IBM C1000-018 Exam Questions Instant Access

Question 1

An analyst is searching for a list of events that meet specific search criteria and wants to display only the source IP and destination IP information for the events.

To get the required information, the analyst can open the Log Activity tab and then:

Aselect the field names,
select the start and end time from the drop down fields in the filters section,
then click search.

Bclick add filter,
select the desired parameters, operators, values and field names,
then click search.

Cselect advanced search.
type the corresponding AQL query,
then click search.

Dselect search,
then new search,
scroll down and select time range, column definitions, the search parameters
then click search.

Answer : A

Question 2

How does an analyst view which rule triggered an Offense in the Offense summary page?

ADisplay -> Rules

BActions -> View Rules

CActions -> Display Rules

DDisplay -> Triggered Rules

Answer : A

Question 3

What is the maximum time period for 3 subsequent events to be coalesced?

A10 minutes

B10 seconds

C5 minutes

D60 seconds

Answer : B

Event coalescing starts after three events have been found with matching properties within a 10 second window.

Question 4

What could be a reason that an Event Rule is not triggering as expected?

AIt contains stateful tests but is configured to use a Processors CRE Instance instead of the Consoles CRE Instance.

BIt contains stateless tests but is configured to use the Console's CRE Instance instead of the Processor's CRE Instance.

CIt contains stateful and stateless tests but is configured to use a Console's CRE Instance instead of the Processor s CRE Instance.

DIt contains stateless tests but is configured to use the Processors CRE Instance instead of the Console's CRE Instance.

Answer : B

Question 5

An analyst has been asked to present a report of all the incidents that have been detected by QRadar in the last 24 hours.

How can the analyst achieve this?

ACreate an Event saved search from the last 24 hours and then using the Reports tab, create a report to make use of the existing saved search.

BCreate a Common saved search from the last 24 hours and then using the Reports tab, create a report to make use of the existing saved search.

CCreate an Event saved search from the last 24 hours and then using the Log Activity tab, create a report to make use of the existing saved search.

DCreate an Offense saved search from the last 24 hours and then using the Reports tab, create a report to make use of the existing saved search.

Answer : A

Question 6

How would an analyst Interpret this QRadar notification: "SAR Sentinel: threshold crossed?"

AThe system disk usage is above the threshold and must be reduced to avoid potential data loss.

BThe system load is above the threshold and can experience reduced performance.

CThe anomaly detection engine has detected volume of failed logins above the threshold.

DThe Custom Rule Engine is currently detecting a distributed denial of service attack.

Answer : A

Question 7

An analyst is reviewing a rule that is configured to create an Offense indexed by a uri domain name. But even after validating all the rule conditions, an Offense is not generated.

What could be the reason for this kind of behaviour?

ACustom property url domain name is empty in the events.

BCustom property Eventname is empty in the events.

CNormalized property url domain name is empty in the events.

DNormalized property Source IP is empty in the events.

Answer : B

IBM QRadar SIEM V7.3.2 Fundamental Analysis C1000-018 Exam Questions