C1000-018 Online Practice Questions and Answers

Questions 4

What event information within an offense would provide the analyst with a deep insight as to how it was created?

A. Event Category

B. Event QID

C. Event Payload

D. Event Magnitude

Questions 5

An analyst is investigating an Offense and has found that a firewall appears to be misconfigured and has permitted traffic that should have been blocked.

As part of the firewall rule change process, the analyst needs to send the offense details to the firewall team to demonstrate that the firewall permitted traffic that should have been blocked.

How would the analyst send the Offense summary to an email mailbox?

A. Find the CRE Event in the Log Activity tab, open the event detail and select ‘Email linked Offense details’ from the ‘Action’ menu.

B. Search for the events linked to the Offense in the Log Activity tab; Select all events and copy them using CTRL-C then paste into an email client.

C. Open the Offense in the Offenses tab, select ‘Email’ from the ‘Action’ menu item and, optionally, add some extra information.

D. Identify the Offense in the Offense list, right click on the Offense and select ‘Custom Action Script’; ‘Offense Mailer’

Questions 6

An auditor has requested a report for all Offenses that have happened in the past month. This report generates at the end of every month but the auditor needs to have it for a meeting that is in the middle of the month.

What will happen to the scheduled report if the analyst manually generates this report?

A. The scheduled report needs to be reconfigured.

B. The analyst needs to delete the scheduled report and create a new one.

C. The report will get duplicated so the analyst can then run one manually.

D. The report still generates on the schedule initially configured.

Questions 7

An analyst has to perform an export of events within a timeframe, but not all the columns are present in the log view for the time period the analyst has selected. The analyst only needs specific columns exported for an external analysis.

How can the analyst accomplish this task?

A. Edit the search and select the extra columns, then export the result with Action/Export to XML/Full Export. This export is only supported in XML.

B. Edit the search and select the extra columns, then export the result with Action/Export to XML/Visible Columns. This export is only supported in XML.

C. Edit the search result and select the extra columns, then export the result with Action/Export to CSV/ Full Export.

D. Edit the search result and select the extra columns, then export the result with Action/Export to CSV/ Visible Columns.

Questions 8

An analyst needs to find all events that are creating offenses that are triggered by rules that contain the word suspicious in the rule name.

Which query can the analyst use as a working sample?

A. SELECT LOGSOURCETYPE(logsourceid), “from log_events where RULENAME(creeventlist) ILIKE '%suspicious%'

B. SELECT LOGSOURCERULES(logsourceid), “from rule_events where RULENAME(creeventlist) ILIKE '%suspicious%'

C. SELECT LOGGEDOFFENSE(logsourceid), *from offense_events where RULENAME(creeventlist) ILIKE '%suspicious%'

D. SELECT LOGSOURCENAME(logsourceid), * from events where RULENAME(creeventlist) ILIKE '%suspicious%'

Questions 9

An analyst is investigating a user's activities and sees that they have repeatedly executed an action which triggers a rule that emails the SOC team and creates an Offense, indexed on Username.

The SOC team complained that they have received 15 emails in the space of 10 minutes, but the analyst can only see one Offense in the Offenses tab.

How is this explained?

A. There is a Rule Limiter on the Rule Action which creates the Offense, this should also be applied to the Rule Responses.

B. This is expected behavior, the offense will contain the information about all 15 events.

C. An Offense rule has been configured to send multiple emails upon Offense creation.

D. The Custom Rules Engine (CRE) has fallen behind and the additional Offenses will be created shortly.

Questions 10

The administrator had set up several scheduled reports that can be executed by analysts every Monday, and the first day of each month. On Thursday, an executive requests one of the weekly reports.

If the analyst executes the report on Thursday, what information will the report contain?

A. Data from Monday to Sunday from the previous week.

B. Data from Thursday from the previous week to Wednesday from the current week.

C. Data from Monday to Thursday from the current week.

D. Data from Monday to Wednesday from the current week.

Questions 11

What does the Assets tab provide?

A unified view of the information that is known about:

A. network devices.

B. triggered Offenses.

C. log sources.

D. events and flows.

Questions 12

Which are the supported protocol configurations for Check Point integration with QRadar? (Choose two.)

A. CHECKPOINT REST API

B. SYSLOG

C. JDBC

D. SFTP

E. OPSEC/LEA

Questions 13

What are the different flow types in QRadar?

A. L2L, L2R, R2R, R2L

B. Standard, Type A, Type B, Type C

C. Standard, Type 1, Type 2, Type 3

D. Type 1, Type 2, Type 3, Type 4

Exam Code: C1000-018
Exam Name: IBM QRadar SIEM V7.3.2 Fundamental Analysis
Last Update: May 30, 2026
Questions: 60