Free IBM QRadar SIEM V7.3.2 Fundamental Analysis Exam C1000-018 Exam Practice Test

What is the purpose of Anomaly detection rules?

• They inspect other QRadar rules.
  
• They detect if QRadar is operating at peak performance and error free.
  
• They detect unusual traffic patterns in the network from the results of saved flow and events.
  
• They run past events and flows through the Custom Rules Engine (CRE) to identify threats or security incidents that already occurred.
  

An analyst needs to review additional information about the Offense top contributors, including notes and annotations that are collected about the Offense.Where can the analyst review this information?

• In the top portion of the Offense main view
  
• In the bottom portion of the Offense main view
  
• In the top portion of the Offense Summary window
  
• In the bottom portion of the Offense Summary window
  

An analyst needs to map a geographic location on all the internal IP addresses.Which option defines the functions where the analyst can-setup a geographic location of the network object in Network Hierarchy?

• GPS location and Map
  
• Group and IP address
  
• Log Activity and Network Activity
  
• Longitude and Latitude
  

An analyst needs to create a rule that includes a building block definition that identifies a communication to a local SMTP server that then connects to an unapproved remote peer.In which group will the analyst find this specified building block?

• Category Definitions
  
• Host Definitions
  
• Network Definitions
  
• Policy
  

An analyst needs to investigate why an Offense was created.How can the analyst investigate?

• Review the Offense summary to investigate the flow and event details.
  
• Review the X-Force rules to investigate the Offense flow and event details.
  
• Review pages of the Asset tab to investigate Offense details.
  
• Review the Vulnerability Assessment tab to investigate Offense details.
  

What are the different flow types in QRadar?

• L2L, L2R, R2R, R2L
  
• Standard, Type A, Type B, Type C
  
• Standard, Type 1, Type2, Type 3
  
• Type 1, Type 2, Type 3, Type 4
  

There are 5 authentication servers that report to different Event Processors. There is a requirement to generate an Offense if there are 5 consecutive failed logins detected across any of the 5 Event Processors.Which type of rule should the analyst create?

• Global Rule
  
• Persistent Rule
  
• Local Rule
  
• Offense Rule
  

Which consideration should be given to the position of rule tests that evaluate regular expressions (Regex tests)?

• They can only be used in Building Blocks to ensure they are evaluated as infrequently as possible.
  
• They are usually the most specific. As such, they should appear first in the order.
  
• They are usually the most expensive. As such, they should appear last in the order.
  
• They are stateful tests. As such QRadar automatically evaluates them last.
  

An analyst notices that there are a number of invalid Offenses being created from a network node. This node has been determined to be in Domain 2 and has the following log sources sending it events: (3Com 8800 Series Switch from 172.18.1.1, Cisco ACE Firewall from 172.18.1.2, FireEye from 172.18.1.3, and Palo Alto PA Series from 172.18.1.8).The analyst should create a False Positive Building Block that has a filter:

• 'when the destination IP is in 172.18.0.0/16'
  
• 'when the local network is Domain 2 and when the source IP is in 172.18.0.0/16'
  
• 'when the remote IP is one of the following 172.18.1.1, 172.18.1.2. 1.3 172. 18.18.1.8
  
• 'when the local network is Domain 2 and when the source IP is in 172.18.0.0/16'
  

What is a valid offense naming mechanism?This information should:

• set the naming of the associated offense(s).
  
• set or replace the naming of the associated offense(s).
  
• replace the naming of the associated offense(s).
  
• be included in the naming of the associated offense(s).