C2150-612 Exam - IBM Security QRadar SIEM V7.2.6 Associate Analyst



Online C2150-612 free questions and answers of New Version:

NEW QUESTION 1
A Security Analyst found multiple connection attempts from suspicious remote IP addresses to a local host on the DMZ over port 80. After checking related events no successful exploits were detected.
Upon checking internal documentation, this activity was part of an expected penetration test which requires no immediate investigation.
How can the Security Analyst ensure results of the penetration test are retained?

  • A. Hide the offense and add a note with a reference to the penetration test findings
  • B. Protect the offense to not allow it to delete automatically after the offense retention period has elapsed
  • C. Close the offense and mark the source IP for Follow-Up to check if there are future events from the host
  • D. Email the Offense Summary to the penetration team so they have the offense id, add a note, and close the Offense

Answer: B

Explanation: References:
http://www.ibm.com/support/knowledgecenter/SSKMKU/com.ibm.qradar.doc/c_qradar_Off_Retention.html

NEW QUESTION 2
What is the primary goal of data categorization and normalization in QRadar?

  • A. It allows data from different kinds of devices to be compared.
  • B. It preserves original data allowing for forensic investigations.
  • C. It allows for users to export data and import it into other systems.
  • D. It allows for full-text indexing of data to improve search performance.

Answer: A

NEW QUESTION 3
What are three examples of a custom Dashboard? (Choose three.)

  • A. Asset View
  • B. Top Applications
  • C. Most Recent Offenses
  • D. Tabs which are accessible
  • E. Source and Destination DNS
  • F. Internet Threat Information Center

Answer: BCE

NEW QUESTION 4
What is one of the major differences between event and network data (flow)?

  • A. Flows can replay a whole session packet by packet, while events are just a snapshot.
  • B. A flow can have a life span that can last seconds, minutes, hours or days, while events are only a snapshot.
  • C. An event can have a life span that can last seconds, minutes, hours or days, while flows can only span 1 minute.
  • D. Events represent network activity by normalizing IP addresses, ports, byte and packet count, while flows do not.

Answer: B

NEW QUESTION 5
What is a primary goal with the use of building blocks?

  • A. A method to create reusable rule responses
  • B. A reusable test stack that can be used in other rules
  • C. A method to generate reference set updates without using a rule
  • D. A method to create new events back into the pipeline without using a rule

Answer: B

NEW QUESTION 6
Which saved searches can be included on the Dashboard?

  • A. Event and Flow saved searches
  • B. Asset and Network saved searches
  • C. User and Vulnerability saved searches
  • D. Network Activity and Risk saved searches

Answer: A

NEW QUESTION 7
Which three optional items can be added to the Default and Custom Dashboards without requiring additional licensing? (Choose three.)

  • A. Offenses
  • B. Log Activity
  • C. Risk Change
  • D. Flow Search
  • E. Risk Monitoring
  • F. Asset Management

Answer: ACE

NEW QUESTION 8
Which log source and protocol combination delivers events to QRadar in real time?

  • A. Sophos Enterprise console via JDBC
  • B. McAfee ePolicy Orchestrator via JDBC
  • C. McAfee ePolicy Orchestrator via SNMP
  • D. Solaris Basic Security Mode (BSM) via Log File Protocol

Answer: C

NEW QUESTION 9
Which file type is available for a report format?

  • A. TXT
  • B. DOC
  • C. PDF
  • D. PowerPoint

Answer: C

NEW QUESTION 10
While on the Offense Summary page, a specific Category of Events associated with the Offense can be investigated.
Where should a Security Analyst click to view them?

  • A. Click on Events, then filter on Flows
  • B. Highlight the Category and click the Events icon
  • C. Scroll down to Categories and view Top 10 Source IPs
  • D. Right Click on Categories and choose Filter on Network Activity

Answer: B

Explanation: References:
IBM Security QRadar SIEM Users Guide. Page: 42

NEW QUESTION 11
What are two benefits of using a NetFlow flow source? (Choose two.)

  • A. They can include data payload
  • B. They can include router interface information.
  • C. They can include usernames involved in the flow.
  • D. They can include ASN numbers of remote addresses.
  • E. They can include authentication methods used to access the network.

Answer: BD

NEW QUESTION 12
Which browser is officially supported for QRadar?

  • A. Safari version 9.0-3
  • B. Chromium version 33
  • C. 32-bit Internet Explorer 9
  • D. Firefox version 38.0 ESR

Answer: C

NEW QUESTION 13
What is a main function of a Cisco Adaptive Security Appliance (ASA)?

  • A. A Proxy
  • B. A Switch
  • C. A Firewall
  • D. An Authentication device

Answer: C

NEW QUESTION 14
When QRadar processes an event it extracts normalized properties and custom properties. Which list includes only Normalized properties?

  • A. Start time, Source IP, Username, Unix Filename
  • B. Start time, Username, Unix Filename, RACF Profile
  • C. Start time, Low Level Category, Source IP, Username
  • D. Low Level Category, Source IP, Username, RACF Profile

Answer: C

NEW QUESTION 15
Which type of search uses a structured query language to retrieve specified fields from the events, flows, and simarc tables?

  • A. Add Filter
  • B. Asset Search
  • C. Quick Search
  • D. Advanced Search

Answer: D

Explanation: References:
http://www.ibm.com/support/knowledgecenter/en/SS42VS_7.2.7/com.ibm.qradar.doc/c_qradar_ug_search_bar.

NEW QUESTION 16
Where could you get additional details on why the offense was triggered when on the Offense Summary page?

  • A. Display > Notes
  • B. Display > Rules
  • C. Display > Flows
  • D. Display > Events

Answer: B
