IBM C1000-018 Exam Practice Test Instant Access

Question 1

How can an analyst search for all events that include the keyword 'vims'?

ABy going to the Network Activity tab and run a quick search with the 'virus' keyword.

BBy going to the Log Activity tab and run a quick search with the 'virus' keyword.

CBy going to the Offenses tab and run a quick search with the 'virus' keyword.

DBy going to the Log Activity tab and run this AQL: select * from events where eventname like 'virus'

Answer : D

Question 2

An analyst has been asked to present a report of all the incidents that have been detected by QRadar in the last 24 hours.

How can the analyst achieve this?

ACreate an Event saved search from the last 24 hours and then using the Reports tab, create a report to make use of the existing saved search.

BCreate a Common saved search from the last 24 hours and then using the Reports tab, create a report to make use of the existing saved search.

CCreate an Event saved search from the last 24 hours and then using the Log Activity tab, create a report to make use of the existing saved search.

DCreate an Offense saved search from the last 24 hours and then using the Reports tab, create a report to make use of the existing saved search.

Answer : A

Question 3

An analyst needs to create a rule that includes a building block definition that identifies a communication to a local SMTP server that then connects to an unapproved remote peer.

In which group will the analyst find this specified building block?

ACategory Definitions

BHost Definitions

CNetwork Definitions

DPolicy

Answer : A

Question 4

An analyst needs to review additional information about the Offense top contributors, including notes and annotations that are collected about the Offense.

Where can the analyst review this information?

AIn the top portion of the Offense main view

BIn the bottom portion of the Offense main view

CIn the top portion of the Offense Summary window

DIn the bottom portion of the Offense Summary window

Answer : D

In the bottom portion of the Offense Summary window, review additional information about the offense top contributors, including notes and annotations that are collected about the offense.

https://www.ibm.com/docs/en/SS42VS_7.3.3/com.ibm.qradar.doc/b_qradar_users_guide.pdf

Question 5

How would an analyst Interpret this QRadar notification: "SAR Sentinel: threshold crossed?"

AThe system disk usage is above the threshold and must be reduced to avoid potential data loss.

BThe system load is above the threshold and can experience reduced performance.

CThe anomaly detection engine has detected volume of failed logins above the threshold.

DThe Custom Rule Engine is currently detecting a distributed denial of service attack.

Answer : A

Question 6

An analyst has manually created a new log source in QRadar.

What is the Low Level Category that will be applied to all events sent from this log log source type is applied?

AUnavailable

BNot Found

CUnknown

DStored

Answer : B

Question 7

An analyst is encountering a large number of false positive results. Legitimate internal network traffic contains valid flows and events which are making it difficult to identify true security incidents.

What can the analyst do to reduce these false positive indicators?

ACreate X-Force rules to detect false positive events.

BCreate an anomaly rule to detect false positives and suppress the event.

CFilter the network traffic to receive only security related events.

DModify rules and/or Building Block to suppress false positive activity.

Answer : C

IBM C1000-018 IBM QRadar SIEM V7.3.2 Fundamental Analysis Exam Practice Test