C1000-139 Sample Questions

The document provides sample questions for the IBM Security QRadar SIEM V7.4.3 Analysis certification exam. It notes that while the sample questions will give an idea of the exam, they do not represent all the material covered. It recommends taking a full-length practice exam from Pearson VUE for a realistic assessment of exam readiness. The sample questions cover topics like offense analysis, rules and building blocks, threat hunting, dashboard management, and reporting.

Sample Questions for

Exam C1000-139 IBM Security QRadar SIEM V7.4.3 Analysis

Please note: These questions were developed at the same time and by the
same QRadar SIEM subject matter experts as the real exam questions.
While these sample questions will give you a good idea of the nature of the
questions on the real exam, this is not a thorough representation of the
material covered by the real exam, so success with these sample questions
should not be considered predictive of success on the real exam.

For a realistic idea of your readiness for the real certification exam, we
suggest you take the full-length Assessment Test available from Pearson
VUE.

Section 1: Offense Analysis

1. For a Source IP based offense, which field helps determine relative
importance of the targets to the business?

A. Last Event/Flow
B. Total number of Events
C. Duration of the offense
D. Relative importance of Destination IP(s)

2. What is a difference between a flow and an event?

A. A flow occurs at a moment in time while events have a duration from a
log source.
B. An event occurs at a moment in time while flows have a duration from
the flow source.
C. An event is a record from a log source, such as a firewall or router
device, that describes an action on a network. A flow record provides
visibility into layer 7 for applications such as web browsers, NFS, SNMP,
Telnet, and FTP.
D. A flow is a record from a log source, such as a firewall or router device,
that describes an action on a network. An event analysis provides visibility
into layer 7 for applications such as web browsers, NFS, SNMP, Telnet,
and FTP.

3. At the Offense Summary window, the first row of data shows the
level of importance that QRadar assigned to the offense.

Which statement is the correct description for Magnitude?

A. QRadar determines it by the weight that the administrator assigned to
the networks and assets.
B. It indicates the threat that an attack poses in relation to how prepared
the destination is for the attack.
C. It indicates the relative importance of the offense, calculated based on
the relevance, severity, and credibility ratings.
D. It indicates the integrity of the offense as determined by the credibility
rating that is configured in the log source. It increases as multiple sources
report the same event.

4. What information is provided by using the Sharing MITRE-mapping
files in Use Case Manager?

A. Mapping directly to rules
B. Mapping directly to dependencies
C. Mapping to the customize template
D. Mapping to the Use Case Explorer page

5. Which parameter determines the impact of the offense on the
network?

A. Impact
B. Severity
C. Relevance
D. Credibility

6. When prioritizing offenses to investigate, what metric is provided
on the Offenses tab specifically to help influence which offenses to
investigate first?

A. Severity
B. Magnitude
C. Relevance
D. Credibility

7. Several counts of the system notification message 38750088
(Performance degradation detected in the Event pipeline) showed in a
report.

In this case, what does the Event collection system do?

A. Queues events in RAM
B. Routes data to storage
C. Bypasses EPS Licensing
D. Drops events from the pipeline

8. From which tabs can a QRadar custom rule be created?

A. Offenses or Admin tabs
B. Offenses or Log Activity tabs
C. Log Activity or Network Activity tabs
D. Offenses, Log Activity or Network Activity tabs

9. An analyst needs to preserve the data from a search to view later.

Which option should they select?

A. Save Data
B. Save Search
C. Save Results
D. Save Criteria

Section 2: Rules and Building Block Design

10. QRadar uses rules to monitor the events and flows in your
network to detect security threats. When the events and flows meet
the test criteria that is defined in the rules, an offense is created to
show that a security attack or policy breach is suspected. Knowing
that an offense occurred is only the first step; identifying the root
cause of the offense requires analysis.

These statements refer to what kind of Offense Management?

A. Offense actions
B. Offense indexing
C. Offense retention
D. Offense investigations

11. What are the types of reference data collections in QRadar?

A. Reference set, Reference data and Reference rule
B. Reference data, Reference table and Reference event
C. Reference set, Reference map and Reference map of maps
D. Reference event, Reference map of sets and Reference data

12. Which two options does a QRadar analyst need to configure in the
False Positive window of the QRadar Console to mark an event or
flow as False Positive?

A. Asset and traffic direction
B. Event or flow property and username
C. Event or flow property and port number
D. Event or flow property and traffic direction

13. Which three (3) statements are capabilities of the Network
Hierarchy in QRadar?

A. Determine and identify local and remote hosts.
B. Search users based on different network zones.
C. Move users from local to remote network segments.
D. Generate offenses based on different network zones.
E. Monitor traffic and profile the behavior of each group and host within the
group.
F. Monitor specific logical groups or services in the network, such as
marketing, DMZ, or VoIP.

14. A security analyst using Use Case Manager > Active Rules found that
the top offense-generating rule was triggered by inbound traffic that the
firewall dropped. The company decides that the rule should only trigger
when there are Firewall Permit events.

Which of these should the analyst implement to meet the above
requirement?

A. Open Rule Wizard, add a test condition > and when the context is Local
to Local, Local to Remote
B. Open Rule Wizard, add a test condition > and when an event matches
any of the following BB:CategoryDefinition: Firewall or ACL Accept
C. Open Rule Wizard, add a test condition > and NOT when an event
matches any of the following BB:CategoryDefinition: Firewall or ACL
Accept
D. Open Rule Wizard, add a test condition > and when the event category
for the event is one of the following Access.Misc Application Action Denied

15. QRadar rules can utilize reference data to further correlate results.

Which term is a valid reference data type?

A. Reference map
B. Reference graph
C. Reference table of sets
D. Reference table of maps

Section 3: Threat Hunting

16. How are Events that are associated with an offense listed?

A. Offense Summary window > Destination IPs
B. Offense Summary window > click Source IPs
C. Offense Summary window > click Display > Destination IPs
D. Offense Summary window > click Events from Event/Flow count column

17. Which are the time criteria in AQL queries?

A. START, STOP, BETWEEN, LAST
B. START, STOP, BETWEEN, FIRST
C. START, STOP, LAST, NOW, PARSEDATETIME
D. START, BETWEEN, LAST, NOW, PARSEDATETIME

18. If a security analyst needs to filter Events according to when they
occurred, which parameter should be used?

A. Start Date
B. Start Time
C. Storage Time
D. Log Source Time

19. Which QRadar app displays time series graphs for queries?

A. Pulse
B. Log Management App
C. Threat Intelligence
D. Assistant for Watson

20. What can an analyst use in QRadar to quickly find information
about IP addresses and URLs while analyzing an offense or event?

A. Use the X-Force Exchange lookup plugin.
B. Export the Event to CSV and upload it to reputation sites.
C. Verify if the IP address or URL is in any of your reference sets.
D. Copy the IP address or URL and paste it in any external reputation site.

21. What does it mean when a custom rule is partially matched in
QRadar?

A. The rule is not fully enabled.
B. All the tests in the rule were fully matched.
C. Not all the tests in the rule were fully matched.
D. The AND NOT operator is set incorrectly in the first test.

22. Which direction value means that an undefined local Source IP
accesses an external resource?

A. R2L
B. L2L
C. L2R
D. R2R

23. An analyst reviewed an active offense that involved many attackers
generating many events in the same category and targeting many
systems. Upon further analysis, the analyst determined that the traffic
from the attackers is legitimate and should not contribute to the
offenses.

Which tuning methodology guideline can the analyst use to tune out
this traffic?

A. Use the False Positive Wizard to tune the specific event.
B. Use the Log Source Management app to tune the category.
C. Edit building blocks by using the Custom Rules Editor to tune the
category.
D. Edit the building blocks by using the Custom Rules Editor to tune the
specific event.

24. What file format is supported to perform a bulk load of data into a
reference set?

A. CSV
B. XML
C. JSON
D. TAXII

25. Which regex statement extracts the DNS host from the cs-host
value from the payload?

A. cs-host=.?www.(.*.?)
B. cs-host=www.?([^\|]*)\
C. cs-host=(?:www\.)?([^\|]*)\|(?:http|ftp|tcp|https)\s+(?:www\.)?([^\s]+)
D. cs-host=(?:www\.)?([^\|]*)\|(?:add|get|query|delete)\s+(?:www\.)?([^\s]+)

Section 4: Dashboard Management

26. An analyst views a dashboard in Pulse, which is not working as
expected.

Which aggregation type should be selected to ensure the correct
configuration for a Pie Chart?

A. Last
B. First
C. Total
D. Middle

Section 5: Reporting

27. How can an analyst search for all events that include the keyword
'access'?

A. Go to the Offenses tab and run a quick search with the 'access'
keyword.
B. Go to the Log Activity tab and run a quick search with the 'access'
keyword.
C. Go to the Network Activity tab and run a quick search with the 'access'
keyword.
D. Go to the Log Activity tab and run this AQL: select * from events
where eventname like 'access'.

28. What are the search options available for searching offense data
on the By Networks page?

A. Source IP, Magnitude, VA Risk, and Domain
B. Network, Magnitude, VA Risk, and Events/Flows
C. Domain, Destination IP, Magnitude, and Events/Flows
D. Source IP, Destination IP, Events/Flows, and Magnitude

29. Analysts can filter searches in QRadar from which three (3) of
these locations?

A. Add Filter dialog
B. Log Activity toolbar
C. Admin search pages
D. Reports search pages
E. Network Activity toolbar
F. Dashboard Activity toolbar

30. Which of these procedures duplicates a report from the Reports
tab?

A. Right-click the report to duplicate.
Click Duplicate and type a new name for the report.
B. Click Action > Duplicate Report.
Select the report to duplicate and click Finish.
C. Select the report to duplicate.
From the Actions list, click Duplicate and type a new name for the report.
D. Click Actions, then select the report to duplicate from the pop-up
window.
Click Duplicate and type a new name for the report.

31. A QRadar analyst was asked to provide a selection of events for
further investigation by somebody who does not have access to the
QRadar system.

Which of these approaches provides an accurate copy of the required
data in a readable format?

A. By using the Advanced Search option in the Log Activity tab, run an
AQL command: COPY(SELECT * FROM events LAST 2 HOURS) TO
'output_events.csv' WITH CSV.
B. Log in to the Command Line Interface and use the ACP tool
(/opt/qradar/bin/runjava.sh com.q1labs.ariel.io.ACP) with
the necessary AQL filters and destination directory.
C. By using the "Event Export (with AQL)" option in the Log Activity tab,
test your query with the Test button. Then, to run the export, click Export to
CSV.
D. By using the Log Activity tab, filter the events until only those that you
require are shown. Then, from the Actions list, select Export to CSV > Full
Export (All Columns) to download a ZIP file.

32. Which two (2) file formats are available for exporting offenses?

A. CSV
B. XML
C. PDF
D. TXT
E. XLSX

33. What demarcation is added to a custom event property to let you
know that this value is held in memory for a set amount of time?

A. Stored
B. Indexed
C. Tabulated
D. Catalogued

34. Reports can be organized into groups for efficient utilization. What
report groups are available by default in QRadar?

A. Compliance, Content, Log Sources, Network Management, Security,
VoIP, Other
B. Compliance, Container, Log Sources, Network Management, Security,
VoIP, Other
C. Compliance, Executive, Log Sources, Network Management, Security,
VoIP, Other
D. Compliance, Chart type, Log Sources, Network Management, Security,
VoIP, Other

Answer key
1. D
2. C
3. C
4. A
5. C
6. B
7. B
8. D
9. C
10. D
11. C
12. D
13. A, E, F
14. B
15. A
16. D
17. C
18. D
19. A
20. A
21. C
22. D
23. C
24. A
25. C
26. B
27. B
28. D
29. A, B, E
30. C
31. D
32. A, B
33. B
34. C
