2
2
2
Exam : C1000-026
Version : V8.02
1 / 18
The safer , easier way to help you pass any IT exams.
1.An administrator needs to import data into QRadar for a specific use case. The data that has been
provided to the administrator is stored in records that map a key to a value.
Which type of data collection must the administrator create?
A. Reference set
B. Reference map of sets
C. Reference map
D. Reference map of maps
Answer: B
Explanation:
Reference:
https://www.ibm.com/support/knowledgecenter/en/SS42VS_7.3.2/com.ibm.qradar.doc/t_qradar_conifig_r
ul_resp_reference_set.html
3.An administrator needs to collect logs from the Command Line Interface (CLI).
Which command should the administrator use?
A. /opt/bin/qradar/support/get_logs.sh
B. /opt/support/get_logs.sh
C. /opt/support/qradar/get_logs.sh
D. /opt/qradar/support/get_logs.sh
Answer: D
Explanation:
Reference:
https://www.ibm.com/support/pages/getting-help-what-information-should-be-submitted-qradar-
service-request
4.To comply with specific regulations, an administrator has been requested to increase asset retention to
365 days.
In which QRadar section can the administrator find the asset retention settings?
A. Admin Tab / Asset Retention
B. Assets Tab / Retention settings
C. Admin Tab / System settings
D. Assets Tab / Asset Retention
Answer: C
Explanation:
2 / 18
The safer , easier way to help you pass any IT exams.
Reference:
https://www.ibm.com/support/knowledgecenter/en/SS42VS_7.3.2/com.ibm.qradar.doc/t_qradar_adm_as
set_tuning_ip_retention.html
5.A QRadar administrator added High Availability (HA) to the Event Processor and needs to verify the
crossover link status between the primary and secondary hosts.
Which commands can be used to verify the crossover status? (Choose two.)
A. /opt/qradar/ha/bin/ha_getstate.sh
B. /opt/qradar/ha/bin/getStatus crossover
C. /opt/qradar/ha/bin/qradar_nettune.pl crossover status
D. /opt/qradar/ha/bin/qradar_nettune.pl linkaggr <interface> status
E. /opt/qradar/ha/bin/ha cstate
F. cat /proc/drbd
Answer: CF
Explanation:
Reference: https://www.ibm.com/developerworks/community/forums/html/topic?id=5c01c198-016d-461b-
a648-a87cdc445768
6.Which event routing rule is required to add QRadar Data Store (QDS) capability to a deployment?
A. Log Only (exclude Analytics)
B. Delete data When storage space is required
C. Bypass Correlation
D. Delete data immediately after the retention period has expired
Answer: A
Explanation:
Reference:
https://www.ibm.com/support/knowledgecenter/en/SS42VS_7.3.2/com.ibm.qradar.doc/t_qradar_adm_dat
a_store.html
8.An administrator needs to import a list of HR staff logins into a reference set.
Which file type can be used with the import function in the reference set editor window?
A. xml
3 / 18
The safer , easier way to help you pass any IT exams.
B. csv
C. xls
D. json
Answer: B
Explanation:
Reference:
https://www.ibm.com/support/knowledgecenter/en/SS42VS_7.3.2/com.ibm.qradar.doc/c_qradar_adm_ref
data_ui.html
9.An administrator is about to integrate logs from a custom firewall in a QRadar deployment using syslog.
The SIEM has two domains, namely Domain A and Domain B.
While reviewing the following sample logs, the administrator notices a “context” keyword:
May 14 11:05:01 192.168.1.23 20190514 11:05:00 context=contextA permit 192.168.1.24 source:
10.10.1.15; source_port: 64094; destination: 10.10.13.34; service: 53; protocol: udp;
May 13 12:07:01 192.168.1.23 20190513 11:07:00 context=contextB permit 192.168.1.25 source:
10.10.1.15; source_port: 64094; destination: 10.10.13.34; service: 53; protocol: udp;
Which options assign the “contextA” logs to DomainA and the “contextB” logs to domain B? (Choose two.)
A. Create a single log source, create a “Context” custom event property, and assign the log to both
domains using a custom rule.
B. Create two individual log sources by configuring a separated logging instance for each context on the
firewall and assign each log source to the correct domain.
C. Create a single log source, create a “Context” custom event property, and assign the log to the correct
domain using custom event property value.
D. Create two individual log sources using the context value as log source identifier and assign each log
source to the correct domain.
E. Create a single log source, create a “Context” custom event property, and assign the log to the correct
domain using a custom rule.
Answer: BD
10.An administrator plans to deploy multiple log sources that share a common configuration.
How many log sources can be added at one time?
A. 1000
B. 750
C. 250
D. 500
Answer: D
Explanation:
Reference:
https://www.ibm.com/support/knowledgecenter/SS42VS_DSM/com.ibm.dsm.doc/t_logsource_bulkadd.ht
ml
11.An administrator needs to add the following networks to a QRadar network hierarchy as a single
Classless Inter-Domain Routin (CIDR) range:
192.168.64.0/24
4 / 18
The safer , easier way to help you pass any IT exams.
192.168.65.0/24
192.168.66.0/24
192.168.67.0/24
What is the correct supernet for these subnets?
A. Network 192.168.66.0 with subnet mask 255.255.252.0
B. Network 192.168.64.0 with subnet mask 255.255.252.0
C. Network 192.168.64.0 with subnet mask 255.255.255.0
D. Network 192.168.66.0 with subnet mask 255.255.252.0
Answer: C
12.Due to regulatory constraints, an administrator must increase the minimum password length and
complexity.
In which QRadar section can the administrator change this setting?
A. Admin / System settings
B. Admin / Password policy
C. Admin / Security profiles
D. Admin / Authentication
Answer: B
Explanation:
Reference:
https://www.ibm.com/support/knowledgecenter/en/SSHLHV_5.4.0/com.ibm.alps.doc/tasks/alps_configuri
ng_admin_settings.htm
13.Which log should be reviewed to determine the reasons a patch installer did not proceed during a
QRadar upgrade?
A. /var/log/qradar.audit
B. /var/log/qradar.log
C. /var/log/setup-*/patches.log
D. /var/log/upgrade.log
Answer: C
Explanation:
Reference: https://www.ibm.com/support/pages/qradar-unable-run-patch-installer-and-update-exits-
screen-terminating-message
5 / 18
The safer , easier way to help you pass any IT exams.
https://www.ibm.com/support/knowledgecenter/en/SS42VS_7.3.0/com.ibm.qradar.doc/c_qradar_adm_lic
ense_mgmt.html
16.An administrator needs to upgrade their QRadar environment. The administrator has downloaded the
Patchupdate File from Fixcentral and transferred this Image to the Appliance.
Which commands does the administrator need to run to start the upgrade process?
A. 1. cd/medial/updates
2. systemctl stop Qradar
3. Qradar.sh upgrade all
4. systemctl reboot
B. 1. mount –o loop –t squashfs XX_patchupdate.sfs /media/updates
2. cd /media/updates
3. /installer
C. 1. cd /media/updates
2. yum update XX_patchupdate.sfs
D. 1. patch XX_patchupdate.sfs
Answer: B
17.An administrator has to change the system hardware clock of the QRadar server. The administrator
has already restarted the main services (hostservices, tomcat, hostcontext) and needs to synchronize the
QRadar Console time with the QRadar managed hosts.
Which command can the administrator use to accomplish this?
A. /opt/qradar/support/all_servers.sh systemctl restart systemd-timedated.service
B. /opt/qradar/support/all_servers.sh /opt/qradar/bin/time_sync.sh
C. /sbin/hwclock –systohc /opt/qradar/bin/time_sync.sh
D. /opt/qradar/support/all_servers.sh service ntpd restart
Answer: B
Explanation:
Reference: https://www.ibm.com/support/pages/qradar-configuring-ntp-settings-qradar-appliance
18.An administrator has been tasked to create a saved search that shows a list of multiple login failures
for a single user by username.
The administrator has done the following:
6 / 18
The safer , easier way to help you pass any IT exams.
19.An administrator needs to extract a property from an intrusion detection system (IDS) log. Using a
regular expression, the administrator wants to extract a specific part of the log showing the matching
“policy ID” of the IDS.
Which type of property must the administrator create?
A. Custom event property
B. Custom flow property
C. Custom asset property
D. Normalized event property
Answer: D
20.A company has two different domains in their IBM QRadar system: Domain_A and Domain_B. An
administrator has been tasked to create a rule to look only at events that are tagged with Domain_A and
ignore rules that are tagged with the other domains.
What domain text should the administrator use to create this rule?
A. is from domain: Domain_A
B. from domain: Domain_A
C. domain is: Domain_A
D. domain is one of: Domain_A
Answer: D
Explanation:
Reference:
https://www.ibm.com/support/knowledgecenter/en/SS42VS_7.3.1/com.ibm.qradar.doc/c_domain_specifi
c_rules_offenses.html
7 / 18
The safer , easier way to help you pass any IT exams.
24.An administrator has been asked to configure a new QRadar console high availability (HA)
deployment. Both the primary and secondary consoles have been installed with the QRadar software.
What should the administrator do to complete the HA configuration?
A. Add the secondary console to the deployment, and then create the HA host.
B. Reinstall the QRadar software on the secondary console using an “HA Recovery Setup”.
C. Select “Secondary Host” on the wizard when adding the secondary host to the deployment.
D. Create the HA host to add the secondary console to the deployment.
Answer: A
Explanation:
Reference: https://www.ibm.com/support/knowledgecenter/SS42VS_7.3.1/com.ibm.qradar.doc/
b_qradar_ha_guide.pdf
25.A custom rule is generating events reporting that a specific user is failing to login too many times in the
last 5 minutes. The administrator opens the event details to investigate the anomaly associated with the
events but finds that no Anomaly details pane is shown.
What is the reason?
The events were generated by:
A. a Behavioral Detection Rule
B. an Anomaly Detection Rule
C. a Threshold Detection Rule
D. a standard Custom Rule
Answer: B
8 / 18
The safer , easier way to help you pass any IT exams.
Explanation:
Reference: http://www.siem.su/docs/ibm/Administration_and_introduction/User_Guide.pdf
26.An administrator may be asked to collect diagnostic information on one of our main services.
For example, ecs-ec.
Commands such as:
/opt/qradar/support/thredtop.sh
/opt/qradar/support/jmx.sh
These commands collect thread and statistical information on the Services pipeline, queues and filters.
How would an administrator identify a list of jmx ports for each service?
A. grep JMXPORT /opt/qradar/init/*
B. grep JMXPORT /opt/qradar/systemd/env/*
C. grep JMXPORT /opt/qradar/system/bin/*
D. grep JMXPORT /opt/qradar/system/mem/*
Answer: B
27.Which event QID test is used to send an email as a rule response when disk usage reaches a
threshold?
A. (38750076) Disk Sentry Reached Warn threshold
B. (38750076) Disk Sentry Disk Usage Exceeded Warning threshold levels
C. (38750076) Disk Usage Exceeded Warn threshold
D. (38750076) Disk Sentry Disk Usage Exceeded Warn threshold
Answer: B
Explanation:
Reference:
https://www.ibm.com/support/pages/qradar-configuring-qradar-remote-alerts-about-disk-usage
28.Which app should be used for monitoring QRadar performance and health?
A. QRadar Deployment Intelligence
B. QRadar Monitoring Intelligence
C. QRadar Extension Management
D. QRadar Performance Overview
Answer: A
Explanation:
Reference:
https://www.ibm.com/support/knowledgecenter/en/SSKMKU/com.ibm.QDIapp.doc/c_qapps_QDI_intro.ht
ml
29.An administrator modified a configuration setting in the Global System Notifications using the QRadar
Console Admin tab.
What is the last step to apply changes?
A. Reload Web Server
B. Restart Services
C. Re-login to QRadar console
9 / 18
The safer , easier way to help you pass any IT exams.
D. Deploy Changes
Answer: D
30.An administrator wants to have all QRadar apps running on a new App Host that was configured to
have dedicated CPU, storage and memory resources for the Apps. Several issues were presented during
the installation of the App Host.
To troubleshoot, what should the administrator check?
A. If the completion of the /opt/qradar/check_app_host.sh script was successful
B. If port 5000 is opened on the console
C. If an IP table entry was already created to allow traffic from the App Host IP
D. If IP tables are disabled on the console
Answer: B
Explanation:
Reference:
https://www.ibm.com/support/knowledgecenter/en/SS42VS_7.3.2/com.ibm.qradar.doc/c_adm_apphost.h
tml
31.An administrator needs to combine multiple extraction and calculation-based properties into a single
property.
Which Ariel Query Language (AQL) statement can be used?
A. AQL-based custom properties
B. AQL functions and SELECT, FROM, or database names
C. AQL functions and AQL-based custom properties
D. AQL functions
Answer: A
Explanation:
Reference:
https://www.ibm.com/support/knowledgecenter/en/SS42VS_7.3.2/com.ibm.qradar.doc/c_aql_whatsnew_
731.html
32.After fixing the assets that contributed to the asset growth deviation, an administrator needs to find the
asset artifacts that have to be cleaned up.
What action should the administrator take to find the artifacts?
A. On the “Log Activity” tab, run the “Deviating Asset Growth: Asset Report event search”
B. On the Admin Tab, select System Configuration --> Asset Profiler Configuration
C. Run the ./cleanAssets.sh --list command
D. On the Asset tab, run the “Clean Assets” action
Answer: A
Explanation:
Reference:
https://www.ibm.com/support/knowledgecenter/en/SS42VS_7.3.2/com.ibm.qradar.doc/t_qradar_adm_as
sets_deleting_invalid_assets.html
33.An administrator has been tasked to run all health checks at once using the DrQ command before a
10 / 18
The safer , easier way to help you pass any IT exams.
35.An administrator needs to complete the upgrade process from V7.3.1 to V7.3.2.
What is the correct procedure?
A. Copy the ISO file extension to the recommended directories and use this file
B. Use the ISO file to execute the upgrade process
C. Do a clean installation using the ISO file on a bootable USB device
D. Copy the SFS file extension to the recommended directories and use this file
Answer: D
Explanation:
Reference:
https://www.ibm.com/support/knowledgecenter/SS42VS_7.3.2/com.ibm.qradar.doc/t_qradar_up_ugrad_s
ys.html
36.An administrator would like to categorize discovered assets by port definitions and add this information
to a server type building block for further use.
Which QRadar Console functionality should the administrator use?
A. Assets Tab – Actions - Scan
B. Assets Tab – Server Discovery
C. Admin Tab – Auto Update
D. Admin – Scheduled Scans
Answer: B
Explanation:
Reference:
https://www.ibm.com/support/knowledgecenter/SS42VS_7.3.1/com.ibm.qradar.doc/b_qradar_tuning_gui
11 / 18
The safer , easier way to help you pass any IT exams.
de.pdf
37.An administrator wants to upload a file with information related to network hierarchy instead of using
the GUI wizard.
How can the administrator do this?
A. Install application “Network Hierarchy Management for QRadar”
B. Upload file using REST API
C. Modify /opt/qradar/conf/remotenet.conf
D. Use upload button in Network Hierarchy wizard
Answer: A
Explanation:
Reference: https://www.ibm.com/support/pages/qradar-restoring-network-hierarchy-using-network-
hierarchy-management-qradar-app-updated
38.What should an administrator do to successfully upgrade an IBM Security QRadar system from an
older version?
A. Verify the upgrade path, and review the software, hardware and high availability requirements.
B. Verify the upgrade path and update the QRadar apps.
C. Review the release notes and review the architecture.
D. Review the software, hardware and high availability requirements, and consider to update the firmware
on IBM Security QRadar appliances.
Answer: A
Explanation:
Reference:
https://www.ibm.com/support/knowledgecenter/SS42VS_7.3.2/com.ibm.qradar.doc/b_qradar_upgrade.p
df (9)
39.An administrator has reviewed the list of new features in the QRadar V7.3.2 release notes, and
decides to upgrade their system to this version.
What is the minimum supported version that the administrator can upgrade from?
A. 7.2.6
B. 7.3.0
C. 7.3.1
D. 7.2.8
Answer: A
Explanation:
Reference: https://www.ibm.com/support/pages/release-qradar-v732-sfs-73220190201201121
40.A company has several appliances and the administrator needs to copy a file to all appliances to run
some tests to verify the integrity of the processes. The /opt/qradar/support/all_servers.sh script can be
used to issue commands to all QRadar appliances within the deployment.
What option must be used with the script to copy the file to all appliances in the deployment?
A. /opt/qradar/support/all_servers.sh -p
B. /opt/qradar/support/all_servers.sh -k
12 / 18
The safer , easier way to help you pass any IT exams.
C. /opt/qradar/support/all_servers.sh -C
D. /opt/qradar/support/all_servers.sh -g
Answer: A
Explanation:
Reference: https://www-01.ibm.com/support/docview.wss?uid=swg21998517
42.When an administrator attempts to edit a log source after upgrading QRadar, a Device Support Module
(DSM), a protocol, or Vulnerability Information Services (VIS) components, the following error message
appears.
An error has occurred. Refresh your browser (press F5) and attempt the action again. If theproblem
persists, please contact customer support for assistance.
What action should the administrator take to troubleshoot this issue? (Choose two.)
A. systemctl restart snmpd
B. systemctl restart iptables
C. systemctl restart ecs-ep
D. systemctl start tomcat
E. systemctl restart httpd
F. Clear browser cache
Answer: DF
Explanation:
Reference:
https://www.ibm.com/support/knowledgecenter/en/SS42VS_7.3.0/com.ibm.qradar.doc/t_QRadar_Troubl
eshooting_guide_PurgeFiles.html
43.What is the minimum memory in gigabyte (GB) required for a QRadar All-in-One Virtual 3199
appliance?
A. 128
B. 32
C. 24
D. 16
Answer: B
Explanation:
13 / 18
The safer , easier way to help you pass any IT exams.
Reference:
https://www.ibm.com/support/knowledgecenter/en/SS42VS_7.3.1/com.ibm.qradar.doc/c_qradar_ha_vrt_
ap_reqs.html
44.An administrator needs to develop advanced filters to retrieve information from the QRadar System
pertaining to the top abnormal events of the most bandwidth-intensive IP addresses.
How can the administrator do this?
A. Build an AQL query using the QRadar Scratchpad
B. Combine GROUP BY and ORDER BY clauses in a single query
C. Use the IBM DataStudio to create the query
D. Build an AQL query using the QRadar GUI using Assets > Search Filter
Answer: B
Explanation:
Reference:
https://www.ibm.com/support/knowledgecenter/SS42VS_7.3.1/com.ibm.qradar.doc/b_qradar_aql.pdf (21)
45.An administrator needs to save the nightly QRadar backups on a network storage.
The administrator has established the connection to the network storage.
What should the administrator do next?
A. Change the Backup Repository Path to the network storage location using the Backup Recovery
Configuration window.
B. Change the Backup Repository Path by adding a new Network Activity Rule.
C. Change the Backup Repository Path to the network storage location using the System Settings
window.
D. Configure the new network storage using the Assets Manager
Answer: A
Explanation:
Reference:
http://ftpmirror.your.org/pub/misc/ftp.software.ibm.com/software/security/products/qradar/documents/7.2.
8/en/b_qradar_admin_guide.pdf (146)
46.Which IBM monitoring application can be used to see detailed health and status information at the
application, middleware, and system level?
A. QRadar Deployment Intelligence App
B. QRadar Operations App
C. QRadar Assistant App
D. QRadar Advisor With Watson App
Answer: A
Explanation:
Reference:
https://www.ibm.com/support/knowledgecenter/en/SSKMKU/com.ibm.QDIapp.doc/c_qapps_QDI_intro.ht
ml
47.An administrator logs in to the Offenses tab and finds a large number of new Offenses that need
14 / 18
The safer , easier way to help you pass any IT exams.
action.
What column in the list of Offenses should the administrator use to prioritize them?
A. Magnitude
B. Offense Type
C. Source IPs
D. Last Event/Flow
Answer: A
Explanation:
Reference:
https://www.ibm.com/support/knowledgecenter/SS42VS_7.3.2/com.ibm.qradar.doc/b_qradar_users_guid
e.pdf (43)
49.An administrator enters the QRadar web console into a web browser but does not get a response.
Which process is responsible for the QRadar GUI?
A. tomcat
B. consoled
C. magistrated
D. guid
Answer: A
Explanation:
Reference: https://www.ibm.com/support/pages/qradar-core-services-and-impact-when-restarted
50.What happens if QRadar receives events at a higher rate than the license allows?
A. The events will be put into queues
B. The source system will be asked to resend the events later
C. The events will not be parsed
D. The events will be dropped immediately
Answer: A
Explanation:
Reference: https://www.ibm.com/support/pages/qradar-event-and-flow-burst-handling-buffer
51.An administrator would like to add a new managed host which uses an existing Network Address
Translation (NAT).
Which parameters have to be provided if “Host is NATed” is chosen while adding a managed host?
A. Select Network Attached Telemetric, Enter MAC address of the server or appliance to add
15 / 18
The safer , easier way to help you pass any IT exams.
52.An administrator is tasked to reduce data volumes in the asset database and reduce stale data
contributing to asset growth deviation.
How can the administrator tune the configuration of the Asset Profiler?
A. In the System Configuration section of the Admin, access the Asset Profile Configuration and reduce
the retention values for the Asset Profiler Retention Configuration and Save. Next, deploy the changes
into the environment for the updates to take effect.
B. In the System Configuration section of the Admin, access the Asset Profile Configuration and increase
the retention values for the Asset Profiler Retention Configuration and Save. Next, deploy the changes
into the environment for the updates to take effect.
C. On the navigation menu, click Admin, click the Asset Profile Configuration and reduce the retention
values for the Asset Profiler Retention Configuration and Save. On the navigation menu, click Admin and
from the Advanced menu, click Restart Event Collection Services. Next, deploy the changes into the
environment for the updates to take effect.
D. In the System Configuration section of the Admin, access the Asset Profile Configuration and increase
the retention values for the Asset Profiler Retention Configuration and Save. On the navigation menu,
click Admin and from the Advanced menu, click Restart Event Collection Services. Next, deploy the
changes into the environment for the updates to take effect.
Answer: B
Explanation:
Reference:
https://www.ibm.com/support/knowledgecenter/en/SS42VS_7.3.2/com.ibm.qradar.doc/t_qradar_adm_as
set_tuning_ip_retention.html
53.An administrator would like to extend the functionality of QRadar using an external application.
Which file format is supported to successfully upload an application from the QRadar Console?
A. .zip
B. .tgz
C. .sh
D. .exe
Answer: A
Explanation:
Reference:
16 / 18
The safer , easier way to help you pass any IT exams.
https://www.ibm.com/support/knowledgecenter/en/SS42VS_7.3.1/com.ibm.appfw.doc/b_qradar_appfram
ework_devguide.pdf
55.An administrator logs into the QRadar Console to review the stored backup files. There is an
exclamation mark beside some files.
What is the cause of this?
A. Canceled backup files
B. Missing backup files
C. Corrupted backup files
D. Incomplete backup files
Answer: B
57.A QRadar upgrade is planned and a maintenance window is scheduled. The administrator must stage
the FIXPACK from IBM Fix Central.
Which QRadar FIXPACK file type must the administrator download?
A. RPM
B. IMG
C. SFS
17 / 18
The safer , easier way to help you pass any IT exams.
D. XFS
Answer: C
Explanation:
Reference:
https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Security&product=ibm/Oth
er+software/IBM+QRadar+Network +Insights&release=7.3.0&platform=Linux&function=all
58.An administrator installed a new App Host and would like to move the existing applications from the
Console to the App Host.
What steps should be performed?
A. Admin Tab > Extension Management > Click to change where apps are run
B. Admin Tab > System Settings > Move apps
C. Admin Tab > Extension Management > Move apps
D. Admin Tab > System and License Management > Click to change where apps are run
Answer: D
60.When troubleshooting issues with QRadar applications, which application Docker container log file can
be used to get more information about the apps?
A. /var/log/qradar.error
B. /var/log/qradar.log
C. /var/log/app.log
D. /store/log/app.log
Answer: D
Explanation:
Reference: https://www.ibm.com/developerworks/community/wikis/home?lang=en#!/wiki/24f91a23-846b-
483c-ba22-d78b95eed91e/page/d504c946-a9b0-4277-8e4f-bc554ac30e4e/versions
18 / 18