exam code: c2150-400 exam name: ibm security …... b. if used disk space reaches 85% for records...

http://www.gratisexam.com/

C2150-400_LeanderJan_176Q_02-04-2016

Number: C2150-400Passing Score: 800Time Limit: 120 minFile Version: 14.0


Exam code: C2150-400

Exam Name: IBM Security Qradar SIEM Implementation v 7.2.1

Version 14.0


C2150-400

QUESTION 1The following message is displayed in the System Notification Widget on the Dashboard:

Which script should be run to help determine the cause of the dropped events?

A. /opt/qradar/support/dumpGvData.shB. /opt/qradar/support/dumpDSMInfo.shC. /opt/qradar/support/cleanAssetModel.shD. /opt/qradar/support/findExpensiveCustomRules.sh

Correct Answer: DSection: (none)Explanation

Explanation/Reference:

QUESTION 2What is used to collect netflow and jflow traffic in a QRadar Distributed Deployment?

A. QRadar 3105 ConsoleB. QRadar 1705 ProcessorC. QRadar 1605 ProcessorD. QRadar 700 Risk Manager

Correct Answer: ASection: (none)Explanation



Reference: http://www.arrowecs.ae/FMS/16966.appliance_datasheet.pdf (page 3)

QUESTION 3What should the format of a CSV file be while importing assets on the QRadar console?

A. ip,portweight,descriptionB. ip,name,weightmagnitudeC. ip.name.weight.descriptionD. ip.name.severity.description

Correct Answer: CSection: (none)Explanation

Explanation/Reference:Reference: http://www-03.ibm.com/certify/tests/objC2150-195.shtml (search for name, weight, description)

QUESTION 4Which option needs to be specified in the syslinux configuration file to reinstall an IBM QRadar appliance via serial port from an USB flash-drive?

A. USB to serialB. Default serialC. Serial to USBD. serial redirect

Correct Answer: BSection: (none)Explanation

Explanation/Reference:Reference:ftp://ftp.software.ibm.com/software/security/products/qradar/documents/7.2.0/QLM/EN/USB_In stallation.pdf (page 5)

QUESTION 5There is a Data Deletion Policy of "When storage is required."

Data will remain in storage until which scenario is reached?

A. If used disk space reaches 88% for records and 85% for payloads.


B. If used disk space reaches 85% for records and 88% for payloads.C. If used disk space reaches 85% for records and 83% for payloads.D. If used disk space reaches 83% for records and 85% for payloads.


Explanation/Reference:Reference: http://www.juniper.net/techpubs/software/management/strm/2013_2/strm-adminguide.pdf (page 85, see the table, 5th row, second column, firstbulleted point)

QUESTION 6Which two actions can be selected from the license drop-down in the system and license management screen when working with a new license? (Choose two.)


A. Apply licenseB. Upload licenseC. Allocate license to systemD. Allocate system to licenseE. Register system to license

Correct Answer: ACSection: (none)Explanation


QUESTION 7How frequently does the Automated Update Process run if Configuration files are updated on Primary and then Deploy Changes is not performed, and the updatesare made on the Secondary host through an Automated Update Process?


A. Every 10 minutesB. Every 15 minutesC. Every 30 minutesD. Every 60 minutes


Explanation/Reference:Reference:http://www.juniper.net/techpubs/software/management/strm/2010_0_R1/Admin_STRM.pdf (page 68, see the second note)

QUESTION 8What two are valid actions that a user can perform when monitoring offenses? (Choose two.)

A. Import offensesB. Backup offensesC. Restore offensesD. Send email notificationsE. Hide or close an offense from any offense list

Correct Answer: BESection: (none)Explanation


QUESTION 9What is a valid QVM scan status?

A. ActiveB. PausedC. ScanningD. Complete




QUESTION 10Which NetFlow versions does QRadar SIEM support?

A. 1, 2, 3, and 4B. 1, 4, 7, and 9C. 1, 3, 5, and 9D. 1, 5, 7, and 9


Explanation/Reference:Reference: http://www-01.ibm.com/support/knowledgecenter/SS42VS_7.2.1/com.ibm.qradar.doc_7.2.1/c_qradar_adm_ netflow.html (second para, first sentence)

QUESTION 11How do you view Raw Events on the Log Activity tab?

A. Select "Raw Events" from the View list boxB. Select "Raw Events" from the Actions list boxC. Select "Raw Events" from the Display list boxD. Select "Raw Events" from the Quick Searches list box


Explanation/Reference:Reference:ftp://ftp.software.ibm.com/software/security/products/qradar/documents/71MR1/LogMgr/LM- 71MR1-Usersguide.pdf (page 33)


QUESTION 12There is a requirement at the customer site to double the default QFlow Maximum Content Capture size.

What would be the resulting packet size?

A. 64 bytesB. 128 bytesC. 256 bytesD. 1024 bytes



QUESTION 13What is the result when adding host definition building blocks to QRadar?

A. Creates OffensesB. Reduces false positivesC. Makes searches run fasterD. Authorizes QRadar Services



QUESTION 14What is used to collect netflow and jflow traffic in a QRadar Distributed Deployment?

A. QRadar 3124 ConsoleB. QRadar 1624 ProcessorC. QRadar 1724 ProcessorD. QRadar 700 Risk Manager




QUESTION 15What will be restored when restoring event data or flow data for a particular period to a MH?

A. Only data sent to the console for that time period is restored to the MH.B. Only event data or flow data for the MH being restored will be restored to that MH.C. Only data that was accumulated for reports and searches will be restored to the MH.D. All data for all MHs for a specific time period is restored to its respective hosts in the deployment.



QUESTION 16Where do you save the "Login Message File" on the system when setting up a banner message for the authentication page?

A. /opt/qradar/conf/B. /opt/qradar/wwwC. /opt/tomcat/conf/D. /opt/qradar/webapps


Explanation/Reference:Reference: file:///Users/iMac/Downloads/QRadar_721_AdminGuide.pdf (page 90, see the table, last row, second column)

QUESTION 17


Which network monitoring port does Cisco NetFlow require to be configured in QRadar?

A. Port 514B. Port 161C. Port 2055D. Port 8080


Explanation/Reference:Reference: http://www-01.ibm.com/support/knowledgecenter/SS42VS_7.2.3/com.ibm.qradar.doc_7.2.3/c_qradar_adm_f low_source_ovrvw.html

QUESTION 18A QRadar administrator needs to tune the system by enabling or disabling the appropriate rules in order to ensure that the QRadar console generates meaningfuloffenses for the environment. Which role permission is required for enabling and disabling the rule?

A. Offenses > Maintain CRE RulesB. Offenses > Toggle Custom RulesC. Offenses > Manage Custom RulesD. Offenses > Maintain Custom Rules



QUESTION 19Which operating system is supported for creating a bootable flash drive for recovery?

A. Cisco IOSB. Florida LinuxC. Debian LinuxD. RedHat Linux




QUESTION 20Which three graph types are available for QRadar Log Manager reports? (Choose three.)

A. Pie graphB. HistogramC. Bar graphD. Trivial graphE. Stacked bar graphF. Stacked table graph

Correct Answer: ACFSection: (none)Explanation

Explanation/Reference:Reference: http://www.juniper.net/techpubs/software/management/strm/2012_0_R2/strm-lm- user-guide.pdf (page 18)

QUESTION 21Which line color inside the deployment editor signals that encrypted communication has been selected for the managed hosts in a distributed environment?

A. BlueB. GreyC. BlackD. Yellow




QUESTION 22A QRadar SIEM administrator wants to create a Flow Rule that includes a building block definition (BB) that includes applications that indicate communication withfile sharing sites. In which group will the administrator find this specified building block?

A. PolicyB. Host DefinitionsC. Network DefinitionD. Category Definitions



QUESTION 23Which character is used for naming subgroups when using the option Add Group in the Network Hierarchy editor?

A. +(plus)B. . (period)C. \ (Backslash)D. /(Forward Slash)



QUESTION 24Which expression imports all xml files in the report directory if the administrator is configuring a Nessus Scanner?

A. \xmlB. 'xml'C. *\.xmlD. */.xml



Explanation/Reference:Reference:ftp://public.dhe.ibm.com/software/security/products/qradar/documents/71MR1/SIEM/CoreDocs/ ManagingVAGuide-71MR1.pdf (page 14)

QUESTION 25Which two file systems does QRadar support for offboard storage partitions? (Choose two.)

A. XFSB. BtrfsC. F2FSD. EXT4E. NTFS

Correct Answer: ADSection: (none)Explanation

Explanation/Reference:Reference: http://www.juniper.net/techpubs/en_US/jsa2014.1/information-products/topic- collections/jsa-configuring-offboard-storage.pdf (page 17)

QUESTION 26Assuming a Squid Proxy has logs in the following format:

Time elapsed remotehost code/status bytes method URL rfc931 peerstatus/peerhost type And these are some sample logs from a Squid server:


Which regular expression would you use to pull out the bytes field into a custom property?

A. \w+/\d+\s+(\d+)\s+B. \w+/\d+\s+(\d+)\S+C. \w+/\d+\S+(\d+)\s+D. \w+/\D+\s+(\D+)\s+



QUESTION 27Which Permission Precedence should be applied to the users security profile assuming the administrators only want the group to have access to Windows eventsand flows and not events from other networks?

A. No RestrictionsB. Log Sources OnlyC. Networks OR Log SourcesD. Networks AND Log Sources




QUESTION 28On the QRadar console you have received notification that CVE ID: CVE-2010-000 is being actively used.

What search parameter should you select from the list of search parameters in this situation?

A. Collateral Damage ReferenceB. Vulnerability External ReferenceC. Vulnerability Information SystemD. Vulnerability Internal System Reference


Explanation/Reference:Reference:ftp://ftp.software.ibm.com/software/security/products/qradar/documents/7.2.1/QRadar/EN/b_qra dar_gs_guide.pdf (page 250

QUESTION 29Which two statements are true regarding QRadar Log Sources and DSMs? (Choose two.)

A. One log source must have one DSM.B. One DSM must have many log sources.C. One log source must have many DSMs.D. One DSM can have only one log source.E. One DSM can be used in many log sources.

Correct Answer: CESection: (none)Explanation


QUESTION 30


What are the two expected Host Statuses after HA setup if the initial synchronization is complete? (Choose two.)

A. Primary: ActiveB. Primary: OfflineC. Secondary: FailedD. Secondary: ActiveE. Secondary: StandbyF. Primary: Synchronizing

Correct Answer: AESection: (none)Explanation


QUESTION 31Which default flow source is included in the QRadar SIEM?

A. IPFIXB. jFlowC. QFlowD. NetFlow


Explanation/Reference:Reference: http://www-01.ibm.com/support/knowledgecenter/SS42VS_7.2.3/com.ibm.qradar.doc_7.2.3/c_qradar_adm_f low_source_ovrvw.html

QUESTION 32You have created an LSX log parser document to process the unknown log events from your unsupported log source. The events are coming up with Log sourcetype GenericDSM and the correct Log Source Event ID.

What is the next step in this process?



A. Create the high level and low level categories from the map id actionB. Map the custom log records to existing QRadar high level and low level categoriesC. Create the high level and low level categories from the Rules section in the Offense tabD. Run the qidmap.pl script to create high level and low level categories from the command line



QUESTION 33In which two ways can an administrator view all the events that are related to an offense from the Offense Details screen? (Choose two.)

A. Top 5 Source IPs sectionB. Click on Display > SourcesC. Click on Display > DestinationsD. Click on Event/Flow Count field's Events linkE. Click on Events button in Last 10 Events section

Correct Answer: BDSection: (none)Explanation


QUESTION 34Which tab in the QRadar web console allows flows to be monitored and investigated?


A. AdminB. AssetsC. OffensesD. Network Activity


Explanation/Reference:Reference:

QUESTION 35An off-site source can connect to which component?

A. Flow collectorB. Event collectorC. Flow processorD. Event processor

Correct Answer: BSection: (none)


Explanation

Explanation/Reference:Reference: http://www-01.ibm.com/support/knowledgecenter/SS42VS_7.2.1/com.ibm.qradar.doc_7.2.1/c_qradar_adm_ qradar_siem_component.html?cp=SS42VS_7.2.1%2F4-0-11-3-0&lang=fr (see off-site source)

QUESTION 36Which two fields are required to be filled out when adding a new network to the network hierarchy? (Choose two.)

A. WeightB. IP and CIDRC. Capture FilterD. Flow Source InterfaceE. Flow Retention Length



QUESTION 37A user of QRadar wishes to have a report showing the number of bytes per packet they see with their flows. The user decides to create a Custom Flow Property forthis application.

Which type of custom property is required for this to be accomplished?

A. Regex Custom PropertyB. Advanced Custom PropertyC. Computation Custom PropertyD. Calculation Based Custom Property




QUESTION 38Which attribute is valid when defining the user roles to provide the necessary access?

A. Admin: System AdministratorB. Log Activity: View Custom RulesC. Log Activity: Manage Time SeriesD. Network Activity: Maintain custom Rules



QUESTION 39Which configuration window defines the maximum number of TCP syslog connections?

A. Log SourcesB. System SettingC. Console SettingD. Deployment Editor



QUESTION 40A customer has log files from Windows-based systems and wants to push those logs to the QRadar console.

What options should the customer use in WinCollect to collect and forward these logs?

A. File ForwarderB. Flow Forwarder


C. Event ForwarderD. Windows-based Event Log Forwarder



QUESTION 41What is the minimum bandwidth needed between the primary and secondary HA host?

A. 1 gigabits per second (Gbps)B. 2 gigabits per second (Gbps)C. 3 gigabits per second (Gbps)D. 4 gigabits per second (Gbps)


Explanation/Reference:Reference:ftp://ftp.software.ibm.com/software/security/products/qradar/documents/71MR1/SIEM/CoreDoc s/QRadar_71MR1_HighAvailabilityGuide.pdf (page 9)

QUESTION 42Which directory from the QRadar host can be moved to offboard storage?

A. A/arB. /storeC. /homeD. /media




QUESTION 43You have been asked to forward all event logs from QRadar to another central syslog server with the IP of 172.16.77.133. You also want the events to beprocessed by the CRE, but not stored on the system.

What will allow you to do this process?

A. Add a Routing Rule that under Current Filters "Matches All Incoming Events", under Routing Options, add a Forwarding destination for 172.16.77.133 with the"Raw Event" format. Then select the 'Forward' and 'Drop' options. Save and deploy.

B. Add a Routing Rule that, under Current Filters "Matches All Incoming Events", under Routing Options, add a Forwarding destination for 172.16.77.133 with the"Normalized Event" format. Then select the 'Forward' and 'Drop' options. Save and deploy.

C. Add a forwarding Destination for 172.16.77.133 with the "Raw Event" format. Then add a Routing Rule that, under Current Filters "Matches All IncomingEvents", under Routing Options, select the Forward destination that matches destination you created. Then select the 'Forward' and 'Drop' options. Save anddeploy.

D. Add a forwarding Destination for 172.16.77.133 with the "Normalized Event" format. Then add aRouting Rule that, under Current Filters "Matches All Incoming Events", under Routing Options, select the Forward destination that matches destination youcreated. Then select the 'Forward* and 'Drop* options. Save and deploy.



QUESTION 44Which function allows a custom event property to be removed from a selected event?

A. AnomalyB. Map EventC. False PositiveD. Extract Property




QUESTION 45Which two authentication methods for the QRadar User Interface are valid? (Choose two.)

A. SecureIDB. Digital SignaturesC. Password Authentication Protocol (PAP)D. Remote Authentication Dial In User Service (RADIUS)E. Terminal Access Controller Access-Control System (TACACS)

Correct Answer: DESection: (none)Explanation


QUESTION 46Which three tasks can an administrator perform from the QRadar SIEM reports tab? (Choose three.)

A. Brand reportsB. Ability to create custom reportsC. Ability to create custom compliance templatesD. Present statistics derived from source IP and destination IPE. Present measurements and statistics derived from real time dataF. Present measurements and statistics derived from events, flows and offenses

Correct Answer: BDFSection: (none)Explanation


QUESTION 47What type of users can view all reports that are created by other users?

A. Auditors


B. AnalystsC. ManagersD. Administrators


Explanation/Reference:Reference: http://www-01.ibm.com/support/knowledgecenter/SS42VS_7.2.2/com.ibm.qradar.doc_7.2.2/c_qradar_report _mgt.html?cp=SS42VS_7.2.2%2F6-0-11

QUESTION 48What does the message in the System Notification Widget on the Dashboard "Disk sentry:System disk usage back to normal levels ." tell you?

A. One of your File Systems has been reduced to below 92%.B. One of your File Systems has been reduced to below 95%.C. One of your File Systems has been reduced to below 98%.D. One of your File Systems has been reduced to below 90%.


Explanation/Reference:Reference:ftp://public.dhe.ibm.com/software/security/products/qradar/documents/71MR1/SIEM/CoreDocs/ QRadar_71MR1_TroubleshootingGuide.pdf (page 10)

QUESTION 49A QRadar administrator is sizing a distributed deployment. The deployment has approximately 2 million flows per minute (FPM ) and needs at least 7 terabytes ofstorage .

Which architecture is correct?

A. One 1724 flow processorB. One 1705 flow processorC. Two 1724 flow processorsD. Two 1705 flow processors




QUESTION 50A customer has a requirement to integrate with QRadar to capture events coming from IBM DB2.

Which protocol should an administrator use to integrate Log Enhanced Event format (LEEF) events while configuring Log Sources on QRadar console?

A. JDBCB. SNMPC. SyslogD. Log File



QUESTION 51There are unknown log records from unsupported security device events in the Log activity tab. You are planning to write an LSX for an unsupported security devicetype based on UDSM. What is the file format and payload option for exporting the unknown log records?

A. XLS and full exportB. CSV and full exportC. XML and visible columnD. PDF and visible column




QUESTION 52Which command will install the patch after mounting the patch file?

A. /media/updates/setupB. /media/updates/installerC. /media/updates/setup -patchD. /media/updates/installer -patch


Explanation/Reference:Reference: http://www-01.ibm.com/support/docview.wss?uid=swg27041545

QUESTION 53What does QRadar use to group the event or flow according to the network?

A. Network mappingB. Network hierarchyC. Application mappingD. Application hierarchy



QUESTION 54Which option will display the rule that triggered an offense from Offense Details screen?

A. Display > RulesB. Display > SourcesC. Offenses tab > RulesD. Display > Annotations




QUESTION 55A mail server typically communicates with 50 hosts per second in the middle of the night and then suddenly starts communicating with 1,000 hosts a second. Theadministrator wants to get an email alert whenever this situation is being observed.

Which type of rule should an administrator create to monitor this situation?

A. Flow RuleB. Anomaly RuleC. Threshold RuleD. Behavioral Rule



QUESTION 56What should be the latency between the primary and secondary HA hosts?

A. Less than 1 millisecondB. Less than 2 millisecondsC. Less than 3 millisecondsD. Less than 4 milliseconds




Reference:ftp://public.dhe.ibm.com/software/security/products/qradar/documents/71MR1/SIEM/CoreDocs/ QRadar_71MR1_HighAvailabilityGuide.pdf (page 14, link bandwidthand latency)

QUESTION 57Which two search filters are available on the QRadar console while making an asset search? (Choose two.)

A. PCI Severity. NERC SeverityB. Vulnerability CVSS Base Score. Vulnerability Risk ScoreC. Vulnerability on Open Port, Vulnerability on Open ServiceD. Vulnerability on Open Port, Vulnerability External ReferenceE. Vulnerability on Source Port, Vulnerability on Destination Port

Correct Answer: BESection: (none)Explanation


QUESTION 58From the given event payload format:

You are tasked with creating a Reference Set of the second IPs in the payload.

What needs to be done to complete this task?

A. Create a Custom Event Property to parse the second IP in the payload. From the Log Source config for the above event, choose "add to reference set" andselect your reference set.

B. From the Reference Set Management screen, select "create reference set from Log Source Event". Pick the Log Source from the drop down. Pick the EventName from the drop down.

C. From the Reference Set Management screen, select "create reference set from Log Source Event". Pick the Log Source from the drop down. Pick the CustomEvent Property from the drop down.


D. Create a Custom Event Property to parse the second IP in the payload. Create a rule that tests for events from the Log Source that is collecting the above event,and for Rule Response add the Custom Event Property to the Reference Set.



QUESTION 59What functionalities of QRadar provide the ability to collect, understand, and properly categorize events from external sources?

A. Log sourcesB. Flow sourcesC. Syslog sourcesD. External sources


Explanation/Reference:Reference: http://www.juniper.net/techpubs/en_US/jsa2014.1/information-products/topic- collections/jsa-log-source-user-guide.pdf (p. 14, log sources overview)

QUESTION 60What is a benefit of enabling indexes on event properties?


A. Improved Offense CorrelationB. Improved search performanceC. Improved Performance of Custom Rules


D. Improved accuracy of auto-discovery log sources



QUESTION 61Which IP address of a NATed server is used to access the server from outside the network?

A. Public IP addressB. Private IP addressC. Cluster IP addressD. Secondary IP address



QUESTION 62You notice the following message in the System Notification Widget on the Dashboard:

"Unable to automatically detect the associated log source for IP address."

When you hover over the message, you see this pop-up message:

What is the issue?


A. There are events coming from IP 127.0.0.1 that cannot be autodiscovered and a Log Source CreatedB. There are events coming from IP 192.168.2.90 that cannot be autodiscovered and a Log Source CreatedC. There are events coming from IP 172.16.77.25 that cannot be autodiscovered and a Log Source CreatedD. There are events coming from hostname red6.color.com that cannot be autodiscovered and a Log Source Created



QUESTION 63Which two proxy options are required to be set when using a Proxy Server for Auto Updates in QRadar? (Choose two.)

A. Proxy TypeB. Proxy NameC. Proxy ScheduleD. Proxy Server URLE. Proxy Port number


Explanation/Reference:Correct Answers: Proxy Server , Proxy Port , Proxy Username and Proxy Password.

QUESTION 64What does Server discovery allow the QRadar administrator to do?

A. DiscoverB. Define rules for hostsC. Create host searchesD. Populate host definition building blocks

Correct Answer: A


Section: (none)Explanation

Explanation/Reference:Reference:http://www.juniper.net/techpubs/software/management/strm/2010_0_R1/Admin_STRM.pdf (page 21, see the table, first row, second column, second bulleted point)

QUESTION 65Which statement is true with regard to planning QRadar SIEM high availability?

A. The secondary host can be in different subnet as teh primary host.B. The secondary HA host that you want to add to the HA cluster can be a component in another HA cluster.C. The secondary HA host that you want to add to the HA cluster must be a component in another HA cluster.D. When the IP address of the primary host is reassigned as a cluster virtual IP, the new IP address that you assign to the primary must be in the same subnet.



QUESTION 66Which two fileds are required to be filled out when adding a new network to the network hierarchy? (Choose two.)

A. NameB. CountryC. IP and CIDRD. Target Flow CollectorE. Maximum Content Capture

Correct Answer: ACSection: (none)Explanation

Explanation/Reference:Correct Answers: Name, Description, Group, IP/CIDR(s)

QUESTION 67


There are unknown log records from unsupported security device events in the Log activity tab. You are planning to write an LSX for an unsupported security devicetype based on UDSM.

What is the file format for exporting the unknown log records?

A. CSVB. PDFC. XLSD. Text



QUESTION 68IBM Security QRadar SIEM can be forced to run an instant configuration backup by selecting which option?

A. Backup NowB. On Demand BackupC. Launch On Demand BackupD. Configure On Demand Backup




A. Reports: Maintain TemplatesB. Network Activity: View Custom RulesC. Netwrok Activity: Manage Times SeriesD. Log Activity: User Defined Event Properties




QUESTION 70Which action can be performed on a license key?

A. Reuse allocation of a licenseB. Revert allocation of a licenseC. Revoke allocation of a licenseD. Recover allocation of license



QUESTION 71What does the message in the System Notification Widget on the Dashboard "Disk Sentry: Disk Usage exceeded max threshold " tell you?

A. One of your Files Systems has exceeded 92%.B. One of your Files Systems has exceeded 95%.C. One of your Files Systems has exceeded 98%.D. One of your Files Systems has exceeded 90%.


Explanation/Reference:Source: IBM QRadar Tuning and Troubleshooting Guide - Disk usage warning - Page 25-26.

QUESTION 72


From which screen can a Secondary Host be added to an HA host?

A. Admin -> System SettingsB. Admin -> Deployment EditorC. Admin -> Store and ForwardD. Admin -> System and License Management



QUESTION 73Which QRadar component requires the use of a NAPATECH card?

A. QRadar 3105 ConsoleB. QRadar 1705 ProcessorC. QRadar 1605 ProcessorD. QRadar QFlow Collector 1310


Explanation/Reference:Correct Answers: QFlow 1202, QFlow 1301 and QFlow 1310.

Source: IBM QRadar Hardware Guide - Appliance Specifications Page 23.

QUESTION 74Which line color inside the deployment editor signals that encrypted communication has been selected for the managed hosts in a distributed environment?

A. RedB. BlueC. BlackD. Green



Explanation/Reference:There answer is either Black or Blue .

WARNING: The answer in this question is NOT sure co rrect! Don't take the risk, verify the correct answ er!

QUESTION 75What is used to define the server types in the server discovery scrreen?

A. PortsB. HostnameC. Mac addressD. IP addresses



QUESTION 76A QRadar administrator is sizing a distributed deployment. The deployment has approximately 1.5 gigabytes of sustained throughput of traffic on a network tap.The network tap is a copper connection .

A. Qflow Collector 1310B. Qflow Collector 1202C. Qflow Collector 1201D. Qflow Collector 1301




QUESTION 77What options on the Reports tab allows you to import logos and specific images for use on reports?

A. DesignB. ImagesC. BrandingD. Customization



QUESTION 78What is the command to mount the Patch file 721_QRadar_patchupdate-7.2.1.679924.sfs in QRadar 7.2.1?

A. mount -o loop /media/updates 721_QRadar_patchupdate-7.2.1.679924.sfsB. mount -o squashfs -t loop 721_QRadar_patchupdate-7.2.1.679924.sfs /media/updatesC. mount -o loop /media/updates -t squashfs 721_QRadar_patchupdate-7.2.1.67924.sfsD. mount -o loop -t squashfs 721_QRadar_patchupdate-7.2.1.679924.sfs /media/updates/


Explanation/Reference:Source: IBM Knowledge Center > Upgrading QRadar products

QUESTION 79A customer is getting sufficient detection of proxy servers and customer wants to tune the building block "Defualt--BB-Host-Definition: Proxy Servers".

Which test the "Default-BB-Host Definition: Proxy Servers" need to be edited for tuning?

A. Edit the "and when the destination IP is one of the following" test to include the IP addresses


B. Edit the "and when the source or destination netwirk is on of the following" test to include the networkC. Edit the "and when the source IP is one of the follwoing" test to include the IP addresses of the proxy serversD. Edit the "and when either the source or destination IP is one of the following" test to include the IP addresses of the proxy servers



QUESTION 80What inidicates if an offense is flagged for follow-up?

A. A flag in the Flag columnB. Follow-up System NotificationC. Follow-up email notification from that offenseD. A flag in Offense Note inidicating follow-up required



QUESTION 81Which option is used to set the Secondary host to an active state?

A. Click on Primary, then click on High Availability > Set System OfflineB. Click on Secondary, then click on High Availability > Restore SystemC. Click on Secondary, then click on High Availability > Set System OnlineD. Click on HA Cluster, then click on High Availability > Set System Offline




QUESTION 82Where does the information about total number of Assets and Vulnerability processed appear?

A. Asset table in Assets tabB. VA Scanner Configuration screenC. Vulnerabilities Tab > Scan ResultD. Mouse Ober popup on Schedule Scan Status field



QUESTION 83Which user account in the QRadar host must be used to configure offboard storage?

A. RootB. AdminC. StorageD. Administrator



QUESTION 84What does My Offenses display?

A. Offenses closed by the userB. Offenses assigned to the userC. Offenses protected by the userD. Offenses triggered byrules created by the user




QUESTION 85Where is an email address from which you want to receive email alerts on QRadar SIEM located?

A. Admin > System settings > Alert Email From AddressB. Admin > Console settings > Alert Email From AddressC. Admin > System settings > Administrative Email AddressD. Admin > Console settings > Administrative Email Address



QUESTION 86Which sampling technology provides continuous monitoring of application level traffic flows on all interfaces simultaneously?

A. SflowB. J-flowC. PacketeerD. Flowlog file



QUESTION 87


What is used to collect security events in a QRadar Distributed Deployment?


A. QRadar 3105 ConsoleB. QRadar 1705 ProcessorC. QRadar 1605 ProcessorD. QRadar 1201 QFlow Collector



QUESTION 88What is required to allow authentication to work properly when using a vendor authentication module like Active Directory?

A. Authentication Bind passwordB. An SSH tunnel between QRadar and the authentication serverC. QRadar and the authentication server must be on the same subnetD. Time Synchronization between QRadar and the authentication server



QUESTION 89Which text box allows you to search event and flow payloads using a text string?


A. DisplayB. Add FilterC. Quick FilterD. Save Criteria



QUESTION 90Which two types are available for the graph type "horizontal bar" on QRadar? (Choose tow.)

A. Top Source IPsB. Top Source PortsC. Top Login FailuresD. Top Destination IPsE. Top Destination Ports

Correct Answer: ADSection: (none)Explanation


QUESTION 91What defines the maximum number of objects in network hierarchy?

A. QRadar patch levelB. QRadar license keyC. QRadar release levelD. QRadar activiation key

Correct Answer: A


Section: (none)Explanation


QUESTION 92An of-site source can be connected to which component?

A. QFlowB. Event CollectorC. Flow ProcessorD. Event Processor



QUESTION 93What is the benefits of enabling indexes on event properties?

A. Decreased disk usageB. Improved report accuracyC. Improved search performanceD. Improved performance for regular expression patterns



QUESTION 94Given QRadar network heirarchy defined as 9.182.160.0/23 for the CIDR network 9.182.160.0, what is the customer's network IP range?


A. 9.182.160.0 - 9.182.161.255B. 9.182.160.0 - 9.182.160.255C. 9.182.160.1 - 9.182.160.255D. 9.182.160.1 - 9.182.160.127


Explanation/Reference:The answer is 9.182.160.0 - 9.182.161.255

Network: 9.182.160.0CIDR Notation: /23Subnet Mask: 255.255.254.0Broadcast: 9.182.161.255

QUESTION 95How many streaming events per second can be displayed before being accumulated in a result buffer?

A. 30 results per secondB. 40 results per secondC. 50 results per secondD. 60 results per second



QUESTION 96Which tab in the QRadar web console allows events to be monitored and investigated?

A. AdminB. OffensesC. ForensicsD. Log Activity




QUESTION 97A customer wants to detect users that logged in from IP addresses in different locations simultaneously.

How can the customer achieve this using teh QRadar console?

A. Create a rule to test for login failures from different country with 15 minutesB. Create a rule to check for a local login within corporate network and simultaneous remote loginC. Create a rule to test for 2 or more logins from VPN or AD from different countries within 15 minutesD. Create an offense to test for 2 or more logins from VPN or AD from different countries within 15 minutes


Explanation/Reference:WARNING: The answer in this question is NOT sure co rrect! Don't take the risk, verify the correct answ er!

QUESTION 98Which flow source is sampled?

A. sFlowB. PCAPC. QFlowD. Flog log file




QUESTION 99Assuming a Squid Proxy has logs in the follwoing format:

time elapsed remotehost code/status bytes method URL rfc931 peerstatus/peerhost type

And these are some sample logs from Squid server:

1286536310.075 452 192.168.0.227 TCP_MISS/200 5067 GET http://www.test.com/vi/VfnuY/default.jpg-DIRECT/10.20.153.118 image/jpeg1286536310.524 935 192.168.0.68 TCP_MISS/200 1021 POST http://www.test.com/services - DIRECT/172.16.41.128 application/xml1286536310.550 495 192.168.0.227 TCP_MISS/204 406 GET http://test.com/get_video? - DIRECT/10.12.231.1.136 text/html 1153239176.287 632 172.16.10.92TCP_IMS_HIT/304 215 GET http://www.test.com/index.html - NONE/-text/html

Which regular expression would you use to pull out the bytes field into custom property?

A. \w+/\d+\s+(\d+)\s+(POST|GET)B. \w+/\d+\S+(\d+)\S+(POST|GET)C. \w+/\d+\s+(\d+)\s+^(POST|GET)D. \W+/\D+\D+(\D+)\D+(POST|GET)



QUESTION 100Which tab can used to create, edit, distribute and manage reports?

A. AdminB. AssetsC. ReportsD. Dashboard





A. IBM AIXB. MAC OS XC. Ubuntu LinuxD. Windows OS


Explanation/Reference:Correct Answers:

* Red Hat Enterprise Linux 6.5 (Santiago)* Microsoft Windows Vista* Microsoft Windows 7* Microsoft Windows 2008* Microsoft Windows 2008 R2

Note: Ubuntu /Debian is NOT supported

QUESTION 102A QRadar administrator is sizing a distributed deployment. The deployment has approximately 25,000 events per second and needs at least 7 terabytes ofstorage .


A. One 1605 event processorB. One 1624 event processorC. Two 1605 event processorsD. Two 1624 event processors

Correct Answer: CSection: (none)


Explanation

Explanation/Reference:Answer: Either Two or One 1605 event processor. Ver ify the correct answer.

QUESTION 103Which TCP port must be open to allow communication between the primary and secondary HA hosts?

A. 7709B. 7788C. 7789D. 7790



QUESTION 104Which offboard storage solution utilizes ethernet infrastructure rather than a dedicated SAN network?

A. FTPB. NFSC. iSCSID. Fibre Channel



QUESTION 105Which proxy option can be set in the QRadar Auto Update Advanced settings?

A. Proxy Type


B. Proxy NameC. Proxy ScheduleD. Proxy Password


Explanation/Reference:Correct Answers: Proxy Server, Proxy Port, Proxy Username and Proxy Password .

QUESTION 106A user of QRadar wishes to have a report showing the total bytes seen on their Internet connection. The user decides to create a Custom Flow Property to add thebytes sent and bytes received together.

Which type of custom property is required for this to be accomplished?

A. Regex Custom PropertyB. Computed Custom PropertyC. Arithmetic Based Custom PropertyD. Calculation Based Custom Property



QUESTION 107Which Security Profile Permission Precedence should be applied so the users of that profile can only see the flows related to the "Windows Servers" network?

A. Network OnlyB. No RestrictionsC. Log Sources OnlyD. Network AND Log Source

Correct Answer: ASection: (none)


Explanation


QUESTION 108Which feature of QRadar is used for correlation purposes to help reduce false positives?

A. Flow informationB. Events informationC. Asset port informationD. Asset profile information



QUESTION 109A customer has developed a custom Universal Device Supprt Module (uDSM's) for an unsupported device. The customer wants to parse Device Time field which isnot in standard format.

Which parameter should an administrator define in the LSX template in this situation?

A. ext-timeB. ext-dateC. ext-dataD. ext-devicedate


Explanation/Reference:Source: IBM Security QRadar SIEM Version 7.1.0 MR1 - Log Sources User Guide - Page 71 - DeviceTime

QUESTION 110


Which two types of charts are available on QRadar SIEM Report editor? (Choose two.)

A. Top EventsB. Top Source IPsC. Top Login FailuresD. Top Destination IPsE. Top Access Failures



QUESTION 111A QRadar SIEM administrator wants to report when a local system connects to the internet on more than 100 destination ports over a 2 hour period. Theadministrator created an anomaly rule to capture this scenario.

Which type of rule should be selected in the rule creation wizard in this situation?

A. Flow TuleB. Event RuleC. Offense RuleD. Common rule



QUESTION 112Which two proxy options are supported by QRadar Auto Update Advanced settings? (Choose two.)

A. Proxy PortB. Proxy TypeC. Proxy Name


D. Proxy CategoryE. Proxy Username


Explanation/Reference:Correct Answers: Proxy Server, Proxy Port , Proxy Username and Proxy Password.

QUESTION 113Which serial option needs to be set in the syslinux configuration file to reinstall a malfunctioning appliance via serial port from an USB flash-drive?

A. Default serialB. Serial port redirectC. Serial install optionD. Serial console redirect



QUESTION 114Which three messages are displayed in the Next Run Time Column while a QRadar Administrator is manually generating a report? (Choose three.)

A. GeneratingB. (x hour(s) x min(s))C. Generating QueuesD. (x hour(s) x min(s) y sec(s))E. Queued (position in the queue)F. Queued in the database column

Correct Answer: ADESection: (none)Explanation


Explanation/Reference:Explanation: When a report generates, the Next Run Time column displays one of the three following messages:

* Generating - The report is generating

* Queued (positioning the queue) - The report is queued for generation. The message indicates the position of the report in the queue. For example, 1 of 3.

* (x hour(s) x min(s) y sec(s)) - The report is scheduled to run. The message is a count-down timer that specifies when the report will run next.

Source: IBM Knowledge Center > Managing IBM Security QRadar Risk Manager reports > Manually generating a report

QUESTION 115What is used to collect security events in a QRadar Distributed Deployment?

A. QRadar 3124 ConsoleB. QRadar 1724 ProcessorC. QRadar 1624 ProcessorD. QRadar 1310 QFlow Collector



QUESTION 116Which action prevents an offense from being removed from the database?

A. HideB. ShowC. ExportD. Protect




QUESTION 117Which string creates a network hierarchy group called WebServers inside a group called DMZ?

A. DMZ/WebServersB. DMZ_WebServersC. DMZWebServersD. DMZ+WebServers



QUESTION 118What does the message in the System Notification Widget in the Dashboard "Disk Sentry: Disk usage exceeded WARNING threshold" tell you?

A. One of your File Systems has exceeded 92%.B. One of your File Systems has exceeded 95%.C. One of your File Systems has exceeded 98%.D. One of your File Systems has exceeded 90%.



QUESTION 119


Which scanners report vulnerabilities on all ports? (Choose two.)

A. AxisB. NMapC. QualysD. tcpdumpE. nCircle IP360

Correct Answer: BCSection: (none)Explanation


QUESTION 120Which two primary data sources send updates to the Asset profiler? (Choose two.)

A. Source IPB. Source PortC. Scan ResultD. Destination IPE. Identity Events

Correct Answer: ABSection: (none)Explanation

Explanation/Reference:WARNING: The answers in this question are NOT sure correct. Don't take the risk, verify the answers!

QUESTION 121What does Server discovery do?

A. Defines rules for hostsB. Creates asset searchesC. Populates host definition building blocksD. Builds complex search queries for events flows






A. Cisco IOSB. Sun SolarisC. Debian LinuxD. MS Windows Vista


Explanation/Reference:Correct Answers:

* Red Hat Enterprise Linux 6.5 (Santiago)* Microsoft Windows Vista* Microsoft Windows 7* Microsoft Windows 2008* Microsoft Windows 2008 R2

Note: Ubuntu/Debian is NOT supported


QUESTION 123A flow is sequence of packets that have which common characteristics?

A. Same source, MAC address, flow source and destination IP addressB. Same source IP address, flow source and transport layer port informationC. Same source and destination IP address and transport layer port informationD. Same destination IP address, source bytes and transport layer port information



QUESTION 124Which appliance is used to collect, store, and process event and flow data in case of hardware and network failure?

A. Replicated applianceB. Secondary applianceC. High availability applianceD. High accessibility appliance



QUESTION 125How do you view an offense that is associated with an event from the Log Activity tab?

A. Double click the eventB. Click the Offense icon next to the eventC. Right click the event, select View OffensesD. Select the event, and select Offenses from the View list box




QUESTION 126Which network monitoring port does Juniper Jflow require to be configured in QRadar?

A. Port 80B. Port 443C. Port 1080D. Port 2055



QUESTION 127Which two options are available for Override parameter when an administrator views the Asset Profile Summary page? (Choose two.)

A. ForeverB. Until Next ScanC. After Next ScanD. Before Next ScanE. After Specified Time



QUESTION 128


There are unknown log records from unsupported security device events in the Log activity tab. You are plannig to write an LSX for an unsupported security devicetype based on UDSM.

What is the file format and payload option for exporting the unknown log records?

A. PDF and full exportB. CSV and full exportC. XML and visible columnD. CSV and visible column



QUESTION 129Which two formats can reports be generated in? (Choose two.)

A. JPEG imag (JPG)B. Comma Sperated Values (CSV)C. Microsoft Word Document (DOC)D. Hypertext Markup Language (HTML)E. Adobe Portable Document Format (PDF)



QUESTION 130What is QRadar QFlow Collector combined with QRadar SIEM designed to do?

A. Collect Netflow recordsB. Layer 7 application visibilityC. Receive Syslog messages


D. Ensure secure message collection



QUESTION 131Who can view all offenses?

A. All usersB. Admin userC. User who has accesss to All Log Sources and All NetworksD. Restricted User who has access to a Specific Log Source and Network


Explanation/Reference:Answer: All users

Explanation: All users can view all offenses regardless of which log source is associated with the offense. The Offenses tab does not use device level user permissions to determine which offenses each user is able to view; as determined by networkpermissions.

Source: https://www-01.ibm.com/support/knowledgecenter/SS42VS_7.2.6/com.ibm.qradar.doc/c_qradar_off_overview.html

QUESTION 132How many IP addresses are required if the customer is planning to do high availability installation of one 31xx, two 16xx, and one 171xx appliances?

A. 8B. 10C. 12


D. 15



QUESTION 133Which parameter defines the location of the user profiles under the Admin tab?

A. Authentication > User Data FilesB. System settings > User Data FilesC. Security Profiles > User Data FilesD. Console settings > User Data Files


Explanation/Reference:Answer : Authentication > User Data Files OR Security Profiles > User Data Files

WARNING: The answer in this question is NOT sure co rrect! Don't take the risk, verify the correct answ er!

QUESTION 134Which offboard storage solution provides the fastest performance?

A. AoEB. NFSC. iSCSID. Fibre Channel




QUESTION 135How many days does QRadar keep record of Closed Offense by default?

A. 1 dayB. 5 daysC. 3 daysD. 7 days



QUESTION 136Which Permission Precedence should be applied in the Security Profile so the users can see events from the "Windows Servers" log source group and from otherlog sources that match the destination or source network "Windows"?

A. No RestrictionsB. Log Sources OnlyC. Networks OR Log SourcesD. Networks AND Log Sources



QUESTION 137Which two IP Addresses are required to Add a HA host? (Choose two.)

A. Public IP AddressB. Private IP Address


C. Cluster IP AddressD. Remote IP AddressE. IP Address of Secondary Host



QUESTION 138Which two types of charts are available on QRadar SIEM Report editor? (Choose two.)

A. Top EventsB. Top Source IPsC. Top Login FailuresD. Top Destination IPsE. Top Access Failures



QUESTION 139An off-site target can connect to which component

A. Flow collectorB. Event collectorC. Flow processorD. Event processor




QUESTION 140A QRadar administrator is sizing a distributed deployment. The deployment has approximately 2 gigabytes of sustained throughput of traffic on a network tap.The network tap is a 10 gigabyte fiber connection.


A. Qflow Collector 1301B. Qflow Collector 1201C. Qflow Collector 1310D. Qflow Collector 1202



QUESTION 141Which two data collection types are supported for SAINT scanner configurations? (Choose two.)

A. App ScanB. Live ScanC. Report OnlyD. Passive ScanE. Vulnerability Scan

Correct Answer: BCSection: (none)Explanation


QUESTION 142


The current settings for QFlow do not capture enough payload.

How would you change the packet capture size?

A. ConsoleB. Command lineC. System settingsD. Deployment editor



QUESTION 143Given the network IP range of 192.168.160.1 to 192.168.160.127, what format would this be entered into a network hierarchy object?

A. 192.168.160.128/24B. 192.168.160.0/24C. 192.168.160.0/23D. 192.168.160.0/25



QUESTION 144A customer wants to view Log Sources based on functionality on QRadar console. The customer wants to categorize its Log Sources into multiple groups, whichallows the customer to efficiently view and track its log sources.

What is the maximum number of log sources a log source group can display on the QRadar console?

A. 100B. 500


C. 750D. 1000



QUESTION 145Which view option allows you to view events as they occur?

A. AutomaticB. Live EventsC. Real Time (streaming)D. Last Interval (auto refresh)



QUESTION 146Which two formats can events be exported to? (Choose two.)

A. Web page (HTML)B. Excel Spreadsheet (XLS)C. Comma-Separated Values (CSV)D. Portable Document Format (PDF)E. Extensible Markup Language (XML)





A. Assets: Server DiscoveryB. Offenses: View Custom RulesC. Offenses: Maintain Custom RulesD. Network Activity: User Defined Flow Properties



QUESTION 148Which two IP Addresses are required to setup NATed environment? (Choose two.)

A. Public IP AddressB. Private IP AddressC. Remote IP AddressD. Secondary IP AddressE. Destination IP Address



QUESTION 149Which file needs to be installed to patch to QRadar release 7.2.1.xxx?

A. 721_QRadar_patchupdate-7.2.1.xxx.isoB. 721_QRadar_patchupdate-7.2.1.xxx.sfs


C. 721_QRadar_patchupdate-7.2.1.xxx.md5D. 721_QRadar_patchupdate-7.2.1.xxx.patch



QUESTION 150Which two fields are required to be filled out when adding a new network to the network hierarchy? (Choose two.)

A. GroupB. CountryC. Mail ServerD. DNS ServerE. IP and CIDR



QUESTION 151Which statement is true with regard to auto discovery functionality?

A. All supported DSMs are auto discovered.B. Only 50 Log Sources can be auto discovered.C. Auto discovered log sources are assigned to a generic log source group.D. QRadar license key defines the maximum number of log sources that can be auto discovered.




Expanation:


exam code: c2150-400 exam name: ibm security …... b. if used disk space reaches 85% for records...

Documents