c2150-196

Exam A

QUESTION 1

What is the result of modifying a saved search?

A. The original search criteria is not changed.B. The user will be prompted to save the new search criteria as a new saved search.C. The original search criteria is automatically saved and updated with the new criteria.D. The user will be prompted to update the search criteria to that of the modified criteria.

Answer: AExplanation/Reference:Explanation:

QUESTION 2

To overwrite an IBM Security QRadar SIEM V7.1 system, what must be typed in when prompted during the re-imaging process?

A. OKB. FLATTENC. REFRESHD. REINSTALL

Answer: BExplanation/Reference:Explanation:

QUESTION 3

Where does IBM Security QRadar SIEM V7.1 get the severity of an event?

A. from the QIDmapB. fromtheeventpayloadC. from the Tomcat serverD. from the user's definition


QUESTION 4

IBM Security QRadar SIEM V7.1 can be forced to run an instant backup by selecting which option?

A. Backup NowB. On Demand BackupC. Launch On Demand BackupD. Configure On Demand Backup


QUESTION 5

An IBM Security QRadar SIEM V7.1 (QRadar) ALE agent should be installed on which system to collect Windows logs?

A. the QRadar ConsoleB. a QRadar Event ProcessorC. any Windows 2000 or newer serverD. any Linux server with SMB installed

Answer: CExplanation/Reference:Explanation:

QUESTION 6

Which statement best describes the supported external storage options in IBM Security QRadar SIEM V7.1 (QRadar)?

A. While QRadar supports NES for external storage, NES is recommended for backups, not for storing active data

B. QRadar data is located in the /store file system. An off board storage solution can be used to migrate the entire /store file system to an externalsystem for faster performance.

C. The /store/ariel directory is the most commonly off boarded file system. Subsequently, collected event logs and flow records data can be relocatedto external storage using protocols such as SMB.

D. Any subdirectory in the /store file system can be used as a mount point for external storage device. By creating multiple volumes and mounting /store/ariel/logs and /store/ariel/qflow,storage capabilities can be extended past the 64TB file system limit currently supported by QRadar


QUESTION 7

By default how often are events forwarded from an event collector to an event processor?

A. every hourB. continuouslyC. every 2 hoursD. it does not forward until the forwarding schedule is set


QUESTION 8

What is required to configure users for successful external authentication?

A. Aconfigured External Authentication typeB. Users with no account on the IBM Security QRadar SIEM V7.1 (QRadar) applianceC. Users with existing accounts on QRadar and a configured External Authentication typeD. Select which users require external authentication and select the correct authentication type


QUESTION 9

What are the main functions of the Report wizard within IBM Security QRadar SIEM V7.1?

A. to enable branding of reports with a customer's logo or local identification informationB. to specifythe schedule, layout, report content, output format, and distribution channelsC. to create new report groups which are placed in the existing hierarchy of reporting groupsD. to select from compliance, executive, log source, network management, and security reports


QUESTION 10

Where is the optimal location for IBM Security QRadar QFIow appliances to monitor Internet traffic?

A. inthedatacenterB. at the workstation switchesC. at the wireless access pointsD. at an ingress/egress point in the network

Answer: DExplanation/Reference:Explanation:

QUESTION 11

How is the WinCollect agent enabled to communicate with the IBM Security QRadar SIEM V7.1 (QRadar) console?

A. Configure the WinCollect agent to forward syslog events to the QRadar Event Collector.B. Supply credentials to connect to the WinCollect agent when creating the Windows log source.C. Apply the token created for the WinCollect agent during the WinCollect software installation on the target.D. WinCollect log sources collect using the QRadar console as host so the WinCollect agent directly accesses the console.

Answer: C

Explanation/Reference:Explanation:

QUESTION 12

In which section can event or flow hashing be enabled/disabled in IBM Security QRadar SIEM V7 .1?

A. ConsoleB. SecurityC. System SetbngsD. Deployment Editor


QUESTION 13

What action(s) can be taken from the Log and Network Activity tab?

A. close an offense based on existing anomaly rulesB. create and edit rules and building blocks, and add log sources and flow sourcesC. open offenses based on users in the organization performing unauthorized activityD. create and edit searches, filter on specific details, sort, and right-click and filter on specific details


QUESTION 14

Which user account is used to log in when installing the activation key?

A. rootB. adminC. qradar

D. default


QUESTION 15

What are three types of rules that can be created using the Rule Wizard? (Choose three.)

A. Flow RuleB. Event RuleC. Offense RuleD. Anomaly RuleE. Threshold RuleF. Behavioral Rule

Answer: ABCExplanation/Reference:Explanation:

QUESTION 16

What is an IBM Security QRadar network object?

A. An asset definitionB. A vulnerability scannerC. A collection of CIDR addressesD. A device sending logs to a QRadar


QUESTION 17

Where is a LSX uploaded to IBM Security QRadar SIEM V7.1 to be used by a UDSM in the Admin Section?

A. Log Source Extensions> AddB. Log Sources> Add > ExtensionsC. System Settings> Extensions > AddD. Systems and License Management> Add > Extensions


QUESTION 18

When creating a behavioral rule in Automated Anomaly Analysis, which three components are weighted to determine the rule?

A. autoregressive pattern, fit to underlying curve, and moving averageB. seasonal or cyclical behavior, underlying trend, and random fluctuationC. previous period value, current observation, and average of residuals for future observationsD. length of the seasonal component, date range for the trend, and time window during the day


QUESTION 19

Which statement best describes the advantages of implementing NetFlow monitoring?

A. If antivirus software signatures fail to detect malware infection, NetFlow monitoring can help identify malware propagation by using its ownsignatures.

B. NetFlow provides the ability to detect suspicious log activity. Each log contains the number of bytes and packets transferred by both the SRC andDST allowing for volume-based reporting of network traffic.

C. NetFlow provides deep packet inspection, from layers three to seven of the OSI model, increasing visibility into applications; whereas, traditionalflow monitoring only provides visibility at layers three and four.

D. NetFlow provides the ability to detect suspicious network activity, e.g. identify a potential botnet when Local to Remote traffic is matched to an IPaddress configured in a corresponding Remote Network group.


QUESTION 20

How are user permissions applied using Log Source groups?

A. using user rolesB. applied to individual usersC. applied to network objectsD. applied to authorized services


QUESTION 21

This command provides what information when run from an IBM Security QRadar QFlow 1202 appliance: grep `Sent.\ + flows' /var/log/qradar.log?

A. total number of flows per minute sent to the Event CollectorB. total number of flows per minute sent to the Event ProcessorC. total number of flows being sent since the system was restartedD. total number of flows per second sent to the Plow Collector or console


QUESTION 22

Which IBM Security QRadar SIEM V7.1 appliance types are designed to collect, process, and store log event messages?

A. 12XXB. 13XX

C. 15XXD. 16XX


QUESTION 23

How does the order of rule tests affect the ORE performance?

A. Itdoesnotaffecttheperformance.B. All tests in a rule are evaluated individually. Tests that have counters affect the ORE performance and not the order of tests.C. When analyzing the rules in pairs from top to bottom, the test at the top should always be the one most likely to fail because if it fails then ORE will

not evaluate the following tests.D. When analyzing the rules in pairs going from top to bottom, the test at the bottom should always be the test that is most likely to fail. This ensures

that the rule evaluation is optimized.


QUESTION 24

What step must be completed before searching restored data on a newly installed console?

A. Tomcat must be shut down.B. All DSMs and RPMs should be restored.C. The hostcontext service should be restarted.D. The configuration backup must be restored to the new console.


QUESTION 25

Given that ICMP pings from all hosts are dropped, which rule(s) allows ICMP pings and responses only from and to host 10.35.100.23?

A. iptables -A INPUT-p icmp -j ACCEPTB. i ptables -A OUTPUT-s 10.35.100.23-p i cmp -j ACCEPTC. iptables -A OUTPUT-p icmp --icmp-type echo-reply-j ACCEPTD. iptables -A INPUT-s 10.35.100.23 -p icmp --icmp-type echo-request-i ACCEPT


QUESTION 26

What must be provided when utilizing kickstart disks to install IBM Security QRadar SIEM V7.1 software on customer supplied hardware?

A. access using the serial portB. support for a kickstart file is not supportedC. access to the file share where the kickstart file is locatedD. a USB hard drive with enough room to support the kickstart file


QUESTION 27

When scheduling a vulnerability scan which factor would be controlled by the Concurrency Mask?

A. The level of detail of the scan data based on the number of hosts involved in a particular run.B. The load placed on each host that is being scanned during the time that the scan is underway.C. The potential risk to the subnet being scanned due to the number and frequency of operations performed during the scan.D. The load placed on the network, scanner, and/or IBM Security QRadar SIEM V7.1 due to the number of scans being performed during a scanner

run.

Answer: DExplanation/Reference:

Explanation:

QUESTION 28

Where is WinCollect configured as an Authorized Service?

A. the WinCollect icon under the Admin tabB. the Authorized Services icon under the Admin tabC. the WinCollect drop-down under Authorized Services > AddD. the Authorized Services drop-down under WinCollect> Add Authorized Service


QUESTION 29

Which search option is mandatory before producing a time series graph?

A. The time range must include a definition of a specific interval.B. Search parameters must include at least one filter definition clause.C. The column definition must have a variable selected in the Order By chooser.D. The column definition must include at least one column in the Group By window.


QUESTION 30

The ip_context_menu.xml file was edited in order to access additional details for selected IP addresses. Which service must be restarted for thechanges to take effect?

A. tomcatB. webminC. syslog-ng

D. hostcontext


QUESTION 31

What is the default download path directory where DSM, minor, and major updates are stored before being deployed?

A. /store/backup/autoupdatesB. /store/configservices/staging/updatesC. /store/configservices/staging/globalconfigD. /store/configservices/staging/autoupdates


QUESTION 32

Which IBM Security QRadar SIEM V7.1 DSM protocol supports the collection of Microsoft SMTPI OWA, and message tracking logs?

A. Microsoft ISB. Microsoft DHCPC. Microsoft ExchangeD. Microsoft Security Event Log


QUESTION 33

How are values mapped in a LSXto parse data from a payload for a UDSM?

A. quotes (`')B. backtics(`)C. regular expressionsD. comma separated (,)


QUESTION 34

After clicking on the Backup and Recovery button in the Admin tab, which three options are found in the Backup Archives page? (Choose three.)

A. RevertB. RestoreC. RemoveD. ConfigureE. Backup NowF. On Demand Backup

Answer: BDFExplanation/Reference:Explanation:

QUESTION 35

What must be done in order to use the data present on the Log Activity screen for a report?

A. save search criteriaB. save search resultsC. save reporting criteriaD. save search for reporting


QUESTION 36

Which two items must be provided prior to the initial installation and configuration of IBM Security QRadar SIEM V7.1 appliance? (Choose two.)

A. mouseB. monitorC. keyboardD. serial consoleE. IBM Security QRadar SIFM license key

Answer: BCExplanation/Reference:Explanation:

QUESTION 37

What must be done to enable High Availability (HA) disk synchronization?

A. Admin> HA Setting> Enable Disk SynchronizationB. synchronization can only be set up while initializing the HA clusterC. edit the HA cluster and select the Disk Synchronization check boxD. synchronization can only be set up while installing the HA activation key for the secondary appliance


QUESTION 38

Which Admin function enables system performance alerts?

A. System SettingsB. Network HierarchyC. Forwarding DestinationsD. Global System Notifications


QUESTION 39

How does a rule generate a new Correlation Rule Engine (CRE) event?

A. CRE cannot create events, only log sources can.B. By letting it create an offense. Offenses are the same as CRE events.C. By creating a rule response. In the rule response, check the box Generate a New CRE Event.D. By forwarding the event as a syslog message to the local event collector using the rule response section.


QUESTION 40

How is a new high level or low level event category added to IBM Security QRadar SIEM V7.1?

A. usetheAdmintabB. usetheMapEventscreenC. use the qidmap_cli.sh utilityD. a new event category cannot be added


QUESTION 41

By default the Server Discovery function inserts discovered servers into building blocks in which category?

A. Host Definitions

B. Device DefinitionsC. System DefinitionsD. Compliance Definitions


QUESTION 42

What is the allowable range for Object Weight when defining a network hierarchy object?

A. 0-9B. 1-5C. 1-10D. 0-99


QUESTION 43

What type of host name does IBM Security QRadar SIEM V7.1 require in the network settings Hostname field?

A. Internet HostnameB. NetBIOS HostnameC. Fully Qualified Host NameD. Fully Qualified Domain Name


QUESTION 44

The Retention Properties screen provides many configuration items to allow for managing the contents of the retention bucket. Which two items areavailable for bucket management? (Choose two.)

A. offsite storageB. date of deletionC. retention encryptionD. conditions of deletionE. criteria for compression

Answer: DEExplanation/Reference:Explanation:

QUESTION 45

When adding a managed host using encryption, which network port must be open bi-directionally between the console and new host?

A. 22B. 115C. 443D. 445


QUESTION 46

Which script is issued to make changes to the template?

A. /opt/qradar/conf/appconfigB. /optlqradar/conf/capabilities.confC. /optiqradar/bin/template_setup.pID. /optlqradar/bin/qchange_netsetup

Answer: CExplanation/Reference:

Explanation:

QUESTION 47

Which two fields are available for indexing in the Index Management page? (Choose two.)

A. Asset propertiesB. Flows propertiesC. Events propertiesD. Offenses propertiesE. Vulnerability properties

Answer: BCExplanation/Reference:Explanation:

QUESTION 48

Which two flow sources provide layer 7 payload? (Choose two.)

A. JFlowB. SFlowC. NetFlowD. PacketeerE. Network Interface

Answer: BEExplanation/Reference:Explanation:

QUESTION 49

What is a defining characteristic of an asymmetric flow?

A. It is evidenced by receiving varying length NetElow records.B. It describes network traffic that is configured to take alternate paths for inbound and outbound traffic.

C. It describes where traffic volumes are significantly skewed towards either inbound or outbound communication.D. It describes network traffic that commonly resolves to a Superflow in the IBM Security QRadar QElow appliance.


QUESTION 50

When creating a new IBM Security QRadar SIEM V7.1 user account, the administrator did not give access to the log source group (called MS DomainSecurity Logs) that contains Microsoft Security Event logs. What happens if the user attempts to run a shared saved search for failed login attempts toa domain?

A. The user is not able to see any results from that search.B. Since the user is part of the domain, they are able to see the data in the search results.C. The user is notified that they do not have the proper permissions to run that search and are requested to contact their administrator.D. The search will run but since the userwas not given access to the MS Domain Security Logs group, the user cannot see results from those log

sources contained in that group.


QUESTION 51

Which statement best describes the available options when configuring a new routing rule?

A. A routing rule is defined to associate network configuration with the options for storing the data in the database as well processing events throughthe rules engine.

B. A routing rule is used to define to IBM Security QRadar SIEM V7.1 the possible path through the internal network, and how to associate these pathswith vulnerability data in the Asset Profiles.

C. Associate each rule with an event collector, determine placement of the data within the Ariel database, choose the protocol, host, and port numberused to store the event, and then determine which alerts are generated.

D. Scope the rule to a particular event collector, set up a filter, and then choose any combination of forward, drop, or bypassed correlation. Itis notnecessary to define destinations in advance as that can be done when routing rules are defined.

Answer: D


QUESTION 52

Which statement applies to IBM Security QRadar SIEM V7.1 virtual appliances?

A. QRadarXX90appliances maybe installed into a Hyper-V environment.B. QRadarXX90appliances maybe installed into a VMware ESXi environment.C. QRadarXX90appliances may not be mixed with QRadar software licenses in a virtual server environment.D. QRadarXX90appliances may be installed as a native Os on appropriately configured customer premise hardware.


QUESTION 53

How can asset profiles be searched?

A. From the Assets tabB. From the Offenses tabC. Right-click on anyD. Address from the Actions pull-down menu


QUESTION 54

What must be done when creating a user's password on an IBM Security QRadar SIEM V7.1 (QRadar) system that is utilizing Active Directoryauthentication?

A. ensure the password has a minimum of 8 charactersB. create the user's initial password and have them change it immediately

C. ensure the user's QRadar password matches their Active Directory passwordD. a password does not need to be set on QRadar when using Active Directory authentication


QUESTION 55

What notation is used to enter a class A network 10.0.0.0 into an IBM Security QRadar SIEM V7.1 network hierarchy?

A. 10.*.*.*B. 10 .0 .0 .0/8C. 10.0.0.0/255.0.0.0D. 10.0.0.0-10.255.255.255


QUESTION 56

What must be done first when changing the network settings on a console in a multi-system deployment?

A. installnewpatchesB. reset the SIM modelC. remove all managed hostsD. install a new license for the new IP address


QUESTION 57

What must be done to put licenses into effect after applying a license file using the Managed License action of the System and License Management

dialog?

A. click on Deploy LicenseB. select Restart System to activate the license keyC. open the Deployment Editor, right-click on each host, and select DeployD. select System and License Manage System and then select Deploy License Key


QUESTION 58

What is the default password to access the Integrated Management Module remote access controller for an IBM Security QRadar appliance?

A. calvinB. defaultC. passw0rdD. PASSWORD


QUESTION 59

Which option is available for sharing offenses with non-IBM Security QRadar users?

A. provide URLt0 offenseB. invoke script for third-party service deskC. selectthe option to e-mail offense detailsD. select the option to export the offense data as a PDE


QUESTION 60

How are new reference sets created in IBM Security QRadar (QRadar)?

A. use the out-of-the-box tablesB. use the ReferenceSetMod.pI scriptC. select New in the Rules Response WizardD. log into the QRadar Console and the PostgreSQL database


QUESTION 61

What must be done prior to clicking on False Positive if flows or events are being viewed in streaming mode?

A. clickonthePause buttonB. clickonthe Refresh buttonC. right-click on the event and click FilterD. right-click on the event and click Additional Plug-ins


QUESTION 62

What is the last step to add a protocol based log source?

A. on the Admin tab click Deploy ChangesB. from Log Sources, select Log Source Type, and click SaveC. from Log Sources, select Log Source Identifier, and click SaveD. on the Admin tab, select Actions and click Deploy Pull Configuration

Answer: A


QUESTION 63

After gathering all required files from the IBM Security QRadar SIEM V7.1 appliance using SSH connectivity which protocol can be used to retrieve thetar.bz2 file or any other files to send to support?

A. FTPB. TFTPC. HTTPD. SFTP


QUESTION 64

Prom the Dashboard view, the Compliance Overview dashboard > Login Failures by User (real- time) workspace is being reviewed. Which linkprovides more details about these events?

A. ViewinAssetsB. View in OffensesC. ViewinLogActivityD. ViewinNetworkActivity


QUESTION 65

What happens to previously collected events when an event is mapped?

A. They are re-mapped to the new mapping.

B. They are not mapped to the new mapping.C. The user is prompted for the action to take.D. The new mapping is added to the old mapping


QUESTION 66

How is a High Availability (HA) cluster installed from the Admin tab?

A. HA Management > Install HA ClusterB. Systems and License Management > Actions > Add HA HostC. High Availability > Systems and License Management > Add HA HostD. Deployment Editor, add both the Primary and Secondary hosts to the deployment


QUESTION 67

What are two ways an asset can be added to asset profiles? (Choose two.)

A. by flow dataB. by offense dataC. by anomaly ruleD. by search queriesE. by a vulnerability assessment or active network scan

Answer: AEExplanation/Reference:Explanation:

QUESTION 68

Which two actions allow modification of the current displayed search result set? (Choose two.)

A. click on the Actions buttonB. click on the Add Filter buttonC. click on Quick Filter then select Show AllD. right-click on an item then select a filter optionE. click Search then select Manage Search Results

Answer: BDExplanation/Reference:Explanation:

QUESTION 69

Which function can be used to tune out Events/Flows with a specific QID and a specific destination IP address from contributing to an offense?

A. False PositiveB. Tuning WindowC. Asset DiscoveryD. Network Hierarchy


QUESTION 70

After editing the IPTables configuration file, which command reloads the IPTables?

A. service iptables saveB. /etc/sysconfig/iptables restartC. /opt/qradar/bin/iptables restartD. /opt/qradar/bin/iptables_update.pl


Explanation:

QUESTION 71

How can ALE be used to collect Windows 2008 events?

A. Use WinCollect because Windows 2008 is not supported by ALE.B. Install ALE on the Windows 2008 and start collecting from the local event log.C. Configure the ALE agent to receive forwarded events from the Windows 2008 systems.D. Configure Windows 2008 to forward its logs directly to the IBM Security QRadar SIEM system.


QUESTION 72

What would be considerations for defining a Threshold Rule in the Automated Anomaly Analysis?

A. a change value and a length of time for accumulationB. a time window during the day and a moving average smoothing valueC. a time interval for accumulation and a relative weight for the current observationD. a seasonal component, a trend component, and a delta or incremental change value


QUESTION 73

Where is the activation key located?

A. on the documentation CDB. on the appliance start screenC. in the End User License AgreementD. in the documentation package shipped with the server


QUESTION 74

Where in the IBM Security QRadar SIEM V7.1 GUI can information be added about a network hierarchy?

A. Admin TabB. Assets TabC. Network Activity TabD. Network Hierarchy Tab


QUESTION 75

Which appliance can be used to throttle bandwidth of event collection?

A. 1501 Event CollectorB. 1705 Flow ProcessorC. 1605 Event ProcessorD. 1805 EventfFlow Processor


QUESTION 76

When a routing rule is configured, why might the Drop option be selected?

A. The Drop option allows alerting without storage in the database and can still be forwarded.

B. The Drop option is used to control disk storage usage on the event processor and to reduce overall network traffic.C. The Drop option is used when IBM Security QRadar SIEM V7.1 is used as the log source of record for deleting of events.D. The Drop option is convenient for preventing noisy sensors (such PIX firewalls or default SNORTs) from overwhelming the Custom Rule Engine.


QUESTION 77

A network hierarchy consists of these objects:

- DMZ 192.168.0.0/16- Webservers 192.168.1.0/24- MailServers 192.168.2.0/24- UserNetwork 10.0.0.0/8

Which object(s) does 192.168.1.5 fall into?

A. DMZB. WebserversC. UserNetworkD. DMZ and Webservers


QUESTION 78

What is event and flow hashing used for in IBM Security QRadar SIEM V7.1?

A. to permit security flaggingB. so events and flows can be indexed for quicker searchingC. to determine if tampering has occurred on the events and flows recordsD. to add encryption to the events and flows so they cannot be tampered with


QUESTION 79

Which file should be sent to IBM Support if contacting them for system problems?

A. systemerr.outfile produced from /opt/ibm/esc/get_logs.plB. sysoutput.log file produced from /opt/ibm/support/getjogs.shC. logs_.tar.zip file produced from /opt/ibm/electronicsupport.shD. logs_.tar.bz2 file produced from /opt/qradar/support/get_logs.sh


QUESTION 80

Which three pieces of information must be supplied to properly set up a system user? (Choose three.)

A. user roleB. full nameC. room numberD. e-mail addressE. valid user nameF. contact phone number

Answer: ADEExplanation/Reference:Explanation:

QUESTION 81

What does using the Integrated Management Module of the IBM Security QRadar SEM V7.1 (QRadar) appliance allow a user to do?

A. remotely manage the QRadar appliance to run reportsB. remotely manage the QRadar custom rule configurationC. remotely manage the QRadar Web interface used to perform administrative functionsD. remotely manage the QRadar appliance as if the user was sitting directly at the console


QUESTION 82

Which family of analysis methods are commonly used with a time series?

A. deep packet intrusion detectionB. packet content protocol detectionC. network behavior anomaly detectionD. N-gram based behavior attack detection


QUESTION 83

What must be done to capture a new name/value pair for a rule that is not parsed as part of a regular Device Support Module?

A. open the event > Extract Property > assign a new property > Add RegEx for finding the value > SubmitB. open the event > Actions > Add Custom Property > assign a name > highlight value in the payload > SubmitC. highlight the event > Actions > Add Custom Property > assign a name> highlight value in the payload > SubmitD. highlight the event > Actions > Extract Properly > assign a new property > Add RegEx for finding the value > Submit


QUESTION 84

Which two network setting parameters are optional? (Choose two.)

A. GatewayB. Public IPC. Primary DNSD. E-mail ServerE. Secondary DNS


QUESTION 85

Prior to installing IBM Security QRadar SIEM V7.1 on customer provided hardware, Red Hat Enterprise Linux must be installed. SELinux must be set towhich option?

A. EnforceB. EnabledC. DisabledD. Permissive


QUESTION 86

What are three default charting options available within the Report wizard? (Choose three.)

A. DeltaB. FlowsC. IdentityD. AnomalyE. Events/Logs

F. Asset Vulnerabilities

Answer: BEFExplanation/Reference:Explanation:

QUESTION 87

What is the purpose of the offense index?

A. When the offense is created it will create indexes for other offenses.B. It helps find the offenses faster when searching for offenses by a specific properly.C. When the offense is created it will be added to any existing similar open offense with the same indexed value. If none exist, a new offense will be

opened.D. When the offense is created the magistrate will search for offenses with the same indexed value and add the offense to a list of offenses for the

indexed value.


QUESTION 88

Which statement is true about the IBM Security QRadar SIEM (QRadar) Network Hierarchy?

A. It is used by QRadar to detect botnets.B. It is used by QRadar to detect applications.C. It is used by QRadar only to track network activity.D. It is used by QRadar to determine which IP addresses are local and remote.


QUESTION 89

From the Admin tab > System and License Management icon, what must be done to install and deploy an IBM Security QRadar SIEM V7.1 license for

a set of newly installed hosts?

A. click each new hostname and select Actions menu > Manage LicenseB. right-click each new hostname and select Manage License from the menuC. select all newly added hostnames using the Shift key + mouse click and then select the Actions drop-down menu > Manage LicenseD. click each new hostname, select Actions drop-down menu > Manage Systems, and select Deploy License from the Managed Host Config list


QUESTION 90

What does the command qchange_netsetup do?

A. It is used to upgrade the appliance's network settings after the initial setup.B. It is used to define the MAC address of the interfaces during the initial setup.C. It is used to change the appliance's networking settings after the initial setup.D. It is used to define the appliance's networking settings during the initial setup.


QUESTION 91

Which tuning template is available in IBM Security QRadar SIEM V7.1?

A. CustomB. CommonC. EnterpriseD. Small Business Edition


QUESTION 92

What must be done to calculate EPS from the IBM Security QRadar SIEM V7.1 Web interface?

A. EPS rates are only viewable from the command lineB. load the default built in report labeled EPS Over TimeC. from the Log Activity tab, select New Search and load the EPS searchD. from the Network Activity tab, select New Search and load the EPS search


QUESTION 93

Which statement best describe the data migration process available in IBM Security QRadar SIEM V7.1 (QRadar)?

A. Launch the data_ariel_migrate.pl utility under the /opt/qradar/support directory.B. Move /store/ariel to /store/ariel_old, mount /store/ariel to external storage, and move the contents of ariel_old to ariel.C. Move the existing mount points under the Admin > System Settings Configuration option in the QRadar user interface.D. Mount to the external storage solution and allow the local content to auto-merge. Moving or copying any content ahead of mounting will likely lead to

data loss and/or data corruption.


QUESTION 94

If an IBM Security QRadar 1790 virtual appliance is added to a configuration, which capability becomes available?

A. additional storage capacity for event dataBadditional Web interface for user browsing

B. additional storage capacity for OFlow dataC. internal storage capacity for event and QFlow data


QUESTION 95

How is a new UDSM device created?

A. Admin > Log Sources Extensions > Add > Universal DSMB. Admin > Log Source > Add > select Universal DSM as log source typeC. Log Activity Tab > highlight unknown event > Actions > Create UDSM from this EventD. Log Activity Tab > highlight unknown event > right-click and select Create UDSM from this Event


QUESTION 96

What is a purpose of a rule action?

A. to add an event or flow property to a reference setB. to send out the event or flow information by e-mail or SNMPC. to rename the offense description based on user entered textD. to change the current event or flow's magnitude, trigger an offense, or annotate the offense


QUESTION 97

Which method does WinCollect use to collect Windows 2008 events?

A. It uses Windows file sharing to pull the Windows 2008 event logs.B. It uses the syslog forwarding facility of Windows 2008 Event Logger.

C. It uses the native Windows 2008 event log API to access the log records.D. It uses SNARE to convert the Windows 2008 events to syslog messages.


QUESTION 98

Which statement best describes the expected increase in forensic capabilities when IBM Security QRadar QFlow (QRadar QFlow) is implemented?

A. IBM Security QRadar VFlow allows for QRadar QFlow collection on hypervisors such as Microsoft Hyper-V.B. QRadar QFlow provides visibility only at layers three and four, providing header information containing only the number of bytes and packets

transferred by the SRC and DST.C. NetFlow provides deep packet inspection, up to layer seven of the OSI model, giving visibility on application information; whereas. QRadar QFlow

only provides visibility at layers three and four.D. QRadar QFlow tracks the history of stateful connections and monitors for unique characteristics or properties through deep payload examination of

packets, further qualifying the identity of applications.


QUESTION 99

After configuring external authentication, which user can still log in to the Web interface if this external resource is not available?

A. rootB. adminC. any userD. all users added before switching to external authentication


QUESTION 100

Which action can IBM Security QRadar SIEM V7.1 automatically perform on reference sets?

A. purge listB. delete elementsC. create a new listD. add new elements


QUESTION 101

What can IBM Security QRadar SIEM V7.1 be configured to back up in the Backup and Recovery Wizard?

A. data backups onlyB. configuration and data backupsC. individual managed hosts configurationD. individual items such as users and/or database


QUESTION 102

A QID can belong to how many categories?

A. 1B. 2C. 3D. unlimited

Answer: AExplanation/Reference:

Explanation:

QUESTION 103

What is required to connect a WinCollect agent to IBM Security QRadar SIEM V7.1?

A. SSH KeysB. domain credentialsC. user name and passwordD. an authorized services token


QUESTION 104

What does the IP Right Click Menu Extensions plug-in do in IBM Security QRadar SIEM V7.1?

A. It allows the selected IP address to be deleted.B. It allows the selected IP address to be tuned as a false positive.C. It allows the selected IP address to be added to a reference set.D. It allows additional details to be accessed for the selected IP address.


QUESTION 105

How is a Universal DSM configured to collect different data types from various log sources?

A. UDSM Data TypeB. Log Source IdentifierC. Protocol ConfigurationD. Log Source Extension


QUESTION 106

Where are firewall event details located using the IBM Security QRadar SIEM V7.1 interface?

A. AdminB. AssetsC. Log ActivityD. Network Activity


QUESTION 107

Which group of tests is used to test the sequence of rules that have been triggered by events or flows?

A. DateyTime testsB. Behavioral testsC. Common Property testsD. Function Sequence tests


QUESTION 108

What are two ways asymmetric flow support can be enabled? (Choose two.)

A. use the Flow Source configuration

B. use the right-click menu option for an affected flowC. use the auto-discover capabilities of the log sourceD. use a Custom Rule Engine test for asymmetric flowsE. use the QFlow Collector Configuration in the deployment editor

Answer: AEExplanation/Reference:Explanation:

QUESTION 109

Categorizing log sources into groups allows clients to efficiently view and track log sources. Which statement best characterize Log Source groups?

A. By default log sources go into the Temp folder.B. User access is required to create, edit, or delete log source groups.C. Each log source group can display a maximum of 10,000 log sources.D. The default log source group for auto discovered log sources is Other.


QUESTION 110

Which component processes events against defined custom rules?

A. MagistrateB. Flow CollectorC. Event CollectorD. Event Processor


QUESTION 111

Which scenario best describes the actions that take place during a restore?

A. Existing files and database are backed up, archived files and database are restored, the event collection service is restarted.B. Tomcat and all system processes are shut down, files and data records are extracted from the backup archive and restored to disk and the

database, Tomcat and system processes are restarted.C. Tomcat and database processes are shut down, existing files and database are backed up, archive contents are restored to disk and the database,

Tomcat and the system processes are restarted.D. Existing files and database records are merged with the archived files and database records, Tomcat and system services shut down, the merged

records are inserted into their respective file locations and database tables, Tomcat and system services restart.


QUESTION 112

What is the default setting for Major Updates in Auto Updates > Change Settings > Update Types?

A. DisableB. Auto InstallC. Auto UpdateD. Auto Integrate


QUESTION 113

What does the % of Searches Using Property column in the Index Management Page indicate?

A. The percentage of saved searches created by users that reference the index.B. The total percentage of saved searches in the system that reference the index.C. The percentage of executed searches in the selected time range that used the index.D. The percentage of executed searches in the selected time range that successfully used the index.


QUESTION 114

When adding a new IBM Security QRadar SIEM managed host, the password is required for which user?

A. root on the new applianceB. root on the console applianceC. webmin on the console applianceD. configservices on the new appliance


QUESTION 115

What is the benefit of using server discovery?

A. Adding log sources is faster.B. Constructing a network hierarchy is easier.C. The system is tuned to minimize false positives.D. Assets are automatically added to asset profiles


QUESTION 116

A user can be assigned which two permissions? (Choose two.)

A. DSM UpdatesB. Network Activity

C. Remote Server AdministrationD. Ariel Database AdministrationE. IP right-click Menu Extensions


QUESTION 117

Which Admin setting allows the monitoring of system load over 15 minutes?

A. System ConfigurationB. System Activity ReportC. Forwarding DestinationsD. Global System Notifications


QUESTION 118

Which SNMP protocol should be used when confidentiality, integrity, and authentication are required?

A. SNMPv1B. SNMPv2C. SNMPv3D. SNMPv4


QUESTION 119

What two types of retention buckets are available in IBM Security QRadarSEM V7.1? (Choose two.)

A. FlowB. EventC. AssetsD. OffenseE. Log Source

Answer: ABExplanation/Reference:Explanation:

QUESTION 120

The last two digits of an appliances type can be used to determine which capability?

A. Installed OSB. Chassis SizeC. Storage CapacityD. IBM Server Model Number


QUESTION 121

A customer has indicated that Windows events must be collected without the use of agents. Which protocol should be selected in the ProtocolConfiguration when adding a Microsoft Windows Security Event Log Source?

A. WinCollectB. SNARE for WindowsC. Adaptive Log ExporterD. Microsoft Security Event Log


Explanation:

QUESTION 122

Given a multi-host deployment, where are data backups for managed hosts stored?

A. On the consoleB. In the off-site configured backup locationC. On machines in the deployment that have the most storage capabilityD. Locally on the managed hosts in their respectively configured backup directory


c2150-196

Documents

ibm security qradar

qradar data

qradar appliancec

qradar consoleb

qradar event processorc

qradar ale agent

relocatedto external

external storage device