
QRadar Event Mapping

FinerLawrencium

10 Questions

Which two fields are used by QRadar to map an event to a QID?

C. Event Category and Event ID

A QRadar Administrator needs to define a new user role with access to only see events in QRadar. Which permissions should be granted to the role?

B. Log Activity

Which framework can be visualized from the Use Case Manager application?

A. MITRE ATT&CK

Which type of rule tests event and flow traffic for changes in short-term events compared against a longer timeframe?

A. Anomaly rules

Anomaly rules: Test event and flow traffic for changes in short-term events when you are comparing against a longer timeframe. For example, new services or applications that appear in a network, a web server crashes, firewalls that all start to deny traffic.

Example: You want to be notified when one of your firewall devices is reporting more often than it usually does because your network might be under attack. You want to be notified when you receive twice as many events in 1 hour. You follow these steps:

1. Create and save a search that groups by log source, and displays only the count column.
2. Apply the saved search to an anomaly rule, and add the rule test, and when the average value (per interval) of count over the last 1 hour is at least 100% different from the average value (per interval) of the same property over the last 24 hours.

Threshold rules: Test events or flows for activity that is greater than or less than a specified range. Use these rules to detect bandwidth usage changes in applications, failed services, the number of users connected to a VPN, and detecting large outbound transfers.

Behavioral rules: Test events or flows for volume changes that occur in regular patterns to detect outliers.

The ____________ provides the current version, patch, and other system information for a QRadar system.

D. /opt/qradar/bin/myver -v

What are the correct permissions of the directories in /store/ariel/events/payloads and /store/ariel/flows/payloads?

A. 755

With 755, you can do anything with the file or directory, and other users can read and execute it but not alter it.

Which utility is used for checking the integrity of event and flow logs?

D. check_ariel_integrity.sh

QRadar administrators can use a tool to identify a reported issue that is associated to an APAR and work with IBM QRadar Support on a resolution or workaround. Which command allows administrators to review the logs for reported issues in QRadar?

B. /opt/qradar/support/defect-inspector

A QRadar 3128 (All-in-One) typically processes up to __________ EPS and __________ FPM.

A. 15000 & 300,000

An administrator needs to import data into QRadar for a specific use case. The data that has been provided to the administrator is stored in records that map a key to a value. Which type of data collection must the administrator create?

C. Reference map

Reference map: A collection of data that maps a unique key to a value.

How to use: Use a reference map to verify a unique combination of two property values.

Example: To correlate user activity on your network, create a reference map that uses the LoginID parameter as a key, and the Username as a value.

Study Notes

QRadar Event Mapping

  • Two fields used by QRadar to map an event to a QID: not specified

User Role Permissions

  • Permissions to grant to a new user role for access to events in QRadar: not specified

Use Case Manager Framework

  • Framework visualized from the Use Case Manager application: not specified

Rule Testing

  • Type of rule that tests event and flow traffic for changes in short-term events compared against a longer timeframe: Anomaly Detection rule

QRadar System Information

  • Provides current version, patch, and other system information for a QRadar system: About page

Directory Permissions

  • Correct permissions of directories in /store/ariel/events/payloads and /store/ariel/flows/payloads: not specified

Log Integrity Utility

  • Utility used for checking the integrity of event and flow logs: Arielchecker

QRadar Support Tool

  • Tool used to identify a reported issue associated with an APAR and work with IBM QRadar Support on a resolution or workaround: QRadar Support Tool

Command for Reviewing Logs

  • Command that allows administrators to review the logs for reported issues in QRadar: arielinq

QRadar 3128 Performance

  • QRadar 3128 (All-in-One) typically processes up to 12,000 Events Per Second (EPS) and 500,000 Flows Per Minute (FPM)

Data Collection

  • Type of data collection an administrator must create to import data into QRadar for a specific use case with key-value paired records: Key-Value Pair (KVP) data collection

Learn how QRadar maps events to QIDs. Take this quiz to test your knowledge of QRadar event mapping.
