2

Download as pdf or txt
Download as pdf or txt
You are on page 1of 19

The safer , easier way to help you pass any IT exams.

Exam : C1000-026

Title : IBM Security QRadar SIEM


V7.3.2 Fundamental
Administration

Version : V8.02

1 / 18
The safer , easier way to help you pass any IT exams.

1.An administrator needs to import data into QRadar for a specific use case. The data that has been
provided to the administrator is stored in records that map a key to a value.
Which type of data collection must the administrator create?
A. Reference set
B. Reference map of sets
C. Reference map
D. Reference map of maps
Answer: B
Explanation:
Reference:
https://www.ibm.com/support/knowledgecenter/en/SS42VS_7.3.2/com.ibm.qradar.doc/t_qradar_conifig_r
ul_resp_reference_set.html

2.An administrator needs to know if a custom rule is being correlated correctly.


Which QRadar component is responsible for this process?
A. QRadar Event Collector
B. QRadar Console
C. Magistrate
D. QRadar Event Processor
Answer: D
Explanation:
Reference: https://www.ibm.com/support/pages/qradar-global-correlation

3.An administrator needs to collect logs from the Command Line Interface (CLI).
Which command should the administrator use?
A. /opt/bin/qradar/support/get_logs.sh
B. /opt/support/get_logs.sh
C. /opt/support/qradar/get_logs.sh
D. /opt/qradar/support/get_logs.sh
Answer: D
Explanation:
Reference:
https://www.ibm.com/support/pages/getting-help-what-information-should-be-submitted-qradar-
service-request

4.To comply with specific regulations, an administrator has been requested to increase asset retention to
365 days.
In which QRadar section can the administrator find the asset retention settings?
A. Admin Tab / Asset Retention
B. Assets Tab / Retention settings
C. Admin Tab / System settings
D. Assets Tab / Asset Retention
Answer: C
Explanation:

2 / 18
The safer , easier way to help you pass any IT exams.

Reference:
https://www.ibm.com/support/knowledgecenter/en/SS42VS_7.3.2/com.ibm.qradar.doc/t_qradar_adm_as
set_tuning_ip_retention.html

5.A QRadar administrator added High Availability (HA) to the Event Processor and needs to verify the
crossover link status between the primary and secondary hosts.
Which commands can be used to verify the crossover status? (Choose two.)
A. /opt/qradar/ha/bin/ha_getstate.sh
B. /opt/qradar/ha/bin/getStatus crossover
C. /opt/qradar/ha/bin/qradar_nettune.pl crossover status
D. /opt/qradar/ha/bin/qradar_nettune.pl linkaggr <interface> status
E. /opt/qradar/ha/bin/ha cstate
F. cat /proc/drbd
Answer: CF
Explanation:
Reference: https://www.ibm.com/developerworks/community/forums/html/topic?id=5c01c198-016d-461b-
a648-a87cdc445768

6.Which event routing rule is required to add QRadar Data Store (QDS) capability to a deployment?
A. Log Only (exclude Analytics)
B. Delete data When storage space is required
C. Bypass Correlation
D. Delete data immediately after the retention period has expired
Answer: A
Explanation:
Reference:
https://www.ibm.com/support/knowledgecenter/en/SS42VS_7.3.2/com.ibm.qradar.doc/t_qradar_adm_dat
a_store.html

7.An administrator is seeing the following system notification:


38750057 – A protocol source configuration may be stopping events from being collected.
What is a valid user action to this issue?
A. Re-install the QRadar Console
B. Review the /var/log/qradar.log file for more information
C. Restart the QRadar Console
D. Review the /var/log/error.log file for more information
Answer: D
Explanation:
Reference:
https://www.ibm.com/support/knowledgecenter/en/SS42VS_7.3.0/com.ibm.qradar.doc/38750057.html

8.An administrator needs to import a list of HR staff logins into a reference set.
Which file type can be used with the import function in the reference set editor window?
A. xml

3 / 18
The safer , easier way to help you pass any IT exams.

B. csv
C. xls
D. json
Answer: B
Explanation:
Reference:
https://www.ibm.com/support/knowledgecenter/en/SS42VS_7.3.2/com.ibm.qradar.doc/c_qradar_adm_ref
data_ui.html

9.An administrator is about to integrate logs from a custom firewall in a QRadar deployment using syslog.
The SIEM has two domains, namely Domain A and Domain B.
While reviewing the following sample logs, the administrator notices a “context” keyword:
May 14 11:05:01 192.168.1.23 20190514 11:05:00 context=contextA permit 192.168.1.24 source:
10.10.1.15; source_port: 64094; destination: 10.10.13.34; service: 53; protocol: udp;
May 13 12:07:01 192.168.1.23 20190513 11:07:00 context=contextB permit 192.168.1.25 source:
10.10.1.15; source_port: 64094; destination: 10.10.13.34; service: 53; protocol: udp;
Which options assign the “contextA” logs to DomainA and the “contextB” logs to domain B? (Choose two.)
A. Create a single log source, create a “Context” custom event property, and assign the log to both
domains using a custom rule.
B. Create two individual log sources by configuring a separated logging instance for each context on the
firewall and assign each log source to the correct domain.
C. Create a single log source, create a “Context” custom event property, and assign the log to the correct
domain using custom event property value.
D. Create two individual log sources using the context value as log source identifier and assign each log
source to the correct domain.
E. Create a single log source, create a “Context” custom event property, and assign the log to the correct
domain using a custom rule.
Answer: BD

10.An administrator plans to deploy multiple log sources that share a common configuration.
How many log sources can be added at one time?
A. 1000
B. 750
C. 250
D. 500
Answer: D
Explanation:
Reference:
https://www.ibm.com/support/knowledgecenter/SS42VS_DSM/com.ibm.dsm.doc/t_logsource_bulkadd.ht
ml

11.An administrator needs to add the following networks to a QRadar network hierarchy as a single
Classless Inter-Domain Routin (CIDR) range:
192.168.64.0/24

4 / 18
The safer , easier way to help you pass any IT exams.

192.168.65.0/24
192.168.66.0/24
192.168.67.0/24
What is the correct supernet for these subnets?
A. Network 192.168.66.0 with subnet mask 255.255.252.0
B. Network 192.168.64.0 with subnet mask 255.255.252.0
C. Network 192.168.64.0 with subnet mask 255.255.255.0
D. Network 192.168.66.0 with subnet mask 255.255.252.0
Answer: C

12.Due to regulatory constraints, an administrator must increase the minimum password length and
complexity.
In which QRadar section can the administrator change this setting?
A. Admin / System settings
B. Admin / Password policy
C. Admin / Security profiles
D. Admin / Authentication
Answer: B
Explanation:
Reference:
https://www.ibm.com/support/knowledgecenter/en/SSHLHV_5.4.0/com.ibm.alps.doc/tasks/alps_configuri
ng_admin_settings.htm

13.Which log should be reviewed to determine the reasons a patch installer did not proceed during a
QRadar upgrade?
A. /var/log/qradar.audit
B. /var/log/qradar.log
C. /var/log/setup-*/patches.log
D. /var/log/upgrade.log
Answer: C
Explanation:
Reference: https://www.ibm.com/support/pages/qradar-unable-run-patch-installer-and-update-exits-
screen-terminating-message

14.An administrator has added a new Event Processor to a QRadar deployment.


How many events per second (EPS) are granted from the temporary license and how many days will
those EPS last?
A. 10000 EPS for a 35 day period
B. 5000 EPS for a 45 day period
C. 10000 EPS for a 45 day period
D. 5000 EPS for a 35 day period
Answer: D
Explanation:
Reference:

5 / 18
The safer , easier way to help you pass any IT exams.

https://www.ibm.com/support/knowledgecenter/en/SS42VS_7.3.0/com.ibm.qradar.doc/c_qradar_adm_lic
ense_mgmt.html

15.How many default dashboards does QRadar have?


A. 4
B. 5
C. 7
D. 6
Answer: B
Explanation:
Reference:
https://www.ibm.com/support/knowledgecenter/SS42VS_7.3.0/com.ibm.qradar.doc/c_qradar_customize_
dboard.html

16.An administrator needs to upgrade their QRadar environment. The administrator has downloaded the
Patchupdate File from Fixcentral and transferred this Image to the Appliance.
Which commands does the administrator need to run to start the upgrade process?
A. 1. cd/medial/updates
2. systemctl stop Qradar
3. Qradar.sh upgrade all
4. systemctl reboot
B. 1. mount –o loop –t squashfs XX_patchupdate.sfs /media/updates
2. cd /media/updates
3. /installer
C. 1. cd /media/updates
2. yum update XX_patchupdate.sfs
D. 1. patch XX_patchupdate.sfs
Answer: B

17.An administrator has to change the system hardware clock of the QRadar server. The administrator
has already restarted the main services (hostservices, tomcat, hostcontext) and needs to synchronize the
QRadar Console time with the QRadar managed hosts.
Which command can the administrator use to accomplish this?
A. /opt/qradar/support/all_servers.sh systemctl restart systemd-timedated.service
B. /opt/qradar/support/all_servers.sh /opt/qradar/bin/time_sync.sh
C. /sbin/hwclock –systohc /opt/qradar/bin/time_sync.sh
D. /opt/qradar/support/all_servers.sh service ntpd restart
Answer: B
Explanation:
Reference: https://www.ibm.com/support/pages/qradar-configuring-ntp-settings-qradar-appliance

18.An administrator has been tasked to create a saved search that shows a list of multiple login failures
for a single user by username.
The administrator has done the following:

6 / 18
The safer , easier way to help you pass any IT exams.

1. Selected Last Hour in the view option.


2. In the Add filter window, selected the search parameter Custom Rule [Indexed].
3. Selected Equals for Operator.
4. Selected Authentication for Rule Group.
What is the next step the administrator needs to perform for the Rule option?
A. Select login failures followed by success to the same username
B. Select multiple login failures from the same source
C. Select multiple login failures to the same destination
D. Select multiple login failures for a single username
Answer: C

19.An administrator needs to extract a property from an intrusion detection system (IDS) log. Using a
regular expression, the administrator wants to extract a specific part of the log showing the matching
“policy ID” of the IDS.
Which type of property must the administrator create?
A. Custom event property
B. Custom flow property
C. Custom asset property
D. Normalized event property
Answer: D

20.A company has two different domains in their IBM QRadar system: Domain_A and Domain_B. An
administrator has been tasked to create a rule to look only at events that are tagged with Domain_A and
ignore rules that are tagged with the other domains.
What domain text should the administrator use to create this rule?
A. is from domain: Domain_A
B. from domain: Domain_A
C. domain is: Domain_A
D. domain is one of: Domain_A
Answer: D
Explanation:
Reference:
https://www.ibm.com/support/knowledgecenter/en/SS42VS_7.3.1/com.ibm.qradar.doc/c_domain_specifi
c_rules_offenses.html

21.What is a reason for restarting hostcontext service in QRadar?


A. A new user was created and it needs to be replicated
B. A new network hierarchy was uploaded
C. A new app was installed
D. The host is not responding to deploy requests
Answer: D
Explanation:
Reference: https://www.ibm.com/support/pages/qradar-restarting-hostcontext-q-switch

7 / 18
The safer , easier way to help you pass any IT exams.

22.Which of the following dashboards is a QRadar default Dashboard?


A. Compliance and Reporting Monitoring
B. Vulnerability Overview
C. Monitoring Overview
D. Threat and Security Monitoring
Answer: D
Explanation:
Reference:
https://www.ibm.com/support/knowledgecenter/en/SS42VS_7.3.2/com.ibm.qradar.doc/c_qrm_default_db
oard.html

23.A QRadar user reported the following notification:


38750099 – The accumulator was unable to aggregate all events/flows for this interval
When does this message appear?
A. When the aggregate data view configuration that is in memory is unable to write data to the database
B. When the system is unable to accumulate data aggregations within 60 seconds
C. When aggregated data views are disabled
D. When search results is unable to return over 200 unique objects
Answer: B
Explanation:
Reference: https://www.ibm.com/support/knowledgecenter/SSKMKU/com.ibm.qradar.doc/38750099.html

24.An administrator has been asked to configure a new QRadar console high availability (HA)
deployment. Both the primary and secondary consoles have been installed with the QRadar software.
What should the administrator do to complete the HA configuration?
A. Add the secondary console to the deployment, and then create the HA host.
B. Reinstall the QRadar software on the secondary console using an “HA Recovery Setup”.
C. Select “Secondary Host” on the wizard when adding the secondary host to the deployment.
D. Create the HA host to add the secondary console to the deployment.
Answer: A
Explanation:
Reference: https://www.ibm.com/support/knowledgecenter/SS42VS_7.3.1/com.ibm.qradar.doc/
b_qradar_ha_guide.pdf

25.A custom rule is generating events reporting that a specific user is failing to login too many times in the
last 5 minutes. The administrator opens the event details to investigate the anomaly associated with the
events but finds that no Anomaly details pane is shown.
What is the reason?
The events were generated by:
A. a Behavioral Detection Rule
B. an Anomaly Detection Rule
C. a Threshold Detection Rule
D. a standard Custom Rule
Answer: B

8 / 18
The safer , easier way to help you pass any IT exams.

Explanation:
Reference: http://www.siem.su/docs/ibm/Administration_and_introduction/User_Guide.pdf

26.An administrator may be asked to collect diagnostic information on one of our main services.
For example, ecs-ec.
Commands such as:
/opt/qradar/support/thredtop.sh
/opt/qradar/support/jmx.sh
These commands collect thread and statistical information on the Services pipeline, queues and filters.
How would an administrator identify a list of jmx ports for each service?
A. grep JMXPORT /opt/qradar/init/*
B. grep JMXPORT /opt/qradar/systemd/env/*
C. grep JMXPORT /opt/qradar/system/bin/*
D. grep JMXPORT /opt/qradar/system/mem/*
Answer: B

27.Which event QID test is used to send an email as a rule response when disk usage reaches a
threshold?
A. (38750076) Disk Sentry Reached Warn threshold
B. (38750076) Disk Sentry Disk Usage Exceeded Warning threshold levels
C. (38750076) Disk Usage Exceeded Warn threshold
D. (38750076) Disk Sentry Disk Usage Exceeded Warn threshold
Answer: B
Explanation:
Reference:
https://www.ibm.com/support/pages/qradar-configuring-qradar-remote-alerts-about-disk-usage

28.Which app should be used for monitoring QRadar performance and health?
A. QRadar Deployment Intelligence
B. QRadar Monitoring Intelligence
C. QRadar Extension Management
D. QRadar Performance Overview
Answer: A
Explanation:
Reference:
https://www.ibm.com/support/knowledgecenter/en/SSKMKU/com.ibm.QDIapp.doc/c_qapps_QDI_intro.ht
ml

29.An administrator modified a configuration setting in the Global System Notifications using the QRadar
Console Admin tab.
What is the last step to apply changes?
A. Reload Web Server
B. Restart Services
C. Re-login to QRadar console

9 / 18
The safer , easier way to help you pass any IT exams.

D. Deploy Changes
Answer: D

30.An administrator wants to have all QRadar apps running on a new App Host that was configured to
have dedicated CPU, storage and memory resources for the Apps. Several issues were presented during
the installation of the App Host.
To troubleshoot, what should the administrator check?
A. If the completion of the /opt/qradar/check_app_host.sh script was successful
B. If port 5000 is opened on the console
C. If an IP table entry was already created to allow traffic from the App Host IP
D. If IP tables are disabled on the console
Answer: B
Explanation:
Reference:
https://www.ibm.com/support/knowledgecenter/en/SS42VS_7.3.2/com.ibm.qradar.doc/c_adm_apphost.h
tml

31.An administrator needs to combine multiple extraction and calculation-based properties into a single
property.
Which Ariel Query Language (AQL) statement can be used?
A. AQL-based custom properties
B. AQL functions and SELECT, FROM, or database names
C. AQL functions and AQL-based custom properties
D. AQL functions
Answer: A
Explanation:
Reference:
https://www.ibm.com/support/knowledgecenter/en/SS42VS_7.3.2/com.ibm.qradar.doc/c_aql_whatsnew_
731.html

32.After fixing the assets that contributed to the asset growth deviation, an administrator needs to find the
asset artifacts that have to be cleaned up.
What action should the administrator take to find the artifacts?
A. On the “Log Activity” tab, run the “Deviating Asset Growth: Asset Report event search”
B. On the Admin Tab, select System Configuration --> Asset Profiler Configuration
C. Run the ./cleanAssets.sh --list command
D. On the Asset tab, run the “Clean Assets” action
Answer: A
Explanation:
Reference:
https://www.ibm.com/support/knowledgecenter/en/SS42VS_7.3.2/com.ibm.qradar.doc/t_qradar_adm_as
sets_deleting_invalid_assets.html

33.An administrator has been tasked to run all health checks at once using the DrQ command before a

10 / 18
The safer , easier way to help you pass any IT exams.

major event happens, such as an upgrade.


What does the DrQ command do?
A. It runs all available checks in /opt/ibm/si/diagnostiq with the checkup mode and with the summary
output mode.
B. It shows all the available drives on the QRadar managed host.
C. It runs all available checks in /opt/ibm/si/diagnostiq and writes the results in a txt file.
D. It checks all the available drives on the QRadar managed host and writes the results on a txt file.
Answer: A
Explanation:
Reference:
https://www.ibm.com/support/knowledgecenter/en/SS42VS_7.3.2/com.ibm.qradar.doc/t_drq_running_he
alth_checks.html

34.An administrator needs to add, delete and modify user accounts.


When deleting a user, what dependency checks are carried out?
A. Custom Rules, Historical Correlation Profiles, Security Profiles
B. Custom Rules, Report and Search Criteria, Security Roles
C. Custom Rules, Security Profiles, Report and Search Criteria
D. Custom Rules, Report and Search Criteria, Historical Correlation Profiles
Answer: D

35.An administrator needs to complete the upgrade process from V7.3.1 to V7.3.2.
What is the correct procedure?
A. Copy the ISO file extension to the recommended directories and use this file
B. Use the ISO file to execute the upgrade process
C. Do a clean installation using the ISO file on a bootable USB device
D. Copy the SFS file extension to the recommended directories and use this file
Answer: D
Explanation:
Reference:
https://www.ibm.com/support/knowledgecenter/SS42VS_7.3.2/com.ibm.qradar.doc/t_qradar_up_ugrad_s
ys.html

36.An administrator would like to categorize discovered assets by port definitions and add this information
to a server type building block for further use.
Which QRadar Console functionality should the administrator use?
A. Assets Tab – Actions - Scan
B. Assets Tab – Server Discovery
C. Admin Tab – Auto Update
D. Admin – Scheduled Scans
Answer: B
Explanation:
Reference:
https://www.ibm.com/support/knowledgecenter/SS42VS_7.3.1/com.ibm.qradar.doc/b_qradar_tuning_gui

11 / 18
The safer , easier way to help you pass any IT exams.

de.pdf

37.An administrator wants to upload a file with information related to network hierarchy instead of using
the GUI wizard.
How can the administrator do this?
A. Install application “Network Hierarchy Management for QRadar”
B. Upload file using REST API
C. Modify /opt/qradar/conf/remotenet.conf
D. Use upload button in Network Hierarchy wizard
Answer: A
Explanation:
Reference: https://www.ibm.com/support/pages/qradar-restoring-network-hierarchy-using-network-
hierarchy-management-qradar-app-updated

38.What should an administrator do to successfully upgrade an IBM Security QRadar system from an
older version?
A. Verify the upgrade path, and review the software, hardware and high availability requirements.
B. Verify the upgrade path and update the QRadar apps.
C. Review the release notes and review the architecture.
D. Review the software, hardware and high availability requirements, and consider to update the firmware
on IBM Security QRadar appliances.
Answer: A
Explanation:
Reference:
https://www.ibm.com/support/knowledgecenter/SS42VS_7.3.2/com.ibm.qradar.doc/b_qradar_upgrade.p
df (9)

39.An administrator has reviewed the list of new features in the QRadar V7.3.2 release notes, and
decides to upgrade their system to this version.
What is the minimum supported version that the administrator can upgrade from?
A. 7.2.6
B. 7.3.0
C. 7.3.1
D. 7.2.8
Answer: A
Explanation:
Reference: https://www.ibm.com/support/pages/release-qradar-v732-sfs-73220190201201121

40.A company has several appliances and the administrator needs to copy a file to all appliances to run
some tests to verify the integrity of the processes. The /opt/qradar/support/all_servers.sh script can be
used to issue commands to all QRadar appliances within the deployment.
What option must be used with the script to copy the file to all appliances in the deployment?
A. /opt/qradar/support/all_servers.sh -p
B. /opt/qradar/support/all_servers.sh -k

12 / 18
The safer , easier way to help you pass any IT exams.

C. /opt/qradar/support/all_servers.sh -C
D. /opt/qradar/support/all_servers.sh -g
Answer: A
Explanation:
Reference: https://www-01.ibm.com/support/docview.wss?uid=swg21998517

41.An administrator enabled the base license of QRadar Vulnerability Manager.


How many assets can be scanned using this license?
A. up to 128
B. up to 256
C. up to 100
D. up to 512
Answer: B
Explanation:
Reference:
https://www.ibm.com/support/knowledgecenter/en/SS42VS_7.3.2/com.ibm.qradar.doc/c_qvm_deploy.ht
ml

42.When an administrator attempts to edit a log source after upgrading QRadar, a Device Support Module
(DSM), a protocol, or Vulnerability Information Services (VIS) components, the following error message
appears.
An error has occurred. Refresh your browser (press F5) and attempt the action again. If theproblem
persists, please contact customer support for assistance.
What action should the administrator take to troubleshoot this issue? (Choose two.)
A. systemctl restart snmpd
B. systemctl restart iptables
C. systemctl restart ecs-ep
D. systemctl start tomcat
E. systemctl restart httpd
F. Clear browser cache
Answer: DF
Explanation:
Reference:
https://www.ibm.com/support/knowledgecenter/en/SS42VS_7.3.0/com.ibm.qradar.doc/t_QRadar_Troubl
eshooting_guide_PurgeFiles.html

43.What is the minimum memory in gigabyte (GB) required for a QRadar All-in-One Virtual 3199
appliance?
A. 128
B. 32
C. 24
D. 16
Answer: B
Explanation:

13 / 18
The safer , easier way to help you pass any IT exams.

Reference:
https://www.ibm.com/support/knowledgecenter/en/SS42VS_7.3.1/com.ibm.qradar.doc/c_qradar_ha_vrt_
ap_reqs.html

44.An administrator needs to develop advanced filters to retrieve information from the QRadar System
pertaining to the top abnormal events of the most bandwidth-intensive IP addresses.
How can the administrator do this?
A. Build an AQL query using the QRadar Scratchpad
B. Combine GROUP BY and ORDER BY clauses in a single query
C. Use the IBM DataStudio to create the query
D. Build an AQL query using the QRadar GUI using Assets > Search Filter
Answer: B
Explanation:
Reference:
https://www.ibm.com/support/knowledgecenter/SS42VS_7.3.1/com.ibm.qradar.doc/b_qradar_aql.pdf (21)

45.An administrator needs to save the nightly QRadar backups on a network storage.
The administrator has established the connection to the network storage.
What should the administrator do next?
A. Change the Backup Repository Path to the network storage location using the Backup Recovery
Configuration window.
B. Change the Backup Repository Path by adding a new Network Activity Rule.
C. Change the Backup Repository Path to the network storage location using the System Settings
window.
D. Configure the new network storage using the Assets Manager
Answer: A
Explanation:
Reference:
http://ftpmirror.your.org/pub/misc/ftp.software.ibm.com/software/security/products/qradar/documents/7.2.
8/en/b_qradar_admin_guide.pdf (146)

46.Which IBM monitoring application can be used to see detailed health and status information at the
application, middleware, and system level?
A. QRadar Deployment Intelligence App
B. QRadar Operations App
C. QRadar Assistant App
D. QRadar Advisor With Watson App
Answer: A
Explanation:
Reference:
https://www.ibm.com/support/knowledgecenter/en/SSKMKU/com.ibm.QDIapp.doc/c_qapps_QDI_intro.ht
ml

47.An administrator logs in to the Offenses tab and finds a large number of new Offenses that need

14 / 18
The safer , easier way to help you pass any IT exams.

action.
What column in the list of Offenses should the administrator use to prioritize them?
A. Magnitude
B. Offense Type
C. Source IPs
D. Last Event/Flow
Answer: A
Explanation:
Reference:
https://www.ibm.com/support/knowledgecenter/SS42VS_7.3.2/com.ibm.qradar.doc/b_qradar_users_guid
e.pdf (43)

48.An administrator receives an expensive custom rule notification.


Which tool can now be enabled via the Advanced ‘System Settings’ – Custom Rule Settings to help
troubleshoot this?
A. Offense Analysis
B. Rule Analysis
C. Custom Rule Analysis
D. Performance Analysis
Answer: C

49.An administrator enters the QRadar web console into a web browser but does not get a response.
Which process is responsible for the QRadar GUI?
A. tomcat
B. consoled
C. magistrated
D. guid
Answer: A
Explanation:
Reference: https://www.ibm.com/support/pages/qradar-core-services-and-impact-when-restarted

50.What happens if QRadar receives events at a higher rate than the license allows?
A. The events will be put into queues
B. The source system will be asked to resend the events later
C. The events will not be parsed
D. The events will be dropped immediately
Answer: A
Explanation:
Reference: https://www.ibm.com/support/pages/qradar-event-and-flow-burst-handling-buffer

51.An administrator would like to add a new managed host which uses an existing Network Address
Translation (NAT).
Which parameters have to be provided if “Host is NATed” is chosen while adding a managed host?
A. Select Network Attached Telemetric, Enter MAC address of the server or appliance to add

15 / 18
The safer , easier way to help you pass any IT exams.

B. Select NATed network, Enter public IP of the server or appliance to add


C. Select NATed network, Enter MAC address of the server or appliance to add
D. Select Network Attached Telemetric, Enter public IP of the server or appliance to add
Answer: B
Explanation:
Reference:
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&ved=2ahUKEwihsu3Li5XmAhV
YwAIHHeCLDtoQFjAAegQIBhAC&url=https%3A%2F%2Fwww.ibm.com%2Fdeveloperworks%2Fcommu
nity%2Fforums%2Fajax%2Fdownload%2Fd5b20a5b-11bd-4a1d-b294-08ec138eb0e1%2F9d086dd8-ee
e9-4cbd-912d-26059ffdd0ca %2FQRadar_721_AdminGuide.pdf&usg=AOvVaw1GO4OmOjWV7uiyCLrd
E0FV

52.An administrator is tasked to reduce data volumes in the asset database and reduce stale data
contributing to asset growth deviation.
How can the administrator tune the configuration of the Asset Profiler?
A. In the System Configuration section of the Admin, access the Asset Profile Configuration and reduce
the retention values for the Asset Profiler Retention Configuration and Save. Next, deploy the changes
into the environment for the updates to take effect.
B. In the System Configuration section of the Admin, access the Asset Profile Configuration and increase
the retention values for the Asset Profiler Retention Configuration and Save. Next, deploy the changes
into the environment for the updates to take effect.
C. On the navigation menu, click Admin, click the Asset Profile Configuration and reduce the retention
values for the Asset Profiler Retention Configuration and Save. On the navigation menu, click Admin and
from the Advanced menu, click Restart Event Collection Services. Next, deploy the changes into the
environment for the updates to take effect.
D. In the System Configuration section of the Admin, access the Asset Profile Configuration and increase
the retention values for the Asset Profiler Retention Configuration and Save. On the navigation menu,
click Admin and from the Advanced menu, click Restart Event Collection Services. Next, deploy the
changes into the environment for the updates to take effect.
Answer: B
Explanation:
Reference:
https://www.ibm.com/support/knowledgecenter/en/SS42VS_7.3.2/com.ibm.qradar.doc/t_qradar_adm_as
set_tuning_ip_retention.html

53.An administrator would like to extend the functionality of QRadar using an external application.
Which file format is supported to successfully upload an application from the QRadar Console?
A. .zip
B. .tgz
C. .sh
D. .exe
Answer: A
Explanation:
Reference:

16 / 18
The safer , easier way to help you pass any IT exams.

https://www.ibm.com/support/knowledgecenter/en/SS42VS_7.3.1/com.ibm.appfw.doc/b_qradar_appfram
ework_devguide.pdf

54.An administrator needs to save a search to use it in the dashboards.


To do so, which search feature does the administrator need to select in the “Include in my Dashboard”
checkbox?
A. Filter events of the last 7 days
B. Filter events of the last month
C. Filter events of the last 5 minutes
D. Group by some property
Answer: D
Explanation:
Reference:
https://www.ibm.com/support/knowledgecenter/en/SS42VS_7.3.3/com.ibm.qradar.doc/b_qradar_users_g
uide.pdf (42)

55.An administrator logs into the QRadar Console to review the stored backup files. There is an
exclamation mark beside some files.
What is the cause of this?
A. Canceled backup files
B. Missing backup files
C. Corrupted backup files
D. Incomplete backup files
Answer: B

56.An administrator needs data backup.


What information is contained in the data backup?
A. Audit log information, Event data, Flow data, Report data, Indexes, Log sources
B. Audit log information, Event data, Indexes, Index management information, Flow data, Report data
C. Audit log information, Event data, Flow data, Report data, Indexes
D. Audit log information, Event data, Indexes, Index management information, Flow data, Report data,
Groups
Answer: C
Explanation:
Reference:
https://www.ibm.com/support/knowledgecenter/en/SS42VS_7.3.0/com.ibm.qradar.doc/c_qradar_adm_m
an_back_recovery.html

57.A QRadar upgrade is planned and a maintenance window is scheduled. The administrator must stage
the FIXPACK from IBM Fix Central.
Which QRadar FIXPACK file type must the administrator download?
A. RPM
B. IMG
C. SFS

17 / 18
The safer , easier way to help you pass any IT exams.

D. XFS
Answer: C
Explanation:
Reference:
https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Security&product=ibm/Oth
er+software/IBM+QRadar+Network +Insights&release=7.3.0&platform=Linux&function=all

58.An administrator installed a new App Host and would like to move the existing applications from the
Console to the App Host.
What steps should be performed?
A. Admin Tab > Extension Management > Click to change where apps are run
B. Admin Tab > System Settings > Move apps
C. Admin Tab > Extension Management > Move apps
D. Admin Tab > System and License Management > Click to change where apps are run
Answer: D

59.An administrator needs to restore from backup the applications in QRadar.


Which configuration item should the administrator select?
A. Installed Applications Configuration
B. Backup Installed Applications
C. Installed Applications Backup Configuration
D. Installed Programs Configuration
Answer: A
Explanation:
Reference:
https://www.ibm.com/support/knowledgecenter/SS42VS_7.3.2/com.ibm.qradar.doc/t_adm_appnode_app
backup.html

60.When troubleshooting issues with QRadar applications, which application Docker container log file can
be used to get more information about the apps?
A. /var/log/qradar.error
B. /var/log/qradar.log
C. /var/log/app.log
D. /store/log/app.log
Answer: D
Explanation:
Reference: https://www.ibm.com/developerworks/community/wikis/home?lang=en#!/wiki/24f91a23-846b-
483c-ba22-d78b95eed91e/page/d504c946-a9b0-4277-8e4f-bc554ac30e4e/versions

18 / 18

You might also like

pFad - Phonifier reborn

Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.

Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.


Alternative Proxies:

Alternative Proxy

pFad Proxy

pFad v3 Proxy

pFad v4 Proxy