
C1000-018 Online Practice Questions and Answers

Question 4

An analyst wants to analyze the long-term trending of data from a search. Which chart would be used to display this data on a dashboard?

A. Bar Graph

B. Time Series chart

C. Pie Chart

D. Scatter Chart

Question 5

After working with an Offense, an analyst set the Offense as hidden. What does the analyst need to do to view the Offense at a later time?

A. In the All Offenses view, at the top of the view, select “Show hidden” from the “Select an option” drop-down.

B. Search for all Offenses owned by the analyst.

C. Click Clear Filter next to “Exclude Hidden Offenses”.

D. In the All Offenses view, select Actions, then select Show hidden Offenses.

Question 6

When an analyst sees the system notification “The appliance exceeded the EPS or FPM allocation within the last hour”, how does the analyst resolve this issue? (Choose two.)

A. Delete the volume of events and flows received in the last hour.

B. Adjust the license pool allocations to increase the EPS and FPM capacity for the appliance.

C. Tune the system to reduce the volume of events and flows that enter the event pipeline.

D. Adjust the resource pool allocations to increase the EPS and FPM capacity for the appliance.

E. Tune the system to reduce the time window from 60 minutes to 30 minutes.

Question 7

Which statement about False Positive Building Blocks applies?

Using False Positive Building Blocks:

A. helps to prevent unwanted alerts, but there is no effect on performance.

B. helps to prevent unwanted alerts, and reduces the performance impact of testing rules that do not need to be tested.

C. has no impact on unwanted alerts, but it does reduce the performance impact of testing rules that do not need to be tested.

D. has no impact on unwanted alerts, or performance.

Question 8

An analyst investigating a particular offense needs to understand the breakdown of the offense details.

How can the analyst do this?

A. Look at the magnitude information and its breakdown.

B. Look at all the event QIDs attached to the offense.

C. View the attack path of the offense.

D. Look at the list of categories, event low level categories and the events attached.

Question 9

An analyst aims to improve the detection capabilities on all the Offense rules. QRadar SIEM has a tool that allows the analyst to update all the Building Blocks related to Host and Port Definition in a single page.

How is this accomplished?

A. Admin -> Reference Set management

B. Assets -> Asset Profiles

C. Assets -> Server Discovery

D. Admin -> Asset Profile Configuration

Question 10

There are 5 authentication servers that report to different Event Processors. There is a requirement to generate an Offense if there are 5 consecutive failed logins detected across any of the 5 Event Processors.

Which type of rule should the analyst create?

A. Global Rule

B. Persistent Rule

C. Local Rule

D. Offense Rule

Question 11

What is a valid offense naming mechanism? This information should:

A. set the naming of the associated offense(s).

B. set or replace the naming of the associated offense(s).

C. replace the naming of the associated offense(s).

D. be included in the naming of the associated offense(s).

Question 12

What are the different flow types in QRadar?

A. L2L, L2R, R2R, R2L

B. Standard, Type A, Type B, Type C

C. Standard, Type 1, Type 2, Type 3

D. Type 1, Type 2, Type 3, Type 4

Question 13

An analyst needs to investigate why an Offense was created. How can the analyst investigate?

A. Review the Offense summary to investigate the flow and event details.

B. Review the X-Force rules to investigate the Offense flow and event details.

C. Review pages of the Asset tab to investigate Offense details.

D. Review the Vulnerability Assessment tab to investigate Offense details.

Exam Code: C1000-018
Exam Name: IBM QRadar SIEM V7.3.2 Fundamental Analysis
Last Update: Apr 15, 2024
Questions: 60