When might a Security Analyst want to review the payload of an event?
A. When immediately after login, the dashboard notifies the analyst of payloads that must be investigated
B. When "Review payload" is added to the offense description automatically by the "System: Notification" rule
C. When the event is associated with an active offense, the payload may contain information that is not normalized or extracted fields
D. When the event is associated with an active offense with a magnitude greater than 5, the payload should be reviewed, otherwise it is not necessary
When using the right click event filtering functionality on a Source IP, one can filter by "Source IP is not [*]". Which two other filters can be shown using the right click event filtering functionality? (Choose two.)
A. Filter on DNS entry [*]
B. Filter on Source IP is [*]
C. Filter on Time and Date is [*]
D. Filter on Source or Destination IP is [*]
E. Filter on Source or Destination IP is not [*]
Which type of test should be placed first in a rule to increase efficiency?
A. Custom property tests
B. Normalized property tests
C. Reference set lookup tests
D. Payload contains regex tests
What is the default view when a user first logs in to QRadar?
A. Report Tab
B. Offense Tab
C. Dashboard tab
D. Messages menu
Which set of key fields can trigger coalescing?
A. Source IP address, Source port, Severity, Username, and Event ID
B. Source IP address, Destination IP address, Destination port, Direction, and Event ID
C. Source IP address, Destination IP address, Destination port, Username, and Event ID
D. Destination IP address, Destination port, Relevance, Username, and Low Level Category
Which kind of information do log sources provide?
A. User login actions
B. Operating system updates
C. Flows generated by users
D. Router configuration exports
Which flow fields should be used to determine how long a session has been active on a network?
A. Start time and end time
B. Start time and storage time
C. Start time and last packet time
D. Last packet time and storage time
What is the effect of toggling the Global/Local option to Global in a Custom Rule?
A. It allows a rule to compare events and flows in real time.
B. It allows a rule to analyze the geographic location of the event source.
C. It allows rules to be tracked by the central processor for detection by any Event Processor.
D. It allows a rule to inject new events back into the pipeline to affect and update other incoming events.
What ability does marking a custom property as "optimized" provide?
A. Allows you to use the custom property in a rule test
B. Allows you to process events above your license rating
C. Allows offenses to merge both events and flows into the same offense
D. Allows for offenses, events and flows to be compared directly in real time
Which port does HTTP traffic commonly use?
A. Port 22
B. Port 53
C. Port 80
D. Port 443