, VA Risk, and Events/Flows

Domain, Destination IP, Magnitude, and Events/Flows

Which of these procedures duplicates a report from the Reports tab?

Select the report to duplicate. From the Actions list, click Duplicate and type a new name for the report.

Right-click the report to duplicate. Click Duplicate and type a new name for the report.

Click Action > Duplicate Report. Select the report to duplicate and click Finish.

Click Actions, then select the report to duplicate from the pop-up window. Click Duplicate and type a new name for the report.

A QRadar analyst was asked to provide a selection of events for further investigation by somebody who does not have access to the QRadar system. Which of these approaches provides an accurate copy of the required data in a readable format?

By using the Log Activity tab, filter the events until only those that you require are shown. Then, from the Actions list, select Export to CSV > Full Export (All Columns) to download a ZIP file.

By using the Advanced Search option in the Log Activity tab, run an AQL command: COPY(SELECT * FROM events LAST 2 HOURS) TO 'output_events.csv' WITH CSV.

Log in to the Command Line Interface and use the ACP tool (/opt/qradar/bin/ runjava.sh com.q1labs.ariel.io .ACP) with the necessary AQL filters and destination directory.

By using the "Event Export (with AQL)" option in the Log Activity tab, test your query with the Test button. Then, to run the export, click Export to CSV.

Reports can be organized into groups for efficient utilization. What report groups are available by default in QRadar?

Compliance, Executive, Log Sources, Network Management, Security, VoIP, Other

Compliance, Content, Log Sources, Network Management, Security, VoIP, Other

Compliance, Container, Log Sources, Network Management, Security, VoIP, Other

Compliance, Chart type, Log Sources, Network Management, Security, VoIP, Other

One of the active offenses that was reviewed by an analyst was one attacker, generating one unique event, targeting one system. Upon further analysis, it was determined that the traffic from this attacker is legitimate and should not contribute to offenses. Which tuning methodology guideline can be used to tune out this traffic?

Edit the building blocks by using the Custom Rules Editor to tune the categories for the host IP address

Use the False Positive Wizard to tune the specific event.

Use the False Positive Wizard to tune the category.

Edit the building blocks by using the Custom Rules Editor to tune the event.

The Report Wizard provides a step-by-step guide on how to design, schedule, and generate custom reports. Which key elements does the wizard use to generate a report?

Layout, Chart type, and Event type

Exam C1000-139 IBM Security QRadar SIEM

Authored by Number One

Business

Professional Development

AI Actions

Add similar questions

Adjust reading levels

Convert to real-world scenario

Translate activity

More...

Content View

Student View

37 questions

Show all answers

MULTIPLE CHOICE QUESTION

30 sec • 1 pt

For a Source IP based offense, which field helps determine relative importance of the targets to the business?

Last Event/Flow

Total number of Events

Duration of the offense

Relative importance of Destination IP(s)

MULTIPLE CHOICE QUESTION

45 sec • 1 pt

What is a difference between a flow and an event?

A flow occurs at a moment in time while events have a duration from a log source.

An event occur at a moment in time while flows have a duration from the flow source.

An event is a record from a log source, such as a firewall or router device, that describes an action on a network. A flow record provides visibility into layer 7 for applications such as web browsers, NFS, SNMP, Telnet, and FTP.

A flow is a record from a log source, such as a firewall or router device, that describes an action on a network. An event analysis provides visibility into layer 7 for applications such as web browsers, NFS, SNMP, Telnet, and FTP.

MULTIPLE CHOICE QUESTION

1 min • 1 pt

At the Offense Summary window, the first row of data shows the level of importance that QRadar assigned to the offense. Which statement is the correct description for Magnitude?

QRadar determines it by the weight that the administrator assigned to the networks and assets.

It indicates the threat that an attack poses in relation to how prepared the destination is for the attack

It indicates the relative importance of the offense, calculated based on the relevance, severity, and credibility ratings

It indicates the integrity of the offense as determined by the credibility rating that is configured in the log source. It increases as multiple sources report the same event.

MULTIPLE CHOICE QUESTION

30 sec • 1 pt

What information is provided by using the Sharing MITRE-mapping files in Use Case Manager?

Mapping directly to rules

Mapping directly to dependencies

Mapping to the customize template

Mapping to the Use Case Explorer page

MULTIPLE CHOICE QUESTION

30 sec • 1 pt

Which parameter determines the impact of the offense on the network?

Impact

Severity

Relevance

Credibility

MULTIPLE CHOICE QUESTION

30 sec • 1 pt

When prioritizing offenses to investigate, what metric is provided on the Offenses tab specifically to help influence which offenses to investigate first?

Severity

Magnitude

Relevance

Credibility

MULTIPLE CHOICE QUESTION

30 sec • 1 pt

Several counts of the system notification message 38750088 - Performance degradation that were detected in the Event pipeline showed in a report.
In this case, what does the Event collection system do?

Queues events in RAM

Routes data to storage

Bypasses EPS Licensing

Drops events from the pipeline

Access all questions and much more by creating a free account

Create resources

Host any resource

Get auto-graded reports

Continue with Google

Continue with Email

Continue with Classlink

Continue with Clever

or continue with

Microsoft

Apple

Others

Already have an account?

Similar Resources on Wayground

40 questions

CSEC Accounting Quiz 1

Quiz

•

7th Grade - Professio...

32 questions

Final Practice

Quiz

•

Professional Development

40 questions

การจัดการขาย

Quiz

•

Professional Development

40 questions

Facilities Management Quiz

Quiz

•

Professional Development

33 questions

LOG101 MN Logistics GĐ2

Quiz

•

Professional Development

35 questions

Day 3 Quiz

Quiz

•

Professional Development

37 questions

AF Star Intern (Batch - 6)

Quiz

•

Professional Development

35 questions

Interpersonal Communication Skills

Quiz

•

University - Professi...

Popular Resources on Wayground

10 questions

5.P.1.3 Distance/Time Graphs

Quiz

•

5th Grade

10 questions

Fire Drill

Quiz

•

2nd - 5th Grade

20 questions

Equivalent Fractions

Quiz

•

3rd Grade

22 questions

School Wide Vocab Group 1 Master

Quiz

•

6th - 8th Grade

20 questions

Main Idea and Details

Quiz

•

5th Grade

20 questions

Context Clues

Quiz

•

6th Grade

20 questions

Inferences

Quiz

•

4th Grade

12 questions

What makes Nebraska's government unique?

Quiz

•

4th - 5th Grade

Discover more resources for Business

16 questions

Parallel, Perpendicular, and Intersecting Lines

Quiz

•

KG - Professional Dev...

20 questions

NCAA Logo Quiz

Quiz

•

Professional Development

20 questions

Easter trivia

Quiz

•

12th Grade - Professi...

Exam C1000-139 IBM Security QRadar SIEM

For a Source IP based offense, which field helps determine relative importance of the targets to the business?

What is a difference between a flow and an event?

At the Offense Summary window, the first row of data shows the level of importance that QRadar assigned to the offense. Which statement is the correct description for Magnitude?

What information is provided by using the Sharing MITRE-mapping files in Use Case Manager?

Which parameter determines the impact of the offense on the network?

When prioritizing offenses to investigate, what metric is provided on the Offenses tab specifically to help influence which offenses to investigate first?

Several counts of the system notification message 38750088 - Performance degradation that were detected in the Event pipeline showed in a report. In this case, what does the Event collection system do?

From which tabs can a QRadar custom rule be created?

An analyst needs to preserve the data from a search to view later. Which option should they select?

Access all questions and much more by creating a free account

Similar Resources on Wayground

Popular Resources on Wayground

Discover more resources for Business

Several counts of the system notification message 38750088 - Performance degradation that were detected in the Event pipeline showed in a report.
In this case, what does the Event collection system do?