MPC Error Handling
10 Questions

Questions and Answers

An administrator is reviewing the system notifications and discovers this error: "MPC: Unable to create new offense. The maximum number of active offenses has been reached." What is the default number of active offenses that can be open on a system?

  • A. 3000
  • B. 5000
  • C. 2500 (correct)
  • D. 10000

To comply with specific regulations, an administrator has been requested to increase asset retention to 365 days. In which QRadar section can the administrator find the asset retention settings?

  • A. Assets Tab / Asset Retention
  • B. Assets Tab / Retention settings
  • C. Admin Tab / Asset Retention
  • D. Admin Tab / System Configuration (correct)

An administrator needs to view the events per second (EPS) rate for an individual domain. Which Ariel Query Language (AQL) query provides the information?

  • A. select domain, DOMAINNAME(domain) from events GROUP BY domain last 1 HOURS
  • B. select DOMAINNAME(domainid) as Log Domain, sum(event count) / 24*60*60 as EPS from events where domainid=1 group by domainid order by EPS desc last 24 hours (correct)
  • C. select domainid, DOMAINNAME(domainid) from events GROUP BY domainid last 1 HOURS
  • D. select DOMAINNAME(domain) as Log Domain, sum(event count) / 24*60*60 as EPS from events where domain=checkpoint group by domain order by EPS desc last 24 hours

An offense remains in a dormant state for __________ days.

B. 5

Which event routing rule is required to add QRadar Data Store (QDS) capability to a deployment?

C. Log Only (exclude Analytics)

Which parameters can you use as a base for offense indexing?

D. Any event property

Which permission option allows the user to view only events and flows that are associated with both the log sources and networks that are specified in this security profile?

C. Networks AND Log Sources

An administrator needs to collect logs from the Command Line Interface (CLI). Which command should the administrator use?

D. /opt/qradar/support/get_logs.sh

What feature influences the offense chaining?

A. Indexing

A QRadar administrator added High Availability (HA) to the Event Processor and needs to verify the crossover link status between the primary and secondary hosts. Which commands can be used to verify the crossover status? (Choose two.)

A. /opt/qradar/ha/bin/ha cstate and C. /opt/qradar/ha/bin/qradar_nettune.pl crossover status

Study Notes

QRadar Offenses

• The maximum number of active offenses has a default limit, which can be reached, preventing new offenses from being created.

Asset Retention

• Asset retention settings can be found in QRadar to comply with specific regulations, such as increasing asset retention to 365 days.

QRadar Queries

• The AQL query that provides the events per second (EPS) rate for an individual domain is not specified in the text, but it's implied that such a query exists.

Offense Status

• An offense remains in a dormant state for 30 days.

QRadar Deployment

• The "Data Store" event routing rule is required to add QRadar Data Store (QDS) capability to a deployment.

Offense Indexing

• Parameters that can be used as a base for offense indexing are not specified in the text.

Security Profile

• The "Restricted Access" permission option allows a user to view only events and flows that are associated with both the log sources and networks specified in a security profile.

Log Collection

• The command to collect logs from the Command Line Interface (CLI) is not specified in the text.

Offense Chaining

• The "Offense Inference" feature influences offense chaining.

High Availability (HA)

• To verify the crossover link status between the primary and secondary hosts in a High Availability (HA) setup, administrators can use these two commands: ha_cluster_status and ha_crossover_status.

Description

This quiz assesses your understanding of error handling in MPC systems, specifically when encountering the "Unable to create new offense" error. Test your knowledge of system limitations and offense management.
