IBM C1000-018 Exam Questions Instant Access

Question 1

A new analyst is tasked to identify potential false positive Offenses, then send details of those Offenses to the Security Operations Center (SOC) manager for review by using the send email notification feature.

ATotal number of sources, top five categories, total number of destinations. Contributing CRE rules total number of packets.

BTotal number of sources, top five sources by magnitude, total number of destinations, destination networks, total number of packets.

CTotal number of sources, top five sources by magnitude, total number of destinations, destination networks, total number of events.

DTotal number of sources, top five number of categories, total number of destinations, destination networks, total number of packets.

Answer : D

Question 2

When ordering these tests in an event rule, which of them is the best test to place at the top of the list for rule performance?

AWhen the source is [local or remote]

BWhen the destination is [local or remote]

CWhen the event(s) were detected by one or more of [these log sources]

DWhen an event matches all of the following [Rules or Building Blocks]

Answer : A

Question 3

Which QRadar timestamp specifies when the event was received from the log source?

ACollect time

BStart time

CStorage time

DLog Source time

Answer : B

Question 4

Which consideration should be given to the position of rule tests that evaluate regular expressions (Regex tests)?

AThey can only be used in Building Blocks to ensure they are evaluated as infrequently as possible.

BThey are usually the most specific. As such, they should appear first in the order.

CThey are usually the most expensive. As such, they should appear last in the order.

DThey are stateful tests. As such QRadar automatically evaluates them last.

Answer : A

Question 5

How can an analyst search for all events that include the keyword 'vims'?

ABy going to the Network Activity tab and run a quick search with the 'virus' keyword.

BBy going to the Log Activity tab and run a quick search with the 'virus' keyword.

CBy going to the Offenses tab and run a quick search with the 'virus' keyword.

DBy going to the Log Activity tab and run this AQL: select * from events where eventname like 'virus'

Answer : D

Question 6

An analyst needs to investigate why an Offense was created.

How can the analyst investigate?

AReview the Offense summary to investigate the flow and event details.

BReview the X-Force rules to investigate the Offense flow and event details.

CReview pages of the Asset tab to investigate Offense details.

DReview the Vulnerability Assessment tab to investigate Offense details.

Answer : A

Question 7

An analyst needs to find all events that are creating offenses that are triggered by rules that contain the word suspicious in the rule name.

Which query can the analyst use as a working sample?

ASELECT LOGSOURCENAME(logsourceid), * from events where RULENAME(creeventlist) ILIKE '%suspicious%'

BSELECT LOGGEDOFFENSE(logsourceid), * from offense_events where RULENAME(creeventlist) ILIKE ,%suspicious%'

CSELECT LOGSOURCETYPE(logsourceid), - from log_events where RULENAME(creeventlist) ILIKE '%suspicious%'

DSELECT LOGSOURCERULES(logsourceid), ' from rule_events where RULENAME(creeventlist) ILIKE '%suspicious%'

Answer : A

IBM QRadar SIEM V7.3.2 Fundamental Analysis C1000-018 Exam Questions