When an analyst sees the system notification “The appliance exceeded the EPS or FPM allocation within the last hour”, how does the analyst resolve this issue? (Choose two.)
A. Delete the volume of events and flows received in the last hour.
B. Adjust the license pool allocations to increase the EPS and FPM capacity for the appliance.
C. Tune the system to reduce the volume of events and flows that enter the event pipeline.
D. Adjust the resource pool allocations to increase the EPS and FPM capacity for the appliance.
E. Tune the system to reduce the time window from 60 minutes to 30 minutes.
An analyst is performing an investigation regarding an Offense. The analyst is uncertain to whom some of the external destination IP addresses in List of Events are registered.
How can the analyst verify to whom the IP addresses are registered?
A. Right-click on the destination address, More Options, then Navigate, and then Destination Summary
B. Right-click on the destination address, More Options, then IP Owner
C. Right-click on the destination address, More Options, then Information, and then WHOIS Lookup
D. Right-click on the destination address, More Options, then Information, and then DNS Lookup
When an Offense is triggered, it only shows the events that triggered the Offense. The analyst wants to investigate further to see more events around the incident, not only those that triggered the Offense. The analyst clicks on the event count and sees the events belonging to the Offense.
How can the analyst proceed to see a more detailed picture of what occurred?
A. Right-click on the source IP, and choose More Options, then Information, and then Search Events.
B. Right-click on the destination IP, and choose More Options, then Raw Events.
C. Right-click on the source IP, and choose View in DSM Editor.
D. Right-click and filter on the Destination IP.
An analyst needs to perform Offense management.
In QRadar SIEM, what is the significance of “Protecting” an offense?
A. Escalate the Offense to the QRadar administrator for investigation.
B. Hide the Offense in the Offense tab to prevent other analysts to see it.
C. Prevent the Offense from being automatically removed from QRadar.
D. Create an Action Incident response plan for a specific type of cyber attack.
An analyst aims to improve the detection capabilities on all the Offense rules. QRadar SIEM has a tool that allows the analyst to update all the Building Blocks related to Host and Port Definition in a single page.
How is this accomplished?
A. Admin –andgt; Reference Set management
B. Assets –andgt; Asset Profiles
C. Assets –andgt; Server Discovery
D. Admin –andgt; Asset Profile Configuration
There are 5 authentication servers that report to different Event Processors. There is a requirement to generate an Offense if there are 5 consecutive failed logins detected across any of the 5 Event Processors.
Which type of rule should the analyst create?
A. Global Rule
B. Persistent Rule
C. Local Rule
D. Offense Rule
What does the Assets tab provide?
A unified view of the information that is known about:
A. network devices.
B. triggered Offenses.
C. log sources.
D. events and flows.
An analyst wants to view information about repeated offenders and IP addresses that generate many attacks or are subject to many attacks.
What should the analyst choose from the navigation options in the Offense tab?
A. By Event Category or By Event Source
B. By Source IP or By Destination IP
C. By Log Source IP or By Event Source
D. By Event or By Flows
What is a valid offense naming mechanism? This information should:
A. set the naming of the associated offense(s).
B. set or replace the naming of the associated offense(s).
C. replace the naming of the associated offense(s).
D. be included in the naming of the associated offense(s).
An analyst needs to investigate why an Offense was created. How can the analyst investigate?
A. Review the Offense summary to investigate the flow and event details.
B. Review the X-Force rules to investigate the Offense flow and event details.
C. Review pages of the Asset tab to investigate Offense details.
D. Review the Vulnerability Assessment tab to investigate Offense details.