Which statement about False Positive Building Blocks applies?
Using False Positive Building Blocks:
A. helps to prevent unwanted alerts, but there is no effect on performance.
B. helps to prevent unwanted alerts, and reduces the performance impact of testing rules that do not need to be tested.
C. has no impact on unwanted alerts, but it does reduce the performance impact of testing rules that do not need to be tested.
D. has no impact on unwanted alerts, or performance.

Which filter would an analyst apply in the Log Activity tab to get a list of log sources not reporting to QRadar?
A. Log source status does not equal active
B. Custom rule equals device stopped sending events
C. Log source type does not equal active
D. Log source status does not equal error

Which consideration should be given to the position of rule tests that evaluate regular expressions (Regex tests)?
A. They can only be used in Building Blocks to ensure they are evaluated as infrequently as possible.
B. They are usually the most specific. As such, they should appear first in the order.
C. They are usually the most expensive. As such, they should appear last in the order.
D. They are stateful tests. As such, QRadar automatically evaluates them last.

An analyst needs to find all events that are creating offenses that are triggered by rules that contain the word "suspicious" in the rule name.
Which query can the analyst use as a working sample?
A. SELECT LOGSOURCETYPE(logsourceid), “from log_events where RULENAME(creeventlist) ILIKE ‘%suspicious%’
B. SELECT LOGSOURCERULES(logsourceid), “from rule_events where RULENAME(creeventlist) ILIKE ‘%suspicious%’
C. SELECT LOGGEDOFFENSE(logsourceid), *from offense_events where RULENAME(creeventlist) ILIKE ‘%suspicious%’
D. SELECT LOGSOURCENAME(logsourceid), * from events where RULENAME(creeventlist) ILIKE ‘%suspicious%’

There are 5 authentication servers that report to different Event Processors. There is a requirement to generate an Offense if there are 5 consecutive failed logins detected across any of the 5 Event Processors.
Which type of rule should the analyst create?
A. Global Rule
B. Persistent Rule
C. Local Rule
D. Offense Rule

From which tab in QRadar SIEM can an analyst search vulnerability data and remediate vulnerabilities?
A. Log Activity
B. Dashboard
C. Assets
D. Admin

An analyst observed a port scan attack on an internal network asset from a remote network. Which filter would be useful to determine the compromised host?
A. Any IP
B. Destination IP [Indexed]
C. Source or Destination IP
D. Source IP [Indexed]

What information is displayed in the default “Log Activity” page? (Choose two.)
A. QID
B. Protocol
C. Qmap
D. Log Source
E. Event Name

What are the different flow types in QRadar?
A. L2L, L2R, R2R, R2L
B. Standard, Type A, Type B, Type C
C. Standard, Type 1, Type 2, Type 3
D. Type 1, Type 2, Type 3, Type 4

An analyst needs to investigate why an Offense was created. How can the analyst investigate?
A. Review the Offense summary to investigate the flow and event details.
B. Review the X-Force rules to investigate the Offense flow and event details.
C. Review pages of the Asset tab to investigate Offense details.
D. Review the Vulnerability Assessment tab to investigate Offense details.