Winter Special Flat 65% Limited Time Discount offer - Ends in 0d 00h 00m 00s - Coupon code: suredis

Certensure Logo
  1. Home
  2. IBM
  3. IBM Certified Associate Analyst - IBM QRadar SIEM V7.3.2
  4. C1000-018 - IBM QRadar SIEM V7.3.2 Fundamental Analysis

IBM C1000-018 IBM QRadar SIEM V7.3.2 Fundamental Analysis Exam Practice Test

Demo: 15 questions
Total 103 questions
Get C1000-018 Full Access Download C1000-018 PDF

IBM QRadar SIEM V7.3.2 Fundamental Analysis Questions and Answers

Question 1

How would an analyst efficiently include all the Antivirus logs integrated with QRadar for the last 24 hours?

Options:

A.

Log Activity -> Use Log Source parameter with Equals Operator

B.

Log Activity -> Use Log Source Type parameter with Member of Operator

C.

Log Activity -> Use Log Source parameter with Equals any of Operator

D.

Log Activity -> Use Log Source Type parameter with Equals any of Operator

Question 2

An analyst has been asked to search for a firewall device that was assigned to a specific address range in the past week.

What method can the analyst use to perform the search that uses simple words or phrases?

Options:

A.

Utilize the Natural Language Query module for searching event data.

B.

Export the event data and import it to the spreadsheet for searching.

C.

Write a search query using the Ariel Query Language and regex.

D.

Use Quick Filter to perform the search for event data.

Question 3

How many normalized timestamp field(s) does an event contain?

Options:

A.

2

B.

3

C.

4

D.

1

Question 4

Where can an analyst investigate a security incident to determine the root cause of an issue, and then work to resolve it?

Options:

A.

Risk tab

B.

Network Activity tab

C.

Offense tab

D.

Vulnerabilities tab

Question 5

After working with an Offense, an analyst set the Offense as hidden. What does the analyst need to do to view the Offense at a later time?

Options:

A.

Click Clear Filter next to the "Exclude Hidden Offenses".

B.

In the all Offenses view, at the top of the view, select ‘’Show hidden‘’ from the ‘’Select an option‘’ drop- down.

C.

In the al Offenses view, select Actions, then select show hidden Offenses.

D.

Search for all Offenses owned by the analyst

Question 6

An analyst observed a port scan attack on an internal network asset from a remote network.

Which filter would be useful to determine the compromised host?

Options:

A.

Any IP

B.

Destination IP [Indexed]

C.

Source or Destination IP

D.

Source IP [Indexed]

Question 7

A new analyst is tasked to identify potential false positive Offenses, then send details of those Offenses to the Security Operations Center (SOC) manager for review by using the send email notification feature.

Options:

A.

Total number of sources, top five categories, total number of destinations. Contributing CRE rules total number of packets.

B.

Total number of sources, top five sources by magnitude, total number of destinations, destination networks, total number of packets.

C.

Total number of sources, top five sources by magnitude, total number of destinations, destination networks, total number of events.

D.

Total number of sources, top five number of categories, total number of destinations, destination networks, total number of packets.

Question 8

An analyst is performing an investigation regarding an Offense. The analyst is uncertain to whom some of the external destination IP addresses in List of Events are registered.

How can the analyst verify to whom the IP addresses are registered?

Options:

A.

Right-click on the destination address, More Options, then Information, and then DNS Lookup

B.

Right-click on the destination address, More Options, then IP Owner

C.

Right-click on the destination address, More Options, then Information, and then WHOIS Lookup

D.

Right-click on the destination address, More Options, then Navigate, and then Destination Summary

Question 9

How does the Custom Rule Engine (CRE) evaluates rules?

Options:

A.

It runs stateless tests first, then runs stateful tests and evaluates the result.

B.

It runs tests based on the criticality of the test, running the critical ones first.

C.

It runs rule tests line-by-line in order, and continues while tests are true.

D.

It runs all rule tests at the same time, and evaluates the result after all tests are complete

Question 10

What are anomaly detection rules used for?

Options:

A.

Detecting volume changes that occur in regular patterns.

B.

Detecting event traffic.

C.

Detecting an activity that is greater or less than a specified range.

D.

Detecting when unusual traffic patterns occur in the network.

Question 11

An analyst has been assigned a number of Offenses to review and a new event occurs, review and manage. While reviewing an inactive offense, a new event occurs.

Which statement applies to the Offense?

Options:

A.

The event is added in a new Offense that is created.

B.

The event is added to the Offense and the status is changed to Dormant.

C.

The rule that created the Offense is temporarily halted.

D.

The event is added to the Offense and the status is changed to Active.

Question 12

An analyst needs to perform Offense management.

In QRadar SIEM, what is the significance of “Protecting” an offense?

Options:

A.

Escalate the Offense to the QRadar administrator for investigation.

B.

Hide the Offense in the Offense tab to prevent other analysts to see it.

C.

Prevent the Offense from being automatically removed from QRadar.

D.

Create an Action Incident response plan for a specific type of cyber attack.

Question 13

Which graph types are available for QRadar SIEM reports? (Choose two)

Options:

A.

Histogram

B.

Pie

C.

Trivial curve

D.

Frequency curve

E.

Stacked Bar

Question 14

An analyst is investigating access to sensitive data on a Linux system. Data is accessible from

the /secret directory and can be viewed using the 'sudo oaf command. The specific file /secret/file_08-txt was known to be accessed in this way. After searching in the Log Activity Tab, the following results are shown.

When interpreting this, the analyst is having trouble locating events which show when the file was accessed. Why could this be?

Options:

A.

The 'LinuxServer @ cantos' log source has boon configured as a Faise Positive and the specific event for that file has been dropped.

B.

The 'LinuxServer @ centos' log source has not been configured to send the relevant events to QRadar.

C.

The 'LinuxServer @ centos' log source has coalescing configured and the specific event for that file can only be accessed by clicking on the 'Event Count' value.

D.

The ;LinuxServer @ centos; log source has coalesscing conigured and the specific event for that file has been discardedd.

Question 15

An auditor has requested a report for all Offenses that have happened in the past month. This report generates at the end of every month but the auditor needs to have it for a meeting that is in the middle of the month.

What will happen to the scheduled report if the analyst manually generates this report?

Options:

A.

The scheduled report needs to be reconfigured.

B.

The analyst needs to delete the scheduled report and create a new one.

C.

The report will get duplicated so the analyst can then run one manually.

D.

The report still generates on the schedule initially configured.

Load More C1000-018 Questions
Demo: 15 questions
Total 103 questions
Get C1000-018 Full Access Download C1000-018 PDF