
C1000-018 Online Practice Questions and Answers

Question 4

Why would an analyst update host definition building blocks in QRadar?

A. To reduce false positives.

B. To narrow a search.

C. To stop receiving events from the host.

D. To close an Offense

Question 5

When an analyst sees the system notification “The appliance exceeded the EPS or FPM allocation within the last hour”, how does the analyst resolve this issue? (Choose two.)

A. Delete the volume of events and flows received in the last hour.

B. Adjust the license pool allocations to increase the EPS and FPM capacity for the appliance.

C. Tune the system to reduce the volume of events and flows that enter the event pipeline.

D. Adjust the resource pool allocations to increase the EPS and FPM capacity for the appliance.

E. Tune the system to reduce the time window from 60 minutes to 30 minutes.

Question 6

An analyst is encountering a large number of false positive results. Legitimate internal network traffic contains valid flows and events which are making it difficult to identify true security incidents.

What can the analyst do to reduce these false positive indicators?

A. Create X-Force rules to detect false positive events.

B. Create an anomaly rule to detect false positives and suppress the event.

C. Filter the network traffic to receive only security related events.

D. Modify rules and/or Building Block to suppress false positive activity.

Question 7

How many normalized timestamp field(s) does an event contain?

A. 2

B. 3

C. 4

D. 1

Question 8

An analyst needs to perform Offense management.

In QRadar SIEM, what is the significance of “Protecting” an offense?

A. Escalate the Offense to the QRadar administrator for investigation.

B. Hide the Offense in the Offense tab to prevent other analysts from seeing it.

C. Prevent the Offense from being automatically removed from QRadar.

D. Create an Action Incident response plan for a specific type of cyber attack.

Question 9

An analyst needs to find all events that are creating offenses that are triggered by rules that contain the word suspicious in the rule name.

Which query can the analyst use as a working sample?

A. SELECT LOGSOURCETYPE(logsourceid), “from log_events where RULENAME(creeventlist) ILIKE ‘%suspicious%’

B. SELECT LOGSOURCERULES(logsourceid), “from rule_events where RULENAME(creeventlist) ILIKE ‘%suspicious%’

C. SELECT LOGGEDOFFENSE(logsourceid), *from offense_events where RULENAME(creeventlist) ILIKE ‘%suspicious%’

D. SELECT LOGSOURCENAME(logsourceid), * from events where RULENAME(creeventlist) ILIKE ‘%suspicious%’

Question 10

An analyst observed a port scan attack on an internal network asset from a remote network. Which filter would be useful to determine the compromised host?

A. Any IP

B. Destination IP [Indexed]

C. Source or Destination IP

D. Source IP [Indexed]

Question 11

What is the difference between a Quick Search and an Advanced Search?

A. An Advanced Search uses a saved search, while a Quick Search uses a query language.

B. A Quick Search displays results by column, while an Advanced Search displays results by Category.

C. A Quick Search uses a saved search, while an Advanced Search requires a query language.

D. An Advanced Search displays results by Category, while a Quick Search displays results by column.

Question 12

An analyst needs to map a geographic location on all the internal IP addresses.

Which option defines the functions where the analyst can set up a geographic location of the network object in Network Hierarchy?

A. GPS location and Map

B. Group and IP address

C. Log Activity and Network Activity

D. Longitude and Latitude

Question 13

An analyst has observed that for a particular user, authentication to an organization's critical server is different than the normal access pattern.

How can the analyst verify that all the authentications initiated from the user are valid?

A. Perform a search with filter Destination IP group by Username, then validate the Username

B. Perform a search with filter Source IP group by Username, then validate the Username

C. Perform a search with filter Username group by Source IP, then validate the Destination IP

D. Perform a search with filter Username group by Source IP, then validate the Source IP

Question 14

How does an analyst view the base64 encoded string of an event's raw payload that contains unprintable characters?

A. Copy the raw payload and use an external tool to view base64 data

B. Right click on the event -> view base64 data

C. Log Activity -> Under Payload Information, click base64 tab

D. Admin -> Under Payload Information, click base64 tab

Question 15

Which QRadar component stores Offenses?

A. Console

B. Data Node

C. Event Processor

D. Event Collector

Question 16

An analyst is investigating a series of events that triggered an Offense. The analyst wants to get more detailed information about the IP address from the reference set.

How can the analyst accomplish this?

A. Click on Searches tab then perform an Advanced Search

B. Click on Log Activity tab then perform a Quick Search

C. Click on Searches tab then perform a Quick Search

D. Click on Log Activity tab then perform an Advanced Search

Question 17

An analyst needs to find events coming from unparsed log sources in the Log Activity tab. What is the log source type of unparsed events?

A. SIM Generic

B. SIM Unparsed

C. SIM Error

D. SIM Unknown

Question 18

What are the different flow types in QRadar?

A. L2L, L2R, R2R, R2L

B. Standard, Type A, Type B, Type C

C. Standard, Type 1, Type 2, Type 3

D. Type 1, Type 2, Type 3, Type 4

Exam Code: C1000-018
Exam Name: IBM QRadar SIEM V7.3.2 Fundamental Analysis
Last Update: Apr 25, 2024
Questions: 60 Q&As