QRadar Event Mapping Quiz and Flashcards

Podcast

Play an AI-generated podcast conversation about this lesson

Questions and Answers

Which two fields are used by QRadar to map an event to a QID?

A. High-level Category and Low-level Category
B. Event ID and Event Name
C. Event Category and Event ID (correct)
D. Event Category and High-level Category

A QRadar Administrator needs to define a new user role with access to only see events in QRadar. Which permissions should be granted to the role?

A. Network Activity
B. Log Activity (correct)
C. Events
D. Networks

Which framework can be visualized from the Use Case Manager application?

A. MITRE ATT&CK (correct)
B.. Lockheed Martin Cyber Kill Chain
C. NIST 800-53
D. Diamond Model of Intrusion Analysis

Which type of rule tests event and flow traffic for changes in short-term events compared against a longer timeframe?

A. Anomaly rules Anomaly rules: Test event and flow traffic for changes in short-term events when you are comparing against a longer timeframe. For example, new services or applications that appear in a network, a web server crashes, firewalls that all start to deny traffic. Example: You want to be notified when one of your firewall devices is reporting more often than it usually does because your network might be under attack. You want to be notified when you receive twice as many events in 1 hour. You follow these steps: 1. Create and save a search that groups by log source, and displays only the count column. 2.Apply the saved search to an anomaly rule, and add the rule test, and when the average value (per interval) of count over the last 1 hour is at least 100% different from the average value (per interval) of the same property over the last 24 hours. Threshold rules Test events or flows for activity that is greater than or less than a specified range. Use these rules to detect bandwidth usage changes in applications, failed services, the number of users connected to a VPN, and detecting large outbound transfers. Behavioral rules Test events or flows for volume changes that occur in regular patterns to detect outliers. (A) Signup and view all the answers

The ____________ provides the current version, patch, and other system information for a QRadar system.

D. /opt/qradar/bin/myver -v (D) Signup and view all the answers

What is correct permissions of directories in /store/ariel/events/payloads and /store/ariel/flows/payloads ?

A. 755 you can do anything with the file or directory, and other users can read and execute it but not alter it. (A) Signup and view all the answers

Which utility is used for checking the integrity of event and flow logs

D. check_ariel_integrity.sh (D) Signup and view all the answers

QRadar administrators can use a tool to identify a reported issue that is associated to an APAR and work with IBM QRadar Support on a resolution or workaround. Which command allows administrators to review the logs for reported issues in QRadar?

B. /opt/qradar/support/defect-inspector (B) Signup and view all the answers

A QRadar 3128 (All-in-One) typically processes up to EPS and FPM.

A. 15000 & 300,000 (A) Signup and view all the answers

An administrator needs to import data into QRadar for a specific use case. The data that has been provided to the administrator is stored in records that map a key to a value. Which type of data collection must the administrator create?

C. Reference map Reference map :A collection of data that maps a unique key to a value. How to use:Use a reference map to verify a unique combination of two property values. Examples:To correlate user activity on your network, create a reference map that uses the LoginID parameter as a key, and the Username as a valu (C) Signup and view all the answers

Study Notes