IBM 000-196
IBM Security QRadar SIEM V7.1 Implementation
Version: 7.0
IBM 000-196 Exam
QUESTION NO: 1
What is the result of modifying a saved search?
A. The original search criteria is not changed.
B. The user will be prompted to save the new search criteria as a new saved search.
C. The original search criteria is automatically saved and updated with the new criteria.
D. The user will be prompted to update the search criteria to that of the modified criteria.
Answer: A
Explanation:
QUESTION NO: 2
To overwrite an IBM Security QRadar SIEM V7.1 system, what must be typed in when prompted
during the re-imaging process?
A. OK
B. FLATTEN
C. REFRESH
D. REINSTALL
Answer: B
Explanation:
QUESTION NO: 3
Where does IBM Security QRadar SIEM V7.1 get the severity of an event?
A. from the QIDmap
B. from the event payload
C. from the Tomcat server
D. from the user’s definition
Answer: A
Explanation:
QUESTION NO: 4
"Pass Any Exam. Any Time." - www.actualtests.com
IBM Security QRadar SIEM V7.1 can be forced to run an instant backup by selecting which
option?
A. Backup Now
B. On Demand Backup
C. Launch On Demand Backup
D. Configure On Demand Backup
Answer: B
Explanation:
QUESTION NO: 5
An IBM Security QRadar SIEM V7.1 (QRadar) ALE agent should be installed on which system to
collect Windows logs?
A. the QRadar Console
B. a QRadar Event Processor
C. any Windows 2000 or newer server
D. any Linux server with SMB installed
Answer: C
Explanation:
QUESTION NO: 6
Which statement best describes the supported external storage options in IBM Security QRadar
SIEM V7.1 (QRadar)?
A. While QRadar supports NFS for external storage, NFS is recommended for backups, not for storing active data.
B. QRadar data is located in the /store file system. An off-board storage solution can be used to migrate the entire /store file system to an external system for faster performance.
C. The /store/ariel directory is the most commonly off-boarded file system. Subsequently, collected event logs and flow records data can be relocated to external storage using protocols such as SMB.
D. Any subdirectory in the /store file system can be used as a mount point for an external storage device. By creating multiple volumes and mounting /store/ariel/logs and /store/ariel/qflow, storage capabilities can be extended past the 64TB file system limit currently supported by QRadar.
Answer: A
Explanation:
QUESTION NO: 7
By default how often are events forwarded from an event collector to an event processor?
A. every hour
B. continuously
C. every 2 hours
D. it does not forward until the forwarding schedule is set
Answer: B
Explanation:
QUESTION NO: 8
What is required to configure users for successful external authentication?
A. A configured External Authentication type
B. Users with no account on the IBM Security QRadar SIEM V7.1 (QRadar) appliance
C. Users with existing accounts on QRadar and a configured External Authentication type
D. Select which users require external authentication and select the correct authentication type
Answer: C
Explanation:
QUESTION NO: 9
What are the main functions of the Report wizard within IBM Security QRadar SIEM V7.1?
A. to enable branding of reports with a customer’s logo or local identification information
B. to specify the schedule, layout, report content, output format, and distribution channels
C. to create new report groups which are placed in the existing hierarchy of reporting groups
D. to select from compliance, executive, log source, network management, and security reports
Answer: B
Explanation:
QUESTION NO: 10
Where is the optimal location for IBM Security QRadar QFlow appliances to monitor Internet traffic?
A. in the data center
B. at the workstation switches
C. at the wireless access points
D. at an ingress/egress point in the network
Answer: D
Explanation:
QUESTION NO: 11
How is the WinCollect agent enabled to communicate with the IBM Security QRadar SIEM V7.1
(QRadar) console?
A. Configure the WinCollect agent to forward syslog events to the QRadar Event Collector.
B. Supply credentials to connect to the WinCollect agent when creating the Windows log source.
C. Apply the token created for the WinCollect agent during the WinCollect software installation on
the target.
D. WinCollect log sources collect using the QRadar console as host so the WinCollect agent
directly accesses the console.
Answer: C
Explanation:
QUESTION NO: 12
In which section can event or flow hashing be enabled/disabled in IBM Security QRadar SIEM V7.1?
A. Console
B. Security
C. System Settings
D. Deployment Editor
Answer: C
Explanation:
QUESTION NO: 13
What action(s) can be taken from the Log and Network Activity tab?
A. close an offense based on existing anomaly rules
B. create and edit rules and building blocks, and add log sources and flow sources
C. open offenses based on users in the organization performing unauthorized activity
D. create and edit searches, filter on specific details, sort, and right-click and filter on specific
details
Answer: D
Explanation:
QUESTION NO: 14
Which user account is used to log in when installing the activation key?
A. root
B. admin
C. qradar
D. default
Answer: A
Explanation:
QUESTION NO: 15
What are three types of rules that can be created using the Rule Wizard? (Choose three.)
A. Flow Rule
B. Event Rule
C. Offense Rule
D. Anomaly Rule
E. Threshold Rule
F. Behavioral Rule
Answer: A,B,C
Explanation:
QUESTION NO: 16
What is an IBM Security QRadar network object?
A. An asset definition
B. A vulnerability scanner
C. A collection of CIDR addresses
D. A device sending logs to a QRadar
Answer: C
Explanation:
QUESTION NO: 17
Where is an LSX uploaded to IBM Security QRadar SIEM V7.1 to be used by a UDSM in the Admin Section?
A. Log Source Extensions> Add
B. Log Sources> Add > Extensions
C. System Settings> Extensions > Add
D. Systems and License Management> Add > Extensions
Answer: A
Explanation:
QUESTION NO: 18
When creating a behavioral rule in Automated Anomaly Analysis, which three components are
weighted to determine the rule?
A. autoregressive pattern, fit to underlying curve, and moving average
B. seasonal or cyclical behavior, underlying trend, and random fluctuation
C. previous period value, current observation, and average of residuals for future observations
D. length of the seasonal component, date range for the trend, and time window during the day
Answer: B
Explanation:
QUESTION NO: 19
Which statement best describes the advantages of implementing NetFlow monitoring?
A. If antivirus software signatures fail to detect malware infection, NetFlow monitoring can help
identify malware propagation by using its own signatures.
B. NetFlow provides the ability to detect suspicious log activity. Each log contains the number of
bytes and packets transferred by both the SRC and DST allowing for volume-based reporting of
network traffic.
C. NetFlow provides deep packet inspection, from layers three to seven of the OSI model,
increasing visibility into applications; whereas, traditional flow monitoring only provides visibility at
layers three and four.
D. NetFlow provides the ability to detect suspicious network activity, e.g. identify a potential botnet
when Local to Remote traffic is matched to an IP address configured in a corresponding Remote
Network group.
Answer: D
Explanation:
QUESTION NO: 20
How are user permissions applied using Log Source groups?
A. using user roles
B. applied to individual users
C. applied to network objects
D. applied to authorized services
Answer: A
Explanation:
QUESTION NO: 21
This command provides what information when run from an IBM Security QRadar QFlow 1202 appliance: grep 'Sent.\+ flows' /var/log/qradar.log?
A. total number of flows per minute sent to the Event Collector
B. total number of flows per minute sent to the Event Processor
C. total number of flows being sent since the system was restarted
D. total number of flows per second sent to the Flow Collector or console
Answer: A
Explanation:
QUESTION NO: 22
Which IBM Security QRadar SIEM V7.1 appliance types are designed to collect, process, and
store log event messages?
A. 12XX
B. 13XX
C. 15XX
D. 16XX
Answer: D
Explanation:
QUESTION NO: 23
How does the order of rule tests affect the CRE performance?
A. It does not affect the performance.
B. All tests in a rule are evaluated individually. Tests that have counters affect the CRE performance and not the order of tests.
C. When analyzing the rules in pairs from top to bottom, the test at the top should always be the one most likely to fail because if it fails then the CRE will not evaluate the following tests.
D. When analyzing the rules in pairs going from top to bottom, the test at the bottom should always be the test that is most likely to fail. This ensures that the rule evaluation is optimized.
Answer: C
Explanation:
QUESTION NO: 24
What step must be completed before searching restored data on a newly installed console?
A. Tomcat must be shut down.
B. All DSMs and RPMs should be restored.
C. The hostcontext service should be restarted.
D. The configuration backup must be restored to the new console.
Answer: D
Explanation:
QUESTION NO: 25
Given that ICMP pings from all hosts are dropped, which rule(s) allows ICMP pings and responses
only from and to host 10.35.100.23?
A. iptables -A INPUT -p icmp -j ACCEPT
B. iptables -A OUTPUT -s 10.35.100.23 -p icmp -j ACCEPT
C. iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
D. iptables -A INPUT -s 10.35.100.23 -p icmp --icmp-type echo-request -j ACCEPT
Answer: D
Explanation:
QUESTION NO: 26
What must be provided when utilizing kickstart disks to install IBM Security QRadar SIEM V7.1
software on customer supplied hardware?
A. access using the serial port
B. support for a kickstart file is not supported
C. access to the file share where the kickstart file is located
D. a USB hard drive with enough room to support the kickstart file
Answer: B
Explanation:
QUESTION NO: 27
When scheduling a vulnerability scan which factor would be controlled by the Concurrency Mask?
A. The level of detail of the scan data based on the number of hosts involved in a particular run.
B. The load placed on each host that is being scanned during the time that the scan is underway.
C. The potential risk to the subnet being scanned due to the number and frequency of operations
performed during the scan.
D. The load placed on the network, scanner, and/or IBM Security QRadar SIEM V7.1 due to the
number of scans being performed during a scanner run.
Answer: D
Explanation:
QUESTION NO: 28
Where is WinCollect configured as an Authorized Service?
A. the WinCollect icon under the Admin tab
B. the Authorized Services icon under the Admin tab
C. the WinCollect drop-down under Authorized Services > Add
D. the Authorized Services drop-down under WinCollect> Add Authorized Service
Answer: B
Explanation:
QUESTION NO: 29
Which search option is mandatory before producing a time series graph?
A. The time range must include a definition of a specific interval.
B. Search parameters must include at least one filter definition clause.
C. The column definition must have a variable selected in the Order By chooser.
D. The column definition must include at least one column in the Group By window.
Answer: D
Explanation:
QUESTION NO: 30
The ip_context_menu.xml file was edited in order to access additional details for selected IP
addresses. Which service must be restarted for the changes to take effect?
A. tomcat
B. webmin
C. syslog-ng
D. hostcontext
Answer: A
Explanation:
QUESTION NO: 31
What is the default download path directory where DSM, minor, and major updates are stored
before being deployed?
A. /store/backup/autoupdates
B. /store/configservices/staging/updates
C. /store/configservices/staging/globalconfig
D. /store/configservices/staging/autoupdates
Answer: B
Explanation:
QUESTION NO: 32
Which IBM Security QRadar SIEM V7.1 DSM protocol supports the collection of Microsoft SMTP, OWA, and message tracking logs?
A. Microsoft IIS
B. Microsoft DHCP
C. Microsoft Exchange
D. Microsoft Security Event Log
Answer: C
Explanation:
QUESTION NO: 33
How are values mapped in an LSX to parse data from a payload for a UDSM?
A. quotes ('')
B. backticks (`)
C. regular expressions
D. comma separated (,)
Answer: C
Explanation:
QUESTION NO: 34
After clicking on the Backup and Recovery button in the Admin tab, which three options are found
in the Backup Archives page? (Choose three.)
A. Revert
B. Restore
C. Remove
D. Configure
E. Backup Now
F. On Demand Backup
Answer: B,D,F
Explanation:
QUESTION NO: 35
What must be done in order to use the data present on the Log Activity screen for a report?
A. save search criteria
B. save search results
C. save reporting criteria
D. save search for reporting
Answer: A
Explanation:
QUESTION NO: 36
Which two items must be provided prior to the initial installation and configuration of IBM Security
QRadar SIEM V7.1 appliance? (Choose two.)
A. mouse
B. monitor
C. keyboard
D. serial console
E. IBM Security QRadar SIEM license key
Answer: B,C
Explanation:
QUESTION NO: 37
What must be done to enable High Availability (HA) disk synchronization?
A. Admin> HA Setting> Enable Disk Synchronization
B. synchronization can only be set up while initializing the HA cluster
C. edit the HA cluster and select the Disk Synchronization check box
D. synchronization can only be set up while installing the HA activation key for the secondary
appliance
Answer: B
Explanation:
QUESTION NO: 38
Which Admin function enables system performance alerts?
A. System Settings
B. Network Hierarchy
C. Forwarding Destinations
D. Global System Notifications
Answer: D
Explanation:
QUESTION NO: 39
How does a rule generate a new Correlation Rule Engine (CRE) event?
A. CRE cannot create events, only log sources can.
B. By letting it create an offense. Offenses are the same as CRE events.
C. By creating a rule response. In the rule response, check the box Generate a New CRE Event.
D. By forwarding the event as a syslog message to the local event collector using the rule
response section.
Answer: C
Explanation:
QUESTION NO: 40
How is a new high level or low level event category added to IBM Security QRadar SIEM V7.1?
A. use the Admin tab
B. use the Map Event screen
C. use the qidmap_cli.sh utility
D. a new event category cannot be added
Answer: D
Explanation:
QUESTION NO: 41
By default the Server Discovery function inserts discovered servers into building blocks in which
category?
A. Host Definitions
B. Device Definitions
C. System Definitions
D. Compliance Definitions
Answer: A
Explanation:
QUESTION NO: 42
What is the allowable range for Object Weight when defining a network hierarchy object?
A. 0-9
B. 1-5
C. 1-10
D. 0-99
Answer: D
Explanation:
QUESTION NO: 43
What type of host name does IBM Security QRadar SIEM V7.1 require in the network settings
Hostname field?
A. Internet Hostname
B. NetBIOS Hostname
C. Fully Qualified Host Name
D. Fully Qualified Domain Name
Answer: D
Explanation:
QUESTION NO: 44
The Retention Properties screen provides many configuration items to allow for managing the
contents of the retention bucket. Which two items are available for bucket management? (Choose
two.)
A. offsite storage
B. date of deletion
C. retention encryption
D. conditions of deletion
E. criteria for compression
Answer: D,E
Explanation:
QUESTION NO: 45
When adding a managed host using encryption, which network port must be open bi-directionally
between the console and new host?
A. 22
B. 115
C. 443
D. 445
Answer: A
Explanation:
QUESTION NO: 46
Which script is issued to make changes to the template?
A. /opt/qradar/conf/appconfig
B. /opt/qradar/conf/capabilities.conf
C. /opt/qradar/bin/template_setup.pl
D. /opt/qradar/bin/qchange_netsetup
Answer: C
Explanation:
QUESTION NO: 47
Which two fields are available for indexing in the Index Management page? (Choose two.)
A. Asset properties
B. Flows properties
C. Events properties
D. Offenses properties
E. Vulnerability properties
Answer: B,C
Explanation:
QUESTION NO: 48
Which two flow sources provide layer 7 payload? (Choose two.)
A. JFlow
B. SFlow
C. NetFlow
D. Packeteer
E. Network Interface
Answer: B,E
Explanation:
QUESTION NO: 49
What is a defining characteristic of an asymmetric flow?
A. It is evidenced by receiving varying length NetFlow records.
B. It describes network traffic that is configured to take alternate paths for inbound and outbound traffic.
C. It describes where traffic volumes are significantly skewed towards either inbound or outbound communication.
D. It describes network traffic that commonly resolves to a Superflow in the IBM Security QRadar QFlow appliance.
Answer: B
Explanation:
QUESTION NO: 50
When creating a new IBM Security QRadar SIEM V7.1 user account, the administrator did not give
access to the log source group (called MS Domain Security Logs) that contains Microsoft Security
Event logs. What happens if the user attempts to run a shared saved search for failed login
attempts to a domain?
A. The user is not able to see any results from that search.
B. Since the user is part of the domain, they are able to see the data in the search results.
C. The user is notified that they do not have the proper permissions to run that search and are
requested to contact their administrator.
D. The search will run but since the user was not given access to the MS Domain Security Logs
group, the user cannot see results from those log sources contained in that group.
Answer: D
Explanation:
QUESTION NO: 51
Which statement best describes the available options when configuring a new routing rule?
A. A routing rule is defined to associate network configuration with the options for storing the data in the database as well as processing events through the rules engine.
B. A routing rule is used to define to IBM Security QRadar SIEM V7.1 the possible path through the internal network, and how to associate these paths with vulnerability data in the Asset Profiles.
C. Associate each rule with an event collector, determine placement of the data within the Ariel database, choose the protocol, host, and port number used to store the event, and then determine which alerts are generated.
D. Scope the rule to a particular event collector, set up a filter, and then choose any combination of forward, drop, or bypassed correlation. It is not necessary to define destinations in advance as that can be done when routing rules are defined.
Answer: D
Explanation:
QUESTION NO: 52
Which statement applies to IBM Security QRadar SIEM V7.1 virtual appliances?
A. QRadar XX90 appliances may be installed into a Hyper-V environment.
B. QRadar XX90 appliances may be installed into a VMware ESXi environment.
C. QRadar XX90 appliances may not be mixed with QRadar software licenses in a virtual server environment.
D. QRadar XX90 appliances may be installed as a native OS on appropriately configured customer premise hardware.
Answer: B
Explanation:
QUESTION NO: 53
How can asset profiles be searched?
A. From the Assets tab
B. From the Offenses tab
C. Right-click on any
D. Address from the Actions pull-down menu
Answer: A
Explanation:
QUESTION NO: 54
What must be done when creating a user’s password on an IBM Security QRadar SIEM V7.1
(QRadar) system that is utilizing Active Directory authentication?
A. ensure the password has a minimum of 8 characters
B. create the user’s initial password and have them change it immediately
C. ensure the user’s QRadar password matches their Active Directory password
D. a password does not need to be set on QRadar when using Active Directory authentication
Answer: D
Explanation:
QUESTION NO: 55
What notation is used to enter a class A network 10.0.0.0 into an IBM Security QRadar SIEM V7.1
network hierarchy?
A. 10.*.*.*
B. 10.0.0.0/8
C. 10.0.0.0/255.0.0.0
D. 10.0.0.0-10.255.255.255
Answer: B
Explanation:
QUESTION NO: 56
What must be done first when changing the network settings on a console in a multi-system
deployment?
A. install new patches
B. reset the SIM model
C. remove all managed hosts
D. install a new license for the new IP address
Answer: C
Explanation:
QUESTION NO: 57
What must be done to put licenses into effect after applying a license file using the Managed
License action of the System and License Management dialog?
A. click on Deploy License
B. select Restart System to activate the license key
C. open the Deployment Editor, right-click on each host, and select Deploy
D. select System and License Manage System and then select Deploy License Key
Answer: A
Explanation:
QUESTION NO: 58
What is the default password to access the Integrated Management Module remote access
controller for an IBM Security QRadar appliance?
A. calvin
B. default
C. passw0rd
D. PASSWORD
Answer: C
Explanation:
QUESTION NO: 59
Which option is available for sharing offenses with non-IBM Security QRadar users?
A. provide URL to offense
B. invoke script for third-party service desk
C. select the option to e-mail offense details
D. select the option to export the offense data as a PDF
Answer: C
Explanation:
QUESTION NO: 60
How are new reference sets created in IBM Security QRadar (QRadar)?
A. use the out-of-the-box tables
B. use the ReferenceSetMod.pl script
C. select New in the Rules Response Wizard
D. log into the QRadar Console and the PostgreSQL database
Answer: C
Explanation:
QUESTION NO: 61
What must be done prior to clicking on False Positive if flows or events are being viewed in
streaming mode?
A. click on the Pause button
B. click on the Refresh button
C. right-click on the event and click Filter
D. right-click on the event and click Additional Plug-ins
Answer: A
Explanation:
QUESTION NO: 62
What is the last step to add a protocol based log source?
A. on the Admin tab click Deploy Changes
B. from Log Sources, select Log Source Type, and click Save
C. from Log Sources, select Log Source Identifier, and click Save
D. on the Admin tab, select Actions and click Deploy Pull Configuration
Answer: A
Explanation:
QUESTION NO: 63
After gathering all required files from the IBM Security QRadar SIEM V7.1 appliance using SSH
connectivity which protocol can be used to retrieve the tar.bz2 file or any other files to send to
support?
A. FTP
B. TFTP
C. HTTP
D. SFTP
Answer: D
Explanation:
QUESTION NO: 64
From the Dashboard view, the Compliance Overview dashboard > Login Failures by User (realtime) workspace is being reviewed. Which link provides more details about these events?
A. View in Assets
B. View in Offenses
C. View in Log Activity
D. View in Network Activity
Answer: C
Explanation:
QUESTION NO: 65
What happens to previously collected events when an event is mapped?
A. They are re-mapped to the new mapping.
B. They are not mapped to the new mapping.
C. The user is prompted for the action to take.
D. The new mapping is added to the old mapping
Answer: D
Explanation:
QUESTION NO: 66
How is a High Availability (HA) cluster installed from the Admin tab?
A. HA Management > Install HA Cluster
B. Systems and License Management > Actions > Add HA Host
C. High Availability > Systems and License Management > Add HA Host
D. Deployment Editor, add both the Primary and Secondary hosts to the deployment
Answer: B
Explanation:
QUESTION NO: 67
What are two ways an asset can be added to asset profiles? (Choose two.)
A. by flow data
B. by offense data
C. by anomaly rule
D. by search queries
E. by a vulnerability assessment or active network scan
Answer: A,E
Explanation:
QUESTION NO: 68
Which two actions allow modification of the current displayed search result set? (Choose two.)
A. click on the Actions button
B. click on the Add Filter button
C. click on Quick Filter then select Show All
D. right-click on an item then select a filter option
E. click Search then select Manage Search Results
Answer: B,D
Explanation:
QUESTION NO: 69
Which function can be used to tune out Events/Flows with a specific QID and a specific destination
IP address from contributing to an offense?
A. False Positive
B. Tuning Window
C. Asset Discovery
D. Network Hierarchy
Answer: A
Explanation:
QUESTION NO: 70
After editing the IPTables configuration file, which command reloads the IPTables?
A. service iptables save
B. /etc/sysconfig/iptables restart
C. /opt/qradar/bin/iptables restart
D. /opt/qradar/bin/iptables_update.pl
Answer: D
Explanation:
QUESTION NO: 71
How can ALE be used to collect Windows 2008 events?
A. Use WinCollect because Windows 2008 is not supported by ALE.
B. Install ALE on the Windows 2008 and start collecting from the local event log.
C. Configure the ALE agent to receive forwarded events from the Windows 2008 systems.
D. Configure Windows 2008 to forward its logs directly to the IBM Security QRadar SIEM system.
Answer: B
Explanation:
QUESTION NO: 72
What would be considerations for defining a Threshold Rule in the Automated Anomaly Analysis?
A. a change value and a length of time for accumulation
B. a time window during the day and a moving average smoothing value
C. a time interval for accumulation and a relative weight for the current observation
D. a seasonal component, a trend component, and a delta or incremental change value
Answer: A
Explanation:
QUESTION NO: 73
Where is the activation key located?
A. on the documentation CD
B. on the appliance start screen
C. in the End User License Agreement
D. in the documentation package shipped with the server
Answer: D
Explanation:
QUESTION NO: 74
Where in the IBM Security QRadar SIEM V7.1 GUI can information be added about a network
hierarchy?
A. Admin Tab
B. Assets Tab
C. Network Activity Tab
D. Network Hierarchy Tab
Answer: A
Explanation:
QUESTION NO: 75
Which appliance can be used to throttle bandwidth of event collection?
A. 1501 Event Collector
B. 1705 Flow Processor
C. 1605 Event Processor
D. 1805 Event/Flow Processor
Answer: A
Explanation:
QUESTION NO: 76
When a routing rule is configured, why might the Drop option be selected?
A. The Drop option allows alerting without storage in the database and can still be forwarded.
B. The Drop option is used to control disk storage usage on the event processor and to reduce
overall network traffic.
C. The Drop option is used when IBM Security QRadar SIEM V7.1 is used as the log source of
record for deleting of events.
D. The Drop option is convenient for preventing noisy sensors (such as PIX firewalls or default SNORT installations) from overwhelming the Custom Rule Engine.
Answer: A
Explanation:
QUESTION NO: 77
A network hierarchy consists of these objects:
- DMZ 192.168.0.0/16
- Webservers 192.168.1.0/24
- MailServers 192.168.2.0/24
- UserNetwork 10.0.0.0/8
Which object(s) does 192.168.1.5 fall into?
A. DMZ
B. Webservers
C. UserNetwork
D. DMZ and Webservers
Answer: B
Explanation:
QUESTION NO: 78
What is event and flow hashing used for in IBM Security QRadar SIEM V7.1?
A. to permit security flagging
B. so events and flows can be indexed for quicker searching
C. to determine if tampering has occurred on the events and flows records
D. to add encryption to the events and flows so they cannot be tampered with
Answer: C
Explanation:
QUESTION NO: 79
Which file should be sent to IBM Support if contacting them for system problems?
A. systemerr.out file produced from /opt/ibm/esc/get_logs.pl
B. sysoutput.log file produced from /opt/ibm/support/get_logs.sh
C. logs_<hostname>.tar.zip file produced from /opt/ibm/electronicsupport.sh
D. logs_<hostname>.tar.bz2 file produced from /opt/qradar/support/get_logs.sh
Answer: D
Explanation:
QUESTION NO: 80
Which three pieces of information must be supplied to properly set up a system user? (Choose
three.)
A. user role
B. full name
C. room number
D. e-mail address
E. valid user name
F. contact phone number
Answer: A,D,E
Explanation:
QUESTION NO: 81
What does using the Integrated Management Module of the IBM Security QRadar SIEM V7.1 (QRadar) appliance allow a user to do?
A. remotely manage the QRadar appliance to run reports
B. remotely manage the QRadar custom rule configuration
C. remotely manage the QRadar Web interface used to perform administrative functions
D. remotely manage the QRadar appliance as if the user was sitting directly at the console
Answer: D
Explanation:
QUESTION NO: 82
Which family of analysis methods are commonly used with a time series?
A. deep packet intrusion detection
B. packet content protocol detection
C. network behavior anomaly detection
D. N-gram based behavior attack detection
Answer: C
Explanation:
QUESTION NO: 83
What must be done to capture a new name/value pair for a rule that is not parsed as part of a
regular Device Support Module?
A. open the event > Extract Property > assign a new property > Add RegEx for finding the value >
Submit
B. open the event > Actions > Add Custom Property > assign a name > highlight value in the
payload > Submit
C. highlight the event > Actions > Add Custom Property > assign a name> highlight value in the
payload > Submit
D. highlight the event > Actions > Extract Property > assign a new property > Add RegEx for finding the value > Submit
Answer: A
Explanation:
QUESTION NO: 84
Which two network setting parameters are optional? (Choose two.)
A. Gateway
B. Public IP
C. Primary DNS
D. E-mail Server
E. Secondary DNS
Answer: B,E
Explanation:
QUESTION NO: 85
Prior to installing IBM Security QRadar SIEM V7.1 on customer provided hardware, Red Hat
Enterprise Linux must be installed. SELinux must be set to which option?
A. Enforce
B. Enabled
C. Disabled
D. Permissive
Answer: C
Explanation:
QUESTION NO: 86
What are three default charting options available within the Report wizard? (Choose three.)
A. Delta
B. Flows
C. Identity
D. Anomaly
E. Events/Logs
F. Asset Vulnerabilities
Answer: B,E,F
Explanation:
QUESTION NO: 87
What is the purpose of the offense index?
A. When the offense is created it will create indexes for other offenses.
B. It helps find the offenses faster when searching for offenses by a specific property.
C. When the offense is created it will be added to any existing similar open offense with the same
indexed value. If none exist, a new offense will be opened.
D. When the offense is created the magistrate will search for offenses with the same indexed
value and add the offense to a list of offenses for the indexed value.
Answer: C
Explanation:
QUESTION NO: 88
Which statement is true about the IBM Security QRadar SIEM (QRadar) Network Hierarchy?
A. It is used by QRadar to detect botnets.
B. It is used by QRadar to detect applications.
C. It is used by QRadar only to track network activity.
D. It is used by QRadar to determine which IP addresses are local and remote.
"Pass Any Exam. Any Time." - www.actualtests.com
31
IBM 000-196 Exam
Answer: D
Explanation:
QUESTION NO: 89
From the Admin tab > System and License Management icon, what must be done to install and
deploy an IBM Security QRadar SIEM V7.1 license for a set of newly installed hosts?
A. click each new hostname and select Actions menu > Manage License
B. right-click each new hostname and select Manage License from the menu
C. select all newly added hostnames using the Shift key + mouse click and then select the Actions
drop-down menu > Manage License
D. click each new hostname, select Actions drop-down menu > Manage Systems, and select
Deploy License from the Managed Host Config list
Answer: A
Explanation:
QUESTION NO: 90
What does the command qchange_netsetup do?
A. It is used to upgrade the appliance's network settings after the initial setup.
B. It is used to define the MAC address of the interfaces during the initial setup.
C. It is used to change the appliance's networking settings after the initial setup.
D. It is used to define the appliance's networking settings during the initial setup.
Answer: C
Explanation:
QUESTION NO: 91
Which tuning template is available in IBM Security QRadar SIEM V7.1?
A. Custom
B. Common
C. Enterprise
D. Small Business Edition
"Pass Any Exam. Any Time." - www.actualtests.com
32
IBM 000-196 Exam
Answer: C
Explanation:
QUESTION NO: 92
What must be done to calculate EPS from the IBM Security QRadar SIEM V7.1 Web interface?
A. EPS rates are only viewable from the command line
B. load the default built in report labeled EPS Over Time
C. from the Log Activity tab, select New Search and load the EPS search
D. from the Network Activity tab, select New Search and load the EPS search
Answer: C
Explanation:
QUESTION NO: 93
Which statement best describes the data migration process available in IBM Security QRadar SIEM
V7.1 (QRadar)?
A. Launch the data_ariel_migrate.pl utility under the /opt/qradar/support directory.
B. Move /store/ariel to /store/ariel_old, mount /store/ariel to external storage, and move the
contents of ariel_old to ariel.
C. Move the existing mount points under the Admin > System Settings Configuration option in the
QRadar user interface.
D. Mount to the external storage solution and allow the local content to auto-merge. Moving or
copying any content ahead of mounting will likely lead to data loss and/or data corruption.
Answer: B
Explanation:
QUESTION NO: 94
If an IBM Security QRadar 1790 virtual appliance is added to a configuration, which capability
becomes available?
A. additional storage capacity for event data
B. additional Web interface for user browsing
B. additional storage capacity for QFlow data
C. internal storage capacity for event and QFlow data
Answer: C
Explanation:
QUESTION NO: 95
How is a new UDSM device created?
A. Admin > Log Sources Extensions > Add > Universal DSM
B. Admin > Log Source > Add > select Universal DSM as log source type
C. Log Activity Tab > highlight unknown event > Actions > Create UDSM from this Event
D. Log Activity Tab > highlight unknown event > right-click and select Create UDSM from this
Event
Answer: B
Explanation:
QUESTION NO: 96
What is a purpose of a rule action?
A. to add an event or flow property to a reference set
B. to send out the event or flow information by e-mail or SNMP
C. to rename the offense description based on user entered text
D. to change the current event or flow's magnitude, trigger an offense, or annotate the offense
Answer: D
Explanation:
QUESTION NO: 97
Which method does WinCollect use to collect Windows 2008 events?
A. It uses Windows file sharing to pull the Windows 2008 event logs.
B. It uses the syslog forwarding facility of Windows 2008 Event Logger.
C. It uses the native Windows 2008 event log API to access the log records.
"Pass Any Exam. Any Time." - www.actualtests.com
34
IBM 000-196 Exam
D. It uses SNARE to convert the Windows 2008 events to syslog messages.
Answer: C
Explanation:
QUESTION NO: 98
Which statement best describes the expected increase in forensic capabilities when IBM Security
QRadar QFlow (QRadar QFlow) is implemented?
A. IBM Security QRadar VFlow allows for QRadar QFlow collection on hypervisors such as
Microsoft Hyper-V.
B. QRadar QFlow provides visibility only at layers three and four, providing header information
containing only the number of bytes and packets transferred by the SRC and DST.
C. NetFlow provides deep packet inspection, up to layer seven of the OSI model, giving visibility
on application information; whereas QRadar QFlow only provides visibility at layers three and
four.
D. QRadar QFlow tracks the history of stateful connections and monitors for unique characteristics
or properties through deep payload examination of packets, further qualifying the identity of
applications.
Answer: D
Explanation:
QUESTION NO: 99
After configuring external authentication, which user can still log in to the Web interface if this
external resource is not available?
A. root
B. admin
C. any user
D. all users added before switching to external authentication
Answer: B
Explanation:
QUESTION NO: 100
"Pass Any Exam. Any Time." - www.actualtests.com
35
IBM 000-196 Exam
Which action can IBM Security QRadar SIEM V7.1 automatically perform on reference sets?
A. purge list
B. delete elements
C. create a new list
D. add new elements
Answer: D
Explanation:
QUESTION NO: 101
What can IBM Security QRadar SIEM V7.1 be configured to back up in the Backup and Recovery
Wizard?
A. data backups only
B. configuration and data backups
C. individual managed hosts configuration
D. individual items such as users and/or database
Answer: B
Explanation:
QUESTION NO: 102
A QID can belong to how many categories?
A. 1
B. 2
C. 3
D. unlimited
Answer: A
Explanation:
QUESTION NO: 103
What is required to connect a WinCollect agent to IBM Security QRadar SIEM V7.1?
"Pass Any Exam. Any Time." - www.actualtests.com
36
IBM 000-196 Exam
A. SSH Keys
B. domain credentials
C. user name and password
D. an authorized services token
Answer: D
Explanation:
QUESTION NO: 104
What does the IP Right Click Menu Extensions plug-in do in IBM Security QRadar SIEM V7.1?
A. It allows the selected IP address to be deleted.
B. It allows the selected IP address to be tuned as a false positive.
C. It allows the selected IP address to be added to a reference set.
D. It allows additional details to be accessed for the selected IP address.
Answer: D
Explanation:
QUESTION NO: 105
How is a Universal DSM configured to collect different data types from various log sources?
A. UDSM Data Type
B. Log Source Identifier
C. Protocol Configuration
D. Log Source Extension
Answer: C
Explanation:
QUESTION NO: 106
Where are firewall event details located using the IBM Security QRadar SIEM V7.1 interface?
A. Admin
B. Assets
"Pass Any Exam. Any Time." - www.actualtests.com
37
IBM 000-196 Exam
C. Log Activity
D. Network Activity
Answer: C
Explanation:
QUESTION NO: 107
Which group of tests is used to test the sequence of rules that have been triggered by events or
flows?
A. Date/Time tests
B. Behavioral tests
C. Common Property tests
D. Function Sequence tests
Answer: D
Explanation:
QUESTION NO: 108
What are two ways asymmetric flow support can be enabled? (Choose two.)
A. use the Flow Source configuration
B. use the right-click menu option for an affected flow
C. use the auto-discover capabilities of the log source
D. use a Custom Rule Engine test for asymmetric flows
E. use the QFlow Collector Configuration in the deployment editor
Answer: A,E
Explanation:
QUESTION NO: 109
Categorizing log sources into groups allows clients to efficiently view and track log sources. Which
statement best characterizes Log Source groups?
A. By default log sources go into the Temp folder.
"Pass Any Exam. Any Time." - www.actualtests.com
38
IBM 000-196 Exam
B. User access is required to create, edit, or delete log source groups.
C. Each log source group can display a maximum of 10,000 log sources.
D. The default log source group for auto discovered log sources is Other.
Answer: D
Explanation:
QUESTION NO: 110
Which component processes events against defined custom rules?
A. Magistrate
B. Flow Collector
C. Event Collector
D. Event Processor
Answer: D
Explanation:
QUESTION NO: 111
Which scenario best describes the actions that take place during a restore?
A. Existing files and database are backed up, archived files and database are restored, the event
collection service is restarted.
B. Tomcat and all system processes are shut down, files and data records are extracted from the
backup archive and restored to disk and the database, Tomcat and system processes are
restarted.
C. Tomcat and database processes are shut down, existing files and database are backed up,
archive contents are restored to disk and the database, Tomcat and the system processes are
restarted.
D. Existing files and database records are merged with the archived files and database records,
Tomcat and system services shut down, the merged records are inserted into their respective file
locations and database tables, Tomcat and system services restart.
Answer: B
Explanation:
"Pass Any Exam. Any Time." - www.actualtests.com
39
IBM 000-196 Exam
QUESTION NO: 112
What is the default setting for Major Updates in Auto Updates > Change Settings > Update Types?
A. Disable
B. Auto Install
C. Auto Update
D. Auto Integrate
Answer: A
Explanation:
QUESTION NO: 113
What does the % of Searches Using Property column in the Index Management Page indicate?
A. The percentage of saved searches created by users that reference the index.
B. The total percentage of saved searches in the system that reference the index.
C. The percentage of executed searches in the selected time range that used the index.
D. The percentage of executed searches in the selected time range that successfully used the
index.
Answer: C
Explanation:
QUESTION NO: 114
When adding a new IBM Security QRadar SIEM managed host, the password is required for
which user?
A. root on the new appliance
B. root on the console appliance
C. webmin on the console appliance
D. configservices on the new appliance
Answer: A
Explanation:
"Pass Any Exam. Any Time." - www.actualtests.com
40
IBM 000-196 Exam
QUESTION NO: 115
What is the benefit of using server discovery?
A. Adding log sources is faster.
B. Constructing a network hierarchy is easier.
C. The system is tuned to minimize false positives.
D. Assets are automatically added to asset profiles
Answer: C
Explanation:
QUESTION NO: 116
A user can be assigned which two permissions? (Choose two.)
A. DSM Updates
B. Network Activity
C. Remote Server Administration
D. Ariel Database Administration
E. IP right-click Menu Extensions
Answer: B,E
Explanation:
QUESTION NO: 117
Which Admin setting allows the monitoring of system load over 15 minutes?
A. System Configuration
B. System Activity Report
C. Forwarding Destinations
D. Global System Notifications
Answer: D
Explanation:
QUESTION NO: 118
"Pass Any Exam. Any Time." - www.actualtests.com
41
IBM 000-196 Exam
Which SNMP protocol should be used when confidentiality, integrity, and authentication are
required?
A. SNMPv1
B. SNMPv2
C. SNMPv3
D. SNMPv4
Answer: C
Explanation:
QUESTION NO: 119
What two types of retention buckets are available in IBM Security QRadar SIEM V7.1? (Choose
two.)
A. Flow
B. Event
C. Assets
D. Offense
E. Log Source
Answer: A,B
Explanation:
QUESTION NO: 120
The last two digits of an appliance's type can be used to determine which capability?
A. Installed OS
B. Chassis Size
C. Storage Capacity
D. IBM Server Model Number
Answer: C
Explanation:
QUESTION NO: 121
"Pass Any Exam. Any Time." - www.actualtests.com
42
IBM 000-196 Exam
A customer has indicated that Windows events must be collected without the use of agents. Which
protocol should be selected in the Protocol Configuration when adding a Microsoft Windows
Security Event Log Source?
A. WinCollect
B. SNARE for Windows
C. Adaptive Log Exporter
D. Microsoft Security Event Log
Answer: D
Explanation:
QUESTION NO: 122
Given a multi-host deployment, where are data backups for managed hosts stored?
A. On the console
B. In the off-site configured backup location
C. On machines in the deployment that have the most storage capability
D. Locally on the managed hosts in their respectively configured backup directory
Answer: D
"Pass Any Exam. Any Time." - www.actualtests.com
43
Download