IBM QRadar SIEM V7.3.2 Fundamental Analysis C1000-018 Exam Questions

1. An analyst needs to investigate an Offense and navigates to the attached rule(s).

Where in the rule details would the analyst investigate the reason for why the rule was triggered?

Rule actions

List of test conditions

Rule responses

Rules response limiter

2. How does an analyst view which rule triggered an Offense in the Offense summary page?

Display -> Rules

Actions -> View Rules

Actions -> Display Rules

Display -> Triggered Rules

3. An analyst needs to review additional information about the Offense top contributors, including notes and annotations that are collected about the Offense.

Where can the analyst review this information?

In the top portion of the Offense main view

In the bottom portion of the Offense main view

In the top portion of the Offense Summary window

In the bottom portion of the Offense Summary window

4. An analyst has been assigned a task to modify a rule in such a manner that Source IP of the triggered Offense from this rule should be stored in a Reference set.

Under which section of the rule wizard can the analyst achieve this?

Rule Response

Rule Action

Rule Test Stack Editor

Rule Response Limiter

5. An analyst notices that there are a number of invalid Offenses being created from a network node. This node has been determined to be in Domain 2 and has the following log sources sending it events: (3Com 8800 Series Switch from 172.18.1.1, Cisco ACE Firewall from 172.18.1.2, FireEye from 172.18.1.3, and Palo Alto PA Series from 172.18.1.8).

The analyst should create a False Positive Building Block that has a filter:

“when the destination IP is in 172.18.0.0/16”

“when the local network is Domain 2 and when the source IP is in 172.18.0.0/16”

“when the remote IP is one of the following 172.18.1.1, 172.18.1.2. 1.3 172. 18.18.1.8

“when the local network is Domain 2 and when the source IP is in 172.18.0.0/16”

6. Where can an analyst investigate a security incident to determine the root cause of an issue, and then work to resolve it?

Risk tab

Network Activity tab

Offense tab

Vulnerabilities tab

7. Which considering the ability to tune False Positives with the Confidence factor Setting, which statement applies?

Secure areas should have a lower confidence value, while less secure areas should have a higher confidence value.

Secure areas should have a higher confidence value, while less secure areas should have a lower confidence value a higher.

When setting a confidence factor, using a higher value will result in a higher number of Offenses.

To ensure that the results are comparable, it is important to apply a common Confidence Factor across all network segments.

8. From which tab in QRadar SIEM can an analyst search vulnerability data and remediate vulnerabilities?

Log Activity

Admin

Dashboard

Assets

9. An analyst is performing an investigation regarding an Offense. The analyst is uncertain to whom some of the external destination IP addresses in List of Events are registered.

How can the analyst verify to whom the IP addresses are registered?

Right-click on the destination address, More Options, then Information, and then DNS Lookup

Right-click on the destination address, More Options, then IP Owner

Right-click on the destination address, More Options, then Information, and then WHOIS Lookup

Right-click on the destination address, More Options, then Navigate, and then Destination Summary

10. An analyst needs to find all events that are creating offenses that are triggered by rules that contain the word suspicious in the rule name.

Which query can the analyst use as a working sample?

SELECT LOGSOURCENAME(logsourceid), * from events where RULENAME(creeventlist) ILIKE ,o/0suspicious%’

SELECT LOGGEDOFFENSE(logsourceid), * from offense_events where RULENAME(creeventlist) ILIKE ,%suspicious%’

SELECT LOGSOURCETYPE(logsourceid), – from log_events where RULENAME(creeventlist) ILIKE ‘%suspicious%’

SELECT LOGSOURCERULES(logsourceid), ” from rule_events where RULENAME(creeventlist) ILIKE ‘%suspicious%’

11. An analyst has created a custom property from the events for searching for critical information. The analyst also needs to reduce the number of event logs and data volume that is searched when looking for the critical information to maintain the efficiency and performance of QRadar.

Which feature should the analyst use?

Index Management

Log Management

Database Management

Event Management

12. What is required to create an anomaly rule?

triggered events

a grouped saved search

triggered flows

baseline anomalies

13. What steps are needed to add an Annotation to an event or flow that triggered a Rule?

When creating a Rule, a custom Annotation can be automatically applied to events and flows that originate from specified Sources.

Events and Flows cannot be Annotated, the only information allowed in an event or flow is data that was included in the original payload.

When creating a Rule, a custom Annotation can be specified to automatically be applied to the event or flow that triggered the Rule.

Annotations can be manually added to an Offense. These Annotations are then automatically applied to all events or flows which triggered the rule creating that Offense.

14. What does the Assets tab provide?

A unified view of the information that is kwon about:

events and flows.

triggered Offenses.

log sources.

network devices.

15. After working with an Offense, an analyst set the Offense as hidden.

What does the analyst need to do to view the Offense at a later time?

Click Clear Filter next to the “Exclude Hidden Offenses”.

In the all Offenses view, at the top of the view, select ‘’Show hidden‘’ from the ‘’Select an option‘’ drop- down.

In the al Offenses view, select Actions, then select show hidden Offenses.

Search for all Offenses owned by the analyst

Question 1 of 15

Test Online IBM C1000-018 Free Questions

Leave a Reply Cancel reply