Sample Questions for Exam C1000-156 QRadar SIEM V7.5 Administrator

Please note: These questions were developed at the same time and by the same QRadar SIEM V7.5 subject matter experts as the real exam questions. While these sample questions will give you a good idea of the nature of the questions on the real exam, this is not a thorough representation of the material covered by the real exam, so success with these sample questions should not be considered predictive of success on the real exam. For a realistic idea of your readiness for the real certification exam, we suggest you take the full-length Assessment Test available from Pearson VUE.

Section 1: System Configuration

Administer managed hosts

1. An administrator needs to decommission an App Host. What is the proper order of events to ensure a successful removal?
A. Migrate applications to the Console.
B. Shut down the App Host.
C. Ensure that all applications are working on the Console.
D. Remove the App Host.

2. A QRadar administrator wants to add a managed host to increase flow inspection. Which managed host does the administrator add to the deployment?
A. QRadar Risk Manager
B. QRadar Network Insights
C. QRadar Incident Forensics
D. QRadar Vulnerability Manager Processor

Understand distributed architecture

3. In addition to data collection and data processing, what is the third architectural design layer of the QRadar Security Intelligence Platform?
A. Data nodes
B. Data forensics
C. Data searches
D. Data aggregation

4. In a QRadar distributed deployment, which product is used to retrace the step-by-step actions of a potential attacker and conduct an in-depth investigation of suspected malicious network security incidents?
A. QRadar Risk Manager
B. QRadar Network Insights
C. QRadar Incident Forensics
D. QRadar Vulnerability Manager

Manage configuration and data backups

5. Which is a valid statement about the default QRadar backup and recovery process?
A. A backup priority of medium or high has little to no impact on system performance.
B. If the backup process exceeds the configured time limit, the backup is stored as incomplete.
C. Automatic backups run at midnight and include the configuration information, data, or both, archived in the previous 24 hours.
D. The script automatically creates a daily archive capturing only event and flow data at 3:00 AM, which must be restored on the QRadar Console.

Configure custom SNMP and email templates

6. Where are the email templates stored in QRadar?
A. Ariel database
B. PSQL database
C. reference map of sets
D. XML file on the file system

Manage network hierarchy

7. In a single domain QRadar deployment, which IP addresses are considered remote?
A. Any public IP address
B. Any private IP address
C. Any IP address that is not defined in the network hierarchy
D. Any IP address that is defined in the network hierarchy as remote

Use and manage reference data

8. What is the default time period QRadar uses to periodically remove expired elements from the reference set?
A. Every 1 minute
B. Every 5 minutes
C. Every 60 minutes
D. Every 1440 minutes

Manage automatic update

9. What does this QRadar command verify?
/opt/qradar/bin/UpdateConfs.pl -testConnect 1 0
A. License key
B. GUI https SSL certificate
C. Connection to the auto update server
D. Enablement status of SSL inspection

Demonstrate the use of the asset database

10. QRadar receives an event. How does the asset profiler examine the event payload for identity information?
A. If the only available identity information is an IP address, the system reconciles the update to the existing asset that has the same IP address.
B. If the identity information matches an existing asset in the database, then a new asset is created based on the information in the event payload.
C. If the identity information includes a port number, a NetBIOS hostname, or a DNS hostname that is already associated with an asset in the asset database, that asset is merged with the previous entry.
D. If an asset update has an IP address that matches an existing asset, but the other identity information does not match, the system uses other information to rule out a false-positive match before a new asset is created.

Section 2: Performance Optimization

Construct identity exclusions

11. When does an edited identity exclusion search start excluding new values?
A. Immediately
B. After 5 minutes
C. After 24 hours
D. After a soft clean of the asset database

Deal with resource restrictions

12. You are the QRadar administrator for a large Managed Security Service Provider (MSSP). Many MSSP clients have limited access to your deployment and can run searches that might occasionally cause system performance degradation. Which type of resource restriction would limit the searching capabilities of one client?
A. Group-based restrictions
B. Tenant-based restrictions
C. Service-based restrictions
D. Resource-based restrictions

Configuring, tuning and understanding rules

13. An administrator wants to exclude many IP addresses that use the CIDR format (for example, 192.168.10.0/24) from a set of multiple rules. The administrator needs to be able to easily edit the rule exclusion to add or remove more IP addresses in the future. Which option can be used to accomplish this requirement?
A. Enter all the IP addresses into a reference set and exclude the reference set from the rule itself.
B. Use a filter rule test and exclude all the IP addresses by using "source IP" and "equals any of" filtering.
C. Create an offense rule that includes additional rule tests that help in IP exclusion, which are found only in an offense-based rule.
D. Enter all the IP addresses into a building block that uses a source IP rule test, and exclude that building block from the rule itself.
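Questions 7 and 13 both turn on CIDR matching: an address is Local only when some network-hierarchy object contains it, everything else is Remote, and a CIDR exclusion kept in one shared building block is consulted by every rule that references it. The following is an added worked example, not IBM code and not a QRadar API; it models those two rules in Python, and also shows the Remote-to-Remote (R2R) symptom that Question 27 later on this page asks about, where a private range missing from the hierarchy makes internal traffic look remote on both ends. The hierarchy, exclusion list, event pairs and object names below are constructed for the example.

```python
"""Local/Remote classification against a QRadar-style network hierarchy.

Added example; not part of IBM's sample-question document and not a QRadar API.
Everything below (hierarchy objects, exclusion CIDRs, events) is constructed.
"""
from ipaddress import ip_address, ip_network

# Constructed network hierarchy: object name -> CIDR blocks. The 172.16.0.0/12
# range is deliberately missing to show how the gap surfaces as R2R events.
NETWORK_HIERARCHY = {
    "Corp.Workstations": ["10.10.0.0/16"],
    "Corp.Servers": ["10.20.0.0/24", "10.20.1.0/24"],
    "DMZ": ["192.0.2.0/24"],
}

# Constructed exclusion building block (Question 13): one list, many rules read it.
EXCLUDED_SOURCES = ["192.168.10.0/24", "10.10.99.0/27"]

# Constructed events as (source IP, destination IP).
SAMPLE_EVENTS = [
    ("10.10.5.7", "203.0.113.10"),     # workstation to internet: L2R
    ("198.51.100.4", "192.0.2.15"),    # internet to DMZ: R2L
    ("10.10.5.7", "10.20.0.3"),        # workstation to server: L2L
    ("172.16.4.9", "198.51.100.4"),    # unlisted internal range to internet: R2R
    ("172.16.4.9", "172.16.8.1"),      # two unlisted internal hosts: R2R
    ("198.51.100.4", "203.0.113.10"),  # genuinely external pair: R2R
    ("10.10.99.5", "203.0.113.10"),    # scanner subnet to internet: L2R, excluded
]

RFC1918 = [ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def build_networks(hierarchy):
    """Flatten the hierarchy into (object name, network) pairs for matching."""
    return [(name, ip_network(cidr)) for name, cidrs in hierarchy.items() for cidr in cidrs]


def lookup(ip, networks):
    """Return the hierarchy object that contains ip, or None when the address is Remote."""
    addr = ip_address(ip)
    for name, net in networks:
        if addr in net:
            return name
    return None


def classify(src, dst, networks):
    """Return L2L, L2R, R2L or R2R for one event (Question 7: not in hierarchy = Remote)."""
    s = "L" if lookup(src, networks) else "R"
    d = "L" if lookup(dst, networks) else "R"
    return f"{s}2{d}"


def is_rfc1918(ip):
    addr = ip_address(ip)
    return any(addr in net for net in RFC1918)


def r2r_suspects(events, networks):
    """Private addresses seen in R2R events: likely ranges missing from the hierarchy."""
    suspects = {ip for src, dst in events
                if classify(src, dst, networks) == "R2R"
                for ip in (src, dst) if is_rfc1918(ip)}
    return sorted(suspects, key=ip_address)


def build_exclusions(cidrs):
    return [ip_network(c) for c in cidrs]


def is_excluded(src, exclusions):
    """Source-IP building-block test: True when src falls in any excluded CIDR."""
    addr = ip_address(src)
    return any(addr in net for net in exclusions)


def rule_fires(src, dst, networks, exclusions, direction="L2R"):
    """A minimal rule: match events of one direction unless the source is in the exclusion block."""
    return classify(src, dst, networks) == direction and not is_excluded(src, exclusions)


if __name__ == "__main__":
    nets = build_networks(NETWORK_HIERARCHY)
    excl = build_exclusions(EXCLUDED_SOURCES)
    for src, dst in SAMPLE_EVENTS:
        print(f"{src:>15} -> {dst:<15} {classify(src, dst, nets)}  fires={rule_fires(src, dst, nets, excl)}")
    print("R2R suspects to add to the hierarchy:", r2r_suspects(SAMPLE_EVENTS, nets))
```

Adding a new CIDR to EXCLUDED_SOURCES changes the outcome of every rule that calls rule_fires without touching the rules themselves, which is the maintainability argument behind the building-block answer. The r2r_suspects output (172.16.4.9 and 172.16.8.1 here) is the list an administrator would take back to the network hierarchy; a public pair such as 198.51.100.4 to 203.0.113.10 is a legitimate R2R event and is not reported.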
14. Which option creates an OR condition in the Custom Rules Engine?
A. When a property equals a property
B. When an event matches any of the following rules
C. When any event properties are contained in their reference set(s)
D. When the false positive signature matches one of the following signatures

Index management

15. An administrator performs a routine review of index properties. When opening the Index Management interface, the administrator notices that a certain property has a value of 70% under the "% of Searches Using Property" column, but the property is not indexed. Which action does the administrator take in this situation?
A. Enable the index to improve performance.
B. Create more rules that use that property to improve property utilization.
C. Create more saved searches using the property to improve property utilization.
D. Monitor the property further to check for abrupt changes in the "Data Written" column.

Search management

16. Which two (2) options can be selected as Timespan options when you save a search?
A. Default
B. GV interval
C. Since last deploy
D. Specific interval
E. Real time (streaming)

17. What is a prerequisite for a custom property-based offense search?
A. The search must be saved before use.
B. The search must run with administrator privileges.
C. The custom property must be used as a rule index.
D. The custom property must be created by the user who performs the search.

Manage routing rules and event forwarding

18. Which routing mode ensures that no data is lost?
A. Drop
B. Online
C. Offline
D. Log Only

Section 3: Data Source Configuration

Manage flow sources

19. What type of source is a flow source that connects over a SPAN or TAP?
A. Internal flow source
B. External flow source
C. Asymmetrical flow source
D. Omnidirectional flow source

Vulnerability information source configuration

20. Which three (3) items are preconfigured scan policies distributed with QRadar Vulnerability Manager?
A. PCI scan
B. Risk scan
C. Asset scan
D. Patch scan
E. Database scan
F. Vulnerability scan

Manage custom event and flow properties

21. Which option does the administrator need to select in the Custom Event Properties window to parse and store the custom event property?
A. Optimize parsing for rules, flows, and searches
B. Optimize parsing for rules, reports, and events
C. Optimize parsing for rules, reports, and searches
D. Optimize parsing for rules, scanners, and searches

Manage custom log source types

22. Which two fields are used by QRadar to map an event to a QID?
A. Event ID and Event Name
B. Event Category and Event ID
C. Event Category and High-level Category
D. High-level Category and Low-level Category

23. What column in Log Activity Preview of the DSM Editor indicates that event properties successfully parsed and mapped to a QID record?
A. Status
B. Overlook
C. Parsing Status
D. Parsing Success Status

Section 4: Accuracy Tuning

Understand and implement ADE rules

24. Which type of rule tests event and flow traffic for changes in short-term events compared against a longer timeframe?
A. Anomaly rules
B. Threshold rules
C. Behavioral rules
D. Current trend rules

Manage and use building blocks

25. Which framework can be visualized from the Use Case Manager application?
A. NIST 800-53
B. MITRE ATT&CK
C. Lockheed Martin Cyber Kill Chain
D. Diamond Model of Intrusion Analysis

Manage content packs

26. A QRadar administrator recently installed a QRadar content pack that comes shipped with a custom Pulse dashboard. What does the administrator do to make the new dashboard available in the Pulse application?
A. Use the Synchronize function of the Pulse app in the Admin tab
B. Use the interactive API to add the dashboard to the list of available dashboards
C. Run the console script SynchronizePulseDashboards.sh after every content pack installation
D. After the administrator installs the content pack, the new dashboard automatically becomes available

Distinguish native information sources

27. What can Remote to Remote (R2R) events indicate?
A. Possible reference data misconfiguration
B. Possible remote networks misconfiguration
C. Possible building blocks misconfiguration
D. Possible network hierarchy misconfiguration

Configure integrations

28. What must you enable before you can use the enhanced content that is installed with the IBM QRadar Security Threat Monitoring Content Extension?
A. The MaxMind account
B. IBM Security GPG13 Content
C. The X-Force Threat Intelligence feed
D. The IBM X-Force Exchange plug-in for QRadar

Section 5: User Management

Manage users

29. Which data that is assigned to a user is maintained by QRadar after you delete the user's account?
A. Saved searches
B. The security profile
C. The inactivity timeout
D. The username and password

Create and update security profiles

30. An admin needs to delete a security profile. What activity must the admin first ensure is completed?
A. The admin user can delete any security profile.
B. The users assigned to that security profile must first be reassigned.
C. The users and log sources that belong to the profile must first be reassigned.
D. The security profile must first be removed from the domain and all log sources and users must belong to alternate profiles.

Create and update user roles

31. A QRadar Administrator needs to define a new user role with access to only see events in QRadar. Which permissions should be granted to the role?
A. Events
B. Networks
C. Log Activity
D. Network Activity

Manage user authentication and authorization

32. A QRadar Administrator needs to configure LDAP authentication with TLS in QRadar. What is the name of the folder where the TLS certificate of the LDAP server should be imported?
A. valid_certificates
B. known_certificates
C. signed_certificates
D. trusted_certificates

Section 6: Reporting, Searching, and Offense Management

Manage reports

33. What is the default distribution channel in QRadar that sends the generated report to the Reports Tab?
A. Email
B. Report Console
C. Included link to the Report Console
D. Included report as an attachment to the Dashboard

34. What option in QRadar allows you to run a weekly report before the full week has elapsed since you created the report?
A. Run Report
B. Toggle Scheduling
C. Run Report on Raw Data
D. Run Report on Accumulated Data

Utilize different search types

35. The option to include the data from your saved search on the Dashboard tab is not available when you save the search. How can you make that option available when saving the search?
A. Set it as the default
B. Share it with Everyone
C. Include in my Quick Searches
D. Ensure that the search is grouped

36. How can you convert a saved search to an AQL string and modify it to create your own searches in order to quickly find the data you want?
A. Select a previously saved search and click Show AQL > Save as JSON
B. Select a previously saved search and click Show AQL > Copy to Clipboard
C. Select a previously saved search and click Export to AQL > Save as JSON
D. Select a previously saved search and click Export to AQL > Copy to Clipboard

Manage offenses

37. Which parameters can you use as a base for offense indexing?
A. Any event property
B. Indexed customer properties
C. Only predefined normalized properties
D. Only Username, Destination IP, and Source IP

38. What feature influences the offense chaining?
A. Severity
B. Indexing
C. Magnitude
D. Source or Destination IP

Sharing content among users

39. A QRadar administrator creates a new saved search in QRadar. Which option does the administrator enable to show the data from the search on the Dashboard tab?
A. Set as Default
B. Share with Everyone
C. Include in My Dashboard
D. Include in My Quick Searches

40. A QRadar administrator creates a new saved search in QRadar and does not assign it to any search group. To which group is the saved search assigned by default?
A. Other group
B. User Reports group
C. Admin Reports group
D. Usage Monitoring group

Section 7: Tenants and Domains

Differentiate network hierarchy and domain definition

41. What must you do to an interface before it will appear in the Domain configuration window?
A. Associate the interface with a tenant
B. Configure the interface as a flow source
C. Add the interface to a domain reference set
D. Associate the interface with a security profile

Allocate licenses for multi-tenant

42. An administrator needs to view the events per second (EPS) rate for an individual domain. Which Ariel Query Language (AQL) query provides the information?
A. select domain, DOMAINNAME(domain) from events GROUP BY domain last 1 HOURS
B. select domainid, DOMAINNAME(domainid) from events GROUP BY domainid last 1 HOURS
C. select DOMAINNAME(domain) as LogDomain, sum(eventcount) / 24*60*60 as EPS from events where domain=checkpoint group by domain order by EPS desc last 24 hours
D. select DOMAINNAME(domainid) as LogDomain, sum(eventcount) / 24*60*60 as EPS from events where domainid=1 group by domainid order by EPS desc last 24 hours

Assign users to tenants

43. Which permission option allows the user to view only events and flows that are associated with both the log sources and networks that are specified in this security profile?
A. Network Only
B. Log Sources Only
C. Networks OR Log Sources
D. Networks AND Log Sources

Section 8: Troubleshooting

Review and respond to system notifications

44. An administrator is reviewing the system notifications and discovers this error:
MPC: Unable to create new offense. The maximum number of active offenses has been reached.
What is the default number of active offenses that can be open on a system?
A. 2500
B. 3000
C. 5000
D. 10,000

Troubleshoot common documented issues

45. You want to perform an upgrade and are getting fully prepared prior to installation. Which program assists with running health checks before major events to determine whether there are any issues that need to be addressed?
A. DrQ
B. get_logs
C. health_check
D. Validate_Deployment

46. You set up a new source that uses syslog to send events to an event collector (EC). You note that no data is collected from this source, but other syslog sources configured the same way work fine. Which tool can you use to troubleshoot whether the syslog data has reached the EC?
A. ssh
B. netstat
C. tcpdump
D. nslookup

47. You notice some intermittent issues in viewing offenses. Cleaning the SIM data model ensures that offenses are based on the most current rules, discovered servers, and network hierarchy. Which method closes all offenses, but does not remove them from the system?
A. Soft clean
B. Hard clean
C. Retention clean
D. Persistent clean

Configure, manage and troubleshoot applications

48. What level of SEC token does IBM QRadar Deployment Intelligence need to access REST API endpoints and run Ariel searches?
A. User level
B. root level
C. Admin level
D. Asset level

Perform healthchecks

49. What is the QRadar default setting for backups?
A. Data backups only
B. No nightly backups
C. Configuration backups only
D. Configuration and data backups

50. QRadar administrators can use a tool to identify a reported issue that is associated with an APAR and work with IBM QRadar Support on a resolution or workaround. Which command allows administrators to review the logs for reported issues in QRadar?
A. /opt/qradar/support/recon
B. /opt/qradar/support/cliniq
C. /opt/qradar/support/qappmanager
D. /opt/qradar/support/defect-inspector

Answer key
1. 1=A, 2=C, 3=D, 4=B
2. B
3. C
4. C
5. C
6. D
7. C
8. B
9. C
10. A
11. A
12. B
13. D
14. B
15. A
16. D, E
17. C
18. C
19. A
20. A, D, E
21. C
22. B
23. C
24. A
25. B
26. A
27. D
28. C
29. A
30. B
31. C
32. D
33. B
34. C
35. D
36. B
37. A
38. B
39. C
40. A
41. B
42. D
43. D
44. A
45. A
46. C
47. A
48. C
49. C
50. D
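Question 42 above derives a per-domain EPS figure by grouping stored events on domainid, summing eventcount (a stored record can represent several coalesced events, so counting rows would undercount), dividing by the seconds in the 24-hour window and ordering by the result. The following is an added worked example, not IBM code and not a QRadar API; it reproduces that arithmetic in Python so the figure can be checked offline, and isolates one caveat a practitioner should verify in their own query engine: with left-to-right evaluation of / and *, the literal divisor 24*60*60 written without parentheses multiplies instead of divides. The domain ids, domain names (the name "checkpoint" is borrowed from option C) and event records are constructed; DOMAINNAME() is modelled by a dictionary lookup.

```python
"""Events per second (EPS) per domain, the figure Question 42 asks for.

Added example, not from IBM's document and not a QRadar API. Domain ids,
names and event records are constructed; DOMAINNAME() is a dict lookup here.
"""
from collections import defaultdict

INTERVAL_SECONDS = 24 * 60 * 60  # the query's "last 24 hours" window

# Constructed stand-in for DOMAINNAME(domainid).
DOMAIN_NAMES = {0: "Default Domain", 1: "checkpoint", 2: "tenant-b"}

# Constructed event records as (domainid, eventcount). eventcount above 1 means
# the pipeline coalesced that many identical events into one stored record,
# which is why EPS sums eventcount instead of counting rows.
SAMPLE_EVENTS = [
    (1, 1), (1, 50), (1, 86349),   # domain 1: 86400 events in 24 h -> 1.0 EPS
    (2, 10), (2, 10), (2, 4300),   # domain 2: 4320 events -> 0.05 EPS
    (0, 8640),                     # default domain: 8640 events -> 0.1 EPS
]


def eps_by_domain(events, interval_seconds=INTERVAL_SECONDS, domainid=None):
    """GROUP BY domainid with an optional WHERE domainid=<n>; returns {domain name: EPS}."""
    totals = defaultdict(int)
    for did, count in events:
        if domainid is None or did == domainid:
            totals[did] += count
    return {DOMAIN_NAMES.get(did, f"domain {did}"): total / interval_seconds
            for did, total in totals.items()}


def ranked(events, interval_seconds=INTERVAL_SECONDS):
    """ORDER BY EPS DESC: (domain name, EPS) pairs from busiest to quietest."""
    return sorted(eps_by_domain(events, interval_seconds).items(),
                  key=lambda item: item[1], reverse=True)


def divisor_pitfall(total_events):
    """Return (parenthesised, unparenthesised) results for a 24 h window.

    Evaluated left to right, total / 24*60*60 is (total/24)*60*60, which is
    3600*3600 times too large; total / (24*60*60) is the events-per-second rate.
    """
    return total_events / (24 * 60 * 60), total_events / 24 * 60 * 60


if __name__ == "__main__":
    for name, eps in ranked(SAMPLE_EVENTS):
        print(f"{name:<15} {eps:8.4f} EPS")
    print("domain 1 only:", eps_by_domain(SAMPLE_EVENTS, domainid=1))
    good, bad = divisor_pitfall(86400)
    print(f"86400 events/24h -> {good} EPS with parentheses, {bad} without")
```

The WHERE clause in option D (domainid=1) corresponds to the domainid argument here; leaving it out gives the ranked view across all domains, which is the more useful form when deciding how to split a multi-tenant EPS licence. Before trusting the number from an AQL query, run a known quantity through it the way divisor_pitfall does and confirm the engine's precedence matches your intent.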