IBM - Test - C1000

IBM
C1000-156
IBM Security QRadar SIEM V7.5 Administration
QUESTION & ANSWERS
https://www.prepare4exams.com/C1000-156-exam-questions.html
QUESTION 1
If it is not tuned properly, custom rules can cause performance issues. Which tool allows you to
troubleshoot if a rule causes performance issues?
A. findExpensiveCustomRules.sh
B. validate_ecs_service.sh
C. threadTop.sh
D. collectGvStats.sh
Correct Answer: A
Explanation/Reference:
findExpensiveCustomRules.sh allows you to troubleshoot if a rule causes performance issues.
/opt/qradar/support/findExpensiveCustomRules.sh -d /root
QUESTION 2
A QRadar administrator wants to add a managed host to increase flow inspection. Which managed
host does the administrator add to the deployment?
A. QRadar Incident Forensics
B. QRadar Network Insights
C. QRadar Vulnerability Manager Processor
D. QRadar Risk Manager
Correct Answer: B
Explanation/Reference:
IBM QRadar Network Insights provides in-depth visibility into network communications on a real-time basis to extend the capabilities of your IBM QRadar deployment. QRadar Network Insights empowers QRadar Sense Analytics to detect threat activity that would otherwise go unnoticed. QRadar Network Insights provides visibility across a range of use cases, including:
- Malware detection and analysis
- Phishing email and campaign detection
- Insider threats
- Lateral movement attack detection
- Data exfiltration protection
- Identifying compliance gaps
QUESTION 3
On a QRadar appliance, you might see a warning that you cannot connect to port 32006. Which command would you use to determine port information?
A. netstat
B. nc
C. nmap
D. psexec
Correct Answer: A
Explanation/Reference:
Use the netstat command to test whether the port is open or blocked by a firewall rule, and whether it is listening.
1. Use an SSH session to log in to the appliance you need to test.
2. Type the command: netstat -nap | grep :<port>
3. Verify that the port displays LISTEN, ESTABLISHED, or TIME_WAIT.
QUESTION 4
When does an edited identity exclusion search start excluding new values?
A. After 5 minutes
B. After 24 hours
C. Immediately
D. After a soft clean of the asset database
Correct Answer: C
Explanation/Reference:
Identity exclusion searches can be used to manage single assets that accumulate large volumes of
similar identity information for known, valid reasons.
QUESTION 5
Which option creates an OR condition in the Custom Rules Engine?
A. When any event properties are contained in their reference set(s)
B. When the false positive signature matches one of the following signatures
C. When a property equals a property
D. When an event matches any of the following rules
Correct Answer: B
Explanation/Reference:
When an event matches any of the following rules
QUESTION 6
Which is a valid statement about the default QRadar backup and recovery process?
A. Automatic backups run at midnight and include the configuration information, data, or both,
archived in the previous 24 hours.
B. If the backup process exceeds the configured time limit, the backup is stored as incomplete.
C. A backup priority of medium or high has little to no impact on system performance.
D. The script automatically creates a daily archive capturing only event and flow data at 3:00 AM,
which must be restored on the QRadar Console.
Correct Answer: A
Explanation/Reference:
By default, IBM QRadar creates a backup archive of your configuration information daily at midnight.
The backup archive includes your configuration information, data, or both from the previous day.
QUESTION 7
In addition to data collection and data processing, what is the third architectural design layer of the
QRadar Security Intelligence Platform?
A. Data forensics
B. Data aggregation
C. Data searches
D. Data nodes
Correct Answer: C
Explanation/Reference:
The operation of the QRadar security intelligence platform consists of three layers, and applies to any QRadar deployment structure, regardless of its size and complexity. Below are the three layers that represent the core functionality of any QRadar system:
- Data collection
- Data processing
- Data searches
QUESTION 8
If you have problems with HA, which folder do you look in to troubleshoot?
A. /opt/qradar/ha
B. /opt/qradar/config/ha
C. /opt/qradar/bin
D. /opt/qradar/bin/ha
Correct Answer: A
Explanation/Reference:
To display the HA cluster configuration, type the following command: /opt/qradar/ha/bin/ha cstate
QUESTION 9
A QRadar Administrator needs to define a new user role with access to only see events in QRadar.
Which permissions should be granted to the role?
A. Network Activity
B. Log Activity
C. Events
D. Networks
Correct Answer: B
Explanation/Reference:
Security profiles define which networks, log sources, and domains that a user can access.
QUESTION 10
An administrator has been asked to configure a new QRadar console high availability (HA)
deployment. Both the primary and secondary consoles have been installed with the QRadar software.
What should the administrator do to complete the HA configuration?
A. Reinstall the QRadar software on the secondary console using an "HA Recovery Setup".
B. Add the secondary console to the deployment, and then create the HA host.
C. Create the HA host to add the secondary console to the deployment.
D. Select "Secondary Host" on the wizard when adding the secondary host to the deployment.
Correct Answer: B
Explanation/Reference:
If your hardware or network fails, IBM QRadar can continue to collect, store, and process event and flow data by using high-availability (HA) appliances. To enable HA, QRadar connects a primary HA host with a secondary HA host to create an HA cluster. If a primary HA host fails, then the secondary HA host maintains access to the same data as the primary by using data synchronization or shared external storage.