Sample Questions for
Exam C1000-140 IBM Security QRadar SIEM V7.4.3 Deployment
Please note: These questions were developed at the same time and by the
same QRadar SIEM subject matter experts as the real exam questions.
While these sample questions will give you a good idea of the nature of the
questions on the real exam, this is not a thorough representation of the
material covered by the real exam, so success with these sample questions
should not be considered predictive of success on the real exam.
For a realistic idea of your readiness for the real certification exam, we
suggest you take the full-length Assessment Test available from Pearson
VUE.
Section 1: Deployment Objectives and Use Cases
1. Which data is processed by the IBM Security QRadar Network
Threat Analytics app?
A. User data
B. Flow data
C. Asset data
D. Event data
2. An organization wants QRadar to have rules, dashboards, and
reports to detect and report on cryptocurrency mining activity.
What can be installed in QRadar to meet this requirement?
A. Latest autoupdates from IBM Security Fix Central
B. Latest MITRE content from IBM Security Fix Central
C. Content extension from IBM Security App Exchange
D. User Behavior Analytics from IBM Security App Exchange
Section 2: Architecture and Sizing
3. While reviewing the performance of a QRadar distributed
environment, you notice an abnormal number of events that were
generated in the past 24 hours:
38750088 - Performance degradation has been detected
in the event pipeline. Event(s) were routed directly
to storage.
As a deployment professional, you ensure that your events per
second (EPS) license is adequate and verify that no changes to
rules or custom properties were made in the past week.
Which of these issues can cause QRadar to generate performance
degradation events?
A. Too many users log in to QRadar on a daily basis.
B. An abnormal number of reports are generated daily.
C. QRadar Vulnerability Manager license is set to only 256 assets.
D. DSM parsing issues can cause the event data to route to storage.
4. There are frequent network interruptions from a particular network
zone called “Underground” to the network where QRadar
components are installed. Some important applications, though not
time critical, are running in the “Underground” network zone. The
log data from these applications needs to be sent to QRadar Event
Processor for compliance.
How can QRadar receive the logs from the applications in the
"Underground" network zone?
A. Using an App Host
B. Using Disconnected Log Collector configured with TLS
C. Using Data Node installed in the “Underground” network
D. Installing an Event Processor secondary node in the “Underground”
network
5. What is the default data retention period for a retention bucket?
A. 7 days
B. 14 days
C. 1 month
D. 1 year
6. An organization's QRadar deployment was reviewed. It was
determined that more storage is needed.
Which appliance should be deployed to meet this need?
A. App Host
B. Data Node
C. Flow Collector
D. Event Collector
7. To install the 7.x WinCollect Configuration Console, which of these
actions is a prerequisite?
A. Install .net framework version 3.5
B. Install the WinCollect Agent SF bundle on QRadar
C. Add multiple destinations for the WinCollect agent
D. Generate an authentication token for the WinCollect agent
Section 3: Installation and Configuration
8. How do you log in to a managed host command line after you
install QRadar?
A. Connect with SSH to the managed host IP address.
B. Connect with SSH to the host through the QRadar Console.
C. Log in to the managed host, rather than the QRadar Console.
D. A managed host is not accessible after it is added to a QRadar
Console.
9. What happens to events and flows when data bursts exceed the
license?
A. All data beyond the license is lost.
B. QRadar allows a 35-day grace period to update the license.
C. The backlog is processed from a temporary queue when the license
allows.
D. QRadar automatically enables the License Pool app, which finds
allocations for the extra traffic.
10. In the Backup Recovery Configuration section, what is the default
retention period?
A. 1 day
B. 4 days
C. 7 days
D. 15 days
11. Which of these is a valid CIDR length value to use when
configuring the network hierarchy in QRadar?
A. /16
B. /38
C. /124
D. /256
12. What does authorization in the LDAP authentication module do?
A. Establishes proof of identity for any user
B. Provides visibility to the QRadar environment
C. Determines the access permissions a user has
D. Establishes an SSL handshake between the LDAP Server and QRadar
Section 4: Event and Flow Integration
13. Where do you select a custom property in an event?
A. Event payload
B. Event protocol
C. Log source test output
D. Use Case Manager app
14. Which item is an internal flow source?
A. IPFIX
B. Netflow
C. JFLOW/SFLOW
D. QRadar Flow Collector
15. How are extensions added to a QRadar deployment?
A. Import extensions by CSV file
B. Use the Extensions Management tool
C. Use Import Extensions under Admin tab
D. Download extensions from IBM X-Force App Exchange
Section 5: Environment and XFE Integration
16. While reviewing apps in QRadar Assistant, an analyst wants to
view the apps that work properly.
What sort option should the analyst choose?
A. Running
B. Installed
C. Error/Stopped
D. Install Failed
17. How can a QRadar user visualize the rules for MITRE ATT&CK
coverage in Use Case Manager?
A. Use Case Manager > Active Rules
B. Use Case Manager > Settings > Sync QID Records
C. Use Case Explorer > ATT&CK Actions > Coverage map and report
D. Use Case Explorer > under Rule and Building Block Filter, select Rule
> click Apply Filter
18. Which type of information is considered as identity data for
QRadar Assets?
A. Rule Name
B. Source Port
C. MAC Address
D. Destination Port
Section 6: System Performance and Troubleshooting
19. Which command can be used to check the amount of available
physical and swap memory?
A. free
B. topmem
C. ramstat
D. memoryfree
20. Where are audit logs located?
A. /var/audit
B. /var/log/audit
C. /opt/audit/logs
D. /opt/var/log/audit
21. Which are stored events?
A. All events in QRadar
B. Events which cannot be coalesced
C. Events that cannot be understood or parsed by QRadar
D. Events that do not have the storage time in the payload
Section 7: Initial Offense Tuning
22. Which is a sign that the QRadar Network Hierarchy requires
tuning?
A. MITRE tactics are blue.
B. Dashboards are not updating.
C. The Use Case Manager does not load.
D. There are many Remote-to-Remote events.
23. Where can Building Blocks be updated in QRadar?
A. The Pulse app
B. The Assets tab, under Network Objects
C. The Tuning Interface in the Use Case Manager app
D. The Network Hierarchy icon on the QRadar Admin Console
24. The Server Discovery function can update which system building
block?
A. BB:HostReference: Mail Servers
B. BB:HostDefinition: Mail Servers
C. BB:NetworkReference: DMZ Addresses
D. BB:NetworkDefinition: DMZ Addresses
25. Consider this description:
Edit the and when either the source or destination IP is one of the
following test to include the broadcast addresses of the network.
This change removes false positive events that might be caused by
the use of broadcast messages.
What type of editable building block is described?
A. BB:NetworkDefinition: DLP Addresses
B. BB:NetworkDefinition: Server Networks
C. BB:NetworkDefinition: Darknet Addresses
D. BB:NetworkDefinition: Broadcast Address Space
26. A QRadar deployment professional wants to add entries from a
.csv file to the Reference Set.
Which script that is included in QRadar can be used?
A. all_servers.sh
B. ReferenceImport.sh
C. ReferenceDataUtil.sh
D. validate_deployment.sh
Section 8: Migration and Upgrades
27. Which step is required for the migration of Ariel data from an old
appliance to a new appliance?
A. Remove all the data located on the old appliance.
B. Remove all searches created on the old appliance.
C. Ensure that the destination appliance has internet connectivity.
D. Ensure that the destination appliance has enough space to move the
data to it.
28. All appliances must be on the same version and patch level prior
to an upgrade.
How are the patch levels verified for all systems in a deployment?
A. Run qradarver -v
B. Run /opt/qradar/bin/applianceVer -v
C. Under the Dashboard tab > System Monitoring > System Summary
item
D. Run /opt/qradar/support/all_servers.sh -C -k /opt/qradar/bin/myver -v
29. A QRadar deployment professional is asked to plan a hardware
migration for an Event Processor in HA. Two new appliances are
ready to be used, and they use the same IP addresses.
Which approach can be used to migrate the systems?
A. Use the QRadar config backup and restore process to transfer all
configurations.
B. Use rsync to transfer the contents of the /store/postgres partition to the
new system.
C. Remove HA on the EPs, migrate to the new primary, then add the new
secondary back in.
D. Ensure both systems are built as appliance type 500 and add them into
the deployment as replacements.
30. On a Console migration, after the config backup restoration, what
is required to ensure that the required configuration is migrated to
the new appliance?
A. Restore Data Backup
B. Restore application data
C. Recreate users and roles
D. Deploy Full Configuration
31. A QRadar deployment professional has been asked to merge two
QRadar deployments (AIO_A and AIO_B) into one new
environment (AIO_C). Each environment consists of an All-in-One
appliance. There is no requirement to migrate the Ariel data.
What is the way to approach the migration?
A. Take configuration backups of AIO_A and AIO_B. Restore AIO_A onto
AIO_C, then restore AIO_B onto AIO_C.
B. Take a configuration backup of AIO_A and restore it onto AIO_B. Then
take a configuration backup of AIO_B and restore it onto AIO_C.
C. Take configuration backups of AIO_A and AIO_B. Merge the backup
files with the UNIX merge command, then restore the merged file onto
AIO_C.
D. Take a configuration backup of AIO_A and a CMT export of AIO_B.
Restore AIO_A onto AIO_C, then import the config export from AIO_B
onto AIO_C.
32. This partial network diagram was provided to a QRadar
deployment professional who is trying to determine if the
deployment requires the definition of multiple domains.
How many domains are required, and why?
A. Three domains are required, one for each network: HR-A, HR-B, and
FIN.
B. At least two domains are required to handle overlapping address
spaces for the HR-B and FIN networks.
C. Three domains are required: one for each of the event processors, plus
the default domain for the console.
D. No domains are required, but they might be useful to separate stored
events and flows between the HR and Finance teams.
Answer key
1. B
2. C
3. D
4. B
5. C
6. B
7. A
8. B
9. C
10. C
11. A
12. C
13. A
14. D
15. B
16. A
17. C
18. C
19. A
20. B
21. C
22. D
23. C
24. B
25. D
26. C
27. D
28. D
29. C
30. D
31. D
32. B