SAMPLE QUESTIONS for:

Test C1000-026, IBM QRadar SIEM V7.3.2 Fundamental Administration

Note: The bolded response option is the correct answer.

------------------------------------
Question C1000-026.1.2.7
To increase the search performance and storage capabilities of an existing distributed QRadar
deployment, an administrator decided to install a QRadar Data Node appliance.

Before the installation and deployment of the Data Node, what should the administrator check?
(Choose two)

A. Ensure the Event Processor and the Data Node are using the same hardware.
B. Ensure port 32006 between the Data Node and the Event Processor appliance is
opened.
C. Ensure port 32011 between the Data Nodes and the Console's Event Processor is
opened.
D. Ensure the existence of an IP Tables rule to permit the traffic between the Data Node and the
QRadar Console.
E. Ensure the SSH keys are available on both the Event Processor and the Data Node for the
encryption tunnel to be configured.

------------------------------------
Question C1000-026.2.2.2
What is the recommended order of the directories to copy the SFS file in an upgrade process?

A. /storetmp, /store, /tmp

------------------------------------
Question C1000-026.2.3.1
An administrator reviews a newsflash from IBM Support. It informs that the QRadar
deployment has been security tested and is vulnerable against several known attacks, and that
the vulnerabilities have been fixed in the latest patch. The administrator decides to update their
QRadar installation.

In a distributed environment, which QRadar appliance must be updated first?

A. QRadar Console
B. QRadar Data Node
C. QRadar HA Console
D. QRadar Event/Flow Processor

------------------------------------
Question C1000-026.3.1.2
An administrator wants to add a new Cisco ASA log source.
What are the two protocols that Cisco ASA supports for collecting events? (Choose two)

A. JDBC
B. SNMP
C. Syslog
D. Rest API
E. Cisco NSEL

--------------------------------------
Question C1000-026.3.5.10
An administrator has a rule that populates a reference set with Source IPs. The administrator
wants this reference set to contain just Source IPs seen in the last 30 days.

How does the administrator configure the reference set?

A. Admin > Reference Set Management > Select Reference set > Edit > Time to Live of
elements > uncheck lives forever > select since last seen > set 30 days
B. Admin > Reference Set Management > Select Reference set > Edit > Time to Live of
elements > uncheck lives forever > select since first seen > set 30 days
C. Admin > Reference Set Management > Select Reference set > Edit > Time to Live of
elements > check lives forever > select since first seen > set 30 days
D. Admin > Reference Set Management > Select Reference set > Edit > Time to Live of
elements > check lives forever > select since last seen > set 30 days

--------------------------------------
Question C1000-026.3.12.3
An administrator is seeing large number of assets related to service accounts/automated
services in the Assets tab. The administrator wants to minimize asset creation related to service
accounts to enhance product performance.

What should the administrator do to stop this asset growth deviation?

A.
1. Create a saved search where ‘Identity Username’ + ‘Is Any Of’ + ‘Anonymous
logon’.
2. Add the search using Admin tab > Asset Profile Configuration > Manage Identity
Exclusion > Add Saved Search
B.
1. Create a saved search where ‘Identity Username’ + ‘Is Any Of’ + ‘Anonymous logon’.
2. Add the search using Admin tab > Asset Database Configuration > Manage Database
Exclusion > Add Saved Search
C.
1. Create a saved search where ‘Identity Services’ + ‘Is Any Of’ + ‘Administrator logon’.
2. Add the search using Admin tab > Asset Database Configuration > Manage Service
Exclusion > Add Saved Search
D.
1. Create a saved search where ‘Identity Username’ + ‘Is Any Of’ + ‘Anonymous logon’.
2. Add the search using Admin tab > Asset Profile Configuration > Manage Asset
Blacklist Exclusion > Add Saved Search
------------------------------------
Question C1000-026.4.1.2
What are two valid user responses for the following QRadar notification? (Choose two.)

38750109 - A store and forward schedule finished while events were left on disk.
These events will be stored on the local event collector until the next forwarding
sessions begins

A. Wait until the next store and forward interval occurs

------------------------------------
Question C1000-026.4.4.4
An administrator receives a system notification stating: 'Performance degradation was
detected in the event pipeline. Expensive Device Support Module (DSM) extensions were
found'.

Which QRadar service is having this pipeline issue?

A. ariel
B. ecs-ec
C. ecs-ep
D. hostcontext

------------------------------------
Question C1000-026.4.7.7
An administrator wants to be notified when, during office hours, the number of connected users
to a VPN is more than the 250 licensed VPN clients. The administrator wants to receive an
email and see a corresponding event generated in the Log Activity tab.

How can the administrator monitor this event?

A. From the Offenses tab select Rules and then click Actions, Create Common Rule and in the
rule wizard setup select the test to count events showing successful logins to the VPN server
during office opening hours. In the Rule Response dispatch a new event and then send an
email entering the email of the analyst.
B. From the Log Activity tab select Rules and then click Actions, Create Event Rule and in the
rule wizard setup select the test to count events showing successful logins to the VPN server
during office opening hours. In the Rule Response dispatch a new event and then send an
email entering the email of the analyst.
C. From the Network Activity tab select Rules and then click Actions, Create Flow Rule and in
the rule wizard setup select the test to count events showing successful logins to the VPN
server during office opening hours. In the Rule Response dispatch a new event and then
send an email entering the email of the analyst.
D. From the Log Activity tab create and save a search filtered and grouped by the VPN
log source successful connection events showing the Count Column, click Rules and
select Add Threshold Rule, configure the test stack to trigger the rule when the
 counted properties is over 250 and it happens between the specified hours. In the
Rule Response dispatch a new event and then send an email entering the email of the
analyst.

------------------------------------
Question C1000-026.5.4.4
An administrator has found an error in the QRadar logs, and has identified a particular classpath
connected with the error. To further troubleshoot this error, the administrator needs to put it into
debug mode.

Which script should the administrator use to toggle debug mode for QRadar logging?

A. /opt/qradar/support/jmx.sh
B. /opt/qradar/support/threadtop.sh
C. /opt/qradar/support/mod_log4j.pl
D. /opt/qradar/support/qapp_utils.py