Question 1

A QRadar analyst wants to limit the time period for which an AOL query is evaluated. Which functions and clauses could be used for this?

ASTART, BETWEEN. LAST. NOW. PARSEDATETIME

BSTART, STOP. LAST, NOW, PARSEDATETIME

CSTART. STOP. BETWEEN, FIRST

DSTART, STOP. BETWEEN, LAST

Answer : B

In QRadar, to limit the time period for which an AQL (Ariel Query Language) query is evaluated, the functions and clauses that can be used include START, STOP, LAST, NOW, and PARSEDATETIME. Specifically, the LAST function is used to define a relative time range for the query, such as 'LAST 2 DAYS'.

Question 2

After how much time will QRadar mark an Event offense dormant if no new events or flows occur?

A2 hours

B30 minutes

C24 hours

D5 minutes

Answer : B

QRadar will mark an Event offense as dormant if no new events or flows occur within 30 minutes. However, if QRadar did not process any events within 4 hours, this also triggers the offense to become dormant. Once dormant, the offense remains in this state for 5 days unless new events or flows are added.

Question 3

What Is the result of the following AQL statement?

AReturns all fields where the username contains the ERS string and is case-sensitive

BReturns all fields where the username contains the ERS string and is case-insensitive

CReturns all fields where the username is different from the ERS string and is case-insensitive

DReturns all fields where the username is different from the ERS string and is case-sensitive

Answer : B

The AQL (Ariel Query Language) statement provided would return all fields from the 'events' table where the 'username' column contains the string 'ERS', regardless of case. The 'ILIKE' operator in AQL is used for case-insensitive pattern matching, which means that it will match 'ers', 'Ers', 'ErS', etc.

Question 4

Which two (2) types of data can be displayed by default in the Application Overview dashboard?

ALogin Failures by User {real-time)

BFlow Rate (Flows per Second - Peak 1 Min)

CTop Applications (Total Bytes)

DOutbound Traffic by Country (Total Bytes)

EICMP Type/Code (Total Packets)

Answer : C, D

The Application Overview dashboard in QRadar includes various default items1.Two of these items areTop Applications (Total Bytes)andOutbound Traffic by Country (Total Bytes)1.

Default dashboards - IBM Documentation

According to the IBM Security QRadar SIEM V7.5 documentation, the Application Overview dashboard by default includes items such as 'Inbound Traffic by Country (Total Bytes),' 'Outbound Traffic by Country (Total Bytes),' and 'Top Applications (Total Bytes)' among others. This confirms that options C and D are displayed by default on the Application Overview dashboard.

Question 5

What process is used to perform an IP address X-Force Exchange Lookup in QRadar?

AOffense summary tab > right-click IP address > Plugin Option > X-Force Exchange Lookup

BCopy the IP address and go to X-Force Exchange to perform the lookup

CRun Autoupdate

DRun a query on maxmind db

Answer : A

To perform an IP address X-Force Exchange Lookup in QRadar, you can follow these steps2:

Select the Log Activity or the Network Activity tab.

Right-click the IP address that you want to view in X-Force Exchange.

Select More Options > Plugin Options > X-Force Exchange Lookup to open the X-Force Exchange interface2.

The procedure to perform an IP address X-Force Exchange Lookup in QRadar involves selecting either the Log Activity or the Network Activity tab, right-clicking the IP address of interest, and then navigating through More Options > Plugin Options > X-Force Exchange Lookup to access the X-Force Exchange interface.

Free Practice Questions for IBM C1000-162 Exam

Question 1

Question 2

Question 3

Question 4

Question 5