Question
What is a unique feature of AQL filtering?
Your answer

  A.  It uses a graphical interface to build queries.

  B.  It can use pre-defined category definitions.

  C.  It can adjust what the network scanners catch.

  D.  It allows an SQL-like syntax for filtering.


Question 1
When can users change their account passwords in
the User Preferences interface of QRadar SIEM?
Your answer

  A.  when the account utilizes LDAP authentication

  B.  when the account utilizes RADIUS authentication

  C.  when the account utilizes local system authentication

  D.  when the account utilizes Active Directory authentication

Question 2
Which two search criteria are required to add a custom Dash
Your answer

  A.  Fixed time period

  B.  Grouped
  C.  Time Series based

  D.  Compiled
Question 3
Passive network flow analytics provides what benefit?
Your answer

  A.  resolving network traffic issues

  B.  protecting against 0-day attacks

  C.  building asset profiles and classifying hosts

  D.  imposing network data flow limits


Question 4
What functionality is provided by the Flow Processor?
Your answer

  A.  receives third-party network flows and packages

  B.  receives log records, normalizes and forwards them to an event processor

  C.  provides temporary storage of normalized log events and payload

  D.  processes third-party network and QFlow through the CRE and stores the flows
Question 5
Which two statements are true regarding compliance
and control within today's organizations' IT structures?
Your answer

  A.  Being in compliance is more important than being in control.

  B.  It is possible to be in compliance and not be in control.

  C.  It is possible to be in control and not be in compliance.

  D.  Being in compliance demonstrates evidence of control


Question 6
What is the goal of a real-time Security Intelligence
solution?
Your answer

  A.  inform security analysts about a breach the moment an attacker penetrates the perimeter

  B.  make it harder for attackers to exfiltrate data by applying data-in-transit encryption

  C.  route all database activity monitoring data to a centralized console


Your answer

Your answer

  D.  implement proper privileged identity management to restrict access to high value assets
Question 7
Which data source can add and update information
about currently-running software products to
an asset profile?
Your answer

  A.  firewall logs

  B.  flow data

  C.  VPN lease files

  D.  system logs

Question 8
If a system uses multiple network adapters on
multiple networks but a user can only view one of
the networks, how will the system appear in the
QRadar Dashboard for that user?
Your answer

  A.  A yellow exclamation mark will appear next to the system.

  B.  The system will not have all its networks displayed.

  C.  A 'Hidden Data' message box will appear when reviewing results.

  D.  The user will not see the system asset profile at all.
Question 9
Which type of object does an asset profile describe?
Your answer

  A.  Service

  B.  Operating System

  C.  Network

  D.  Host
Question 10
In order to add new assets, which field can be included
in a CSV file when importing it into QRadar SIEM?
Your answer

  A.  MAC address

  B.  IP address

  C.  Operating System
  D.  Vulnerabilities
Question 11
How can a MAC address be entered for an asset?
Your answer

  A.  by the QFlow software

  B.  by a system log scan

  C.  by an active scanner

  D.  by the Flow Collector

  E.  by manually editing the asset profile


Question 12
How does QRadar SIEM determine which services are
running on an asset?
Your answer

  A.  by probing the asset's network ports

  B.  by scanning system log files on the asset

  C.  by processing the asset's running task list

  D.  by observing network flows to/from the asset


Question 13
What are two architectural components of the
Architecture discipline when discussing the
O-ESA Enterprise Security Program?
Your answer

  A.  application architecture

  B.  conceptual architecture

  C.  logical architecture

  D.  facilities architecture

  E.  network architecture
Question 14
Which statement describes the process of
Vulnerability Management within the Operations
discipline of the O-ESA Enterprise Security
Architecture?
Your answer

  A.  The process for identifying high-risk infrastructure components, assessing their vulnerabilitie
      risk to the operational environment.

  B.  The process of ensuring that the deployed technology conforms to the organization's policies.

  C.  The process of responding to security-related events that may violate the organization's security policies.

  D.  The process of protecting operational digital assets against accidental or unauthorized modification.

Question 15
Which statement represents a characteristic of
today's social media as it relates to IT?
Your answer

  A.  It consists of unstructured data.

  B.  The data it contains is easy to work with.

  C.  It consists of structured data.

  D.  It utilizes predefined data models.


Question 16
Which statement is true when it comes to integrating BYOD
company organization?
Your answer

  A.  It allows users greater choice while reducing security risks to the network itself.

  B.  By its very nature, mobile technology is outside of an organization's physical network perimeter and control.

  C.  Asset management is no longer a concern since the company does not own the devices.

  D.  Companies no longer have to worry about the separation between work and personal data.

Question 17
Which statement is true concerning false positive
flows?
Your answer

  A.  They are processed, displayed under Network Activity, and stored by QRadar SIEM.

  B.  QFlow collectors will ignore them.

  C.  They still contribute to offenses.

  D.  They do not contribute to reports.

Question 18
What is a benefit of configuring a superflow in
QRadar SIEM?
Your answer

  A.  Reporting traffic is only captured on an hourly basis.

  B.  There is reduced traffic from the network QFlow collectors.


Your answer

  C.  Traffic from the QFlow collectors is encrypted and secure.

  D.  There is reduced processing on the QRadar SIEM host machine.

Question 19
You are reviewing events listed under the Network
Activity tab. Some of the events have a 'C' listed
after the number of Source Bytes. What does this
mean?
Your answer

  A.  The captured bytes contain Layer 7 payload.

  B.  The captured bytes are part of a saved search.

  C.  The captured bytes have a high severity rating.

  D.  The captured bytes are contained in a cache file.

Question 20
Which Superflow attack type is profiled by the
following characteristics: single source IP address
over many ports to a single destination IP address?
Your answer

  A.  Type A: network sweep

  B.  Type A: broadcast

  C.  Type B: distributed denial of service


Your answer

  D.  Type C: port scan

Question 21
You are creating a false positive flow using QRadar
SIEM and selecting the traffic direction of the flow.
Why would you rarely, if ever, designate the traffic
direction as being 'Any Source to any Destination?'
Your answer

  A.  It would utilize too much processing power.

  B.  It would only capture broadcast traffic.

  C.  It would create too much traffic on the local network.

  D.  It would eliminate all correlation of the flow with offenses.


Question 22
By default, how many bytes of Layer 7 payload does QRadar
Your answer

  A.  the total bytes received by the destination

  B.  the total bytes sent by the source

  C.  64 bytes

  D.  1024 bytes

Question 23
What does a 'false positive' designation do to a log
or flow event?
Your answer

  A.  reduces the severity of the event by half

  B.  prevents the event from contributing to an offense

  C.  permanently disables any filter in all future scans

  D.  automatically hides future events that match the event

Question 24
You are viewing a list of events within the 'List of
Events' display. You are currently highlighting a
firewall event with an IP address of 172.16.56.3,
involving a potentially malicious host. In exact order,
which two steps should you take in order to monitor
the designated malicious source IP?
Your answer

  A.  Add a filter on the IP address, and then delete the offense filter with the Clear Filter option.

  B.  Set the IP address as a normalized event, and then filter on the IP address.

  C.  Clear the offense filter, and then add filter on the IP address.

  D.  Identify the IP address as a false positive, and then clear the offense filter.

Question 25
What does the 'Log Source' field record?
Your answer

  A.  the source IP of the raw event


Your answer

  B.  the original device sending the raw payload

  C.  the database where the raw entry is stored

  D.  the network segment of the offense

Question 26
How is the raw payload of an event or flow stored by
QRadar SIEM?
Your answer

  A.  It is stored in its original and un-parsed format.

  B.  QRadar highlights only the relevant parts of the message.

  C.  Only the first 256 bytes of the message are saved.

  D.  QRadar adds a header describing the sending host.

Question 27
What is a negative implication of enabling time
series data?
Your answer

  A.  Events that contain time series data cannot be grouped.

  B.  QFlow cannot be utilized to analyze network traffic.

  C.  Flows that contain time series data cannot be grouped.


Your answer

  D.  It can negatively affect the performance of QRadar SIEM.

Question 28
Which three types of information are included in the
default 'List of Events' page?
Your answer

  A.  Source IP

  B.  QID

  C.  Event Name

  D.  Log Source

  E.  Protocol
Question 29
What is a unique feature of AQL filtering?
Your answer

  A.  It allows an SQL-like syntax for filtering.

  B.  It can adjust what the network scanners catch.

  C.  It can use pre-defined category definitions.

  D.  It uses a graphical interface to build queries.


Question 30
How does QRadar SIEM capture time-series data
in order to reduce storage needs?
Your answer

  A.  single source, single destination, changing ports

  B.  multiple source, multiple destination

  C.  multiple source, single destination

  D.  single source, multiple destination


Question 45
What benefit does IBM Security
QRadar Vulnerability Manager
provide to QRadar SIEM?
Your answer

  A.  It provides an active scanner that is present on all event and flow collectors.

  B.  It provides advanced filters to examine specific activities on the network.

  C.  It processes results from a hosted scanner to see a view from inside the firewall boundaries.

  D.  It provides investigation capabilities to assess the collected raw data from assets.
Question 46
Which two free vulnerability data
sources are used by QRadar SIEM?
