When ordering these tests in an event rule, which of them is the best test to place at the top of the list for rule performance?
A. When the source is [local or remote]
B. When the destination is [local or remote]
C. When the event(s) were detected by one or more of [these log sources]
D. When an event matches all of the following [Rules or Building Blocks]
After working with an Offense, an analyst set the Offense as hidden. What does the analyst need to do to view the Offense at a later time?
A. In the All Offenses view, at the top of the view, select “Show hidden” from the “Select an option” drop-down.
B. Search for all Offenses owned by the analyst.
C. Click Clear Filter next to the “Exclude Hidden Offenses”.
D. In the All Offenses view, select Actions, then select show hidden Offenses.
An analyst needs to create a new custom dashboard to view dashboard items that meet a particular requirement.
What are the main steps in the process?
A. Select New Dashboard and enter unique name, description, add items and save.
B. Select New Dashboard and copy name, add description, items and save.
C. Request the administrator to create the custom dashboard with required items.
D. Locate existing dashboard and modify to include indexed items required and save.
The graph below shows a time series of a value. A rule has been created which will trigger at the indicated point.
Which type of QRadar rule has been used?
A. Common Rule
B. Threshold Rule
C. Behavioral Rule
D. Anomaly Rule
An analyst needs to map a geographic location on all the internal IP addresses.
Which option defines the functions where the analyst can set up a geographic location of the network object in Network Hierarchy?
A. GPS location and Map
B. Group and IP address
C. Log Activity and Network Activity
D. Longitude and Latitude
An analyst needs to review additional information about the Offense top contributors, including notes and annotations that are collected about the Offense.
Where can the analyst review this information?
A. In the top portion of the Offense Summary window
B. In the bottom portion of the Offense main view
C. In the bottom portion of the Offense Summary window
D. In the top portion of the Offense main view
What does the Assets tab provide?
A unified view of the information that is known about:
A. network devices.
B. triggered Offenses.
C. log sources.
D. events and flows.
An analyst needs to perform a Quick search to find events under the Log Activity tab that contain an ‘exe’ file during a certain time period.
How can the analyst do this?
A. On the Search bar select Quick Filter, then insert filter criteria for ‘/*.exe/’ and then select a time interval from the view option's drop-down.
B. Select Search – New Search from the menu bar, then select all the search criteria required from the UI options provided.
C. Select Quick Searches on the menu bar, then go through the list of saved searches available to see if one already exists that can be altered.
D. On the Search bar select Quick Filter, insert: ‘exe, last 1 hour’ into the filter criteria, then click Search.
What are the different flow types in QRadar?
A. L2L, L2R, R2R, R2L
B. Standard, Type A, Type B, Type C
C. Standard, Type 1, Type 2, Type 3
D. Type 1, Type 2, Type 3, Type 4
An analyst needs to investigate why an Offense was created. How can the analyst investigate?
A. Review the Offense summary to investigate the flow and event details.
B. Review the X-Force rules to investigate the Offense flow and event details.
C. Review pages of the Asset tab to investigate Offense details.
D. Review the Vulnerability Assessment tab to investigate Offense details.