QRadar#2 Flashcards
(45 cards)
Difference between Local and global rules
5 login failures by the same user in 10 minutes
local - all 5 login failures must appears on the same event processor
global - if 3 login fails were on an EP and 2 on second
A QRadar user needs to enable/disable few of the rules. Which role permission is required for enabling and disabling the rule? A. Offenses > Maintain CRE Rules B. Offenses > Maintain Use Cases C. Offenses > Toggle Custom Rules D. Offenses > Maintain Custom Rules
D. Offenses > Maintain Custom Rules
Which mode provides an analyst with a real-time view of their current event activity by
displaying a continuously updating sample of the most recent events?
A. Live Events
B. Real Time (displaying)
C. Real Time (streaming)
D. Last Interval (auto refresh)
C. Real Time (streaming)
How does an analyst determine which rules are most active in generating Offenses?
A. Assets -> Rules -> click Offense Count to reorder the column in ascending order
B. Admin -> Rules -> click Offense Count to reorder the column in descending order
C. Offenses -> Rules -> click Offense Count to reorder the column in ascending order
D. Offenses -> Rules -> click Offense Count to reorder the column in descending order
D. Offenses -> Rules -> click Offense Count to reorder the column in descending order
What is the maximum length of the Notes field in the Offenses tab? A. 1000 B. 1200 C. 1500 D. 2000
D. 2000
How many active Offenses can be in the QRadar system? A. 2500 B. 3000 C. 3500 D. 4000
A. 2500
The analyst needs to export an Offense outside QRadar to make a report of the incident.
Which export format is supported? (Choose two)
A. TSV (Tab Separated Values)
B. CSV (Comma Separated Values)
C. Fixed Field Text (Plain Text)
D. XML (Extensible Markup Language)
E. HTML (Hypertext Markup Language)
B. CSV (Comma Separated Values)
D. XML (Extensible Markup Language)
What period of inactivity causes an offense to go into dormant state? A. 5 days B. 5 hours C. 30 days D. 30 minutes
D. 30 minutes
A high number of Offenses are being generated for a specific event type.
What can the analyst do to investigate why Offenses are being created?
A. Review the health notification Offense rules.
B. Review the rules used in creating the Offense.
C. Review the Offense and enable the Offense high event rules.
D. Review the log sources and enable the anomaly Offense detection rules
B. Review the rules used in creating the Offense.
Which time stamp is used to determine whether events are being queued in the event pipeline for performance or licensing reasons? A. Start Time B. Device Time C. Storage Time D. Log Source Time
C. Storage Time
When is the offense magnitude re-evaluated
when new events are added to the offense.
What are the chart types in the dashboard.
Pie, Table, Bar, Time Series
What are the chart types in the report
Bar, Pie, Table, Line, Stacked Line, Stacked Bar
Super flow types: Type A - network sweep Type B - DDoS Type C - port scan Standard
Type B - DDos
Where is the vulnerability information located?
Asset tab
Base 64
Payload -> base 64
Schedule report is every Monday and the first day of mount. When they want a report on Thursday. MON - WED MON - THU (THU - WED) whole last week from last week to THU
whole last week
DSSE (device stop sending events)
runs in the absence of events.
Search for all viruses
Pause event/flow, double-click it, press Extract Property to extract virus (e.g. MD5),
Creating custom rule that use extracted property as an offense index field. Search by offense type.
Analyst. Manually generation report
Does not restart the existing report schedule.
Where are the Notes and Annotations located?
Bottom offense summary page
For 10min 15 mails received and see only 1 offense
Coalescing
What columns are defaultly displayed in offense log?
QID
Log source
New log source was created and low level category is stored
Events are not correctly parsed
Admin tab > log sources > parsing order
