IBM IBM Certifications C2150-624 Questions & Answers

• Question 51:

  An Administrator is adding a log source in IBM Security QRadar SIEM V7.2.8.

  What required software application that supports the log source should be used for this procedure?

  A. QRadarQFlow Collector

  B. QRadar Event Collector

  C. Device Support Module (DSM)

  D. IBM X-Force Exchange plug-in for QRadar

  Correct Answer: C

  Download and install a device support module (DSM) that supports the log source. A DSM is software application that contains the event patterns that are required to identify and parse events from the original format of the event log to the format that QRadar can use.

• Question 52:

  What are three protocols that collect flow data from network devices, such as routers, and send this data to IBM Security QRadar SIEM V7.2.8?

  A. NetFlow, J-Flow and sFlow

  B. NetFlow, IPFIX and syslog

  C. NetFlow, rsyslog and sFlow

  D. NetFlow, Packeteer and syslog

  Correct Answer: A

  NetFlow, J-Flow, and sFlow are protocols that collect flow data from network devices, such as routers, and send this data to QRadar.

• Question 53:

  How can an IBM Security QRadar SIEM V7.2.8 Administrator capture specific data to a reference set when QRadar receives the data from events or flow data?

  A. Create or modify a report so the required data is exported to a Reference: Set.

  B. On the Admin tab. create or modify the reference set to capture the required data.

  C. On the Admin tab define a Custom Action to add the required data to a Reference: Set.

  D. Create or modify a rule so the Rule Response will add the required data to a Reference: Set.

  Correct Answer: B

  You can click on the admin tab and select system configuration. The Reference: set management will be seen. Click New and configure the parameters.

• Question 54:

  An Administrator of an IBM Security QRadar SIEM V7.2.8 deployment needs to exclude the mail servers

  from a custom rule.

  How would the Administrator complete this task?

  A. Create a building block that includes the IP addresses of all mail servers, use that building block in the custom rule, to exclude those hosts.

  B. Create several rules excluding each mail server. Place these rules with the custom rule in a master rule, making sure the custom rule is last in the sequence.

  C. Create a custom rule. In the "Rule Response" section of the Rule Wizard, select the Trigger Scan option. Add the mail server IP Addresses to the table and select exclude.

  D. Create the custom rule. Create a Custom Action from the Admin Tab, to exclude the mail servers IP Addresses. In the "Rule Response" section of the Rule Wizard, select the Execute Custom Action option, selecting the appropriate Custom Action.

  Correct Answer: A

  Building blocks use the same tests as rules, but have no actions associated with them. Building blocks group together commonly used tests, to build complex logic, so they can be used in rules. Building blocks are often configured to test groups of IP addresses, privileged usernames, or collections of event names. For example, you might create a building block that includes the IP addresses of all mail servers in your network, then use that building block in another rule, to exclude those hosts. The building block defaults are provided as guidelines, which should be reviewed and edited based on the needs of your network.

• Question 55:

  An IBM Security QRadar SIEM V7.2.8 Administrator needs to retain authentication failure data to a specific

  domain, for a longer period than the rest of the event data being collected.

  How is this task completed?

  A. The administrator will need to create a custom rule with the appropriate filters and retention period.

  B. The administrator will need to create a new Event Retention Bucket with the appropriate filters and retention period.

  C. The administrator will need to create a custom filter in the log activity tab with the appropriate parameters and retention period.

  D. The administrator will need to create a custom report with the appropriate parameters and use the report format TAR (Tape archive).

  Correct Answer: B

  In current versions of QRadar you can set custom retention buckets for Events and Flows. The 10 non-default retention buckets are processed sequentially from top to bottom. Any events that do not match the retention buckets are automatically placed in the default retention bucket, located at the bottom of the list. Custom retention buckets allow the ability to add a time period and filters. If you enable a retention bucket with a defined criteria it will start deleting data from the time is was created. Any data that matches the custom retention bucket before it was created is subject to the criteria of the default retention bucket setting. If you need to delete data from before the Custom retention bucket was created you can shorten the default retention bucket so data is deleted immediately.

• Question 56:

  An Administrator using IBM Security QRadar SIEM V7.2.8 is using the RegEx syntax below:

  (\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b)

  What type of information is it designed to extract?

  A. An IP Address

  B. GPS Coordinates

  C. A Telephone Number

  D. A simple integer no longer than 4 digits

  Correct Answer: A

  Sample regular expressions:

  email: (.+@[^\.].*\.[a-z]{2,}$)

  URL: (http\://[a-zA-Z0-9\-\.]+\.[a-zA-Z]{2,3}(/\ S*)?$)

  Domain Name: (http[s]?://(.+?)["/?:])

  Floating Point Number: ([-+]?\d*\.?\d*$)

  Integer: ([-+]?\d*$)

  IP Address: (\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b)

  For example: To match a log that resembles: SEVERITY=43 Construct the following Regular

  Expression: SEVERITY=([-+]?\d*$)

• Question 57:

  An Administrator needs to create a new user role in the IBM Security QRadar SIEM V7.2.8 system. What steps need to be followed?

  A. System Configuration tab -> Users and Roles -> Add New Role -> Add

  B. Admin tab -> System Configuration -> User Management -> User Roles -> New

  C. Admin tab -> System and Settings -> Users and Roles -> Role Management -> New

  D. System Management tab -> System Configuration -> User Management -> User Roles -> New

  Correct Answer: B

  By default, your system provides a default administrative user role, which provides access to all areas of

  QRadar SIEM. Users who are assigned an administrative user role cannot edit their own account.

  This restriction applies to the default Admin user role. Another administrative user must make any account

  changes.

• Question 58:

  When replacing a Console appliance in an IBM Security QRadar SIEM V7.2.8 deployment using a new IP address or host name, what must be the same on the two Console appliances?

  A. The amount of storage must be the same.

  B. The Basic and Upgrade license must be the same.

  C. The software versions of both appliances must match.

  D. The Network Configuration and Protocol must be the same.

  Correct Answer: C

  The software version of the new Console appliance must match the software version of the old Console appliance. QRadar does not allow appliances at different software versions in the deployment. Administrators might be required to reinstall an ISO for the appliance to downgrade or use a Fix Pack (SFS) to upgrade on the new appliance. The paperwork that came with your appliance lists the installed software version.

• Question 59:

  An Administrator working with IBM Security QRadar SIEM V7.2.8 was tasked with adding a new Microsoft Azure log source.

  What protocol is supported for this?

  A. FTP

  B. JDBC

  C. Syslog

  D. WinCollect

  Correct Answer: C

• Question 60:

  An Administrator working with IBM Security QRadar SIEM V7.2.8 only needs to remove a single host

  (10.1.95.142)

  from the reference set with the name "Asset Reconciliation IPv4 Whitelist" from the

  command line interface.

  Which command would accomplish this task?

  A.

  ./RefereceSetUtil.sh purge Asset\ Reconciliation\ IPv4\ Whitelist 10.1.95.142

  B.

  ./RefereceSetUtil.sh delete Asset\ Reconciliation\ IPv4\ Whitelist 10.1.95.142

  C.

  ./RefereceSetData.sh purge Asset\ Reconciliation\ IPv4\ Whitelist 10.1.95.142

  D.

  ./RefereceSetData.sh delete Asset\ Reconciliation\ IPv4\ Whitelist 10.1.95.142

  Correct Answer: B

  The syntax for the command is:

  ReferenceSetUtil.sh add "Asset Reconciliation IPv4 Whitelist" IP