
Question # 6

An analyst noticed that from a particular subnet (203.0.113.0/24), all IP addresses are simultaneously trying to reach out to the company's publicly hosted FTP server.

The analyst also noticed that this activity has resulted in a Type B Superflow on the Network Activity tab. Under which category should the analyst report this issue to the security administrator?

A.

Port Scan

B.

Syn Flood

C.

DDoS

D.

Network Scan

Question # 7

When is the rating of an Offense magnitude re-evaluated?

A.

when a port is opened

B.

when the threat assessment changes

C.

when new events are added to the Offense

D.

when the number of vulnerabilities increases

Question # 8

The administrator had set up several scheduled reports that can be executed by analysts every Monday, and the first day of each month. On Thursday, an executive requests one of the weekly reports.

If the analyst executes the report on Thursday, what information will the report contain?

A.

Data from Thursday from the previous week to Wednesday from the current week

B.

Data from Monday to Wednesday from the current week.

C.

Data from Monday to Thursday from the current week.

D.

Data from Monday to Sunday from the previous week.

Question # 9

An analyst is encountering a large number of false positive results. Legitimate internal network traffic contains valid flows and events which are making it difficult to identify true security incidents.

What can the analyst do to reduce these false positive indicators?

A.

Create X-Force rules to detect false positive events.

B.

Create an anomaly rule to detect false positives and suppress the event.

C.

Filter the network traffic to receive only security related events.

D.

Modify rules and/or Building Block to suppress false positive activity.

Question # 10

Why would an analyst update host definition building blocks in QRadar?

A.

To reduce false positives.

B.

To narrow a search.

C.

To stop receiving events from the host.

D.

To close an Offense.

Question # 11

From which tab in QRadar SIEM can an analyst search vulnerability data and remediate vulnerabilities?

A.

Log Activity

B.

Admin

C.

Dashboard

D.

Assets

Question # 12

An analyst wants to find all events where Process name includes reference to exe files. Which quick search will return the expected result?

A.

(Process name) AND /.*exe/

B.

/Process name/AND (/exe) )

C.

/Process name/ AND /.*exe/

D.

"Process name" AND "*exe"

Question # 13

Which statement about False Positive Building Blocks applies?

Using False Positive Building Blocks:

A.

helps to prevent unwanted alerts, but there is no effect on performance.

B.

helps to prevent unwanted alerts, and reduces the performance impact of testing rules that do not need to be tested.

C.

has no impact on unwanted alerts, but it does reduce the performance impact of testing rules that do not need to be tested.

D.

has no impact on unwanted alerts, or performance.

Question # 14

An analyst notices that there are a number of invalid Offenses being created from a network node. This node has been determined to be in Domain 2 and has the following log sources sending it events: (3Com 8800 Series Switch from 172.18.1.1, Cisco ACE Firewall from 172.18.1.2, FireEye from 172.18.1.3, and Palo Alto PA Series from 172.18.1.8).

The analyst should create a False Positive Building Block that has a filter:

A.

"when the destination IP is in 172.18.0.0/16"

B.

"when the local network is Domain 2 and when the source IP is in 172.18.0.0/16"

C.

"when the remote IP is one of the following 172.18.1.1, 172.18.1.2, 172.18.1.3, 172.18.1.8"

D.

"when the local network is Domain 2 and when the source IP is in 172.18.0.0/16"

Question # 15

What event information within an offense would provide the analyst with a deep insight as to how it was created?

A.

Event Category

B.

Event QID

C.

Event Payload

D.

Event Magnitude
