IBM QRADAR SIEM Exam Exercise part 2

26. What are the four categories of notifications found in 
IBM Security QRadar SIEM V7.2.8 system notifications?
A. Errors, Critical, Minor and Information
B. Errors, Warning, Information, and Health
C. Warning, Information, System and Critical
D. Errors, Warning, Information, and Performance

27. An Administrator working with IBM Security QRadar SIEM V7.2.8 needs to 
delete a single value named User1 from a reference set with the name “Allowed Users” 
from the command line interface. Which command will accomplish this?
A. ./UtilReferenceSet.sh purge “Allowed Users”User1
B. ./ReferenceSetUtil.sh purge “Allowed Users” User1
C. ./ReferenceSetUtil.sh delete “AllowedUsers User1
D. ./UtilRefernceSet.sh delete AllowedUsers User1

28. An Administrator working within IBM Security QRadar V7.2.8 has created
a network hierarchy that includes the following groups and subgroups:

Office #1 Group
- Miscellaneous 10.10.0.0/24
- Sales 10.10.8.0/24
- Marketing 10.10.1.0/24

Office #2 Group
- Miscellaneous 10.20.0.0/16
- Sales 10.20.8.0/24
- Marketing 10.20.1.0/24

A new subgroup is added to Office #1 having a CIDR of 10.10.50.0/24.
Offenses are being triggered, and during the investigation it is noticed that the rule
should not fire if traffic is L2L. The offense is being triggered on traffic
from 10.10.4.17 to 10.20.1.8.
Is this rule using the network hierarchy correctly?
A. This rule is parsing the network hierarchy correctly, as
the 10.10.4.17 address is not contained in any group, and therefore is remote
B. This rule is parsing the network hierarchy correctly, as
the offices are both remotely geolocated and connecting over the Internet,
so it is remote traffic
C. This rule isn’t parsing the network hierarchy correctly, as
the network hierarchy contains the CIDR for 10.10.4.17 and 10.20.1.0/24,
therefore being L2L traffic.
D. This rule isn’t parsing the network hierarchy correctly, as
the network hierarchy contains both subnets, but is viewing traffic
between groups to be remote instead of local
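The local/remote decision behind question 28 is mechanical: an address is local if it falls inside any CIDR defined anywhere in the network hierarchy, and the group or subgroup it lands in is irrelevant to that test. The following is an added example (not QRadar code) that loads the hierarchy from the question, including the later 10.10.50.0/24 subgroup under an assumed name, and classifies a flow as L2L, L2R, R2L or R2R the way a rule test sees it. Running it shows exactly which of the two addresses in the offense the hierarchy actually covers.

```python
"""Classify traffic direction (L2L, L2R, R2L, R2R) against a network hierarchy.

Added example, not QRadar's own code. The hierarchy is constructed from the
text of question 28. In QRadar an address is "local" when it falls inside any
CIDR defined in the network hierarchy; which group it belongs to does not
matter for the local/remote decision.
"""
import ipaddress

# Constructed from the question. The subgroup name for 10.10.50.0/24 is an
# assumption; the page only gives its CIDR.
NETWORK_HIERARCHY = {
    "Office #1": {
        "Miscellaneous": "10.10.0.0/24",
        "Sales": "10.10.8.0/24",
        "Marketing": "10.10.1.0/24",
        "NewSubgroup": "10.10.50.0/24",
    },
    "Office #2": {
        "Miscellaneous": "10.20.0.0/16",
        "Sales": "10.20.8.0/24",
        "Marketing": "10.20.1.0/24",
    },
}


def _networks(hierarchy):
    """Yield (group, subgroup, ip_network) for every CIDR in the hierarchy."""
    for group, subgroups in hierarchy.items():
        for name, cidr in subgroups.items():
            yield group, name, ipaddress.ip_network(cidr)


def lookup(ip, hierarchy=NETWORK_HIERARCHY):
    """Return (group, subgroup) of the most specific CIDR containing ip, or None.

    Overlapping CIDRs (10.20.0.0/16 and 10.20.1.0/24 here) resolve to the
    longest prefix, which is how an address gets attributed to a subgroup.
    """
    addr = ipaddress.ip_address(ip)
    best = None
    for group, name, net in _networks(hierarchy):
        if addr in net and (best is None or net.prefixlen > best[2].prefixlen):
            best = (group, name, net)
    return None if best is None else (best[0], best[1])


def classify(src, dst, hierarchy=NETWORK_HIERARCHY):
    """Return 'L2L', 'L2R', 'R2L' or 'R2R' for a flow from src to dst."""
    s = "L" if lookup(src, hierarchy) else "R"
    d = "L" if lookup(dst, hierarchy) else "R"
    return f"{s}2{d}"


if __name__ == "__main__":
    pairs = [
        ("10.10.4.17", "10.20.1.8"),   # the traffic from the offense
        ("10.10.8.5", "10.20.1.8"),    # Office #1 Sales -> Office #2 Marketing
        ("8.8.8.8", "10.20.1.8"),      # Internet -> Office #2 Marketing
    ]
    for src, dst in pairs:
        print(f"{src} -> {dst}: {classify(src, dst)} "
              f"(src={lookup(src)}, dst={lookup(dst)})")
```

A /24 under Office #1 covers only 10.10.0.x, 10.10.1.x, 10.10.8.x and 10.10.50.x, so 10.10.4.17 is not matched by any entry and the flow is R2L even though both offices are in the hierarchy; adding a covering CIDR (for example 10.10.0.0/16 as a group-level network) is what would make it L2L.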

29. An Administrator using IBM Security QRadar SIEM V7.2.8 needs
to force an instant backup to run. Which option should be selected?
A. Backup Now
B. On Demand Backup
C. Launch on Demand Backup
D. Configure on Demand Backup

30. An IBM Security QRadar SIEM V7.2.8 Administrator needs to check 
if the “hostcontext” process is running. How can the Administrator do this?
A. Hostcontext status
B. Status hostcontext service
C. Service hostcontext status
D. ./etc/qradar/hostcontext status

31. An Administrator working with IBM Security QRadar SIEM V7.2.8 is
constantly receiving the following message:
“SAR Sentinel: Threshold crossed.”
Where will the Administrator tune the settings for these messages?
A. Admin tab > General Settings > Global System Notification
B. Admin tab > System Configuration > Global System Notifications
C. Admin tab > System Notifications > System Activity Reporter Notifications
D. Admin tab > System Configuration > General Settings > System Notifications

32. An Administrator working with IBM Security QRadar SIEM V7.2.8 only needs 
to remove a single host (10.1.95.142) from the reference set with the name 
“Asset Reconciliation IPv4 Whitelist” from the command line interface. 
Which command would accomplish this task?
A. ./ReferenceSetUtil.sh purge AssetReconciliationIPv4Whitelist 10.1.95.142
B. ./ReferenceSetUtil.sh delete AssetReconciliation IPv4Whitelist 10.1.95.142
C. ./ReferenceSetData.sh purge AssetReconciliationIPv4Whitelist 10.1.95.142
D. ./ReferenceSetData.sh delete AssetReconciliationIPv4Whitelist 10.1.95.142

33. An Administrator needs to create a new user role in the
IBM Security QRadar SIEM V7.2.8 system. What steps need to be followed?
A. System Configuration tab > Users and Roles > Add New Role > Add
B. Admin tab > System Configuration > User Management > User Roles > New
C. Admin tab > System and Settings > Users and Roles > Role Management > New
D. System Management tab > System Configuration > User Management > User Roles > New

34. An Administrator working with IBM Security QRadar SIEM V7.2.8 appliances needs 
to update firmware. How are the files acquired?
A. Firmware updates can be retrieved from IBM developerWorks
B. Refer to support documents to download the firmware approved for QRadar Appliance
C. All firmware is automatically downloaded and no Administrator intervention is required
D. All firmware updates are applied as part of the QRadar software patching process and
should not be applied independently

35. An Administrator working with IBM Security QRadar SIEM V7.2.8 needs to enable 
the PCI report template. What is the procedure to accomplish this task?
A. Admin Tab > Reports > Templates > Compliance > PCI > Select “Enable”
B. Reports Tab > Enable “Show all templates” > Group List > Compliance > PCI
C. Reports Tab > Clear “Hide Inactive Reports” Box > Group List > Compliance > PCI
D. Admin Tab > Reports > Templates > Compliance > PCI > uncheck “Hide Template”

36. Administrators on versions of IBM Security QRadar SIEM older than V7.2.4
must use a specific upgrade path to transition to newer software versions.
These requirements are outlined in what technical document?
A. Fix Level Recommendation Tool
B. IBM latest firmware release notes
C. QRadar Software upgrade progress technical note
D. IBM System Security Interoperation Center (SSIC)

37. An Administrator has configured a customized log source extension to provide
asset updates to IBM Security QRadar V7.2.8. Instead of QRadar receiving an update
that has the host name of the asset that the user logged in to,
the log source generates many asset updates that all have the same host name.
In this situation, what will QRadar report?
A. This will cause stale asset data
B. This will cause asset growth deviations
C. This will cause excessive authentication failure events
D. This will cause excessive flow data to be processed by the Magistrate

38. An Administrator working with an IBM Security QRadar SIEM V7.2.8 deployment needs to build an
Ariel Query to find all flow data sent in the last 24 hours where the amount of bytes being sent
and received is larger than 64 bytes. What query needs to be used?
A. SELECT * FROM flows WHERE sourceBytes > 64 & destinationBytes > 64 LAST 1 DAY
B. SELCET * FROM flows WHERE sourceBytes > 64 & destinationBytes > 64 LAST 1 DAYS
C. SELECT * FROM flowsdata WHERE sourceBytes > 64 & destinationBytes > 64 LAST 1 DAY
D. SELECT * FROM flowsdata WHERE sourceBytes > 64 AND destinationBytes > 64 LAST 1 DAYS

39. An IBM Security QRadar SIEM V7.2.8 Administrator notices that a specific MAC address was added to the
Asset Reconciliation Domain MAC blacklist. What scenario causes this to occur?
A. When MAC address is associated to three or more different IP addresses in 2 hours or less
B. When an IPv4 address is associated to three or more different MAC addresses in 2 hours or less
C. When a MAC address is associated to three or more different IP addresses in 10 minutes or less
D. When an IPv4 address is associated to three or more different MAC addresses in 10 minutes or less
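All four options in question 39 describe the same detection shape with different parameters: a key (MAC or IP) that is associated with N distinct values of the other field inside a time window gets excluded from asset reconciliation. The following is an added example (not QRadar's implementation) of that sliding-window check run over constructed events, with the threshold and window as parameters so the 2-hour and 10-minute variants, and the MAC-by-IP versus IP-by-MAC directions, can be compared on the same data. The event layout and field names are assumptions.

```python
"""Sliding-window 'key seen with N distinct values within W' detector.

Added example, not QRadar's own asset-reconciliation code. It mirrors the
shape of the exclusion logic in question 39: a MAC address that is associated
with several different IP addresses inside a time window is treated as
unreliable (NAT gateways, load balancers and misparsed DHCP logs produce
exactly this pattern). Threshold, window and event layout are assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta


def find_excluded(events, key_field, value_field, threshold=3,
                  window=timedelta(hours=2)):
    """Return {key: time_of_exclusion} for every key that was associated with
    at least `threshold` distinct values within any `window`-long interval.

    events: iterable of dicts with a 'time' (datetime) plus the two fields.
    Events are processed in time order, as a streaming pipeline would.
    """
    history = defaultdict(deque)   # key -> deque of (time, value) in window
    excluded = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        key, value, t = ev[key_field], ev[value_field], ev["time"]
        if key in excluded:
            continue               # already on the blacklist; nothing to do
        q = history[key]
        q.append((t, value))
        while q and t - q[0][0] > window:   # drop observations out of window
            q.popleft()
        if len({v for _, v in q}) >= threshold:
            excluded[key] = t
    return excluded


# Constructed sample: one MAC hops between three IPs within 28 minutes, a
# second MAC changes IP once a day (a normal DHCP lease turnover).
T0 = datetime(2024, 1, 1, 8, 0, 0)
SAMPLE_EVENTS = [
    {"time": T0,                         "mac": "00:11:22:33:44:55", "ip": "10.0.0.5"},
    {"time": T0 + timedelta(minutes=12), "mac": "00:11:22:33:44:55", "ip": "10.0.0.6"},
    {"time": T0 + timedelta(minutes=28), "mac": "00:11:22:33:44:55", "ip": "10.0.0.7"},
    {"time": T0,                         "mac": "aa:bb:cc:dd:ee:ff", "ip": "10.0.1.9"},
    {"time": T0 + timedelta(days=1),     "mac": "aa:bb:cc:dd:ee:ff", "ip": "10.0.1.10"},
    {"time": T0 + timedelta(days=2),     "mac": "aa:bb:cc:dd:ee:ff", "ip": "10.0.1.11"},
]


def macs_excluded_by_ip(events=SAMPLE_EVENTS, window_minutes=120):
    """MAC-by-IP direction: a MAC seen with 3+ IPs inside the window."""
    return find_excluded(events, "mac", "ip", 3, timedelta(minutes=window_minutes))


def ips_excluded_by_mac(events=SAMPLE_EVENTS, window_minutes=120):
    """IP-by-MAC direction: an IP seen with 3+ MACs inside the window.
    Included to show that the two directions in the options are distinct checks."""
    return find_excluded(events, "ip", "mac", 3, timedelta(minutes=window_minutes))


if __name__ == "__main__":
    print("MAC by IP, 2h window :", macs_excluded_by_ip())
    print("MAC by IP, 10m window:", macs_excluded_by_ip(window_minutes=10))
    print("IP by MAC, 2h window :", ips_excluded_by_mac())
```

On this sample only the 2-hour MAC-by-IP check fires: the three IPs arrive 12 and 16 minutes apart, so a 10-minute window never holds more than one of them, and no IP is ever seen with more than one MAC. Once a key is excluded it stays excluded here, which matches the reference-set behaviour of the blacklist rather than a rule that re-evaluates every event.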

40. Offense data has become corrupted, what option should an IBM Security QRadar SIEM V7.2.8
Administrator consider to recover the offenses?
A. Use Clean SIM option
B. Log out and Log back in
C. Use Revert Offenses option
D. Restore the most recent backup archive

41. An Administrator will add a secondary host to an IBM Security QRadar SIEM V7.2.8 Console in a
High Availability (HA) deployment scenario. After checking the compatibility between primary
and secondary HA pairs, what other prerequisite should the Administrator check within
Managed Interfaces?
A. The shared external storage
B. The server certificate that is issued by the local CA
C. The existence of an additional distributed file system
D. The communication for Distributed Replicated Block Device

42. After downloading the <QRadar_patchupdate>.sfs file from Fix Central, what is the next step to
upgrade IBM Security QRadar SIEM V7.2.8?
A. Log in to the console as the Admin user > Admin tab > Advanced Menu > Clean SIM Model
B. Log in to the console as the Admin user > Admin tab > Advanced Menu > Upgrade option
C. Use SSH to log in to the system as the root user > Run the patch installer with the
following command : /media/updates/upgrade_qradar
D. Use SSH to log in to the system as the root user > copy the patch file to the /tmp
directory or to another location that has sufficient disk space

43. What is the maximum number of dashboards a user can create with IBM Security QRadar SIEM
V7.2.8?
A. 10
B. 25
C. 100
D. 255

44. How can an IBM Security QRadar SIEM V7.2.8 Administrator capture specific data to a reference
set when QRadar receives the data from events or flow data?
A. Create or modify a report so the required data is exported to a Reference Set
B. On the Admin tab, create or modify the reference set to capture the required data
C. On the Admin tab define a Custom Action to add the required data to a Reference Set
D. Create or modify a rule so the Rule Response will add the required data to Reference Set

45. Where are the logs for QFlow stored on IBM Security QRadar SIEM V7.2.8?
A. /var/log/qflow.debug
B. /opt/var/log/qflow/debug
C. /opt/log/qradar/qflow.debug
D. /opt/qradarr/log/qglow.debug

46. An Administrator working with IBM Security QRadar SIEM V7.2.8 needs to copy the data and
configuration backup file from the previous day to an off-site location. What is the default
location where the files can be found?
A. /store/backup
B. /store/exports
C. /store/postgres
D. /stroe/backupHost

47. What is the Events Per Second (EPS) basic license limit on an IBM Security QRadar V7.2.8 2100
hardware appliance?
A. 200
B. 1000
C. 2500
D. 10000

48. An Administrator needs to see Events per Second (EPS) and Flows per Minute (FPM) coming into
IBM Security QRadar SIEM V7.2.8 through a dashboard. How could this be accomplished?
A. Download the dashboard from IBM Security App Exchange
B. Go to CLI and run the Script /opt/qradar/bin/createdashboard.sh
C. Select any dashboard and customize it. Add a system summary item
D. Create a new dashboard and then go to admin tab. Add item into the dashboard created

49. An Administrator using IBM Security QRadar SIEM V7.2.8 is using the following RegEx:
([-+]?\d*$) What type of information is it designed to extract?
A. Integer
B. IP address
C. Port number
D. Domain name
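The pattern in question 49 appears on the page as ([-+]?d*$); the backslash of \d has almost certainly been lost in extraction, and the example below assumes the intended pattern is ([-+]?\d*$). This is an added example, not from the page, that runs the pattern over constructed payload fragments so its capture behaviour can be checked rather than guessed, and puts a stricter variant beside it for comparison.

```python
"""What ([-+]?\\d*$) actually captures, and where it is loose.

Added example, not from the page. The pattern is assumed to be the exam's
([-+]?\\d*$) with its backslash restored; the inputs are constructed.
"""
import re

# Optional sign, zero or more digits, anchored to the end of the input only.
PATTERN = re.compile(r"([-+]?\d*$)")

# Stricter variant for comparison: whole-value anchor and at least one digit,
# so an IP address, a bare domain or an empty payload no longer "matches".
STRICT = re.compile(r"^([-+]?\d+)$")


def extract(payload):
    """Return the capture group of the first match of PATTERN, or None."""
    m = PATTERN.search(payload)
    return m.group(1) if m else None


def extract_strict(payload):
    """Return the capture group of STRICT on the whole payload, or None."""
    m = STRICT.match(payload)
    return m.group(1) if m else None


# Constructed inputs with the capture PATTERN produces for each.
SAMPLES = {
    "42": "42",
    "-17": "-17",
    "+8": "+8",
    "count=1200": "1200",     # $ anchors the end only; the prefix is skipped
    "port 443": "443",
    "192.168.1.10": "10",     # an IP is not captured whole: only the last octet
    "example.com": "",        # \d* permits zero digits: empty capture, not None
    "": "",
}


def check_all(samples=SAMPLES):
    """Map each sample payload to what PATTERN extracts from it."""
    return {s: extract(s) for s in samples}


if __name__ == "__main__":
    for payload, got in check_all().items():
        print(f"{payload!r:16} loose={got!r:8} strict={extract_strict(payload)!r}")
```

The loose pattern is a trailing signed integer extractor: it never captures an IP address or a domain, but because of \d* it matches every input, returning an empty string where there are no digits. In a custom property or log source extension that distinction matters, since an empty capture is a successful match and will not fall through to a default or flag a parsing failure the way a non-match would.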

50. What procedure does a user of IBM Security QRadar SIEM V7.2.8 need to follow to delete a
dashboard?
A. Click the “Dashboard” tab.
From the Show Dashboard list box, select the dashboard that you want to delete.
On the toolbar, click “Delete Dashboard”. Click “Yes”.
B. Click the “Dashboard” tab.
From the Show Dashboard list box, select the dashboard that you want to delete.
On the toolbar, click “Remove Dashboard”. Click “Yes”.
C. Click the “Dashboard” tab.
On the toolbar, click “Delete a Dashboard”.
From the Delete a Dashboard window, select the dashboard that you want to delete.
Click “Yes”.
D. Click the “Dashboard” tab.
From the Show Dashboard list box, select the dashboard that you want to delete.
On the toolbar, click “Delete Dashboard for a user”.
On the user selection menu, select the user you want to delete from the dashboard and
click “Okay”.
Click “Yes”.