What is indicated by an event on an existing log in QRadar that has a Low Level Category of "Unknown"?
A. That event could not be parsed
B. That event arrived out of order from the original device
C. That event was from a device that is not supported by QRadar
D. That the event was parsed, but not mapped to an existing QRadar category
Which file type is available for a report format?
A. TXT
B. DOC
C. PDF
D. PowerPoint
What is the key difference between Rules and Building Blocks in QRadar?
A. Rules have Actions and Responses; Building Blocks do not.
B. The Response Limiter is available on Building Blocks but not on Rules.
C. Building Blocks are built-in to the product; Rules are customized for each deployment.
D. Building Blocks are Rules which are evaluated on both Flows and Events; Rules are evaluated on Offenses of Flows or Events.
What is a primary goal with the use of building blocks?
A. A method to create reusable rule responses
B. A reusable test stack that can be used in other rules
C. A method to generate reference set updates without using a rule
D. A method to create new events back into the pipeline without using a rule
An event is happening regularly and frequently; each event indicates the same target username. There is a rule configured to test for this event which has a rule action to create an offense indexed on the username. What will QRadar do with the triggered rule assuming no offenses exist for the username and no offenses are closed during this time?
A. Each matching event will be tagged with the Rule name, but only one Offense will be created.
B. Each matching event will cause a new Offense to be created and will be tagged with the Rule name.
C. Events will be tagged with the rule name as long as the Rule Response limiter is satisfied. Only one offense will be created.
D. Each matching event will be tagged with the Rule name, and an Offense will be created if the event magnitude is greater than 6.
Which approach allows a rule to test for Active Directory (AD) group membership?
A. Import the AD membership information into the Asset Database using AXIS and use an asset rule test
B. Use the build-in LDAP integration to execute a search for each event as it is received by the Event Processor to test for group membership
C. Maintain reference data for the AD group(s) of interest containing lists of usernames and then add rule tests to see if the normalized username is in the reference data
D. Export the AD group membership information to a CSV file and place it in the /store/AD_mapping.csv
file on the console, then use the `is a member of AD group' test in the rule
Given the following window:

What are the steps to get this window within an offense?
A. Right click on the IP > Information > DNS Lookup
B. Right click on the IP > Information > Reverse DNS
C. Right click on the IP > Information > WHOIS Lookup
D. Right click on the IP > Information > Asset Profile
What does the Network Hierarchy provide relating to the "whole picture" that is helpful during an investigation?
A. It allows hosts that are marked to be known to have vulnerabilities to be seen quickly.
B. It allows for the isolation of traffic between the hosts in question for more in depth analysis.
C. It allows for the removal of infected hosts from the network before being added back into the network.
D. It allows for the identification of known hosts on the network versus those that aren't members of the network.
What is the purpose of coalescing?
A. To reduce the number of events which count against EPS licenses
B. To reduce the amount of data received by QRadar event collectors
C. To reduce the amount of data going through the pipeline and stored onto disk
D. To reduce the number of offenses generated by QRadar as part of the tuning process
Which three options are available on the New Search on the My Offenses and All Offenses pages? (Choose three.)
A. Notes
B. Source IP
C. Magnitude
D. Attack Name
E. Malware Name
F. Specific Interval