IBM Security QRadar SIEM V7.2.7 Deployment v7.0 (C2150-614)

Page:    1 / 4   
Total 60 questions

After creating a custom Log Source Extension to parse a Source IP address from this event snippet 'IP Address: (, the Source IP is not being extracted from the payload.
The Log Source Extension is showing the following:
Which Regular Expression should be used to ensure the Source IP is parsed properly?

  • A. IP\sAddress\s\((\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\)
  • B. IP\sAddress:\s\((\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}))
  • C. IP\sAddress:\s\((\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\)
  • D. IP\sAddress:\s\((\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{13})\)

Answer : B

Which IBM Security QRadar function, if misconfigured, could cause rules that are only supposed to be applied to local hosts to be applied to external hosts?

  • A. VA Scanner
  • B. Log Collector
  • C. Flow Collector
  • D. Network Hierarchy

Answer : D

IBM Security QRadar uses the network hierarchy to understand your network traffic and provide you with the ability to view activity for your entire deployment.
IBM Security QRadar considers all networks in the network hierarchy as local.
References: m_netwk_hierarchy.html

You are tasked with configuring IBM Security QRadar SIEM V7.2.7 to pull a log file that is generated daily at midnight from a custom application on a Microsoft Windows Server.
Which log source protocol should be used to accomplish this task?

  • A. WinCollect MSRPC
  • B. WinCollect Agent
  • C. WinCollect Log File
  • D. WinCollect File Forwarder

Answer : B

A managed WinCollect deployment has a QRadar appliance that shares information with the WinCollect agent installed on the Windows hosts that you want to monitor. The Windows host can gather information from itself (the local host), from remote Windows hosts, or from both.
Note: The WinCollect application is a Syslog event forwarder that administrators can use for Windows event collection with QRadar. The WinCollect application can collect events from systems with WinCollect software installed (local systems), or remotely poll other Windows systems for events.
References: ct_overview_new.html

A Deployment Professional needs to handle event logs from Point-of-Sale (POS) devices on cruise ships which have sporadic connectivity to the rest of the deployment.
Which appliance can be used to store and forward these events?

  • A. QRadar Flow Collector 1201
  • B. QRadar Flow Processor 1705
  • C. QRadar Event Processor 1628
  • D. QRadar Event Collector 1501

Answer : D

The IBM Security QRadar Event Collector 1501 (MTM 4380-Q2C) appliance is a dedicated event collector. By default, a dedicated event collector collects and parses events from various log sources and continuously forwards these events to an event processor. You can configure the QRadar Event Collector 1501 appliance to temporarily store events and only forward the stored events on a schedule.

A software install is being performed on a client's hardware. The Deployment Professional is about to install the QRadar software on a host which will become an HA primary.
Which command is mandatory?

  • A. /opt/qradar/
  • B. tail -f /var/bin/ha.logs
  • C. /opt/qradar/bin/
  • D. /media/cdrom/post/

Answer : D

To enable HA, QRadar connects a primary HA host with a secondary HA host to create an HA cluster.
For a software installation of IBM Security QRadar, you must run the following script before the installation to enable HA:

A Deployment Professional is asked to determine what could be done to decrease latency of events received by an IBM Security QRadar V7.2.7 Console based in the United States, which is receiving logs sent directly from a data center in China.
Which appliance could be installed in the Chinese data center to accomplish this goal?

  • A. Data Node
  • B. Event Collector
  • C. Flow Processor
  • D. Event Processor

Answer : D

Example of an Event Processor:
The IBM Security QRadar Event Processor 1605 (MTM 4380-Q1E) appliance is a dedicated event processor that lets you scale your QRadar deployment to manage higher EPS rates. The QRadar Event Processor 1605 appliance includes an on-board event collector, event processor, and internal storage for events.
With the Basic License the capacity is 2500 EPS, and with an upgrade license it is 20000 EPS.
References: vt_prcssr1605.html

A Deployment Professional working with IBM Security QRadar SIEM V7.2.7 is configuring scanners for dynamic scanning and is working with a customer to explain how dynamic scanning works, presenting the following example.

Asset IP: -

Scanner A CIDR: -

Scanner B CIDR: -
How is this asset scanned when utilizing dynamic scanning?

  • A. Scanner A would scan this asset as it has the bigger CIDR for accuracy.
  • B. Scanner B would try the scan first then Scanner A would make an attempt.
  • C. Scanner B would scan this asset as it has the smaller CIDR for accuracy.
  • D. Scanner A & B would scan this asset as it is contained within both their CIDRs.

Answer : A

In QRadar Vulnerability Manager you can assign different scanners to network CIDR ranges. During a scan, each asset in the CIDR range that you want to scan is dynamically associated with the correct scanner.

A client has reached the maximum of 5000 EPS for their 3128 All-in-One appliance. They have just completed an acquisition of a competitor company and would like to get them on-board with collecting events for correlation in QRadar. It has been determined that the newly acquired company has a large number of log sources, and it is estimated that its total EPS will be approx. 22000 EPS.
What will meet the hardware requirements when changing to a distributed environment?

  • A. 1605 Event Processor
  • B. 1622 Event Processor
  • C. 1624 Event Processor
  • D. 1628 Event Processor

Answer : D

QRadar Event Processor 1628, with a Basic License, can process 2500 events per second (EPS), and with an upgraded license it can process 40,000 events per second.

A Deployment Professional has come on-site to upgrade an IBM Security QRadar SIEM V7.2.7 deployment to a new fix level. Before running the upgrade, the software and fix versions must be verified.
What must the Deployment Professional verify?

  • A. Appliances in a deployment must be same version and same fix level.
  • B. Appliances in a deployment could be different version and different fix level.
  • C. Appliances in a deployment must be same version but fix level could be different.
  • D. Appliances in a deployment could be different version but fix level must be the same.

Answer : A

Software versions for all IBM Security QRadar appliances in a deployment must be the same version and fix level. Deployments that use different QRadar software versions are not supported.
References: IBM Security Qradar Version 7.2.7 Upgrade Guide, page 1 upgrade.pdf

A Deployment Professional needs to store information in the IBM Security QRadar SIEM V7.2.7 asset database which is provided from the customer's configuration management database (CMDB). The CMDB provides a nightly dump of information like 'Technical Owner' and 'Asset weight' tied to an IP address.
Which integration mechanism with QRadar will allow this information to be maintained?

  • A. Use REST-API calls with the /asset_model/assets/{asset_id} endpoint
  • B. Upload the information in a CSV format using the 'Import Assets' function
  • C. Send syslog LEEF formatted identity events to the 'Asset Profiler-2' log source
  • D. Schedule the AXIS scanner to import a pre-formatted XML file with the required data

Answer : B

You can import asset profile information.
The imported file must be a CSV file in the following format: ip,name,weight,description
The import process merges the imported asset profiles with the asset profile information you currently have stored in the system.

References: asset_import.html

A Deployment Professional has created a new Building Block (BB), and it's not returning any expected events. The Deployment Professional has checked to ensure the BB is enabled and active. No errors are returned.
What should be done to correct this BB problem?

  • A. Add your new custom BB to the “System: Load Building Blocks” rule
  • B. Ensure that the BB has been set to “use” and a Deploy Full Configuration was done
  • C. Make sure that you use “Global System” so that all of the QRadar deployment uses it
  • D. Manually enter in all QIDs of the events it will monitor so it will automatically be used

Answer : A
Note: Question -
Will a building block of type: Common work when added to 'System: Load Building Blocks'?

Answer -
The rule System: Load Building Blocks is an Event-only rule. If a building block is created from Type: Common, which includes both Events and Flows, and is then added to the System: Load Building Blocks rule, it will load, but will only reflect Event offenses and not Flow offenses. Flow offenses can be triggered when using Flow rules, which are then bound to the building block used in a Flow rule.

A Deployment Professional is working with IBM Security QRadar SIEM V7.2.7 for a new customer that is trying to create their network hierarchy. The customer currently has more than the maximum of 1,000 network objects and CIDR ranges. A few of the CIDRs of the customer are:
Which supernet should be used to shrink the amount of network objects for the supplied group of CIDRs?

  • A.
  • B.
  • C.
  • D.

Answer : C

Supernetting, also called Classless Inter-Domain Routing (CIDR), is a way to aggregate multiple Internet addresses of the same class.
Using supernetting, a network address and an adjacent address can be merged into one supernet. The "23" at the end of the supernet address says that the first 23 bits are the network part of the address, leaving the remaining nine bits for specific host addresses.

A Deployment Professional working with IBM Security QRadar SIEM V7.2.7 is noticing system notifications about performance degradation of the CRE caused by expensive rules. After locating the expensive rules, they need to be modified so that they no longer trigger this notification.
What are three causes for a rule to become expensive? (Choose three.)

  • A. Containing payload matches tests
  • B. Rule consisting of a large scope
  • C. Containing payload contains tests
  • D. Rule consisting of a narrow scope
  • E. Utilizing non-standard regular expressions
  • F. Utilizing non-optimized regular expressions

Answer : B,C,F

A user can create a custom rule that has a large scope, uses a regex pattern that is not efficient, includes Payload contains tests, or combines these tests with regular expressions.
When such a custom rule is used, it negatively impacts performance, which can cause events to be incorrectly routed directly to storage. Those events are indexed and normalized, but they don't trigger alerts or offenses.

A Deployment Professional has been asked to create a new dashboard which consists of utilizing a saved search.
Which box should be checked when creating this search?

  • A. Add to my Dashboard
  • B. Include in my Dashboard
  • C. Add to my Dashboard items
  • D. Include in my Quick Searches

Answer : B

When you create a search there is a parameter Include in my Dashboard, which must be selected to include the data from your saved search on the Dashboard tab.

A Deployment Professional is investigating an offense and decides that a custom property should be added to the event and the rule to make them more useful. Once it is added, though, the rule stops firing.
What could be causing this problem?

  • A. The custom property was disabled.
  • B. The events are not being correlated.
  • C. The events were affected by the rule change.
  • D. The rule threshold for the previous conditions is not met.

Answer : D