Test information:
Number of questions: 54
Time allowed in minutes: 90
Required passing score: 66%
Languages: English, Japanese
Related certifications:
IBM Certified Associate Analyst - Security QRadar SIEM V7.2.6
The test consists of 5 sections containing a total of approximately 54 multiple-choice questions. The percentages after each section title reflect the approximate distribution of the total question set across the sections.
Section 1 - General Networking and QRadar SIEM concepts (17%)
Compare different protocols, traffic types, and port numbers.
Describe and illustrate log source types.
Compare the different event log transport methods.
Discuss security device concepts (firewall, IDS/IPS, Proxy, Authentication devices, and antivirus software).
Explain how environment information can be used to enrich event and flow data intelligently.
Explain data normalization and categorization.
Enumerate the common characteristics of a SIEM.
Section 2 - QRadar basics (26%)
Explain the different types of correlations (CRE and ADE).
Illustrate the function of a DSM.
Explain how Log sources, flow sources, vulnerability scanners, and reference data are used in Qradar.
Compare flows to events.
Explain QRadar network hierarchy and how it aids in "seeing the whole picture" .
Describe additional QRadar add-on components (QVM, QRM, QRIF).
Distinguish offenses from triggered rules.
Distinguish search results from reports.
Distinguish rules from building blocks.
Compare rule responses and rule actions.
Explain the core system functionality of �Host Definition� building blocks.
Summarize QRadar Components; Console, Event Processor, Event Collector, Flow Processor, Data Nodes and Flow Collector.
Section 3 - QRadar login and navigation (13%)
Explain how to login to and navigate the GUI console.
Describe the types of information available on the DASHBOARD tab.
Describe the types of information available on the OFFENSES tab.
Describe the types of information available on the LOG ACTIVITY and NETWORK ACTIVITY tabs.
Describe the types of information available on the ASSETS tab.
Describe the types of information available on the REPORT tab.
Demonstrate the appropriate procedure to navigate to, from and within an offense.
Section 4 - QRadar functions and capabilities (18%)
Explain the different ways to assign offenses and add notation.
Summarize offense search functionalities.
Illustrate examples of dashboard customizations.
Distinguish right click functionality (plugins, information, navigate, other).
Demonstrate the use of right-click event filtering.
Explain how to explore the content of an event, review the normalized fields and the payload.
Show the Offense lifecycle.
Compare Event/Flow/Common/Offense/Anomaly/Behavioral/ Threshold Rules.
Demonstrate how to export Flow/Event data for external analysis.
Section 5 - QRadar data interpretation (26%)
Explain Offense details on offense details view.
Explain why payloads (raw data) may need to be reviewed.
Distinguish offenses from triggered rules.
Examine the differences between an offense magnitude and an event magnitude.
Describe how to run Reports and the formats in which they can be output.
Outline Offense Closing Procedures.
Discuss the Asset Database and how assets are profiled.
Outline simple Offense naming mechanisms (Removed: not testable).
Explain differences between various event/flow timestamps.
Understand the capabilities of different sources of flows.
Give examples of how QRadar can show different security concerns (i.e., Advanced Persistent Threat (APT), Brute Force, DDoS, etc.)
Describe coalescing.
Compare Standard Custom Properties, User-defined Custom Properties and Normalized properties.
Compare the different types of searches that can be performed (AQL, Quick Searches, and Searches via the Edit Search GUI panel).
Explain the information provided by flows.
Describe a use where flows provide more information than events.
IBM Certified Associate Analyst - Security QRadar SIEM V7.2.6
Job Role Description / Target Audience
This entry level certification is intended for security analysts who wish to validate their comprehensive knowledge of IBM Security QRadar SIEM V7.2.6.
These security analysts will understand basic networking, SIEM, and QRadar concepts, including how to login to, navigate within, explain capabilities of, and access, interpret, and report data in a QRadar deployment.
To attain the IBM Certified Associate Analyst - Security QRadar SIEM V7.2.6 certification, candidates must pass 1 test. To prepare for the test, it is recommended to refer to the job role description and recommended prerequisite skills, and click the link to the test below to refer to the test objectives and the test preparation tab.
Recommended Prerequisite Skills
Basic knowledge of:
SIEM concepts
TCP/IP networking and protocols
network security concepts
internet security attack types
compliance and audit requirements
incident management and response
Requirements
This certification requires 1 test(s).
Number of questions: 54
Time allowed in minutes: 90
Required passing score: 66%
Languages: English, Japanese
Related certifications:
IBM Certified Associate Analyst - Security QRadar SIEM V7.2.6
The test consists of 5 sections containing a total of approximately 54 multiple-choice questions. The percentages after each section title reflect the approximate distribution of the total question set across the sections.
Section 1 - General Networking and QRadar SIEM concepts (17%)
Compare different protocols, traffic types, and port numbers.
Describe and illustrate log source types.
Compare the different event log transport methods.
Discuss security device concepts (firewall, IDS/IPS, Proxy, Authentication devices, and antivirus software).
Explain how environment information can be used to enrich event and flow data intelligently.
Explain data normalization and categorization.
Enumerate the common characteristics of a SIEM.
Section 2 - QRadar basics (26%)
Explain the different types of correlations (CRE and ADE).
Illustrate the function of a DSM.
Explain how Log sources, flow sources, vulnerability scanners, and reference data are used in Qradar.
Compare flows to events.
Explain QRadar network hierarchy and how it aids in "seeing the whole picture" .
Describe additional QRadar add-on components (QVM, QRM, QRIF).
Distinguish offenses from triggered rules.
Distinguish search results from reports.
Distinguish rules from building blocks.
Compare rule responses and rule actions.
Explain the core system functionality of �Host Definition� building blocks.
Summarize QRadar Components; Console, Event Processor, Event Collector, Flow Processor, Data Nodes and Flow Collector.
Section 3 - QRadar login and navigation (13%)
Explain how to login to and navigate the GUI console.
Describe the types of information available on the DASHBOARD tab.
Describe the types of information available on the OFFENSES tab.
Describe the types of information available on the LOG ACTIVITY and NETWORK ACTIVITY tabs.
Describe the types of information available on the ASSETS tab.
Describe the types of information available on the REPORT tab.
Demonstrate the appropriate procedure to navigate to, from and within an offense.
Section 4 - QRadar functions and capabilities (18%)
Explain the different ways to assign offenses and add notation.
Summarize offense search functionalities.
Illustrate examples of dashboard customizations.
Distinguish right click functionality (plugins, information, navigate, other).
Demonstrate the use of right-click event filtering.
Explain how to explore the content of an event, review the normalized fields and the payload.
Show the Offense lifecycle.
Compare Event/Flow/Common/Offense/Anomaly/Behavioral/ Threshold Rules.
Demonstrate how to export Flow/Event data for external analysis.
Section 5 - QRadar data interpretation (26%)
Explain Offense details on offense details view.
Explain why payloads (raw data) may need to be reviewed.
Distinguish offenses from triggered rules.
Examine the differences between an offense magnitude and an event magnitude.
Describe how to run Reports and the formats in which they can be output.
Outline Offense Closing Procedures.
Discuss the Asset Database and how assets are profiled.
Outline simple Offense naming mechanisms (Removed: not testable).
Explain differences between various event/flow timestamps.
Understand the capabilities of different sources of flows.
Give examples of how QRadar can show different security concerns (i.e., Advanced Persistent Threat (APT), Brute Force, DDoS, etc.)
Describe coalescing.
Compare Standard Custom Properties, User-defined Custom Properties and Normalized properties.
Compare the different types of searches that can be performed (AQL, Quick Searches, and Searches via the Edit Search GUI panel).
Explain the information provided by flows.
Describe a use where flows provide more information than events.
IBM Certified Associate Analyst - Security QRadar SIEM V7.2.6
Job Role Description / Target Audience
This entry level certification is intended for security analysts who wish to validate their comprehensive knowledge of IBM Security QRadar SIEM V7.2.6.
These security analysts will understand basic networking, SIEM, and QRadar concepts, including how to login to, navigate within, explain capabilities of, and access, interpret, and report data in a QRadar deployment.
To attain the IBM Certified Associate Analyst - Security QRadar SIEM V7.2.6 certification, candidates must pass 1 test. To prepare for the test, it is recommended to refer to the job role description and recommended prerequisite skills, and click the link to the test below to refer to the test objectives and the test preparation tab.
Recommended Prerequisite Skills
Basic knowledge of:
SIEM concepts
TCP/IP networking and protocols
network security concepts
internet security attack types
compliance and audit requirements
incident management and response
Requirements
This certification requires 1 test(s).
QUESTION: No: 1
Where can a user add a note to an offense in the user interface?
A. Dashboard and Offenses Tab
B. Offenses Tab and Offense Detail Window
C. Offenses Detail Window, Dashboard, and Ad min Tab
D. Dashboard, Offenses Tab, and Offense Detail Window
Answer: B
Where can a user add a note to an offense in the user interface?
A. Dashboard and Offenses Tab
B. Offenses Tab and Offense Detail Window
C. Offenses Detail Window, Dashboard, and Ad min Tab
D. Dashboard, Offenses Tab, and Offense Detail Window
Answer: B
QUESTION: No: 2
When might a Security Analyst want to review the payload of an event?
A. When immediately after login, the dashboard notifies the analyst of payloads that must be investigated
B. When "Review payload" is added to the offense description automatically by the "System: Notification" rule
C. When the event is associated with an active offense, the payload may contain information that is not normalized or extracted fields
D. When the event is associated with an active offense with a magnitude greater than 5, the payload should be reviewed, otherwise it is not necessary
Answer: C
When might a Security Analyst want to review the payload of an event?
A. When immediately after login, the dashboard notifies the analyst of payloads that must be investigated
B. When "Review payload" is added to the offense description automatically by the "System: Notification" rule
C. When the event is associated with an active offense, the payload may contain information that is not normalized or extracted fields
D. When the event is associated with an active offense with a magnitude greater than 5, the payload should be reviewed, otherwise it is not necessary
Answer: C
QUESTION: No: 3
Which key elements does the Report Wizard use to help create a report?
A. Layout, Container, Content
B. Container, Orientation, Layout
C. Report Classification, Time, Date
D. Pagination Option, Orientation, Date
Answer: A
Which key elements does the Report Wizard use to help create a report?
A. Layout, Container, Content
B. Container, Orientation, Layout
C. Report Classification, Time, Date
D. Pagination Option, Orientation, Date
Answer: A
QUESTION: No: 4
How is an event magnitude calculated?
A. As the sum of the three properties Severity, Credibility and Relevance of the Event
B. As the sum of the three properties Severity, Credibility and Importance of the Event
C. As a weighted mean of the three properties Severity, Credibility and Relevance of the Event
D. As a weighted mean of the three properties Severity, Credibility and Importance of the Event
Answer: C
How is an event magnitude calculated?
A. As the sum of the three properties Severity, Credibility and Relevance of the Event
B. As the sum of the three properties Severity, Credibility and Importance of the Event
C. As a weighted mean of the three properties Severity, Credibility and Relevance of the Event
D. As a weighted mean of the three properties Severity, Credibility and Importance of the Event
Answer: C
QUESTION: No: 5
What is a benefit of using a span port, mirror port, or network tap as flow sources for QRadar?
A. These sources are marked with a current timestamp.
B. These sources show the ASN number of the remote system .
C. These sources show the username that generated the flow.
D. These sources include payload for layer 7 application analysis.
Answer: D
What is a benefit of using a span port, mirror port, or network tap as flow sources for QRadar?
A. These sources are marked with a current timestamp.
B. These sources show the ASN number of the remote system .
C. These sources show the username that generated the flow.
D. These sources include payload for layer 7 application analysis.
Answer: D
