IBM Security QRadar SIEM V7.2.7 Deployment Exam
Question No : 1
Which two permissions are required to modify custom properties? (Choose two.)
You can create custom properties only if you have the correct permission.
You must have the User Defined Event Properties or the User Defined Flow Properties permission.
Question No : 2
Two health insurance companies, Company A and Company B, have been involved in a merger. Both companies have IBM Security QRadar SIEM V7.2.7 implemented to monitor their environments.
It has been determined that Company A will assume the duties of compliance monitoring across the entire organization. Because of this, Company B will need to forward its events encrypted to Company A's QRadar Event Collector.
What is one of the steps that must be done to make sure the information is encrypted in transit?
Encryption provides greater security for all traffic between managed hosts. To provide enhanced security, IBM Security QRadar also provides integrated support for OpenSSH. When integrated with QRadar, OpenSSH provides secure communication between components.
SSH uses a public key encryption system.
In a public key encryption system, any person can encrypt a message using the public key of the receiver, but such a message can be decrypted only with the receiver's private key.
Question No : 3
A Deployment Professional is asked to check on an anomaly that is based on aggregated data collected for the rule “Spike in Data Outbound”. When looking at the Top 10 Events of an offense and clicking on the display icon for “Source Network is Users.Users_1”, the available data shows in a chart.
The Deployment Professional would like to examine the variation in the data in a linear manner.
Which chart type should be used?
Time series charts are graphical representations of your activity over time.
Question No : 4
A Deployment Professional needs to change the folder where automatic updates are downloaded.
Which Auto Update settings should be configured under Change Settings?
Reference: "Configuring QRadar to install a local autoupdate file" (procedure).
Question No : 5
A software install is being performed on a client's hardware. The Deployment Professional is about to install the QRadar software on a host which will become an HA primary.
Which command is mandatory?
To enable HA, QRadar connects a primary HA host with a secondary HA host to create an HA cluster.
For a software installation of IBM Security QRadar, you must run the following script before the installation to enable HA:
Question No : 6
A Deployment Professional needs to handle event logs from Point-of-Sale (POS) devices on cruise ships which have sporadic connectivity to the rest of the deployment.
Which appliance can be used to store and forward these events?
The IBM Security QRadar Event Collector 1501 (MTM 4380-Q2C) appliance is a dedicated event collector. By default, a dedicated event collector collects and parses events from various log sources and continuously forwards these events to an event processor. You can configure the QRadar Event Collector 1501 appliance to temporarily store events and only forward the stored events on a schedule.
Question No : 7
Which IBM Security QRadar function, if misconfigured, could cause rules that are only supposed to be applied to local hosts to be applied to external hosts?
IBM Security QRadar uses the network hierarchy to understand your network traffic and provide you with the ability to view activity for your entire deployment.
IBM Security QRadar considers all networks in the network hierarchy as local.
Question No : 8
Which task can be completed by using the Historical Correlation feature?
Use historical correlation to run past events and flows through the custom rules engine (CRE) to identify threats or security incidents that already occurred.
Question No : 9
Which set of rules should be adhered to in order to create valid expressions when creating custom properties?
You can create a custom property type.
When you create a custom property, you can choose to create a Regex or a calculated property type.
Regex defines the field that you want to become the custom property. After you enter a regex statement, you can validate it against the payload. When you define custom regex patterns, adhere to regex rules as defined by the Java programming language.
Question No : 10
A Deployment Professional needs to create and share a saved search with other users.
What are the requirements for this action?
Create and share the Search Criteria that the Dashboard Item will use.
The user account initiating this process must be in the Admin User Role. Only users in the Admin User Role have the ability to share saved Search Criteria.
Assign Search to Group(s): Select the check box for the group to which you want to assign this saved search. If you do not select a group, this saved search is assigned to the Other group by default.
Question No : 11
A Deployment Professional has received complaints from a customer stating that events from a satellite location in Hong Kong are being delayed, which is affecting records processing. The Deployment Professional wants to improve event transfer from that location to the IBM Security QRadar SIEM V7.2.7.
Which appliance could be installed in the satellite location to accomplish this goal?
An Event Collector is an appliance for collecting events in remote locations for periodic forwarding to an Event Processor or an all-in-one appliance.
An example is the IBM Security QRadar Event Collector 1501 (MTM 4380-Q2C) appliance, which is a dedicated event collector. By default, a dedicated event collector collects and parses events from various log sources and continuously forwards these events to an event processor.
Question No : 12
A Deployment Professional is looking over event and flow data for a new customer and sees that the customer is hitting 4,000 EPS/300,000 FPM, with bursts of up to 5,000 EPS/400,000 FPM. The customer is asking for the least amount of appliances to be installed to handle this traffic without any throttling.
Which combination should be installed?
The QRadar 3105 (All-in-One) appliance requires external QRadar QFlow Collectors for layer 7 network activity monitoring.
With an upgraded license the QRadar Flow Processor 1705 supports 600,000 FPM, depending on traffic types.
Note: The IBM Security QRadar 3105 (All-in-One) (MTM 4380-Q1E) appliance is an all-in-one QRadar system that can profile network behavior and identify network security threats.
With a basic license it supports 25,000 FPM and 1000 EPS.
With an upgraded license it supports 200,000 FPM and 5000 EPS.
Question No : 13
A Deployment Professional using IBM Security QRadar SIEM V7.2.7 needs to discover all mail servers, but some of the mail servers are listening on TCP port 10025.
Which server type and port could be configured in server discovery to accomplish this goal?
Use the BB:PortDefinition: Mail Ports building block to include all common ports used by mail servers.
References: Juniper Security Threat Response Manager STRM Log Manager Users Guide Release 2012.0, page 159
Question No : 14
What is the impact on network bandwidth when selecting 'Global' on a rule instead of 'Local' in a distributed environment?
If you select Local, all rules are processed on the Event Processor on which they were received and offenses are created only for the events that are processed locally.
If you select Global, all matching events are sent to the QRadar Console for processing and therefore, the QRadar Console uses more bandwidth and processing resources.
Question No : 15
A current banking customer has just expanded by purchasing a small rural bank with a low bandwidth WAN connection.
The customer wants to expand its current QRadar SIEM 3105 all-in-one deployment to capture log events from the newly acquired branch and to forward them to the main branch on a schedule, after hours during the trough of activity. There is plenty of room for this additional EPS growth.
Which device will meet the requirements?
The IBM Security QRadar Event Processor 1605 (MTM 4380-Q1E) appliance is a dedicated event processor that lets you scale your QRadar deployment to manage higher EPS rates. The QRadar Event Processor 1605 appliance includes an on-board event collector, event processor, and internal storage for events.
With the Basic License the capacity is 2500 EPS, and with an upgrade license it is 20000 EPS.