Which QRadar rule could detect a possible potential data loss?
A. Apply "Potential data loss" on events or flows which are detected by the local system and when any IP is part of any of the following XForce premium Premium_Malware
B. Apply "Potential data loss" on flows which are detected by the local system and when at least 1000 flows are seen with the same Destination IP and different Source IP in 2 minutes
C. Apply "Potential data loss" on events which are detected by the local system and when the event category for the event is one of the following Authentication and when any of Username are contained in any of Terminated_User
D. Apply "Potential data loss" on flows which are detected by the local system and when the source bytes is greater than 200000 and when at least 5 flows are seen with the same Source IP, Destination IP, Destination Port in 12 minutes
How does flow data contribute to the Asset Database?
A. Correlated Flows are used to populate the Asset Database.
B. It provides administrators visibility on how systems are communicating on the network.
C. Flows are used to enrich the Asset Database except for the assets that were discovered by scanners.
D. It delivers vulnerability and ports information collected from scanners responsible for evaluating network assets.
While on the Offense Summary page, a specific Category of Events associated with the Offense can be investigated.
Where should a Security Analyst click to view them?
A. Click on Events, then filter on Flows
B. Highlight the Category and click the Events icon
C. Scroll down to Categories and view Top 10 Source IPs
D. Right Click on Categories and choose Filter on Network Activity
An event is happening regularly and frequently; each event indicates the same target username. There is a rule configured to test for this event which has a rule action to create an offense indexed on the username. What will QRadar do with the triggered rule assuming no offenses exist for the username and no offenses are closed during this time?
A. Each matching event will be tagged with the Rule name, but only one Offense will be created.
B. Each matching event will cause a new Offense to be created and will be tagged with the Rule name.
C. Events will be tagged with the rule name as long as the Rule Response limiter is satisfied. Only one offense will be created.
D. Each matching event will be tagged with the Rule name, and an Offense will be created if the event magnitude is greater than 6.
What is the difference between TCP and UDP?
A. They use different port number ranges
B. UDP is connectionless, whereas TCP is connection based
C. TCP is connectionless, whereas UDP is connection based
D. TCP runs on the application layer and UDP uses the Transport layer
What is the maximum number of supported dashboards for a single user?
A. 10
B. 25
C. 255
D. 1023
How does a Device Support Module (DSM) function?
A. A DSM is a configuration file that combines received events from multiple log sources and displays them as offenses in QRadar.
B. A DSM is a background service running on the QRadar appliance that reaches out to devices deployed in a network for configuration data.
C. A DSM is a configuration file that parses received events from multiple log sources and converts them to a standard taxonomy format that can be displayed as outputs.
D. A DSM is an installed appliance that parses received events from multiple log sources and converts them to a standard taxonomy format that can be displayed as outputs.
Which column shows information as icons on the Reports tab?
A. Owner
B. Formats
C. Schedule
D. Report Name
What is one of the major differences between event and network data (flow)?
A. Flows can replay a whole session packet by packet, while events are just a snapshot.
B. A flow can have a life span that can last seconds, minutes, hours or days, while events are only a snapshot.
C. An event can have a life span that can last seconds, minutes, hours or days, while flows can only span 1 minute.
D. Events represent network activity by normalizing IP addresses, ports, byte and packet counts, while flows do not.
In a distributed QRadar deployment with multiple Event Collectors, from where can syslog and JDBC log sources be collected?
A. Syslog log sources and JDBC log sources may be collected by any Event Collector.
B. One Event Collector must collect ALL syslog events and another Event Collector must collect ALL JDBC events.
C. Syslog log sources and JDBC log sources are always collected by the collector assigned in the log source definition.
D. Syslog log sources may be collected by any Event Collector, but JDBC log sources will always be collected by the collector assigned in the log source definition.