IBM QRADAR SIEM Exam Exercise part 3

51. An Administrator of an IBM Security QRadar SIEM V7.2.8 deployment needs to exclude the mail servers from a custom rule. How would the Administrator complete this task?
A. Create a building block that includes the IP addresses of all mail servers, and use that building block in the custom rule to exclude those hosts.
B. Create several rules excluding each mail server. Place these rules with the custom rule in a master rule, making sure the custom rule is last in the sequence.
C. Create the custom rule. In the "Rule Response" section of the Rule Wizard, select the Trigger Scan option. Add the mail server IP addresses to the table and select exclude.
D. Create the custom rule. Create a Custom Action from the Admin tab to exclude the mail servers' IP addresses. In the "Rule Response" section of the Rule Wizard, select the Execute Custom Action option, selecting the appropriate Custom Action.

52. The Administrator of an IBM Security QRadar SIEM V7.2.8 deployment needs to determine which rules are most active in generating offenses. How would the Administrator accomplish this from the Offenses tab of the QRadar console?
A. Rules > Group > "Most Active Offense"
B. Rules > Rules > Offense Count to reorder the column in descending order.
C. All Offenses > All Offenses > Offense Count to reorder the column in descending order.
D. All Offenses > All Offenses > Event to reorder the column in descending order. Use the Actions menu to view the rule information for a specific offense.

53. An IBM Security QRadar SIEM V7.2.8 Administrator will install a High Availability (HA) pair of appliances. The primary and secondary hosts are formatted with the same file system. To ensure compatibility between hosts, which statement is considered a prerequisite?
A. The size of the /home partition on the secondary must be larger than the /home partition of the primary.
B. The size of the /var/opt/ha partition on the secondary must be larger than the /var/opt/ha partition of the primary.
C. The size of the /store partition on the secondary must be smaller than the /store partition of the primary.
D. The size of the /store partition on the secondary must be equal to or larger than the /store partition of the primary.

54. When replacing a Console appliance in an IBM Security QRadar SIEM V7.2.8 deployment using a new IP address or host name, what must be the same on the two Console appliances?
A. The amount of storage must be the same.
B. The Basic and Upgrade licenses must be the same.
C. The software versions of both appliances must match.
D. The network configuration and protocol must be the same.

55. Which is an officially supported operating system for IBM Security QRadar SIEM V7.2.8 installations on customer-supplied hardware?
A. Ubuntu Linux
B. Windows 2012
C. Fedora Linux
D. Red Hat Enterprise Linux

56. An Administrator working with a customer looking to add IBM Security QRadar V7.2.8 into their network has some requirements. The customer is looking to have 40Tb of raw storage space for events and console data. Which appliances allow this requirement to be met?
A. QRadar 3128 Console + QRadar 1410 Data Node
B. QRadar 3128 Console + QRadar 1400 Data Node
C. QRadar 3118 Console + QRadar 1410 Data Node
D. QRadar 3128 Console + QRadar Flow Processor 1728

57. When it comes to licensing, what is the difference between Events and Flows and how they are licensed?
A. Flows are licensed based on overall count per minute, whereas Events are licensed based on overall count per second.
B. Flows are licensed based on overall count per second, whereas Events are licensed based on overall count per minute.
C. Flows and Events are both licensed by overall count per minute under an Upgrade License and per second under a Basic License.
D. Flows and Events are both licensed by overall count per second under an Upgrade License and per second under a Basic License.

58. Which AQL query, when run from IBM Security QRadar SIEM V7.2.8, will show EPS broken down by domain?
A. Select DOMAINNAME(domainid) as LogSource, sum(eventcount) / ((max(endTime) - min(startTime)) / 1000) as EPS from events group by domainid order by EPS desc last 24 hours
B. Select DOMAINNAME(domainqid) as LogSource, sum(eventcount) / ((max(endTime) - min(startTime)) / 1000) as EPS from events groups by domainqid order by FPM desc last 24 hours
C. Select DOMAINNAME(domainid) as LogSource, sum(events) / ((max(endTime) - min(StartTime)) / 1000) as EPS from events group by domainid order by FPM desc last 24 hours
D. Select DOMAINNAME(domainid) as LogSource, sum(event) / ((max(endtime) - min(startTime)) / 1000) as EPS from events group by domainid order by EPS desc last 24 hours

59. An IBM Security QRadar SIEM V7.2.8 Administrator needs to download a nightly configuration backup file from a past day through the Web Console. Which steps must be followed to achieve this?
A. Admin Tab > System Configuration > Backup and Recovery > Generate new backup > Save
B. Admin Tab > System Configuration > Backup and Recovery > Choose the name of an existing backup
C. Admin Tab > System Configuration > Backup and Recovery > Import New Backup > Select file extension > Save
D. Admin Tab > System Configuration > System Settings > Database Setting

60. An Administrator working within IBM Security QRadar SIEM V7.2.8 has a network hierarchy that cannot support any more network objects. To remedy this, they want to implement a supernet. Some of the customer CIDRs are:
- 209.60.128.0/24
- 209.60.129.0/24
- 209.60.130.0/24
- 209.60.131.0/24
Which supernet should be used to shrink the number of network objects for the supplied group of CIDRs?
A. 209.60.128.0/22
B. 209.60.129.0/23
C. 209.60.128.0/23
D. 209.60.127.0/27