IBM C2150-614 - IBM Security QRadar SIEM V7.2.7 Deployment Exam

Page:    1 / 12   
Total 60 questions

How can a Deployment Professional fix rules that are not distinguishing between remote and local hosts?

  • A. Configure the NetFlow
  • B. Create a Reference Set
  • C. Configure the VA Scanners
  • D. Create the Network Hierarchy


Answer : D

Explanation:
IBM Security QRadar uses the network hierarchy to understand your network traffic and provide you with the ability to view activity for your entire deployment.
IBM Security QRadar considers all networks in the network hierarchy as local.

A Deployment Professional was asked to investigate the following error:
Custom Rule Engine has detected a total of 20487 dropped event(s). 20487 event(s) were dropped in the last 62 seconds. Queue is at 99 percent capacity
The Deployment Professional needs to run the command
/opt/qradar/bin/findExpensiveCustomRules.sh to gather the necessary troubleshooting logs.
When should this command be run?

  • A. Right after a reboot
  • B. Run “service hostcontext restart” first
  • C. While the system is dropping events
  • D. Restart ECS, then run command


Answer : C

Explanation:
The script "findExpensiveCustomRules.sh" script is designed to query the QRadar data pipeline and report on the processing statistics from the Custom Rules Engine (CRE). The script monitors metrics and collecting statistics on how many events hit each rule, how long it takes to process a rule, total execution time and average execution time. When the script completes it turns off these performance metrics. The findExpensiveCustomRules script is a useful tool for creating on demand reports for rule performance, it is not a tool for tracking historical rule data in QRadar. The core functionality of this script is often run when users begin to see drops in events or events routed to storage between components in QRadar.
References: http://www-
01.ibm.com/support/docview.wss?uid=swg21985252&myns=swgother&mynp=OCSSBQA
C&mync=R&cm_sp=swgother-_-OCSSBQAC-_-R

A Deployment Professional is reviewing a custom rule that is supposed to be catching internal users that might be leaking information. The customer has requested that events that are being used for this rule have the email address of the sender.
This information is in the payload in the format email from: [email protected] subject:
Which regular expression should be used to create a custom property to fulfill this request?

  • A. \d(.+@[ˆ\.].*\.[a-z]{2,})\d
  • B. \b(.+@[ˆ\.].*\.[a-z]{2,})\b
  • C. C. ˆ[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}
  • D. D. [A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}$


Answer : B

Explanation:
Example of a requglar expression for emails:
Email: (.+@[^\.].*\.[a-z]{2,}$)
\b means boundary, so the capture group is looking for word characters until a boundary.
Incorrect:
A: \d matches against a digit [0-9].
C, D: (.+@[^\.](.+@[^\.].*\.[a-z]{2,}$).*\.[a-z]{2,}$) is the correct regular expression for emails.
References:
http://www.ibm.com/support/knowledgecenter/SSKMKU/com.ibm.qradar.doc/t_qradar_rege x_cus_prop.html http://www.websense.com/content/support/library/email/hosted/admin_guide/regex.aspx

A Deployment Professional is working with a customer running an IBM Security QRadar
SIEM V7.2.7 installation that is currently running into performance issues. The customer is noticing that searches are taking a long time to finish and there are performance degradation system notifications in the Console.
Which two steps will lead to a performance increase for this customer? (Choose two.)

  • A. Disable indexes that don't have a % of searches using this index of 20% or higher for the last seven days
  • B. Disable indexes that don't have a % of searches using this property of 10% or higher for the last 24 hours
  • C. Search for indexes which are enabled but have a % of searches using property that is zero, disable those indexes
  • D. Enable indexes that have a % of searches using this property higher than 10% and also % of searches missing this index greater than 10%
  • E. Search for indexes which are disabled but have a % of searches using property above 30% and also % of searches missing index is above 30% and enable them


Answer : C,E

Explanation:
C: If the properties where the index is enabled and the % of Searches Using Property is zero, then you should disable this index.
If after 30 days the statistics show that an enabled index is used in zero % of searches, then consideration should be made to disable the indexed property.
This preserves resources for more important and actively used searches.
E: If the properties where the index is disabled and the % of Searches Using Property is above 30% and the % of Searches Missing Index is above 30%, then you should enable this index.
If administrators see search percentages above 30% across multiple time spans, then users are leveraging this search property often and consideration should be made to enable the index. These values indicate that enabling an index can improve performance for users who search specific properties frequently.
References: http://www-01.ibm.com/support/docview.wss?uid=swg21689802

A current banking customer has just expanded by purchasing a small rural bank with a low bandwidth WAN connection.
The customer wants to expand its current QRadar SIEM 3105 all-in-one deployment to capture log events from the newly acquired branch and to forward them on a schedule, after hours during the trough of activity to the main branch. There is plenty of room for this additional EPS growth.
Which device will meet the requirements?

  • A. 1202 QFlow Collector
  • B. 1400 Data Node
  • C. 1501 Event Collector
  • D. 1605 Event Processor


Answer : D

Explanation:
The IBM Security QRadar Event Processor 1605 (MTM 4380-Q1E) appliance is a dedicated event processor that you can scale your QRadar deployment to manage higher
EPS rates. The QRadar Event Processor 1605 appliance includes an on-board event collector, event processor, and internal storage for events.
With the Basic License the capacity is 2500 EPS, and with an upgrade license it is 20000
EPS.

Page:    1 / 12   
Total 60 questions