
C1000-018 Online Practice Questions and Answers

Question 4

Which use case type is appropriate for VPN log sources? (Choose two.)

A. Advanced Persistent Threat (APT)

B. Insider Threat

C. Critical Data Protection

D. Securing the Cloud

Question 5

After working with an Offense, an analyst set the Offense as hidden. What does the analyst need to do to view the Offense at a later time?

A. In the All Offenses view, at the top of the view, select “Show hidden” from the “Select an option” drop-down.

B. Search for all Offenses owned by the analyst.

C. Click Clear Filter next to the “Exclude Hidden Offenses”.

D. In the All Offenses view, select Actions, then select Show Hidden Offenses.

Question 6

What is the maximum time period for 3 subsequent events to be coalesced?

A. 10 minutes

B. 10 seconds

C. 5 minutes

D. 60 seconds
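As an added illustration of what the coalescing question is about (this is example code written for this page, not IBM's implementation or anything from the exam): QRadar coalesces events that share the same source IP, destination IP, destination port, username and QID and arrive inside a 10-second window. The first three identical events are stored as individual records; further identical events inside that window are folded into the last stored record as an incremented event count, and a new window starts once the 10 seconds have elapsed. The field set, the "three stored individually" threshold and the constructed sample events below are this example's assumptions about that documented behaviour, so the window anchor and reset rules are simplified rather than taken from the product.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumptions for this example (modelled on QRadar's documented coalescing behaviour):
COALESCE_WINDOW_S = 10   # identical events arriving within 10 seconds are coalesced
STORE_INDIVIDUALLY = 3   # the first three identical events are kept as separate records


@dataclass
class Event:
    ts: float          # seconds since some epoch; only differences matter here
    src_ip: str
    dst_ip: str
    dst_port: int
    username: str
    qid: int


@dataclass
class StoredEvent:
    first: Event       # the event whose record is stored
    count: int = 1     # events coalesced into this record (including itself)


CoalesceKey = Tuple[str, str, int, str, int]


def coalesce_key(ev: Event) -> CoalesceKey:
    """The tuple on which identical events are matched (assumed field set)."""
    return (ev.src_ip, ev.dst_ip, ev.dst_port, ev.username, ev.qid)


def coalesce(events: List[Event]) -> List[StoredEvent]:
    """Replay events in time order and return the records a coalescing pipeline would store."""
    stored: List[StoredEvent] = []
    # Per key: records stored in the current window. The window is anchored on the
    # first record in it and ends COALESCE_WINDOW_S seconds later (assumption).
    windows: Dict[CoalesceKey, List[StoredEvent]] = {}
    for ev in sorted(events, key=lambda e: e.ts):
        key = coalesce_key(ev)
        group = windows.get(key)
        if group is None or ev.ts - group[0].first.ts > COALESCE_WINDOW_S:
            group = []            # start a new window for this key
            windows[key] = group
        if len(group) < STORE_INDIVIDUALLY:
            rec = StoredEvent(ev)  # first three in the window are stored on their own
            stored.append(rec)
            group.append(rec)
        else:
            group[-1].count += 1   # later identical events just bump the count
    return stored


def summarize(stored: List[StoredEvent]) -> List[Tuple[float, int]]:
    """(timestamp, coalesced count) per stored record, in storage order."""
    return [(rec.first.ts, rec.count) for rec in stored]


def sample_events() -> List[Event]:
    """Constructed sample data: a burst of failed SSH logins plus two unrelated events."""
    burst = [Event(float(t), "10.0.0.5", "10.0.0.20", 22, "root", 5000001) for t in range(6)]
    other_source = Event(2.5, "10.0.0.9", "10.0.0.20", 22, "root", 5000001)  # different key
    late = Event(15.0, "10.0.0.5", "10.0.0.20", 22, "root", 5000001)          # after the window
    return burst + [other_source, late]


if __name__ == "__main__":
    for ts, count in summarize(coalesce(sample_events())):
        print(f"t={ts:5.1f}s stored, event count {count}")
```

Running it shows the burst at t=0, 1, 2 stored as three records, t=3, 4, 5 folded into the t=2 record (count 4), the event from the other source IP stored separately because its key differs, and the t=15 event starting a fresh window and therefore stored on its own.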

Question 7

What event information within an offense would provide the analyst with a deep insight as to how it was created?

A. Event Category

B. Event QID

C. Event Payload

D. Event Magnitude

Question 8

An analyst investigates an Offense that will need more research to outline what has occurred. The analyst marks a ‘Follow up’ flag on the Offense.

What happens to the Offense after it is tagged with a ‘Follow up’ flag?

A. Only the analyst issuing the follow up flag can now close the Offense.

B. New events or flows will not be applied to the Offense.

C. A flag icon is displayed for the Offense in the Offense view.

D. Other analysts in QRadar get an email to look at the Offense.

Question 9

Which statement about False Positive Building Blocks applies?

Using False Positive Building Blocks:

A. helps to prevent unwanted alerts, but there is no effect on performance.

B. helps to prevent unwanted alerts, and reduces the performance impact of testing rules that do not need to be tested.

C. has no impact on unwanted alerts, but it does reduce the performance impact of testing rules that do not need to be tested.

D. has no impact on unwanted alerts, or performance.

Question 10

What is the intent of the magnitude of an offense?

A. It measures the age of the event attached to the offense.

B. It measures the age of the offense.

C. It measures the importance of the offense.

D. It measures the importance of the event attached to the offense.

Question 11

An analyst investigating a particular offense needs to understand the breakdown of the offense details.

How can the analyst do this?

A. Look at the magnitude information and its breakdown.

B. Look at all the event QIDs attached to the offense.

C. View the attack path of the offense.

D. Look at the list of categories, event low level categories and the events attached.

Question 12

An analyst aims to improve the detection capabilities on all the Offense rules. QRadar SIEM has a tool that allows the analyst to update all the Building Blocks related to Host and Port Definition in a single page.

How is this accomplished?

A. Admin -> Reference Set Management

B. Assets -> Asset Profiles

C. Assets -> Server Discovery

D. Admin -> Asset Profile Configuration

Question 13

An analyst needs to find events coming from unparsed log sources in the Log Activity tab. What is the log source type of unparsed events?

A. SIM Generic

B. SIM Unparsed

C. SIM Error

D. SIM Unknown

Exam Code: C1000-018
Exam Name: IBM QRadar SIEM V7.3.2 Fundamental Analysis
Last Update: Jun 11, 2026
Questions: 60