Exam Details

  • Exam Code: C1000-018
  • Exam Name: IBM QRadar SIEM V7.3.2 Fundamental Analysis
  • Certification: IBM Certifications
  • Vendor: IBM
  • Total Questions: 60 Q&As
  • Last Updated: Mar 26, 2025

IBM Certifications C1000-018 Questions & Answers

  • Question 11:

    What does the Assets tab provide?

    A unified view of the information that is known about:

    A. network devices.

    B. triggered Offenses.

    C. log sources.

    D. events and flows.

  • Question 12:

    An analyst is investigating a series of events that triggered an Offense. The analyst wants to get more detailed information about the IP address from the reference set.

    How can the analyst accomplish this?

    A. Click on Searches tab then perform an Advanced Search

    B. Click on Log Activity tab then perform a Quick Search

    C. Click on Searches tab then perform a Quick Search

    D. Click on Log Activity tab then perform an Advanced Search

  • Question 13:

    The administrator had set up several scheduled reports that can be executed by analysts every Monday, and the first day of each month. On Thursday, an executive requests one of the weekly reports.

    If the analyst executes the report on Thursday, what information will the report contain?

    A. Data from Monday to Sunday from the previous week.

    B. Data from Thursday from the previous week to Wednesday from the current week.

    C. Data from Monday to Thursday from the current week.

    D. Data from Monday to Wednesday from the current week.

  • Question 14:

    Which QRadar component stores Offenses?

    A. Console

    B. Data Node

    C. Event Processor

    D. Event Collector

  • Question 15:

    How does an analyst view the base64 encoded string of an event's raw payload that contains unprintable characters?

    A. Copy the raw payload and use an external tool to view base64 data

    B. Right click on the event -> view base64 data

    C. Log Activity -> Under Payload Information, click base64 tab

    D. Admin -> Under Payload Information, click base64 tab

  • Question 16:

    An analyst has observed that, for a particular user, authentication to an organization's critical server differs from the normal access pattern.

    How can the analyst verify that all the authentications initiated from the user are valid?

    A. Perform a search with filter Destination IP group by Username, then validate the Username

    B. Perform a search with filter Source IP group by Username, then validate the Username

    C. Perform a search with filter Username group by Source IP, then validate the Destination IP

    D. Perform a search with filter Username group by Source IP, then validate the Source IP

  • Question 17:

    An analyst is investigating a user's activities and sees that they have repeatedly executed an action which triggers a rule that emails the SOC team and creates an Offense, indexed on Username.

    The SOC team complained that they have received 15 emails in the space of 10 minutes, but the analyst can only see one Offense in the Offenses tab.

    How is this explained?

    A. There is a Rule Limiter on the Rule Action which creates the Offense, this should also be applied to the Rule Responses.

    B. This is expected behavior, the offense will contain the information about all 15 events.

    C. An Offense rule has been configured to send multiple emails upon Offense creation.

    D. The Custom Rules Engine (CRE) has fallen behind and the additional Offenses will be created shortly.

  • Question 18:

    An analyst needs to review additional information about the Offense top contributors, including notes and annotations that are collected about the Offense.

    Where can the analyst review this information?

    A. In the top portion of the Offense Summary window

    B. In the bottom portion of the Offense main view

    C. In the bottom portion of the Offense Summary window

    D. In the top portion of the Offense main view

  • Question 19:

    An analyst needs to assign a geographic location to all of the internal IP addresses.

    Which option defines the fields in which the analyst can set up the geographic location of a network object in the Network Hierarchy?

    A. GPS location and Map

    B. Group and IP address

    C. Log Activity and Network Activity

    D. Longitude and Latitude

  • Question 20:

    What is the difference between a Quick Search and an Advanced Search?

    A. An Advanced Search uses a saved search, while a Quick Search uses a query language.

    B. A Quick Search displays results by column, while an Advanced Search displays results by Category.

    C. A Quick Search uses a saved search, while an Advanced Search requires a query language.

    D. An Advanced Search displays results by Category, while a Quick Search displays results by column.
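Questions 12, 16 and 20 all turn on the Advanced Search, which takes an Ariel Query Language (AQL) statement rather than the filter-and-group-by UI of Quick Search. The two queries below are an added illustration written for this page, not material from the exam or from IBM's documentation. The reference set name `Watchlist_IPs`, the server address `10.0.0.5`, and the seven-day window are assumed placeholders; the AQL functions used (`REFERENCESETCONTAINS`, `CATEGORYNAME`, `DATEFORMAT`, `UTF8`) are standard QRadar AQL. The first query answers the situation in questions 12 and 16: it keeps only authentication events against the critical server whose source address is in the reference set, then groups by username and source IP so the analyst can validate each source IP per user. The second shows how the raw payload from question 15 can be pulled out of the same events for inspection.

```sql
-- Added example, not from the exam page. Run from Log Activity -> Advanced Search.
-- Assumed placeholders: reference set 'Watchlist_IPs', critical server 10.0.0.5.

-- 1) Reference-set enrichment plus group-by for per-user source-IP validation
SELECT
    username,
    sourceip,
    COUNT(*)                                             AS hits,
    DATEFORMAT(MIN(starttime), 'yyyy-MM-dd HH:mm:ss')    AS first_seen,
    DATEFORMAT(MAX(starttime), 'yyyy-MM-dd HH:mm:ss')    AS last_seen
FROM events
WHERE destinationip = '10.0.0.5'
  AND REFERENCESETCONTAINS('Watchlist_IPs', sourceip)   -- match against the reference set
  AND CATEGORYNAME(category) ILIKE '%authentication%'   -- restrict to auth events
GROUP BY username, sourceip
ORDER BY hits DESC
LAST 7 DAYS

-- 2) Pull the raw payload of the matching events for manual review.
--    UTF8() renders the stored bytes; unprintable bytes are easier to read from the
--    base64 tab in the event details, which this query does not replace.
SELECT
    DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
    username,
    sourceip,
    UTF8(payload)                                AS raw_payload
FROM events
WHERE destinationip = '10.0.0.5'
  AND REFERENCESETCONTAINS('Watchlist_IPs', sourceip)
ORDER BY starttime DESC
LIMIT 50
LAST 7 DAYS
```

Each statement is submitted on its own; AQL does not accept two statements in one search. A Quick Search, by contrast, is a saved search selected from the Log Activity tab and cannot express the reference-set test in the WHERE clause.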

Tips on How to Prepare for the Exams

Nowadays, certification exams are becoming more and more important, and more and more enterprises require them when you apply for a job. But how do you prepare for the exam effectively? How do you prepare for the exam in a short time with less effort? How do you get an ideal result, and how do you find the most reliable resources? Here on Vcedump.com you will find all the answers. Vcedump.com provides not only IBM exam questions, answers and explanations but also complete assistance with your exam preparation and certification application. If you are confused about your C1000-018 exam preparation or your IBM certification application, do not hesitate to visit Vcedump.com to find your solutions.