C2150-612 practice questions: IBM Security QRadar SIEM V7.2.6 Associate Analyst (source: https://www.2passeasy.com/dumps/C2150-612/)
NEW QUESTION 1
Which QRadar rule could detect potential data loss?
- A. Apply "Potential data loss" on events or flows which are detected by the local system and when any IP is part of any of the following X-Force Premium_Malware
- B. Apply "Potential data loss" on flows which are detected by the local system and when at least 1000 flows are seen with the same Destination IP and different source in 2 minutes
- C. Apply "Potential data loss" on events which are detected by the local system and when the event category for the event is one of the following Authentication and when any of Username are contained in any of Terminated_User
- D. Apply "Potential data loss" on flows which are detected by the local system and when the source bytes is greater than 200000 and when at least 5 flows are seen with the same Source IP, Destination Port, Destination IP in 12 minutes
Answer: D
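Option D is a threshold test over a sliding window keyed on three flow fields. The Python below is an added example (not QRadar code and not from the exam) that emulates that rule on constructed sample flows: a byte test on each flow, then a count of qualifying flows sharing the same Source IP, Destination IP and Destination Port inside 12 minutes. The flow records, IP addresses and timestamps are all made up; a real deployment would also add the "flow direction is L2R" test so the rule only counts local-to-remote transfers.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Thresholds taken from option D: source bytes > 200000, at least 5 flows
# with the same Source IP / Destination Port / Destination IP in 12 minutes.
MIN_SOURCE_BYTES = 200_000
MIN_FLOWS = 5
WINDOW = timedelta(minutes=12)


def potential_data_loss(flows, min_source_bytes=MIN_SOURCE_BYTES,
                        min_flows=MIN_FLOWS, window=WINDOW):
    """Emulate the rule in option D over a list of flow records.

    Each flow is a dict with first_packet_time (datetime), source_ip,
    destination_ip, destination_port and source_bytes. Flows are processed
    in time order; a flow that fails the byte test is ignored, and the
    counting test is a sliding window keyed on (src ip, dst ip, dst port).
    Returns the (time, key) pairs at which the rule would fire.
    """
    seen = defaultdict(deque)   # key -> timestamps of qualifying flows
    hits = []
    for flow in sorted(flows, key=lambda f: f["first_packet_time"]):
        if flow["source_bytes"] <= min_source_bytes:
            continue            # first test fails, nothing to count
        key = (flow["source_ip"], flow["destination_ip"], flow["destination_port"])
        window_times = seen[key]
        window_times.append(flow["first_packet_time"])
        # Drop flows that fell out of the 12-minute window (the newest
        # timestamp is always kept, so the loop terminates).
        while flow["first_packet_time"] - window_times[0] > window:
            window_times.popleft()
        if len(window_times) >= min_flows:
            hits.append((flow["first_packet_time"], key))
    return hits


def make_sample_flows():
    """Constructed sample flows (not real traffic)."""
    t0 = datetime(2024, 1, 1, 9, 0, 0)
    flows = []
    # Six large uploads, one every two minutes, same 3-tuple: fires on 5th and 6th.
    for i in range(6):
        flows.append({"first_packet_time": t0 + timedelta(minutes=2 * i),
                      "source_ip": "10.1.1.5", "destination_ip": "203.0.113.7",
                      "destination_port": 443, "source_bytes": 250_000})
    # Many small flows to the same destination: the byte test never passes.
    for i in range(7):
        flows.append({"first_packet_time": t0 + timedelta(minutes=i),
                      "source_ip": "10.1.1.9", "destination_ip": "203.0.113.7",
                      "destination_port": 443, "source_bytes": 5_000})
    # Large transfers five minutes apart: never 5 of them inside 12 minutes.
    for i in range(6):
        flows.append({"first_packet_time": t0 + timedelta(minutes=5 * i),
                      "source_ip": "10.1.1.20", "destination_ip": "198.51.100.4",
                      "destination_port": 22, "source_bytes": 300_000})
    return flows


def demo():
    """Run the rule over the constructed flows; returns two hits at 09:08 and 09:10."""
    return potential_data_loss(make_sample_flows())


if __name__ == "__main__":
    for when, (src, dst, port) in demo():
        print(f"{when:%H:%M} potential data loss: {src} -> {dst}:{port}")
```

Note that the rule keeps firing for every further qualifying flow once the window is full; in QRadar you would put a Response Limiter on the rule so one offense is raised per source rather than one per flow.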
NEW QUESTION 2
What is a primary benefit of building blocks?
- A. They can notify users of strange behavior.
- B. They allow their tests to be reused within any number of rules.
- C. They generate new events into the pipeline before rules fire.
- D. They allow for report results to be used in custom rules tests.
Answer: B
NEW QUESTION 3
A Security Analyst found multiple connection attempts from suspicious remote IP addresses to a local host on the DMZ over port 80. After checking the related events, no successful exploits were detected.
Upon checking internal documentation, this activity was part of an expected penetration test which requires no immediate investigation.
How can the Security Analyst ensure results of the penetration test are retained?
- A. Hide the offense and add a note with a reference to the penetration test findings
- B. Protect the offense to not allow it to delete automatically after the offense retention period has elapsed
- C. Close the offense and mark the source IP for Follow-Up to check if there are future events from the host
- D. Email the Offense Summary to the penetration team so they have the offense id, add a note, and close the Offense
Answer: B
Explanation:
References:
http://www.ibm.com/support/knowledgecenter/SSKMKU/com.ibm.qradar.doc/c_qradar_Off_Retention.html
NEW QUESTION 4
What are two common uses for a SIEM? (Choose two.)
- A. Managing and normalizing log source data
- B. Identifying viruses based on payload MD5s
- C. Blocking network traffic based on rules matched
- D. Enforcing governmental compliance auditing and remediation
- E. Performing near real-time analysis and observation of a network and its devices
Answer: AE
NEW QUESTION 5
What is a main function of a Cisco Adaptive Security Appliance (ASA)?
- A. A Proxy
- B. A Switch
- C. A Firewall
- D. An Authentication device
Answer: C
NEW QUESTION 6
What does the Network Hierarchy provide relating to the "whole picture" that is helpful during an investigation?
- A. It allows hosts that are marked to be known to have vulnerabilities to be seen quickly.
- B. It allows for the isolation of traffic between the hosts in question for more in depth analysis.
- C. It allows for the removal of infected hosts from the network before being added back into the network.
- D. It allows for the identification of known hosts on the network versus those that aren't members of the network.
Answer: D
NEW QUESTION 7
What are the various timestamps related to a flow?
- A. First Packet Time, Storage Time, Log Source Time
- B. First Packet Time, Storage Time, Last Packet Time
- C. First Packet Time, Log Source Time, Last Packet Time
- D. First Packet Time, Storage Time, Log Source Time, End Time
Answer: B
Explanation:
References:
IBM Security QRadar SIEM Users Guide. Page: 101
NEW QUESTION 8
What set of Key fields can trigger coalescing?
- A. Source IP address, Source port, Severity, Username, and Event ID
- B. Source IP address, Destination IP address, Destination port, Direction, and Event ID
- C. Source IP address, Destination IP address, Destination port, Username, and Event ID
- D. Destination IP address, Destination port, Relevance, Username, and Low Level Category
Answer: C
Explanation:
References:
http://www-01.ibm.com/support/docview.wss?uid=swg21622709
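Coalescing only merges events that agree on all five key fields from option C. The Python below is an added example (not QRadar code) that models that behaviour on constructed events: the key is the 5-tuple, and the window parameters are assumptions for the example (the IBM note referenced above describes coalescing starting after three matching events inside ten seconds; here they are plain constants you can change). Hostnames, users and payloads are invented.

```python
# The five key fields from the question: an event is coalesced only with
# events that match on all of them.
KEY_FIELDS = ("source_ip", "destination_ip", "destination_port", "username", "event_id")

# Assumed parameters for this model (not read from a live system): the first
# COALESCE_AFTER matching events in a WINDOW_SECONDS window are stored one by
# one, later matches in the same window are folded into one record.
COALESCE_AFTER = 3
WINDOW_SECONDS = 10


def coalesce(events, coalesce_after=COALESCE_AFTER, window_seconds=WINDOW_SECONDS):
    """Return the records that would be stored for a list of event dicts.

    Each event carries a 'time' (seconds), the KEY_FIELDS and a 'payload'.
    A window opens at the first event for a key and closes after
    window_seconds; the next event for that key opens a fresh window.
    """
    state = {}      # key -> [window_start, events_seen, coalesced_record]
    records = []
    for ev in sorted(events, key=lambda e: e["time"]):
        key = tuple(ev[f] for f in KEY_FIELDS)
        st = state.get(key)
        if st is None or ev["time"] - st[0] > window_seconds:
            st = state[key] = [ev["time"], 0, None]   # open a new window
        st[1] += 1
        if st[1] <= coalesce_after:
            records.append({**ev, "event_count": 1})  # stored individually
        elif st[2] is None:
            st[2] = {**ev, "event_count": 1}          # first coalesced event
            records.append(st[2])
        else:
            st[2]["event_count"] += 1                 # folded into the record
    return records


def make_sample_events():
    """Constructed sample events (not captured from a device)."""
    base = dict(source_ip="10.0.0.5", destination_ip="10.0.0.1",
                destination_port=22, event_id="SSH Login Failed")
    events = []
    # Seven failures for alice inside ten seconds: 3 stored singly, 4 coalesced.
    for s in range(7):
        events.append({**base, "time": s, "username": "alice",
                       "payload": f"sshd: Failed password for alice t={s}"})
    # Two failures for bob in the same window: different Username, separate key.
    for s in (1, 2):
        events.append({**base, "time": s, "username": "bob",
                       "payload": f"sshd: Failed password for bob t={s}"})
    # One more alice failure after the window closed: stored singly again.
    events.append({**base, "time": 20, "username": "alice",
                   "payload": "sshd: Failed password for alice t=20"})
    return events


def demo():
    """Coalesce the ten constructed events into seven stored records."""
    return coalesce(make_sample_events())


if __name__ == "__main__":
    for r in demo():
        print(f"t={r['time']:>2} {r['username']:<6} x{r['event_count']}")
```

The practical consequence for an analyst: a coalesced record keeps the payload of the event that opened it, so the later payloads folded into it are not searchable individually. Disable coalescing on a log source when every payload matters (for example, audit logs feeding a custom-property extraction).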
NEW QUESTION 9
Which Anomaly Detection Rule type can test events or flows for volume changes that occur in regular patterns to detect outliers?
- A. Outlier Rule
- B. Anomaly Rule
- C. Threshold Rule
- D. Behavioral Rule
Answer: D
Explanation:
References:
http://www.ibm.com/support/knowledgecenter/en/SS42VS_7.2.7/com.ibm.qradar.doc/c_qradar_rul_anomaly_de
NEW QUESTION 10
What is the correct procedure for closing an offense?
- A. From the Offenses Tab, select the offense(s), click on Actions, select Close
- B. From the Dashboard, select the offense(s) in question, right click and select Close
- C. From the Offense Summary Page, click Display and select Close and select the reason
- D. From the Offenses Tab, select the offense(s), right click on selection, select Close
Answer: A
NEW QUESTION 11
What is the key difference between Rules and Building Blocks in QRadar?
- A. Rules have Actions and Responses; Building Blocks do not.
- B. The Response Limiter is available on Building Blocks but not on Rules.
- C. Building Blocks are built-in to the product; Rules are customized for each deployment.
- D. Building Blocks are Rules which are evaluated on both Flows and Events; Rules are evaluated on Offenses of Flows or Events.
Answer: A
NEW QUESTION 12
Which two pieces of information can be found under the Log Activity tab? (Choose two.)
- A. Offenses
- B. Vulnerabilities
- C. Firewall events
- D. Destination Bytes
- E. Internal QRadar messages
Answer: CE
NEW QUESTION 13
Which set of information is provided on the asset profile page on the assets tab in addition to ID?
- A. Asset Name, MAC Address, Magnitude, Last user
- B. IP Address, Asset Name, Vulnerabilities, Services
- C. IP Address, Operating System, MAC Address, Services
- D. Vulnerabilities, Operating System, Asset Name, Magnitude
Answer: C
Explanation:
References:
https://www.ibm.com/support/knowledgecenter/SS42VS_7.2.1/com.ibm.qradar.doc_7.2.1/c_qradar_ug_asset_su
NEW QUESTION 14
Which approach allows a rule to test for Active Directory (AD) group membership?
- A. Import the AD membership information into the Asset Database using AXIS and use an asset rule test
- B. Use the built-in LDAP integration to execute a search for each event as it is received by the EventProcessor to test for group membership
- C. Maintain reference data for the AD group(s) of interest containing lists of usernames and then add rule tests to see if the normalized username is in the reference data
- D. Export the AD group membership information to a CSV file and place it in the /store/AD_mapping.csv file on the console, then use the "is a member of AD group" test in the rule
Answer: C
NEW QUESTION 15
Which type of tests are recommended to be placed first in a rule to increase efficiency?
- A. Custom property tests
- B. Normalized property tests
- C. Reference set lookup tests
- D. Payload contains regex tests
Answer: B
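Questions 14 and 15 fit together: group membership lives in reference data, and the rule tests are ordered so the cheap normalized-property test runs first, the reference-set lookup second and a payload regex last, because the Custom Rules Engine stops at the first failing test. The Python below is an added example (not QRadar code and not from the exam) that runs the same three tests in both orders over constructed events and counts how many times the regex actually executes. The Terminated_User set, the event fields and the payloads are invented for the demonstration.

```python
import re

# Reference set kept outside the rule (option C of question 14): constructed
# usernames, not real data. In QRadar this would be a Reference Set populated
# from AD by an import job, and the rule test would be
# "when any of Username are contained in any of Terminated_User".
TERMINATED_USER = {"jdoe", "mlee"}


class RegexCounter:
    """A payload-contains-regex test that records how often it runs."""

    def __init__(self, pattern):
        self.pattern = re.compile(pattern)
        self.evaluations = 0

    def __call__(self, event):
        self.evaluations += 1
        return self.pattern.search(event["payload"]) is not None


def normalized_category_test(event):
    """Normalized property test: indexed field, cheapest to evaluate."""
    return event["category"] == "Authentication"


def reference_set_test(event):
    """Reference set lookup on the normalized username (question 14, option C)."""
    return event["username"].lower() in TERMINATED_USER


def evaluate(events, tests):
    """AND the tests together, stopping at the first one that fails."""
    return [e for e in events if all(test(e) for test in tests)]


def make_sample_events():
    """Constructed sample events (not from a real log source)."""
    return [
        {"id": 1, "category": "Authentication", "username": "jdoe",
         "payload": "sshd[101]: Accepted password for jdoe from 203.0.113.9 port 51022"},
        {"id": 2, "category": "Authentication", "username": "alice",
         "payload": "sshd[102]: Accepted publickey for alice from 10.0.0.8 port 40210"},
        {"id": 3, "category": "Network", "username": "jdoe",
         "payload": "%ASA-6-302013: Built outbound TCP connection 77 for outside:198.51.100.4/443"},
        {"id": 4, "category": "Authentication", "username": "mlee",
         "payload": "sshd[103]: Failed password for mlee from 203.0.113.9 port 51030"},
        {"id": 5, "category": "Network", "username": "",
         "payload": "%ASA-6-302014: Teardown TCP connection 77 for outside:198.51.100.4/443"},
        {"id": 6, "category": "Network", "username": "",
         "payload": "%ASA-4-106023: Deny tcp src outside:203.0.113.20/4444 dst inside:10.0.0.5/445"},
        {"id": 7, "category": "Network", "username": "svc_backup",
         "payload": "%ASA-6-302015: Built outbound UDP connection 78 for outside:8.8.8.8/53"},
        {"id": 8, "category": "Network", "username": "",
         "payload": "%ASA-6-302016: Teardown UDP connection 78 for outside:8.8.8.8/53"},
    ]


def compare_orderings(events):
    """Run the same rule with cheap tests first and with the regex first."""
    pattern = r"Accepted (password|publickey) for"
    cheap_first = RegexCounter(pattern)
    regex_first = RegexCounter(pattern)
    matches_a = evaluate(events, [normalized_category_test, reference_set_test, cheap_first])
    matches_b = evaluate(events, [regex_first, normalized_category_test, reference_set_test])
    return {
        "matches": [e["id"] for e in matches_a],
        "same_result": [e["id"] for e in matches_a] == [e["id"] for e in matches_b],
        "regex_runs_cheap_first": cheap_first.evaluations,
        "regex_runs_regex_first": regex_first.evaluations,
    }


def demo():
    return compare_orderings(make_sample_events())


if __name__ == "__main__":
    print(demo())
```

Both orderings match the same event, but the regex runs only on the events that already passed the two cheap tests when it is placed last, which is the point of question 15. Question 14's answer is the reference_set_test: the rule never talks to AD itself, it checks the username against reference data that is kept current outside the rule.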
NEW QUESTION 16
What is the correct procedure to both assign and add a note to an offense from the Graphical User Interface (GUI)?
- A. Both tasks must be done independently and can only be done on the Offenses Tab
- B. With the new release of 7.2.6 this can now be done in one step from the Offenses Tab only.
- C. Both tasks must be done independently but can be completed from both the Offenses Tab and the Offense Summary Page.
- D. With the new release of 7.2.6 this can now be done in one step, both from the Offenses Tab and the Offense Summary Page.
Answer: D
NEW QUESTION 17
In a distributed QRadar deployment with multiple Event Collectors, from where can syslog and JDBC log sources be collected?
- A. Syslog log sources and JDBC log sources may be collected by any Event Collector.
- B. One Event Collector must collect ALL syslog events and another Event Collector must collect All JDBC events.
- C. Syslog log sources and JDBC log sources are always collected by the collector assigned in the log source definition.
- D. Syslog log sources may be collected by any Event Collector, but JDBC log sources will always be collected by collector assigned in the log source definition.
Answer: D
NEW QUESTION 18
What is the definition of asset profile on QRadar?
- A. It is any network endpoint that sends or receives data across a network infrastructure.
- B. It is all the information that IBM Security QRadar SIEM collected over time about a specific asset.
- C. It is the information servers and hosts in a network provide to assist users when resolving security issues.
- D. It is an application used to configure and distribute settings to devices and computers in an organization, school, or business.
Answer: B
NEW QUESTION 19
When reviewing Network Activity, a flow shows a communication between a local server on port 443 and a random remote port. The bytes from the local destination host are 2 GB, and the bytes from the remote source host address are 40 KB.
What is the flow bias of this session?
- A. Other
- B. Mostly in
- C. Near-same
- D. Mostly out
Answer: D
NEW QUESTION 20
Which port does HTTP traffic commonly use?
- A. Port 22
- B. Port 53
- C. Port 80
- D. Port 443
Answer: C
NEW QUESTION 21
What is a key difference between the magnitude of an event and the magnitude of an offense?
- A. The magnitude of an event is derived when the event is received and does not vary, the magnitude of an offense can only increase.
- B. The magnitude of an event is derived when the event is received and does not vary, the magnitude of an offense can increase or decrease over time.
- C. The magnitude of an event is derived from the current magnitude of the offense it creates, the magnitude of an offense can increase or decrease over time.
- D. The magnitude of an event is derived when the event is received and does not vary, the magnitude of an offense is derived when the offense is created and does not vary.
Answer: B
NEW QUESTION 22
......