Exam Details

  • Exam Code: C1000-018
  • Exam Name: IBM QRadar SIEM V7.3.2 Fundamental Analysis
  • Certification: IBM Certifications
  • Vendor: IBM
  • Total Questions: 60 Q&As
  • Last Updated: Mar 26, 2025

IBM IBM Certifications C1000-018 Questions & Answers

  • Question 21:

    An analyst observed a port scan attack on an internal network asset from a remote network. Which filter would be useful to determine the compromised host?

    A. Any IP

    B. Destination IP [Indexed]

    C. Source or Destination IP

    D. Source IP [Indexed]

  • Question 22:

    From which tab in QRadar SIEM can an analyst search vulnerability data and remediate vulnerabilities?

    A. Log Activity

    B. Dashboard

    C. Assets

    D. Admin

  • Question 23:

    There are 5 authentication servers that report to different Event Processors. There is a requirement to generate an Offense if there are 5 consecutive failed logins detected across any of the 5 Event Processors.

    Which type of rule should the analyst create?

    A. Global Rule

    B. Persistent Rule

    C. Local Rule

    D. Offense Rule

  • Question 24:

    An analyst needs to find all events that are creating offenses that are triggered by rules that contain the word suspicious in the rule name.

    Which query can the analyst use as a working sample?

    A. SELECT LOGSOURCETYPE(logsourceid), “from log_events where RULENAME(creeventlist) ILIKE '%suspicious%'

    B. SELECT LOGSOURCERULES(logsourceid), “from rule_events where RULENAME(creeventlist) ILIKE '%suspicious%'

    C. SELECT LOGGEDOFFENSE(logsourceid), * from offense_events where RULENAME(creeventlist) ILIKE '%suspicious%'

    D. SELECT LOGSOURCENAME(logsourceid), * from events where RULENAME(creeventlist) ILIKE '%suspicious%'

  • Question 25:

    An analyst had been researching an Offense that has now disappeared from the active Offense list.

    What period of time has to pass before an active Offense that receives no new contributing events or flows becomes inactive?

    A. 5 days

    B. 3 days

    C. 24 hours

    D. 1 hour

  • Question 26:

    What information is included in flow details but is not in event details?

    A. Log source information

    B. Number of bytes and packets transferred

    C. Network summary information

    D. Magnitude information

  • Question 27:

    An analyst aims to improve the detection capabilities on all the Offense rules. QRadar SIEM has a tool that allows the analyst to update all the Building Blocks related to Host and Port Definition in a single page.

    How is this accomplished?

    A. Admin > Reference Set management

    B. Assets > Asset Profiles

    C. Assets > Server Discovery

    D. Admin > Asset Profile Configuration

  • Question 28:

    An analyst has to perform an export of events within a timeframe, but not all the columns are present in the log view for the time period the analyst has selected. The analyst only needs specific columns exported for an external analysis.

    How can the analyst accomplish this task?

    A. Edit the search and select the extra columns, then export the result with Action/Export to XML/Full Export. This export is only supported in XML.

    B. Edit the search and select the extra columns, then export the result with Action/Export to XML/Visible Columns. This export is only supported in XML.

    C. Edit the search result and select the extra columns, then export the result with Action/Export to CSV/Full Export.

    D. Edit the search result and select the extra columns, then export the result with Action/Export to CSV/Visible Columns.

  • Question 29:

    An analyst investigating a particular offense needs to understand the breakdown of the offense details.

    How can the analyst do this?

    A. Look at the magnitude information and its breakdown.

    B. Look at all the event QIDs attached to the offense.

    C. View the attack path of the offense.

    D. Look at the list of categories, event low level categories and the events attached.

  • Question 30:

    Where can an analyst working with Offenses add a regular expression test into an existing rule?

    A. Left

    B. Top

    C. Bottom

    D. Right

Tips on How to Prepare for the Exams

Nowadays, certification exams are becoming more and more important, and more and more enterprises require them when you apply for a job. But how do you prepare for the exam effectively? How do you prepare for the exam in a short time with less effort? How do you get an ideal result, and how do you find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provides not only IBM exam questions, answers and explanations but also complete assistance with your exam preparation and certification application. If you are confused about your C1000-018 exam preparation and IBM certification application, do not hesitate to visit Vcedump.com to find your solutions here.