
IBM C1000-018 Dumps

Page: 1 / 4
Total 103 questions

IBM QRadar SIEM V7.3.2 Fundamental Analysis Questions and Answers

Question 1

What information is included in flow details but is not in event details?

Options:

A.

Network summary information

B.

Magnitude information

C.

Number of bytes and packets transferred

D.

Log source information

Question 2

How would an analyst efficiently include all the Antivirus logs integrated with QRadar for the last 24 hours?

Options:

A.

Log Activity -> Use Log Source parameter with Equals Operator

B.

Log Activity -> Use Log Source Type parameter with Member of Operator

C.

Log Activity -> Use Log Source parameter with Equals any of Operator

D.

Log Activity -> Use Log Source Type parameter with Equals any of Operator

Question 3

An analyst needs to investigate an Offense and navigates to the attached rule(s).

Where in the rule details would the analyst investigate the reason for why the rule was triggered?

Options:

A.

Rule actions

B.

List of test conditions

C.

Rule responses

D.

Rules response limiter

Question 4

When an analyst sees the system notification “The appliance exceeded the EPS or FPM allocation within the last hour”, how does the analyst resolve this issue? (Choose two.)

Options:

A.

Delete the volume of events and flows received in the last hour.

B.

Adjust the license pool allocations to increase the EPS and FPM capacity for the appliance.

C.

Tune the system to reduce the volume of events and flows that enter the event pipeline.

D.

Adjust the resource pool allocations to increase the EPS and FPM capacity for the appliance.

E.

Tune the system to reduce the time window from 60 minutes to 30 minutes.

Question 5

What is the reason for this system notification?

"Time synchronization to primary or Console has failed"

Options:

A.

Deny ntpdate communication on port 423.

B.

Deny ntpdate communication on port 223.

C.

Deny ntpdate communication on port 323.

D.

Deny ntpdate communication on port 123.

Question 6

An analyst is investigating access to sensitive data on a Linux system. Data is accessible from the /secret directory and can be viewed using the 'sudo cat' command. The specific file /secret/file_08.txt was known to be accessed in this way. After searching in the Log Activity Tab, the following results are shown.

When interpreting this, the analyst is having trouble locating events which show when the file was accessed. Why could this be?

Options:

A.

The 'LinuxServer @ centos' log source has been configured as a False Positive and the specific event for that file has been dropped.

B.

The 'LinuxServer @ centos' log source has not been configured to send the relevant events to QRadar.

C.

The 'LinuxServer @ centos' log source has coalescing configured and the specific event for that file can only be accessed by clicking on the 'Event Count' value.

D.

The 'LinuxServer @ centos' log source has coalescing configured and the specific event for that file has been discarded.

Question 7

What is a valid offense naming mechanism?

This information should:

Options:

A.

set the naming of the associated offense(s).

B.

set or replace the naming of the associated offense(s).

C.

replace the naming of the associated offense(s).

D.

be included in the naming of the associated offense(s).

Question 8

An analyst wants to create a report using the report wizard.

What are key elements used by the wizard to create the report?

Options:

A.

Report templates, layout, content.

B.

Report templates, layout, saved searches

C.

Layout, container, content

D.

Report templates, user groups, permissions.

Question 9

When is the rating of an Offense magnitude re-evaluated?

Options:

A.

when a port is opened

B.

when the threat assessment changes

C.

when new events are added to the Offense

D.

when the number of vulnerabilities increases

Question 10

After working with an Offense, an analyst set the Offense as hidden. What does the analyst need to do to view the Offense at a later time?

Options:

A.

Click Clear Filter next to the "Exclude Hidden Offenses".

B.

In the all Offenses view, at the top of the view, select "Show hidden" from the "Select an option" drop-down.

C.

In the all Offenses view, select Actions, then select show hidden Offenses.

D.

Search for all Offenses owned by the analyst

Question 11

What is the maximum time period for 3 subsequent events to be coalesced?

Options:

A.

10 minutes

B.

10 seconds

C.

5 minutes

D.

60 seconds
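Questions 6 and 11 both turn on event coalescing: when more than three events with the same coalescing key arrive inside a 10-second window, the later ones are folded into one record whose Event Count grows, so a specific occurrence (such as the read of one particular file) is reachable only by opening that count. The following Python is an added illustration written for this page, not code from the exam, the dump, or IBM; it models that behaviour under stated assumptions (the key fields, the threshold of three, the 10-second window, the constructed `sudo cat` events and the constructed QID and addresses) and is not QRadar's own implementation.

```python
"""Simplified model of QRadar-style event coalescing (added illustration, not QRadar code).

Assumptions, all constructed for this example: events that share one
coalescing key (source IP, destination IP, destination port, username,
event ID) are coalesced once more than three of them arrive inside a
10-second window. The first three are stored individually; the fourth
and later ones are folded into one record whose Event Count grows.
"""
from dataclasses import dataclass, field, replace
from typing import Dict, List, Optional, Tuple

COALESCE_WINDOW_SECONDS = 10  # the window Question 11 asks about
COALESCE_THRESHOLD = 3        # identical events stored singly before coalescing starts

Key = Tuple[str, str, int, str, int]


@dataclass
class Event:
    ts: int                 # seconds on a constructed timeline
    src_ip: str
    dst_ip: str
    dst_port: int
    username: str
    qid: int                # event identifier (assumed normalised event type)
    payload: str
    event_count: int = 1    # >1 marks a coalesced record
    members: List["Event"] = field(default_factory=list)  # raw events folded in

    def key(self) -> Key:
        return (self.src_ip, self.dst_ip, self.dst_port, self.username, self.qid)


def coalesce(events: List[Event]) -> List[Event]:
    """Return the records that would appear in a Log Activity search."""
    stored: List[Event] = []
    # per key: window start, events seen in the window, index of the coalesced record
    state: Dict[Key, Tuple[Optional[int], int, Optional[int]]] = {}
    for ev in sorted(events, key=lambda e: e.ts):
        k = ev.key()
        start, seen, idx = state.get(k, (None, 0, None))
        if start is None or ev.ts - start >= COALESCE_WINDOW_SECONDS:
            state[k] = (ev.ts, 1, None)         # fresh window: store as-is
            stored.append(ev)
        elif seen < COALESCE_THRESHOLD:
            state[k] = (start, seen + 1, None)  # still under the threshold
            stored.append(ev)
        elif idx is None:
            rec = replace(ev, members=[ev])     # fourth event opens the coalesced record
            stored.append(rec)
            state[k] = (start, seen + 1, len(stored) - 1)
        else:
            stored[idx].event_count += 1        # later events only bump the count
            stored[idx].members.append(ev)
            state[k] = (start, seen + 1, idx)
    return stored


def locate(records: List[Event], needle: str) -> Optional[Tuple[int, bool]]:
    """Find the record carrying `needle`. The bool is True when the text is only
    reachable by opening the record's Event Count (the situation in Question 6)."""
    for i, rec in enumerate(records):
        if needle in rec.payload:
            return i, False
        if any(needle in m.payload for m in rec.members):
            return i, True
    return None


def sample_events() -> List[Event]:
    """Constructed sample: seven `sudo cat` reads of /secret files by one user on one host."""
    reads = [(0, "file_01.txt"), (2, "file_02.txt"), (4, "file_03.txt"), (5, "file_04.txt"),
             (6, "file_08.txt"), (8, "file_09.txt"), (15, "file_10.txt")]
    return [Event(ts=t, src_ip="192.0.2.10", dst_ip="192.0.2.10", dst_port=0,
                  username="alice", qid=5000001,  # constructed identifiers
                  payload=f"sudo: alice : COMMAND=/bin/cat /secret/{name}")
            for t, name in reads]


if __name__ == "__main__":
    recs = coalesce(sample_events())
    for r in recs:
        print(f"t={r.ts:>2} count={r.event_count} {r.payload}")
    print(locate(recs, "file_08.txt"))
```

Running the sample yields five records instead of seven: the first three reads stand alone, reads four to six collapse into one record with an Event Count of 3, and the read at 15 seconds starts a new window and is stored individually. The read of file_08.txt never appears as its own row; `locate` finds it only inside the coalesced record, which is why an analyst in the Question 6 scenario has to open the Event Count value to see it.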

Question 12

The SOC team complained that they have received multiple emails about the same Offense in the space of 10 minutes, but the analyst can only see one Offense in the Offenses tab.

How can the analyst ensure only one email is sent in this circumstance?

Options:

A.

Configure the postfix mail server on the Console to suppress duplicate items

B.

Ensure that the Rule Action Limiter is configured the same way as the Rule Response Limiter.

C.

Add a Response Limiter to the Rule, configured to execute only once every 30 minutes.

D.

Disable Automated Offense Notification - by email, in Advanced System Settings.

Question 13

An analyst has created a custom property from the events for searching for critical information. The analyst also needs to reduce the number of event logs and data volume that is searched when looking for the critical information to maintain the efficiency and performance of QRadar.

Which feature should the analyst use?

Options:

A.

Index Management

B.

Log Management

C.

Database Management

D.

Event Management

Question 14

An analyst is encountering a large number of false positive results. Legitimate internal network traffic contains valid flows and events which are making it difficult to identify true security incidents.

What can the analyst do to reduce these false positive indicators?

Options:

A.

Create X-Force rules to detect false positive events.

B.

Create an anomaly rule to detect false positives and suppress the event.

C.

Filter the network traffic to receive only security related events.

D.

Modify rules and/or Building Block to suppress false positive activity.

Question 15

An analyst needs to find events coming from unparsed log sources in the Log Activity tab.

What is the log source type of unparsed events?

Options:

A.

SIM Generic

B.

SIM Unparsed

C.

SIM Error

D.

SIM Unknown
