
C1000-018 Online Practice Questions and Answers

Question 4

An analyst noticed that from a particular subnet (203.0.113.0/24), all IP addresses are simultaneously trying to reach out to the company's publicly hosted FTP server.

The analyst also noticed that this activity has resulted in a Type B Superflow on the Network Activity tab.

Under which category, should the analyst report this issue to the security administrator?

A. SYN Flood

B. Port Scan

C. Network Scan

D. DDoS

Question 5

Which statement about False Positive Building Blocks applies?

Using False Positive Building Blocks:

A. helps to prevent unwanted alerts, but there is no effect on performance.

B. helps to prevent unwanted alerts, and reduces the performance impact of testing rules that do not need to be tested.

C. has no impact on unwanted alerts, but it does reduce the performance impact of testing rules that do not need to be tested.

D. has no impact on unwanted alerts, or performance.

Question 6

Which filter would an analyst apply in the Log Activity tab to get a list of log sources not reporting to QRadar?

A. Log source status does not equal active

B. Custom rule equals device stopped sending events

C. Log source type does not equal active

D. Log source status does not equal error

Question 7

The graph below shows a time series of a value. A rule has been created which will trigger at the indicated point.

Which type of QRadar rule has been used?

A. Common Rule

B. Threshold Rule

C. Behavioral Rule

D. Anomaly Rule

Question 8

When an Offense is triggered, it only shows the events that triggered the Offense. The analyst wants to investigate further to see more events around the incident, not only those that triggered the Offense. The analyst clicks on the event count and sees the events belonging to the Offense.

How can the analyst proceed to see a more detailed picture of what occurred?

A. Right-click on the source IP, and choose More Options, then Information, and then Search Events.

B. Right-click on the destination IP, and choose More Options, then Raw Events.

C. Right-click on the source IP, and choose View in DSM Editor.

D. Right-click and filter on the Destination IP.

Question 9

An analyst observed a port scan attack on an internal network asset from a remote network. Which filter would be useful to determine the compromised host?

A. Any IP

B. Destination IP [Indexed]

C. Source or Destination IP

D. Source IP [Indexed]

Question 10

What does the Assets tab provide?

A unified view of the information that is known about:

A. network devices.

B. triggered Offenses.

C. log sources.

D. events and flows.

Question 11

An analyst needs to use a new custom property in a rule.

What must be the mandatory characteristic of the custom property?

A. It must be shared.

B. It must be boolean.

C. It must be stored.

D. It must be extracted.

Question 12

An analyst needs to perform a Quick search under the Log Activity tab to find events that contain an 'exe' file during a certain time period.

How can the analyst do this?

A. On the Search bar select Quick Filter, then insert the filter criteria '/*.exe/' and select a time interval from the View option's drop-down.

B. Select Search – New Search from the menu bar, then select all the search criteria required from the UI options provided.

C. Select Quick Searches on the menu bar, then go through the list of saved searches available to see if one already exists, that can be altered.

D. On the Search bar select Quick Filter, insert: ‘exe, last 1 hour’ into the filter criteria, then click Search.

Question 13

What are the different flow types in QRadar?

A. L2L, L2R, R2R, R2L

B. Standard, Type A, Type B, Type C

C. Standard, Type 1, Type 2, Type 3

D. Type 1, Type 2, Type 3, Type 4

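The following is an added example and is not part of the practice-exam page or of IBM's QRadar code. It illustrates the traffic shapes behind Question 4 (a whole subnet reaching one FTP server, reported as a Type B Superflow) and Question 13 (the Superflow types) by grouping constructed unidirectional flow records the way the QRadar documentation defines Superflows: Type A is one source to many destinations (network scan), Type B is many sources to one destination (DDoS), and Type C is one source to one destination on many ports (port scan). The sample flows, the `(source, destination, port)` record layout, the `min_peers` threshold and the function names are assumptions made for this demonstration; QRadar's own aggregation thresholds are not reproduced here.

```python
"""Added example, not from the C1000-018 page or from IBM. It labels
constructed unidirectional flow records with the Superflow type that the
QRadar documentation describes: Type A = one source to many destinations
(network scan), Type B = many sources to one destination (DDoS), Type C =
one source to one destination on many ports (port scan). The record
layout, the threshold min_peers and the sample addresses are assumptions."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample flows as (source_ip, destination_ip, destination_port).
SAMPLE_FLOWS = (
    # many hosts in one /24 hitting the same FTP server: the Type B shape
    [(f"203.0.113.{i}", "198.51.100.10", 21) for i in range(10, 15)]
    # one host sweeping several internal hosts on SMB: the Type A shape
    + [("192.0.2.7", f"10.0.0.{i}", 445) for i in range(1, 5)]
    # one host probing one server on several ports: the Type C shape
    + [("10.0.0.5", "198.51.100.20", p) for p in (21, 22, 23, 25, 80)]
)


def classify_superflows(flows, min_peers=3):
    """Aggregate flows and return {"A": [...], "B": [...], "C": [...]}.

    A group is reported only when it has at least min_peers distinct
    destinations (Type A), sources (Type B) or destination ports (Type C).
    """
    dsts_by_src = defaultdict(set)    # source -> destinations it talked to
    srcs_by_dst = defaultdict(set)    # destination -> sources that hit it
    ports_by_pair = defaultdict(set)  # (source, destination) -> ports used
    for src, dst, port in flows:
        dsts_by_src[src].add(dst)
        srcs_by_dst[dst].add(src)
        ports_by_pair[(src, dst)].add(port)

    result = {"A": [], "B": [], "C": []}
    for src, dsts in sorted(dsts_by_src.items()):
        if len(dsts) >= min_peers:
            result["A"].append({"source": src,
                                "destinations": sorted(dsts, key=ip_address)})
    for dst, srcs in sorted(srcs_by_dst.items()):
        if len(srcs) >= min_peers:
            result["B"].append({"target": dst,
                                "sources": sorted(srcs, key=ip_address)})
    for (src, dst), ports in sorted(ports_by_pair.items()):
        if len(ports) >= min_peers:
            result["C"].append({"source": src, "target": dst,
                                "ports": sorted(ports)})
    return result


def share_in_subnet(addresses, cidr):
    """Fraction of addresses that fall inside cidr. A value of 1.0 means every
    source came from that subnet, the pattern Question 4 describes."""
    net = ip_network(cidr)
    if not addresses:
        return 0.0
    return sum(ip_address(a) in net for a in addresses) / len(addresses)


if __name__ == "__main__":
    groups = classify_superflows(SAMPLE_FLOWS)
    for kind, entries in groups.items():
        for entry in entries:
            print(f"Type {kind}: {entry}")
    type_b = groups["B"][0]
    print("Type B sources inside 203.0.113.0/24:",
          share_in_subnet(type_b["sources"], "203.0.113.0/24"))
```

The three shapes are distinguished purely by which side of the flow fans out: Type A fans out on destinations, Type B on sources and Type C on ports of a single pair. Checking how many of a Type B group's sources share one subnet, as `share_in_subnet` does, is the extra question an analyst asks before reporting a distributed flood from a single network block.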
Exam Code: C1000-018
Exam Name: IBM QRadar SIEM V7.3.2 Fundamental Analysis
Last Update: May 08, 2024
Questions: 60 Q&As