C1000-018 시험 - IBM실제시험문제와 답 - 60문항

Question No : 1

An analyst has created a custom property from the events for searching for critical information. The analyst also needs to reduce the number of event logs and data volume that is searched when looking for the critical information to maintain the efficiency and performance of QRadar.
Which feature should the analyst use?

A.Index Management
B.Log Management
C.Database Management
D.Event Management

정답:

Question No : 2

How can an analyst search for all events that include the keyword 'vims'?

A.By going to the Network Activity tab and run a quick search with the 'virus' keyword.
B.By going to the Log Activity tab and run a quick search with the 'virus' keyword.
C.By going to the Offenses tab and run a quick search with the 'virus' keyword.
D.By going to the Log Activity tab and run this AQL: select * from events where eventname like "virus'

정답:

Question No : 3

Which component in QRadar collects and creates flow information?

A.sflow
B.NetFIow
C.Qflow
D.J-Flow

정답:
Explanation: https://www.ibm.com/support/pages/qradar-about-flows-and-difference-between-qflow-collector-and-qradar-event-collector

Question No : 4

To provide insight into why QRadar considers the event to be threatening, what does QRadar add to the Offense that users cannot edit or delete?

A.Annotations
B.Attack path
C.Location
D.Source IP

정답:
Explanation: https://www.ibm.com/docs/en/qsip/7.4?topic=investigations-investigating-offense-by-using-summary-information
Annotations provide insight into why QRadar considers the event or observed traffic to be threatening.
QRadar can add annotations when it adds events or flows to an offense. The oldest annotation shows information that QRadar added when the offense was created. Users cannot add, edit, or delete annotations.

Question No : 5

What is the intent of the magnitude of an offense?

A.It measures the age of the event attached to the offense.
B.It measures the age of the offense.
C.It measures the importance of the offense.
D.It measures the importance of the event attached to the offense.

정답:
Explanation:
The age of the offense.
Reference: https://www.ibm.com/docs/en/qsip/7.3.3?topic=management-offense-prioritization

Question No : 6

Which use case type is appropriate for VPN log sources? (Choose two.)

A.Advanced Persistent Threat (APT)
B.Insider Threat
C.Critical Data Protection
D.Securing the Cloud

정답:
Explanation:
Reference: https://www.ibm.com/docs/en/dsm?topic=management-threat-use-cases-by-log-source-type

Question No : 7

Which QRadar timestamp specifies when the event was received from the log source?

A.Collect time
B.Start time
C.Storage time
D.Log Source time

정답:
Explanation: https://www.ibm.com/mysupport/s/question/0D50z00006PEG2mCAH/why-do-i-see-different-time-stamps-for-qradar-events?language=en_US

Question No : 8

Which QRadar component stores Event data?

A.App Host
B.Event Collector
C.Event Processor
D.Flow Collector

정답:

Question No : 9

What is required to create an anomaly rule?

A.triggered events
B.a grouped saved search
C.triggered flows
D.baseline anomalies

정답:

Question No : 10

What happens to a Closed Offense after the offense retention period which defaults to 30 days7

A.It is automatically archived.
B.It is hidden from view.
C.It is deleted from the system.
D.It is manually deleted by the administrator

정답:

Question No : 11

Where can an analyst investigate a security incident to determine the root cause of an issue, and then work to resolve it?

A.Risk tab
B.Network Activity tab
C.Offense tab
D.Vulnerabilities tab

정답:

Question No : 12

Where can an analyst working with Offenses add a regular expression test into an existing rule?

A.Top
B.Right
C.Bottom
D.Left

정답:

Question No : 13

An analyst needs to find all events that are creating offenses that are triggered by rules that contain the word suspicious in the rule name.
Which query can the analyst use as a working sample?

A.SELECT LOGSOURCENAME(logsourceid), * from events where RULENAME(creeventlist) ILIKE ‘%suspicious%’
B.SELECT LOGGEDOFFENSE(logsourceid), * from offense_events where RULENAME(creeventlist) ILIKE ,%suspicious%'
C.SELECT LOGSOURCETYPE(logsourceid), - from log_events where RULENAME(creeventlist) ILIKE '%suspicious%'
D.SELECT LOGSOURCERULES(logsourceid), " from rule_events where RULENAME(creeventlist) ILIKE '%suspicious%'

정답:
Explanation:
Reference: https://www.ibm.com/docs/en/qradar-on-cloud?topic=searches-advanced-search-options

Question No : 14

Which statement about False Positive Building Blocks applies?
Using False Positive Building Blocks:

A.helps to prevent unwanted alerts, but there is no effect on performance.
B.helps to prevent unwanted alerts, and reduces the performance impact of testing rules that do not need to be tested.
C.has no impact on unwanted alerts, but it does reduce the performance impact of testing rules that do not need to be tested.
D.has no impact on unwanted alerts, or performance.

정답:
Explanation:
Reference: https://community.carbonblack.com/t5/Knowledge-Base/Cb-Defense-Understanding-Eliminating-Unwanted-Alerts/ta-p/44924

Question No : 15

An analyst needs to create a new custom dashboard to view dashboard items that meet a particular requirement.
What are the main steps in the process?

A.Select New Dashboard and enter unique name, description, add items and save.
B.Select New Dashboard and copy name, add description, items and save.
C.Request the administrator to create the custom dashboard with required items.
D.Locate existing dashboard and modify to include indexed items required and save.

정답:
Explanation:
To create or edit your dashboards, log in as an administrator, click the Dashboards tab, and then click the gear icon. In edit mode, you can create new dashboards, add and remove widgets, edit display values in existing widgets, and reorder tabs.
Reference: https://documentation.solarwinds.com/en/success_center/tm/content/threatmonitor/tm-editdashboards.htm

IBM C1000-018 시험