2017 Nov IBM Official New Released C2150-614

IBM Security QRadar SIEM V7.2.7 Deployment

Question No: 1

How can a Deployment Professional fix rules that are not distinguishing between remote and local hosts?

A. Configure the NetFlow

B. Create a Reference Set

C. Configure the VA Scanners

D. Create the Network Hierarchy

Answer: D Explanation:

IBM Security QRadar uses the network hierarchy to understand your network traffic and provide you with the ability to view activity for your entire deployment.

IBM Security QRadar considers all networks in the network hierarchy as local.

Question No: 2

A Deployment Professional was asked to investigate the following error:

Custom Rule Engine has detected a total of 20487 dropped event(s). 20487 event(s) were dropped in the last 62 seconds. Queue is at 99 percent capacity

The Deployment Professional needs to run the command “/opt/qradar/bin/findExpensiveCustomRules.sh” to gather the necessary troubleshooting logs.

When should this command be run?

A. Right after a reboot

B. Run “service hostcontext restart” first

C. While the system is dropping events

D. Restart ECS, then run command

Answer: C Explanation:

The “findExpensiveCustomRules.sh” script is designed to query the QRadar data pipeline and report on the processing statistics from the Custom Rules Engine (CRE). The script monitors metrics and collects statistics on how many events hit each rule, how long it takes to process a rule, total execution time and average execution time. When the script completes it turns off these performance metrics. The findExpensiveCustomRules script is a useful tool for creating on-demand reports for rule performance; it is not a tool for tracking historical rule data in QRadar. The script is typically run when users begin to see drops in events, or events routed to storage, between components in QRadar.

References: http://www-01.ibm.com/support/docview.wss?uid=swg21985252&myns=swgother&mynp=OCSSBQAC&mync=R&cm_sp=swgother-_-OCSSBQAC-_-R

Question No: 3

A Deployment Professional is reviewing a custom rule that is supposed to be catching internal users that might be leaking information. The customer has requested that events that are being used for this rule have the email address of the sender.

This information is in the payload in the format “email from: fred@example.com subject:”. Which regular expression should be used to create a custom property to fulfill this request?

A. \d(.+@[^\.].*\.[a-z]{2,})\d

B. \b(.+@[^\.].*\.[a-z]{2,})\b

C. ^[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}

D. [A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}$

Answer: B Explanation:

Example of a regular expression for emails: (.+@[^\.].*\.[a-z]{2,}$)

\b means word boundary, so the capture group is looking for word characters until a boundary.

Incorrect:

A: \d matches against a digit [0-9].

C, D: (.+@[^\.].*\.[a-z]{2,}$) is the correct regular expression for emails. The ^ anchor in C and the $ anchor in D require the address to sit at the very start or end of the payload, whereas here it is embedded in the middle of the payload text.

References: http://www.ibm.com/support/knowledgecenter/SSKMKU/com.ibm.qradar.doc/t_qradar_regex_cus_prop.html
http://www.websense.com/content/support/library/email/hosted/admin_guide/regex.aspx

Question No: 4

A Deployment Professional is working with a customer running an IBM Security QRadar SIEM V7.2.7 installation that is currently running into performance issues. The customer is noticing that searches are taking a long time to finish and there are performance degradation system notifications in the Console.

Which two steps will lead to a performance increase for this customer? (Choose two.)

A. Disable indexes that don't have a % of searches using this index of 20% or higher for the last seven days

B. Disable indexes that don't have a % of searches using this property of 10% or higher for the last 24 hours

C. Search for indexes which are enabled but have a % of searches using property that is zero, and disable those indexes

D. Enable indexes that have a % of searches using this property higher than 10% and also a % of searches missing this index greater than 10%

E. Search for indexes which are disabled but have a % of searches using property above 30% and also a % of searches missing index above 30%, and enable them

Answer: C,E Explanation:

C: For properties where the index is enabled and the % of Searches Using Property is zero, you should disable the index.

If after 30 days the statistics show that an enabled index is used in zero % of searches, then consideration should be made to disable the indexed property.

This preserves resources for more important and actively used searches.

E: For properties where the index is disabled, the % of Searches Using Property is above 30% and the % of Searches Missing Index is above 30%, you should enable the index.

If administrators see search percentages above 30% across multiple time spans, then users are leveraging this search property often and consideration should be made to enable the index. These values indicate that enabling an index can improve performance for users who search specific properties frequently.

References: http://www-01.ibm.com/support/docview.wss?uid=swg21689802

Question No: 5

A current banking customer has just expanded by purchasing a small rural bank with a low bandwidth WAN connection.

The customer wants to expand its current QRadar SIEM 3105 all-in-one deployment to capture log events from the newly acquired branch and to forward them to the main branch on a schedule, after hours during the trough of activity. There is plenty of room for this additional EPS growth.

Which device will meet the requirements?

A. 1202 QFlow Collector

B. 1400 Data Node

C. 1501 Event Collector

D. 1605 Event Processor

Answer: D Explanation:

The IBM Security QRadar Event Processor 1605 (MTM 4380-Q1E) appliance is a dedicated event processor that lets you scale your QRadar deployment to manage higher EPS rates. The QRadar Event Processor 1605 appliance includes an on-board event collector, event processor, and internal storage for events.

With the Basic License the capacity is 2500 EPS, and with an upgrade license it is 20000 EPS.

Question No: 6

A Deployment Professional is working on configuring a deployment of IBM Security QRadar SIEM V7.2.7 and needs to determine how to configure FP, EP, FC, and EC. The customer has multiple different domains.

How can these managed devices be used, segmented and assigned to various domains?

A. EC can be assigned to more than one domain, while FC can only be attached to a single domain.

B. FC can be assigned to more than one domain, while EC can only be attached to a single domain.

C. Both FC and EC can be assigned to a domain as a whole, while log sources and flow sources can be tagged to individual domains.

D. Both FC and EC can be assigned to a domain as a whole, thus making their respective log sources and flow sources attached to that same domain.

Answer: D Explanation:

Domains are defined based on IBM Security QRadar input sources. When events and flows come into QRadar, the domain definitions are evaluated and the events and flows are tagged with the domain information.

Flow collectors

You can assign specific QFlow collectors to a domain.

All flow sources that arrive at that flow collector belong to the domain; therefore, any new auto-detected flow sources are automatically added to the domain.

Event collectors

If an event collector is dedicated to a specific network segment or IP address range, you can flag that entire event collector as part of that domain.

All log sources that arrive at that event collector belong to the domain; therefore, any new auto-detected log sources are automatically added to the domain.

Log sources

You can configure specific log sources to belong to a domain.

This method of tagging domains is an option for deployments in which an event collector can receive events from multiple domains.

Flow sources

You can designate specific flow sources to a domain.

This option is useful when a single QFlow collector is collecting flows from multiple network segments or routers that contain overlapping IP address ranges.

Abbreviations: FP = Flow Processor, EP = Event Processor, FC = Flow Collector, EC = Event Collector.

References: http://www.ibm.com/support/knowledgecenter/SSKMKU/com.ibm.qradar.doc/c_domain_defining.html

Question No: 7

A Deployment Professional is asked to schedule the forwarding of events when the network is quiet, usually around 2 to 3 a.m. console time. The customer states that there is no restriction on bandwidth on the available 1 Gbps WAN connection during this time.

Which value should be used for the forward transfer rate?

A. 0

B. 1

C. 1,000,000

D. 10,000,000

Answer: A


For the forward transfer rate, a value of 0 means that the transfer rate is unlimited.

References: http://www.ibm.com/support/knowledgecenter/SS42VS_7.2.7/com.ibm.qradar.doc/t_qradar


Question No: 8

Which task can be completed by using the Historical Correlation feature?

A. Generating weekly reports on a new offense rule

B. Using a new custom rule to create a quick search

C. Investigating previously closed offenses generated by a custom rule

D. Testing a new offense rule against data that was previously captured

Answer: C Explanation:

Use historical correlation to run past events and flows through the custom rules engine (CRE) to identify threats or security incidents that already occurred.

References: http://www.ibm.com/support/knowledgecenter/SS42VS_7.2.8/com.ibm.qradar.doc/c_qradar


Question No: 9

A Deployment Professional is working with a new customer that wishes to deploy IBM Security QRadar SIEM V7.2.7 using a cloud solution.

Which two providers are officially supported for this functionality? (Choose two.)

A. IBM Cloud

B. SoftLayer

C. Microsoft Azure

D. Amazon Web Services

E. DigitalOcean Droplets

Answer: A,B Explanation:

A: IBM QRadar on Cloud allows you to enjoy the benefits and customer support of IBM Security QRadar, but in a hosted deployment.

B: QRadar on Cloud has all the capabilities of IBM Security QRadar SIEM hosted in IBM SoftLayer.

References: http://www.ibm.com/support/knowledgecenter/SSKMKU/com.ibm.qradar.doc_cloud/c_qrad ar_hosted_overview.html

Question No: 10

Which CLI command should be used to change the default password from PASSWORD to S3cure for the username USERID?

A. /opt/ibm/toolscenter/asu/asu set IMM.Password S3cure -ksu

B. /opt/ibm/toolscenter/asu/asu set IMM.Password.1 S3cure -ksu

C. /opt/ibm/toolscenter/asu/asu64 set IMM.Password S3cure -ksu

D. /opt/ibm/toolscenter/asu/asu64 set IMM.Password.1 S3cure -ksu

Answer: D Explanation:

To reset the IMM password use the following command:

/opt/ibm/toolscenter/asu64 set IMM.Password.1 NewPassword -kcs

References: http://www-01.ibm.com/support/docview.wss?uid=swg21964070
