IBM QRadar SIEM Foundation Quiz
What is the QRadar local file path where QRadar stores files that it pulls from a log repository or appliance by using log file protocol? /store/tmp /var/log/dsm /storetmp/log /opt/qradar/log
/opt/qradar/log
What is the CIDR range used by the QRadar Network Hierarchy that catches all addresses that are not defined in your network hierarchy? 1. 0.0.0.0/0 2. 0.0.0.0/32 3. 255.255.255.255/0 4. 255.255.255.255/32
0.0.0.0/32
What is the minimum value for the Payload Index Retention setting? 1. 1 day 2. 3 days 3. 7 days 4. 15 days
1
Delegated <blank> can manage their own <blank> in a <blank> environment. 1. administrators 2. network hierarchy 3. multi-tenant 4. analysts 5. global
1 2 3
Match the action to the QRadar component. Event Collector Event Processor Magistrate * Coalesce the events * trigger the rules * track the offense
1,2,3
Retention buckets are used to segregate data for storing important data longer and getting rid of unnecessary data if needed. How many retention buckets can a tenant have? 1. 5 2. 10 3. 50 4. 100
10
What is the maximum number of retention buckets that can be configured for shared data or for each tenant? 1 10 100 Infinite
10
How many bytes is an average Microsoft Windows log source event? 100 500 1000 5000
1000
What is the default size in bytes of the UDP syslog payload? 1. 256 2. 512 3. 1024 4. 4096
1024
What is the default asset data retention period? 1. 60 days 2. 90 days 3. 120 days 4. 180 days
120
For the OverFlow record type, the IP address that is used as the Source IP is <blank>.
127.0.0.4
What is the default data retention period for payload index? 1. 15 days 2. 30 days 3. 60 days 4. 90 days
2
What is the maximum value for the Payload Index Retention setting? 1. 90 days 2. 6 months 3. 1 year 4. 2 years
2 years
What two conditions should be met to tag an event with Domain A? 1. The event is received by the log source "Linux @ Scada" 2. No domain criteria based on custom event properties can be applied to this event 3. The event is received by the flow source associated with the log source "Linux @ Scada" 4. The event is received by any log source under the same log source group as "Linux @ Scada" 5. The event is received by the event collector to which the log source "Linux @ Scada" sends its logs
3 4
Permission precedence determines the security profile components to consider when the system displays which of the following? Select three. 1. User IDs in the Offenses tab 2. Events in the Log Activity tab 3. Offense data in the Offenses tab 4. Flows in the Network Activity tab 5. Flows in the Network Activity tab 6. Scan results in the Vulnerability tab 7. Asset IP addresses in the Assets tab
3 4 5
What is the default time interval of the QRadar flow record? 10 seconds 30 seconds 60 seconds 300 seconds
300 seconds
Select the order used by the asset profiler to perform asset reconciliation. Prioritize the asset identity types from most determinate to least determinate. Use the numbers separated by commas and no spaces. 1. DNS Host Name 2. IP address 3. NetBIOS name 4. MAC Address
4,3,1,2
What is the default size in bytes of the TCP syslog payload? 1. 256 2. 512 3. 1024 4. 4096
4096
What is the default syslog port that QRadar listens on? 22 514 636 6514
514
<blank> is the process that combines two sides of each flow when data is provided asymmetrically.
Asymmetric recombination
What type of rule detects a mail server that has an open relay and suddenly begins to communicate with a large number of hosts? Anomaly rule Threshold rule Behavioral rule Flow-based rule
Behavioral rule
Which component processes QRadar flow related rules? Magistrate Flow Processor Service Event Processor Service Event Collector Service
Flow Processor Service
A process that removes duplicate flows when multiple QFlow collectors provide data to the flow processor appliances is called <blank>
Flow deduplication
How do you hide the Admin tab from being displayed in the QRadar Console? 1. Right-click the tab and select "Hide" 2. You cannot hide the tab from the console 3. From the menu on the upper-left corner of the page, click the star icon in front of the Admin tab 4. On the Admin tab, System Settings, go to "Display," and clear the Admin tab from the list
From the menu on the upper-left corner of the page, click the star icon in front of the Admin tab
What is the benefit of indexing the event properties in QRadar? 1. It organizes events in alphabetical order 2. It classifies events into high-level categories 3. It increases the speed of searches in the QRadar Console 4. It saves disk space when storing logs in the QRadar database
It increases the speed of searches in the Qradar Console
For each type of flow, select the matching visibility layer of the network protocol stack. QNI QFlow NetFlow JFlow SFlow Packeteer
L4 L7 L4 L4 L4 L7
What can non-admin users edit from their personal accounts in the User Preferences menu? 1. User role 2. User Name 3. Locale (Language) 4. Authentication Method
Locale
Deploying a QRadar Risk Manager appliance allows you to perform which task? 1. Reconstruct network sessions 2. Capture layer 7 application data 3. Monitor network security configuration 4. Implement sophisticated asset profiling
Monitor network security configuration
What is the name of the default object in the QRadar Network Hierarchy that catches all private IP addresses? 1. IP-private 2. Net-private 3. IP-10-172-192 4. Net-10-172-192
Net-10-172-192
The Event Processor can store accumulated data in the Ariel database. What is this data used for? Select two. 1. reports 2. Offenses 3. Searches 4. CRE optimization 5. License management
Offenses Reports
QRadar SIEM records a number of data fields by analyzing basic network flows. Which of these fields are contained within the network flows? Select three. 1. Port 2. Protocol 3. Asset name 4. User identity 5. DNS information 6. Destination IP address
Port Protocol Destination IP address
In what type of search in QRadar can you input individual terms in combination with regular expressions? 1. Quick Filter 2. New Search 3. Saved Search 4. Advanced Filter
Quick Filter
The QRadar events and flows with <blank> traffic direction indicate that the network hierarchy does not have a well-defined network subnet.
R2R
If you deploy QRadar on an All-in-One Appliance, you can run all of these functions except which one? 1. Risk Manager 2. Flow Collector 3. Event Processor 4. Vulnerability Manager
Risk Manager
On the Admin Console, move the marker to the icon that you can use to configure TCP Syslog payload length.
System Settings
Where do you configure the Payload Index Retention setting?
System Settings
To unhide data, what type of key does an administrator need to upload into QRadar? System-generated PIN Manually-entered password System-generated public key System-generated private key
System-generated private key
What technologies does the QFlow Collector use to capture raw network packets? Select two. 1. OSI 2. TAP 3. QNI 4. Span 5. Layer 7
TAP Layer 7
What is the log source protocol type that has Event Start Pattern and Event End Pattern fields? Log File HTTP Receiver TCP Multiline Syslog Amazon AWS S3 REST API
TCP Multiline Syslog
In the QRadar Report wizard, each <blank> element defines the position and size of containers with charts and data. layout group graph rule
layout
A reference <blank> is a collection of key-value pairs where every key is unique. map set map of sets map of maps
map
A <blank> is a collection in which every key is unique and maps to one reference map. map of maps set map map of sets
map of maps
Asset <blank> is the process where the information for one asset is combined with the information for another asset under the premise that they are the same physical asset.
merging
A reference <blank> is similar to a reference map of maps, but it allows secondary keys of different table set map map of sets
table
QRadar SIEM provides default report <blank> , which you can customize, rebrand, and distribute to QRadar SIEM users. templates wizards groups schedules
templates
Match a type of the superflow to the network activity. Type A Type B Type C Network Scan DDoS Attack Port Scan
Type A Network Scan Type B DDoS Attack Type C Port Scan
How many rule combinations does QRadar have to test against event data, flow data, or offenses? Unlimited Less than 5 Less than 10 Less than 100
Unlimited
Which type of Rules can test against both log and flow data? Flow Rules Event Rules Offense Rules Common Rules
Common Rules
QRadar Applications, available via the IBM Security App Exchange, can be run on which of the following components? Select two. 1. Console 2. App Host 3. Data Node 4. Event Collector 5. Event Processor
Console App Host
In the Rule Action section of the QRadar Rule Wizard, the <blank> parameter indicates the integrity of the offense as determined by the credibility rating that is configured in the log source.
Credibility
If you want to improve speed for your searches in QRadar, what component must you add into your deployment? 1. App Host 2. Data Node 3. Data Gateway 4. Load Balancer for your EPs
Data Node
Which Rule response should you enable to be able to rename the offense? Notify Dispatch New Event Send to Local SysLog Ensure the detected event is part of an offense
Dispatch New Event
What is the responsibility of the Overflow Filter in the Event Collector? 1. Parsing of incoming events 2. Auto discovery of log sources 3. Correlation of incoming events 4. Enforcement of the EPS license limit
Enforcement of the EPS license limit
Log source data must be normalized before it can be processed in QRadar. Which component is responsible for normalizing log source data? 1. Console 2. Magistrate 3. Event Collector 4. Event Processor
Event Collector
What component is responsible for log source autodetection? 1. DSM 2. Traffic Analysis 3. Protocol Analyzer 4. Log Source auto-identifier
Traffic Analysis
What does a security profile define? Select two. 1. Which assets a user can access 2. Which networks a user can access 3. Which log sources a user can access 4. Which offense rules a user can access 5. Which vulnerability scanning profiles a user can access
Which networks a user can access Which log sources a user can access
What method do you use in QRadar to define how long event and flow data is being retained? You define retention buckets. You define retention schedules in the Ariel database. You define retention enforcement in rules. You set retention dates per log source using the Log Source Management app.
You define retention buckets.
A <blank> is a collection of tests that don't result in a response or an action.
building block
Which component stores asset data? mySQL CCMDB Ariel database postgreSQL database
postgreSQL database
In the Rule Action section of the QRadar Rule Wizard, the <blank> parameter determines the impact of the offense on your network.
relevance
You must create a new data obfuscation <blank> to hide the QRadar data by domain.
rule
<blank> allows QRadar administrators to segment their network into logical groups.
segmentation
In the Rule Action section of the QRadar Rule Wizard the <blank> parameter indicates the level of threat that a source poses in relation to how prepared the destination is for the attack.
severity
