After creating a custom Log Source Extension to parse a Source IP address from this event snippet 'IP Address: (10.20.30.40)', the Source IP is not being extracted from the payload.
The Log Source Extension is showing the following:
IP\sAddress:\s\((\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})
Which Regular Expression should be used to ensure the Source IP is parsed properly?
Answer : B
Which IBM Security QRadar function, if misconfigured, could cause rules that are only supposed to be applied to local hosts to be applied to external hosts?
Answer : D
Explanation:
IBM Security QRadar uses the network hierarchy to understand your network traffic and provide you with the ability to view activity for your entire deployment.
IBM Security QRadar considers all networks in the network hierarchy as local.
References:
http://www.ibm.com/support/knowledgecenter/SSKMKU/com.ibm.qradar.doc/c_qradar_adm_netwk_hierarchy.html
You are tasked with configuring IBM Security QRadar SIEM V7.2.7 to pull a log file that is generated daily at midnight by a custom application on a Microsoft Windows Server.
Which log source protocol should be used to accomplish this task?
Answer : B
Explanation:
A managed WinCollect deployment has a QRadar appliance that shares information with the WinCollect agent installed on the Windows hosts that you want to monitor. The Windows host can gather information from itself (the local host), from remote Windows hosts, or from both.
Note: The WinCollect application is a Syslog event forwarder that administrators can use for Windows event collection with QRadar. The WinCollect application can collect events from systems with WinCollect software installed (local systems), or remotely poll other Windows systems for events.
References:
http://www.ibm.com/support/knowledgecenter/SSKMKU/com.ibm.wincollect.doc/c_wincollect_overview_new.html
A Deployment Professional needs to handle event logs from Point-of-Sale (POS) devices on cruise ships which have sporadic connectivity to the rest of the deployment.
Which appliance can be used to store and forward these events?
Answer : D
Explanation:
The IBM Security QRadar Event Collector 1501 (MTM 4380-Q2C) appliance is a dedicated event collector. By default, a dedicated event collector collects and parses events from various log sources and continuously forwards these events to an event processor. You can configure the QRadar Event Collector 1501 appliance to temporarily store events and only forward the stored events on a schedule.
A software install is being performed on a client's hardware. The Deployment Professional is about to install the QRadar software on a host which will become an HA primary.
Which command is mandatory?
Answer : D
Explanation:
To enable HA, QRadar connects a primary HA host with a secondary HA host to create an HA cluster.
For a software installation of IBM Security QRadar, you must run the following script before the installation to enable HA:
/media/cdrom/post/prepare_ha.sh
References:
http://www.ibm.com/support/knowledgecenter/SS42VS_7.2.8/com.ibm.qradar.doc/c_qradar_ha_overview.html
A Deployment Professional is asked to determine what could be done to decrease latency of events received by an IBM Security QRadar V7.2.7 Console based in the United States, which is receiving logs sent directly from a data center in China.
Which appliance could be installed in the Chinese data center to accomplish this goal?
Answer : D
Explanation:
Example of an Event Processor:
The IBM Security QRadar Event Processor 1605 (MTM 4380-Q1E) appliance is a dedicated event processor that lets you scale your QRadar deployment to manage higher EPS rates. The QRadar Event Processor 1605 appliance includes an on-board event collector, event processor, and internal storage for events.
With the Basic License the capacity is 2500 EPS, and with an upgrade license it is 20000 EPS.
References:
http://www.ibm.com/support/knowledgecenter/SS42VS_7.2.6/com.ibm.qradar.doc/c_hwg_evt_prcssr1605.html
A Deployment Professional working with IBM Security QRadar SIEM V7.2.7 is configuring scanners for dynamic scanning and is working with a customer to explain how dynamic scanning works, presenting the following example.
Asset IP: 10.2.2.3
Scanner A CIDR: 10.2.2.0/24
Scanner B CIDR: 10.2.2.3/32
How is this asset scanned when utilizing dynamic scanning?
Answer : A
Explanation:
In QRadar Vulnerability Manager you can assign different scanners to network CIDR ranges. During a scan, each asset in the CIDR range that you want to scan is dynamically associated with the correct scanner.
A client has reached the maximum of 5000 EPS for their 3128 All-in-One appliance. They have just completed an acquisition of a competitor company and would like to get them on-board with collecting events for correlation in QRadar. It has been determined that the newly acquired company has a large number of log sources, and it is estimated that its total EPS will be approx. 22000 EPS.
What will meet the hardware requirements when changing to a distributed environment?
Answer : D
Explanation:
QRadar Event Processor 1628, with a Basic License, can process 2500 events per second (EPS), and with an upgraded license it can process 40,000 events per second.
A Deployment Professional has come on-site to upgrade an IBM Security QRadar SIEM V7.2.7 deployment to a new fix level. Before running the upgrade, the software and fix versions must be verified.
What must the Deployment Professional verify?
Answer : A
Explanation:
Software versions for all IBM Security QRadar appliances in a deployment must be the same version and fix level. Deployments that use different QRadar software versions are not supported.
References: IBM Security QRadar Version 7.2.7 Upgrade Guide, page 1 http://public.dhe.ibm.com/software/security/products/qradar/documents/7.2.7/en/b_qradar_upgrade.pdf
A Deployment Professional needs to store information in the IBM Security QRadar SIEM V7.2.7 asset database which is provided from the customer's configuration management database (CMDB). The CMDB provides a nightly dump of information like 'Technical Owner' and 'Asset weight' tied to an IP address.
Which integration mechanism with QRadar will allow this information to be maintained?
Answer : B
Explanation:
You can import asset profile information.
The imported file must be a CSV file in the following format: ip,name,weight,description
The import process merges the imported asset profiles with the asset profile information you have currently stored in the system.
References:
http://www.ibm.com/support/knowledgecenter/SSKMKU/com.ibm.qradar.doc/t_qradar_ug_asset_import.html
A Deployment Professional has created a new Building Block (BB), and it's not returning any expected events. The Deployment Professional has checked to ensure the BB is enabled and active. No errors are returned.
What should be done to correct this BB problem?
Answer : A
Explanation:
Note: Question: Will a building block of type Common work when added to 'System: Load Building Blocks'?
Answer: The rule System: Load Building Blocks is an Event only rule. If a building block is created from Type: Common, which includes both Events and Flows, and is then added to the System: Load Building Blocks rule, it will load, but will only reflect Event offenses and not Flow offenses. Flow offenses can be triggered when using Flow rules, which are then bound to the building block used in a Flow rule.
References: http://www-01.ibm.com/support/docview.wss?uid=swg21963724
A Deployment Professional is working with IBM Security QRadar SIEM V7.2.7 for a new customer that is trying to create their network hierarchy. The customer currently has more than the maximum of 1,000 network objects and CIDR ranges. A few of the CIDRs of the customer are:
Which supernet should be used to shrink the amount of network objects for the supplied group of CIDRs?
Answer : C
Explanation:
Supernetting, also called Classless Inter-Domain Routing (CIDR), is a way to aggregate multiple Internet addresses of the same class.
Using supernetting, the network address 209.60.128.0/24 and an adjacent address 209.60.129.0/24 can be merged into 209.60.128.0/23. The "23" at the end of the address says that the first 23 bits are the network part of the address, leaving the remaining nine bits for specific host addresses.
References: http://searchnetworking.techtarget.com/definition/supernetting
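A worked version of the supernet computation described above, added here as an example and not part of the original material. It generalizes the two-/24 case to any list of IPv4 CIDRs and also reports how many addresses the supernet would cover that none of the input blocks did, which matters because QRadar treats every network in the hierarchy as local.

```python
import ipaddress
from typing import Iterable, List


def smallest_supernet(cidrs: Iterable[str]) -> ipaddress.IPv4Network:
    """Return the single smallest CIDR block that contains every input network.

    Start from the lowest address covered by any input and widen the prefix
    one bit at a time until the candidate block also contains the highest
    address covered by any input.
    """
    nets: List[ipaddress.IPv4Network] = [ipaddress.ip_network(c, strict=False) for c in cidrs]
    if not nets:
        raise ValueError("at least one CIDR is required")
    lowest = min(int(n.network_address) for n in nets)
    highest = max(int(n.broadcast_address) for n in nets)
    for prefix in range(32, -1, -1):
        # strict=False zeroes the host bits so the block is aligned to the prefix
        candidate = ipaddress.ip_network((lowest, prefix), strict=False)
        if highest <= int(candidate.broadcast_address):
            return candidate
    raise AssertionError("unreachable: /0 covers the whole IPv4 space")


def extra_addresses(cidrs: Iterable[str]) -> int:
    """Count addresses the supernet adds that no input block covers.

    Overlapping inputs are collapsed first so they are not counted twice.
    A non-zero result means the supernet would mark address space as local
    in the network hierarchy that the customer never listed.
    """
    nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]
    covered = sum(n.num_addresses for n in ipaddress.collapse_addresses(nets))
    return smallest_supernet(cidrs).num_addresses - covered


if __name__ == "__main__":
    # Constructed sample input: the two adjacent /24s from the explanation above,
    # plus a non-adjacent pair to show the cost of an over-wide supernet.
    adjacent = ["209.60.128.0/24", "209.60.129.0/24"]
    print(smallest_supernet(adjacent), extra_addresses(adjacent))  # 209.60.128.0/23 0
    gapped = ["10.2.2.0/24", "10.2.5.0/24"]
    print(smallest_supernet(gapped), extra_addresses(gapped))  # 10.2.0.0/21 1536
```

Adjacent blocks merge with no overhead; non-adjacent blocks force a wider supernet, and the extra address count is the space you would be declaring local without meaning to.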
A Deployment Professional working with IBM Security QRadar SIEM V7.2.7 is noticing system notifications relating to performance degradation of the CRE caused by expensive rules. Once the expensive rules are located, they need to be modified so that they no longer trigger this notification.
What are three causes for a rule to become expensive? (Choose three.)
Answer : BCF
Explanation:
A user can create a custom rule that has a large scope, uses a regex pattern that is not efficient, includes Payload contains tests, or combines the rule with regular expressions.
When this custom rule is used, it negatively impacts performance, which can cause events to be incorrectly routed directly to storage. Events are indexed and normalized but they don't trigger alerts or offenses.
References:
http://www.ibm.com/support/knowledgecenter/SS42VS_7.2.7/com.ibm.qradar.doc/38750120.html
A Deployment Professional has been asked to create a new dashboard that is based on a saved search.
Which box should be checked when creating this search?
Answer : B
Explanation:
When you create a search there is a parameter, Include in my Dashboard, which must be selected to include the data from your saved search on the Dashboard tab.
References: http://www-01.ibm.com/support/docview.wss?uid=swg21679314#create
A Deployment Professional is investigating an offense and decides that a custom property should be added to the event and the rule to make them more useful. Once it is added, though, the rule stops firing.
What could be causing this problem?
Answer : D