IBM.Testking.C2150-614.v2016-12-29.by.Sara (2016/12/29), posted Aug 10, 2020 by dariahiddleston

http://www.gratisexam.com/

C2150-614.exam

Number: C2150-614
Passing Score: 800
Time Limit: 120 min
File Version: 1.0

IBM C2150-614

IBM Security QRadar SIEM V7.2.7 Deployment

Version 1.0


Exam A

QUESTION 1
A Deployment Professional has been asked to create a new dashboard which consists of utilizing a saved search.

Which box should be checked when creating this search?

A. Add to my Dashboard
B. Include in my Dashboard
C. Add to my Dashboard items
D. Include in my Quick Searches

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
When you create a Search there is a parameter Include in my Dashboard, which must be selected to include the data from your saved search on the Dashboard tab.

References: http://www-01.ibm.com/support/docview.wss?uid=swg21679314#create

QUESTION 2
A Deployment Professional is alerted that flows between two assets within a local network are communicating at a higher rate than normal between midnight and 2 a.m. The Deployment Professional is asked to determine why this is occurring and decides to create an alert that will send a notification when the communication happens again.

Which action could be used?

A. Run an AQL query
B. Perform Quick search
C. Perform Custom search
D. Create rule to test for events/flows

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
IBM Security QRadar includes rules that detect a wide range of activities, including excessive firewall denies, multiple failed login attempts, and potential botnet activity. You can also create your own rules to detect unusual activity.

QUESTION 3
A customer with IBM Security QRadar SIEM V7.2.7 is using Active Directory to authenticate users. After a crash, the authentication servers are down and some users tried to log in before the authentication servers came back up.

What will happen to these users?

A. Local users are able to log in with their local password.
B. Active Directory users are able to log in with their password.
C. Administrative and non-administrative users are unable to log in with their password until authentication servers come back online.
D. Logging on is restricted to administrative users and non-administrative users will need to wait until the authentication server comes back online.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
QRadar provides authentication options for both local and external authentication methods, such as Active Directory or LDAP. The QRadar Administrative roles have both the external and local authentication methods available in case the external authentication method fails. If the remote authentication fails, the Administrative users can log in using the local password.

References: http://www-01.ibm.com/support/docview.wss?uid=swg21959344

QUESTION 4
Which CLI command should be used to change the default password from PASSWORD to S3cure for the username USERID?

A. /opt/ibm/toolscenter/asu/asu set IMM.Password S3cure --ksu
B. /opt/ibm/toolscenter/asu/asu set IMM.Password.1 S3cure --ksu
C. /opt/ibm/toolscenter/asu/asu64 set IMM.Password S3cure --ksu
D. /opt/ibm/toolscenter/asu/asu64 set IMM.Password.1 S3cure --ksu

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
To reset the IMM password use the following command:
/opt/ibm/toolscenter/asu64 set IMM.Password.1 NewPassword --kcs

References: http://www-01.ibm.com/support/docview.wss?uid=swg21964070

QUESTION 5
A Deployment Professional is performing a new deployment, and the customer wants to monitor network traffic by sending raw data packets from a network device to IBM Security QRadar SIEM V7.2.7.

Which method should be used?

A. AGP card
B. Napatech card
C. SFlow protocol
D. NetFlow protocol

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
You can monitor network traffic by sending raw data packets to an IBM QRadar QFlow Collector 1310 appliance. The QRadar QFlow Collector uses a dedicated Napatech monitoring card to copy incoming packets from one port on the card to a second port that connects to an IBM Security QRadar Packet Capture appliance.

References: http://www.ibm.com/support/knowledgecenter/SSKMKU/com.ibm.qradar.doc/t_qflow_forward_pcap.html

QUESTION 6
A Deployment Professional was asked to investigate the following error:

Custom Rule Engine has detected a total of 20487 dropped event(s). 20487 event(s) were dropped in the last 62 seconds. Queue is at 99 percent capacity

The Deployment Professional needs to run the command “/opt/qradar/bin/findExpensiveCustomRules.sh” to gather the necessary troubleshooting logs.

When should this command be run?

A. Right after a reboot
B. Run “service hostcontext restart” first
C. While the system is dropping events
D. Restart ECS, then run command

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
The "findExpensiveCustomRules.sh" script is designed to query the QRadar data pipeline and report on the processing statistics from the Custom Rules Engine (CRE). The script monitors metrics and collects statistics on how many events hit each rule, how long it takes to process a rule, total execution time and average execution time. When the script completes it turns off these performance metrics. The findExpensiveCustomRules script is a useful tool for creating on-demand reports for rule performance; it is not a tool for tracking historical rule data in QRadar. The core functionality of this script is often run when users begin to see drops in events or events routed to storage between components in QRadar.

References: http://www-01.ibm.com/support/docview.wss?uid=swg21985252&myns=swgother&mynp=OCSSBQAC&mync=R&cm_sp=swgother-_-OCSSBQAC-_-R

QUESTION 7
A current banking customer has just expanded by purchasing a small rural bank with a low bandwidth WAN connection.

The customer wants to expand its current QRadar SIEM 3105 all-in-one deployment to capture log events from the newly acquired branch and to forward them on a schedule, after hours during the trough of activity, to the main branch. There is plenty of room for this additional EPS growth.

Which device will meet the requirements?

A. 1202 QFlow Collector
B. 1400 Data Node
C. 1501 Event Collector
D. 1605 Event Processor

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
The IBM Security QRadar Event Processor 1605 (MTM 4380-Q1E) appliance is a dedicated event processor that you can use to scale your QRadar deployment to manage higher EPS rates. The QRadar Event Processor 1605 appliance includes an on-board event collector, event processor, and internal storage for events. With the Basic License the capacity is 2500 EPS, and with an upgrade license it is 20000 EPS.

Incorrect Answers:
A: The IBM Security QRadar QFlow Collector 1202 (MTM 4380-Q3C) appliance provides high capacity and scalable Layer 7 application data collection for distributed deployments.
B: The IBM Security QRadar 1400 Data Node (MTM 4380-Q1E) appliance provides a scalable data storage solution for QRadar deployments. The QRadar 1400 Data Node enhances the data retention capabilities of a deployment as well as augmenting overall query performance.
C: The IBM Security QRadar Event Collector 1501 (MTM 4380-Q2C) appliance is a dedicated event collector. By default, a dedicated event collector collects and parses events from various log sources and continuously forwards these events to an event processor. The capacity is 15000 Events per Second.

References: http://www.ibm.com/support/knowledgecenter/SS42VS_7.2.6/com.ibm.qradar.doc/c_hwg_evt_prcssr1605.html

QUESTION 8
What is the impact on network bandwidth when selecting 'Global' on a rule instead of 'Local' in a distributed environment?

A. All events are sent to the QRadar Console for processing and therefore, the QRadar Console uses more bandwidth.
B. All matching events are sent to the QRadar Console for processing and therefore, the QRadar Console uses more bandwidth.
C. All events are sent to each QRadar Event Processor for processing and therefore, all Event Processors use more bandwidth.
D. All matching events are sent to each QRadar Event Processor for processing and therefore, all Event Processors use more bandwidth.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
If you select Local, all rules are processed on the Event Processor on which they were received and offenses are created only for the events that are processed locally. If you select Global, all matching events are sent to the QRadar Console for processing and therefore, the QRadar Console uses more bandwidth and processing resources.

References: http://www.ibm.com/support/knowledgecenter/SSKMKU/com.ibm.qradar.doc/t_qradar_create_cust_rul.html

QUESTION 9
A Deployment Professional using IBM Security QRadar SIEM V7.2.7 needs to discover all mail servers, but some of the mail servers are listening on TCP port 10025.

Which server type and port could be configured in server discovery to accomplish this goal?

A. Mail Servers predefined server type should be used.
B. Application predefined server type with destination port 10025 only should be used.
C. Mail Servers predefined server type with destination port 10025 added to BB:PortDefinition: Mail Ports should be used.
D. Application Servers predefined server type with destination port 10025 added to BB:PortDefinition: Mail Ports should be used.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Use the BB:PortDefinition: Mail Ports building block to include all common ports used by mail servers.

References: Juniper Security Threat Response Manager STRM Log Manager Users Guide Release 2012.0, page 159

QUESTION 10
A Deployment Professional is looking over event and flow data for a new customer and sees that the customer is hitting 4,000 EPS/300,000 FPM, with bursts of up to 5,000 EPS/400,000 FPM. The customer is asking for the least amount of appliances to be installed to handle this traffic without any throttling.

Which combination should be installed?

A. Install the IBM Security QRadar 3105 (Console) and add a QRadar 1805
B. Install the IBM Security QRadar 3105 (Console) and add a QRadar Flow Processor 1705
C. Install the IBM Security QRadar 3105 (Console) and add a QRadar Flow Processor 1828
D. Install the IBM Security QRadar 3105 (Console) and add a QRadar Event Processor 1605

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
The QRadar 3105 (All-in-One) appliance requires external QRadar QFlow Collectors for layer 7 network activity monitoring.

With an upgraded licence the QRadar Flow Processor 1705 supports 600,000 FPM, depending on traffic types.

Note: The IBM Security QRadar 3105 (All-in-One) (MTM 4380-Q1E) appliance is an all-in-one QRadar system that can profile network behavior and identify network security threats. With a basic license it supports 25,000 FPM and 1000 EPS. With an upgraded license it supports 200,000 FPM and 5000 EPS.

Incorrect Answers:
A: With an upgraded licence the QRadar 1805 supports 200,000 FPM and 5,000 EPS.
C: With an upgraded licence the QRadar Flow Processor 1828 supports 300,000 FPM.
D: QRadar Event Processor 1605 is not a Flow Collector.

References:
http://www.ibm.com/support/knowledgecenter/SS42VS_7.2.8/com.ibm.qradar.doc/c_hwg_3105_allone_base.html
http://www.ibm.com/support/knowledgecenter/SS42VS_7.2.6/com.ibm.qradar.doc/c_hwg_flow_prcssr1705.html

QUESTION 11
A Deployment Professional has received complaints from a customer stating that events from a satellite location in Hong Kong are being delayed, which is affecting records processing. The Deployment Professional wants to improve event transfer from that location to the IBM Security QRadar SIEM V7.2.7.

Which appliance could be installed in the satellite location to accomplish this goal?

A. Data Node
B. Flow Collector
C. Event Collector
D. Event Processor

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
An Event Collector is an appliance for collecting events in remote locations for periodic forwarding to an Event Processor or an all-in-one appliance.

An example is the IBM Security QRadar Event Collector 1501 (MTM 4380-Q2C) appliance, which is a dedicated event collector. By default, a dedicated event collector collects and parses events from various log sources and continuously forwards these events to an event processor.

References: http://www.ibm.com/support/knowledgecenter/SS42VS_7.2.8/com.ibm.qradar.doc/c_hwg_eventcllctr1501.html

QUESTION 12
A Deployment Professional needs to create and share a saved search with other users.

What are the requirements for this action?

A. The user must be in the Admin role, and the saved search must have at least one “Grouped By” field.
B. Any user can share a saved search that must have exactly one “Grouped By” field.
C. The user must be in the Admin role, and the saved search must have at least one “[indexed]” field.
D. Any user can share a saved search that must contain at least one “Grouped By” and one “[indexed]” field.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Create and share the Search Criteria that the Dashboard Item will use. The user account initiating this process must be in the Admin User Role. Only users in the Admin User Role have the ability to share saved Search Criteria.

Assign Search to Group(s): Select the check box for the group you want to assign this saved search to. If you do not select a group, this saved search is assigned to the Other group by default.

References: http://www-01.ibm.com/support/docview.wss?uid=swg21679314

QUESTION 13
Which set of rules should be adhered to in order to create a valid expression for creating custom properties?

A. SQL
B. Java
C. Perl
D. Python

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
You can create a custom property type.

When you create a custom property, you can choose to create a Regex or a calculated property type. Regex defines the field that you want to become the custom property. After you enter a regex statement, you can validate it against the payload. When you define custom regex patterns, adhere to regex rules as defined by the Java programming language.

References: http://www.ibm.com/support/knowledgecenter/SS42VS_7.2.6/com.ibm.qradar.doc/c_qradar_cus_prop_typ.html

QUESTION 14
Which task can be completed by using the Historical Correlation feature?

A. Generating weekly reports on a new offense rule
B. Using a new custom rule to create a quick search
C. Investigating previously closed offenses generated by a custom rule
D. Testing a new offense rule against data that was previously captured

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Use historical correlation to run past events and flows through the custom rules engine (CRE) to identify threats or security incidents that already occurred.

References: http://www.ibm.com/support/knowledgecenter/SS42VS_7.2.8/com.ibm.qradar.doc/c_qradar_historical_correlation.html

QUESTION 15
Which IBM Security QRadar function, if misconfigured, could cause rules that are only supposed to be applied to local hosts to be applied to external hosts?

A. VA Scanner
B. Log Collector
C. Flow Collector
D. Network Hierarchy

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
IBM Security QRadar uses the network hierarchy to understand your network traffic and provide you with the ability to view activity for your entire deployment. IBM Security QRadar considers all networks in the network hierarchy as local.

References: http://www.ibm.com/support/knowledgecenter/SSKMKU/com.ibm.qradar.doc/c_qradar_adm_netwk_hierarchy.html


QUESTION 16
A Deployment Professional needs to handle event logs from Point-of-Sale (POS) devices on cruise ships which have sporadic connectivity to the rest of the deployment.

Which appliance can be used to store and forward these events?

A. QRadar Flow Collector 1201
B. QRadar Flow Processor 1705
C. QRadar Event Processor 1628
D. QRadar Event Collector 1501

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
The IBM Security QRadar Event Collector 1501 (MTM 4380-Q2C) appliance is a dedicated event collector. By default, a dedicated event collector collects and parses events from various log sources and continuously forwards these events to an event processor. You can configure the QRadar Event Collector 1501 appliance to temporarily store events and only forward the stored events on a schedule.

Incorrect Answers:
A: The IBM QRadar QFlow Collector 1201 (MTM 4380-Q2C) appliance provides high capacity and scalable Layer 7 application data collection for distributed deployments. The QRadar QFlow Collector 1201 also supports external flow-based data sources.
B: QRadar Flow Processor 1705 handles flows, not events.
C: The QRadar Event Processor 1628 is a distributed event processor appliance and requires a connection to a QRadar 3128 (Console) appliance.

References: http://www.ibm.com/support/knowledgecenter/SS42VS_7.2.8/com.ibm.qradar.doc/c_hwg_eventcllctr1501.html

QUESTION 17
A software install is being performed on a client's hardware. The Deployment Professional is about to install the QRadar software on a host which will become an HA primary.

Which command is mandatory?

A. /opt/qradar/ha_setup.sh
B. tail -f /var/bin/ha.logs
C. /opt/qradar/bin/prepare_ha.sh
D. /media/cdrom/post/prepare_ha.sh

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
To enable HA, QRadar connects a primary HA host with a secondary HA host to create an HA cluster.

For a software installation of IBM Security QRadar, you must run the following script before the installation to enable HA:
/media/cdrom/post/prepare_ha.sh

References: http://www.ibm.com/support/knowledgecenter/SS42VS_7.2.8/com.ibm.qradar.doc/c_qradar_ha_overview.html

QUESTION 18
A Deployment Professional needs to change the folder where automatic updates are downloaded.

Which Auto Update settings should be configured under Change Settings?

A. Basic Tab > Directory
B. Advanced Tab > Directory
C. Basic Tab > Download Path
D. Advanced Tab > Download Path

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Configuring QRadar to install a local autoupdate file:

Procedure
1. Log in to the QRadar user interface.
2. Click the Admin tab.
3. Click the Auto Update icon.
4. Click Change Settings.
5. Select the Advanced tab.
6. In the Webserver field, type https://Console_IP_address/
   Note: The trailing forward slash (/) is required. For example: https://10.10.10.10/
7. In the Directory field, leave the autoupdates/ configuration as the default value.
Etc.

References: https://www.ibm.com/developerworks/community/forums/html/topic?id=6ebb0c41-55cd-4994-9946-ceaff9375e52

QUESTION 19
A Deployment Professional is asked to check on an anomaly that is based off of aggregated data collected for the rule “Spike in Data Outbound”. When looking at the Top 10 Events of an offense and clicking on the display icon for “Source Network is Users.Users_1”, the available data shows in a chart. The Deployment Professional would like to examine the variation in the data in a linear manner.

Which chart type should be used?

A. Table
B. Pie Chart
C. Bar Chart
D. Time Series

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Time series charts are graphical representations of your activity over time.

References: http://www.ibm.com/support/knowledgecenter/SSKMKU/com.ibm.qradar.doc/c_qradar_time_ser_chart_over.html

QUESTION 20
Two health insurance companies, Company A and Company B, have been involved in a merger. Both companies have IBM Security QRadar SIEM V7.2.7 implemented to monitor their environments.

It has been determined that Company A will assume the duties of compliance monitoring across the entire organization. Because of this, Company B will need to forward its events encrypted to Company A's QRadar Event Collector.

What is one of the steps that must be done to make sure the information is encrypted in transit?

A. Connect Company B's Event Collector to the off-site source
B. Connect Company A's Event Collector to the off-site target
C. Ensure the SSH public key for the off-site source is available to Company A's Event Collector
D. Ensure the SSH private key for the off-site source is available to Company A's Event Collector

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Encryption provides greater security for all traffic between managed hosts. To provide enhanced security, IBM Security QRadar also provides integrated support for OpenSSH. When integrated with QRadar, OpenSSH provides secure communication between components. SSH uses a public key encryption system. In a public key encryption system, any person can encrypt a message using the public key of the receiver, but such a message can be decrypted only with the receiver's private key.

References: http://www.ibm.com/support/knowledgecenter/SS42VS_7.2.7/com.ibm.qradar.doc/c_qradar_adm_encryption.html

QUESTION 21
Which two permissions are required to modify custom properties? (Choose two.)

A. Maintain Custom Rules
B. Normalized Event Properties
C. User Defined Flow Properties
D. User Defined Event Properties
E. Normalized Flow Properties

Correct Answer: CD
Section: (none)
Explanation

Explanation/Reference:
You can create custom properties if you have the correct permission. You must have the User Defined Event Properties or the User Defined Flow Properties permission.

References: http://www.ibm.com/support/knowledgecenter/SS42VS_7.2.3/com.ibm.qradar.doc_7.2.3/c_qradar_req_perm_cus_prop.html

QUESTION 22
A customer wants to create tickets in an external ticketing system when a Rule is triggered; the intention is to use a Custom Action Script to call the REST-API of the ticketing system.

How could this be done in IBM Security QRadar SIEM V7.2.7?

A. In the Offense Rule Responses, select the “Run Custom Script” option.
B. Call the QRadar REST-API endpoint /custom_actions/scripts/{scripts_id}
C. Use a BASH script to run the 'curl' command to execute the required REST-API call in the ca_jail
D. Monitor the Console's syslog file /var/log/messages and execute a script when the event appears

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Attach scripts to custom rules to do specific actions in response to network events. Use the Custom Action window to manage custom action scripts. Use custom actions to select or define the value that is passed to the script and the resulting action. For the security of your deployment, QRadar does not support the full range of scripting functionality that is provided by the Python, Perl, or Bash languages.

Example of a BASH script with the curl command:

#!/bin/bash
# Parameters passed in by the custom action, in the order they were defined:
# console IP, API token, and the offense source IP
console_ip=$1
api_token=$2
offense_source_ip=$3

# QRadar API authentication header (SEC token)
auth_header="SEC:$api_token"

# Query the asset model for the asset whose interface has the offense source IP.
# The filter expression is URL-encoded. -k skips certificate verification, which is
# only acceptable if the Console certificate cannot be trusted by the ca_jail.
output=$(curl -k -H "$auth_header" "https://$console_ip/console/restapi/api/asset_model/assets?filter=interfaces%20contains%20%28%20ip_addresses%20contains%20%28%20value%20%3D%20%22$offense_source_ip%22%29%29")

# Basic print out of the output of the command
echo "$output"

References: http://www.ibm.com/support/knowledgecenter/SS42VS_7.2.8/com.ibm.qradar.doc/c_qradar_adm_customActScripts.html

QUESTION 23
A Deployment Professional is performing a new deployment and needs to collect flows through NetFlow version 5, NetFlow version 9, IPFIX and sFlow. The network is complex and heterogeneous.

What is the minimum number of flow sources that are needed for this IBM Security QRadar SIEM 7.2.7 deployment?

A. 1
B. 2
C. 3
D. 4

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
External flow sources include any external flow sources that send flows to the QRadar QFlow Collector. If your QRadar QFlow Collector receives multiple flow sources, you can assign each flow source a distinct name. When external flow data is received by the same QRadar QFlow Collector, a distinct name helps to distinguish external flow source data from each other. External flow sources might include the following sources:

NetFlow (QRadar supports NetFlow versions 1, 5, 7, and 9)
IPFIX
sFlow
J-Flow
Packeteer
Flowlog file

References: http://www.ibm.com/support/knowledgecenter/SSKMKU/com.ibm.qradar.doc/c_qradar_adm_flow_source_ovrvw.html

QUESTION 24
Which port must be open for Distributed Replicated Block Device (DRBD) traffic between primary and secondary HA host?

A. TCP 7777
B. TCP 7789
C. UDP 7777
D. UDP 7789

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Distributed Replicated Block Device uses TCP/UDP port 7789. The traffic is bidirectional between the secondary host and primary host in an HA cluster.

References: http://www.ibm.com/support/knowledgecenter/SSKMKU/com.ibm.qradar.doc/c_qradar_adm_common_ports.html

QUESTION 25
During a new IBM Security QRadar V7.2.7 deployment, a Deployment Professional is performing a deployment in a client environment where there is no tap or SPAN to take advantage of QRadar's Internal Flow sources.

What could be a valid External flow source for collecting flows?

A. Network card
B. Napatech Card
C. NetFlow protocol
D. SNMP protocol

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
External flow sources might include the following sources:

NetFlow (QRadar supports NetFlow versions 1, 5, 7, and 9)
IPFIX
sFlow
J-Flow
Packeteer
Flowlog file

Incorrect Answers:
A: A network card can be used as an internal flow source, not as an external flow source.
B: A Napatech card can be used as an internal flow source, not as an external flow source.
D: SNMP cannot be used as a flow source.

References: http://www.ibm.com/support/knowledgecenter/SSKMKU/com.ibm.qradar.doc/c_qradar_adm_flow_source_ovrvw.html

QUESTION 26
A System Notification on a QRadar Console states “An allocated license has expired and is no longer valid”. After an investigation, the Deployment Professional notices that the X-Force feed license has expired.

How will this expiration affect the system?

A. QRadar will work normally, but X-Force feed will not be updated anymore.
B. QRadar will work normally because the expired feature license has no effect.
C. QRadar will not collect any events until the license has been renewed or removed.
D. QRadar will collect events normally, but events are not correlated with X-Force feed.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
If the X-Force license expires on the QRadar Console, the IP reputation and URL databases will no longer receive updates and rules will leverage the existing values provided from the last good content update.

References: http://www-01.ibm.com/support/docview.wss?uid=swg21701213#expires

QUESTION 27Which QRadar module collects configurations of network devices?

A. Log ManagerB. Risk ManagerC. Incident ForensicsD. Vulnerability Manager

Correct Answer: BSection: (none)Explanation

Explanation/Reference:You must configure IBM Security QRadar Risk Manager to read configuration information from the devices in your network.The configuration information that is collected from your network devices generates the topology for your network and allows QRadar Risk Manager to understandyour network configuration.

Data that is collected in QRadar Risk Manager is used to populate the topology with key information about your network environment.


Data collection is a three-step process:
1. Provide QRadar Risk Manager with the credentials to download network device configurations.
2. Discover devices to create a device list in Configuration Source Management.
3. Back up the device list to obtain the device configurations and populate the topology with data about your network.

References: http://www.ibm.com/support/knowledgecenter/SS42VS_7.2.6/com.ibm.qradar.doc/c_qrm_gs_ntwk_dta_col.html

QUESTION 28
A Deployment Professional needs to store information in the IBM Security QRadar SIEM V7.2.7 asset database which is provided from the customer's configuration management database (CMDB). The CMDB provides a nightly dump of information such as 'Technical Owner' and 'Asset weight' tied to an IP address.

Which integration mechanism with QRadar will allow this information to be maintained?

A. Use REST-API calls with the /asset_model/assets/{asset_id} endpoint
B. Upload the information in a CSV format using the 'Import Assets' function
C. Send syslog LEEF formatted identity events to the 'Asset Profiler-2' log source
D. Schedule the AXIS scanner to import a pre-formatted XML file with the required data

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
You can import asset profile information. The imported file must be a CSV file in the following format: ip,name,weight,description

The import process merges the imported asset profiles with the asset profile information you have currently stored in the system.

Procedure
1. Click the Assets tab.
2. On the navigation menu, click Asset Profiles.
3. From the Actions list box, select Import Assets.
4. Click Browse to locate and select the CSV file that you want to import.
5. Click Import Assets to begin the import process.

References: http://www.ibm.com/support/knowledgecenter/SSKMKU/com.ibm.qradar.doc/t_qradar_ug_asset_import.html

QUESTION 29
A Deployment Professional wants to reduce the number of false positives being generated by a WebSense log source.


Which rule test could be created to solve this problem, assuming the Building Blocks have been updated for the customer's environment?

A. "and NOT when an event matches any of the following BB:HostDefinition: VA Scanner Source IP"
B. "and NOT when an event matches any of the following BB:HostDefinition: Proxy Servers"
C. "and NOT when an event matches any of the following BB:HostDefinition: Trusted Network Source IP"
D. "and NOT when an event matches any of the following BB:HostDefinition: Network Management Servers"

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Websense/ForcePoint Content Gateway (Content Gateway) is a Linux-based, high-performance Web proxy and cache that provides real-time content scanning and Web site classification to protect network computers from malicious Web content while controlling employee access to dynamic, user-generated Web 2.0 content.

Note: Proxy servers and virus servers can generate high volumes of traffic. To reduce the offenses created by these server types, edit the following building blocks:
* BB:HostDefinition: VA Scanner Source IP. Vulnerability assessment products launch attacks that can result in offense creation. To avoid this behavior and define vulnerability assessment products, or any server you want to ignore as a source, edit the "and when the source IP is one of the following" test to include the IP addresses of the following: VA Scanners, Authorized Scanners
* BB:HostDefinition: Network Management Servers
* BB:HostDefinition: Virus Definition and Other Update Servers
* BB:HostDefinition: Proxy Servers
* BB:NetworkDefinition: NAT Address Range
* BB:NetworkDefinition: TrustedNetwork

References:
http://www.websense.com/content/support/library/deployctr/v76/dic_wcg.aspx
ftp://public.dhe.ibm.com/software/security/products/qradar/documents/71MR1/SIEM/CoreDocs/QRadar_71MR1_TuningGuide.pdf

QUESTION 30
After creating a custom Log Source Extension to parse a Source IP address from this event snippet 'IP Address: (10.20.30.40)', the Source IP is not being extracted from the payload.

The Log Source Extension is showing the following:

IP\sAddress:\s\((\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})

Which Regular Expression should be used to ensure the Source IP is parsed properly?

A. IP\sAddress\s\((\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\)


B. IP\sAddress:\s\((\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}))
C. IP\sAddress:\s\((\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\)
D. IP\sAddress:\s\((\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{13})\)

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 31
A customer expanded operations by merging with an acquisition, adding additional traffic. Overall concerns have surfaced about event collecting, and the Deployment Professional is asked about deployment costs, security, and resiliency due to the additional network segments. The focus is on keeping the overall SIEM collecting events as the priority.

Which deployment architecture collection method will meet this need?

A. Shared
B. Cluster
C. Distributed
D. Centralized

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
In the Centralized scenario, all the servers and collectors are in the same network. This makes deployment and management much easier, since there is a single point of maintenance and a single point to "care about", which is especially important in a geographically spread environment. However, having the whole SIEM solution in one network means that every part of the environment must be able to connect to that cluster.


Incorrect Answers:
C: With a distributed deployment the main QRadar console will have access only to its collectors, and nothing more.


References: https://qradarinsights.com/2014/04/03/centralized-vs-distributed-collecting/

QUESTION 32
A Deployment Professional is working with a customer running an IBM Security QRadar SIEM V7.2.7 installation that is currently running into performance issues. The customer is noticing that searches are taking a long time to finish and there are performance degradation system notifications in the Console.

Which two steps will lead to a performance increase for this customer? (Choose two.)

A. Disable indexes that don't have a % of searches using this index of 20% or higher for the last seven days
B. Disable indexes that don't have a % of searches using this property of 10% or higher for the last 24 hours
C. Search for indexes which are enabled but have a % of searches using property that is zero, disable those indexes
D. Enable indexes that have a % of searches using this property higher than 10% and also % of searches missing this index greater than 10%
E. Search for indexes which are disabled but have a % of searches using property above 30% and also % of searches missing index is above 30% and enable them

Correct Answer: CE
Section: (none)
Explanation


Explanation/Reference:
C: If an index is enabled but its % of Searches Using Property is zero, then you should disable that index.

If after 30 days the statistics show that an enabled index is used in zero % of searches, then consideration should be made to disable the indexed property. This preserves resources for more important and actively used searches.

E: If an index is disabled but its % of Searches Using Property is above 30% and its % of Searches Missing Index is above 30%, then you should enable that index.

If administrators see search percentages above 30% across multiple time spans, then users are leveraging this search property often and consideration should be made to enable the index. These values indicate that enabling an index can improve performance for users who search specific properties frequently.

References: http://www-01.ibm.com/support/docview.wss?uid=swg21689802
