C2150-612 Exam - IBM Security QRadar SIEM V7.2.6 Associate Analyst

certleader.com


Online IBM C2150-612 free dumps demo Below:

NEW QUESTION 1
How does a Device Support Module (DSM) function?

  • A. A DSM is a configuration file that combines received events from multiple log sources and displays them as offenses in QRadar.
  • B. A DSM is a background service running on the QRadar appliance that reaches out to devices deployed in a network for configuration data.
  • C. A DSM is a configuration file that parses received events from multiple log sources and converts them to a standard taxonomy format that can be displayed as outputs.
  • D. A DSM is an installed appliance that parses received events from multiple log sources and converts them to a standard taxonomy format that can be displayed as outputs.

Answer: D

NEW QUESTION 2
Which key elements does the Report Wizard use to help create a report?

  • A. Layout, Container, Content
  • B. Container, Orientation, Layout
  • C. Report Classification, Time, Date
  • D. Pagination Option, Orientation, Date

Answer: A

Explanation: References:
IBM Security QRadar SIEM Users Guide. Page: 201

NEW QUESTION 3
Which column shows information as icons on the Reports tab?

  • A. Owner
  • B. Formats
  • C. Schedule
  • D. Report Name

Answer: B

NEW QUESTION 4
What is a primary benefit of building blocks?

  • A. They can notify users of strange behavior.
  • B. They allow the execution of its test within all rules.
  • C. They generate new events into the pipeline before rules fire.
  • D. They allow for report results to be used in custom rules tests.

Answer: B

NEW QUESTION 5
Where can event data be exported from for external analysis?

  • A. From the Offenses Tab, select the offense and right click, select export event data
  • B. From the list of events page, select actions and click export to XML or export to CSV
  • C. From the offense summary page, select actions and click on export to XML or export to CSV
  • D. From the Offenses Tab, select the offense, click on actions, select export to XML or export to CSV

Answer: C

NEW QUESTION 6
Which type of tests are recommended to be placed first in a rule to increase efficiency?

  • A. Custom property tests
  • B. Normalized property tests
  • C. Preference set lookup tests
  • D. Payload contains regex tests

Answer: B

NEW QUESTION 7
Which QRadar component is designed to help increase the search speed in a deployment by allowing more data to remain uncompressed?

  • A. QRadar Data Node
  • B. QRadar Flow Processor
  • C. QRadar Event Collector
  • D. QRadar Event Processor

Answer: A

NEW QUESTION 8
What is an example of flow data providing more information than event data?

  • A. Represents a single event on the network
  • B. Automatically identifies and better classifies new assets found on a network
  • C. Performs near real-time comparisons of application data with logs sent from security devices
  • D. Represents network activity by normalizing IP addresses, ports, byte and packet counts, as well as other details

Answer: D

Explanation: References:
http://www-01.ibm.com/support/docview.wss?uid=swg21682445

NEW QUESTION 9
How does flow data contribute to the Asset Database?

  • A. Correlated Flows are used to populate the Asset Database.
  • B. It provides administrators visibility on how systems are communicating on the network.
  • C. Flows are used to enrich the Asset Database except for the assets that were discovered by scanners.
  • D. It delivers vulnerability and ports information collected from scanners responsible for evaluating network assets.

Answer: C

NEW QUESTION 10
Which Anomaly Detection Rule type can test events or flows for volume changes that occur in regular patterns to detect outliers?

  • A. Outlier Rule
  • B. Anomaly Rule
  • C. Threshold Rule
  • D. Behavioral Rule

Answer: D

Explanation: References:
http://www.ibm.com/support/knowledgecenter/en/SS42VS_7.2.7/com.ibm.qradar.doc/c_qradar_rul_anomaly_de

NEW QUESTION 11
Which feature of a Next Generation Firewall is not available on previous firewalls?

  • A. VPN Support
  • B. Layer 3 based firewall rules
  • C. Integrated signature based IPS engine
  • D. Network and Port-Address Translation (NAT)

Answer: D

NEW QUESTION 12
Which three pages can be accessed from the Navigation menu on the Offenses tab? (Choose three.)

  • A. Rules
  • B. By Category
  • C. My Offenses
  • D. By Event Name
  • E. Create Offense
  • F. Closed Offenses

Answer: ABC

NEW QUESTION 13
Which approach allows a rule to test for Active Directory (AD) group membership?

  • A. Import the AD membership information into the Asset Database using AXIS and use an asset rule test
  • B. Use the built-in LDAP integration to execute a search for each event as it is received by the EventProcessor to test for group membership
  • C. Maintain reference data for the AD group(s) of interest containing lists of usernames and then add rule tests to see if the normalized username is in the reference data
  • D. Export the AD group membership information to a CSV file and place it in the /store/AD_mapping.csv file on the console, then use the "is a member of AD group" test in the rule

Answer: B

NEW QUESTION 14
Which advantage of a report helps distinguish it from a search?

  • A. Scheduling is available.
  • B. It can be added as a dashboard item.
  • C. It can be labeled for later use.
  • D. A report can be assigned to specific users.

Answer: A

NEW QUESTION 15
In a distributed QRadar deployment with multiple Event Collectors, from where can syslog and JDBC log sources be collected?

  • A. Syslog log sources and JDBC log sources may be collected by any Event Collector.
  • B. One Event Collector must collect ALL syslog events and another Event Collector must collect All JDBC events.
  • C. Syslog log sources and JDBC log sources are always collected by the collector assigned in the log source definition.
  • D. Syslog log sources may be collected by any Event Collector, but JDBC log sources will always be collected by the collector assigned in the log source definition.

Answer: C

NEW QUESTION 16
What is the effect of toggling the Global/Local option to Global in a Custom Rule?

  • A. It allows a rule to compare events & flows in real time.
  • B. It allows a rule to analyze the geographic location of the event source.
  • C. It allows rules to be tracked by the central processor for detection by any Event Processor.
  • D. It allows a rule to inject new events back into the pipeline to affect and update other incoming events.

Answer: D
