IBM C1000-018 Exam Questions Instant Access

Question 1

The SOC team complained that they have can only see one Offense in the Offenses tab.

space of 10 minutes, but the analyst How can the analyst ensure only one email is sent in this circumstance?

AConfigure the postfix mail server on the Console to suppress duplicate items

BEnsure that the Rule Action Limiter is configured the same way as the Rule Response Limiter.

CAdd a Response Limiter to the Rule, configured to execute only once every 30 minutes.

DDisable Automated Offense Notification - by email, in Advanced System Settings.

Answer : A

Question 2

An analyst notices that there are a number of invalid Offenses being created from a network node. This node has been determined to be in Domain 2 and has the following log sources sending it events: (3Com 8800 Series Switch from 172.18.1.1, Cisco ACE Firewall from 172.18.1.2, FireEye from 172.18.1.3, and Palo Alto PA Series from 172.18.1.8).

The analyst should create a False Positive Building Block that has a filter:

A'when the destination IP is in 172.18.0.0/16'

B'when the local network is Domain 2 and when the source IP is in 172.18.0.0/16'

C'when the remote IP is one of the following 172.18.1.1, 172.18.1.2. 1.3 172. 18.18.1.8

D'when the local network is Domain 2 and when the source IP is in 172.18.0.0/16'

Answer : D

Question 3

What information is included in flow details but is not in event details?

ANetwork summary information

BMagnitude information

CNumber of bytes and packets transferred

DLog source information

Answer : A

Flows represent network activity by normalizing IP addresses, ports, byte and packet counts, and other data, into flow records, which effectively are records of network sessions between two hosts.

Question 4

While creating a new custom property, which is a valid property types selection?

AAQL Based

BRegular Expressions Based

CFlow Based

DEvent Based

Answer : B

https://www.ibm.com/docs/en/qsip/7.4?topic=qradar-custom-property-definitions-in-dsm-editor

Question 5

Which consideration should be given to the position of rule tests that evaluate regular expressions (Regex tests)?

AThey can only be used in Building Blocks to ensure they are evaluated as infrequently as possible.

BThey are usually the most specific. As such, they should appear first in the order.

CThey are usually the most expensive. As such, they should appear last in the order.

DThey are stateful tests. As such QRadar automatically evaluates them last.

Answer : A

Question 6

An analyst for a particular offense needs to investigate to understand the breakdown of the offense details.

How can the analyst do this?

ALook at the magnitude information and its breakdown.

BView the attack path of the offense.

CLook at all the event QIDs attached to the offense.

DLook at the list of categories, event low level categories and the events attached.

Answer : A

Question 7

What is displayed in the status bar of the Log Activity tab when streaming events?

AAverage number of results that are received per second.

BAverage number of results that are received per minute.

CAccumulated number of results that are received per second.

DAccumulated number of results that are received per minute.

Answer : A

Status bar

When streaming events, the status bar displays the average number of results that are received per second.

IBM QRadar SIEM V7.3.2 Fundamental Analysis C1000-018 Exam Questions