IBM QRadar SIEM Fundamental Administration (C1000-026) Certification Sample Questions

The purpose of this Sample Question Set is to provide you with information about the IBM Security QRadar SIEM V7.3.2 Fundamental Administration exam. These sample questions will make you very familiar with both the type and the difficulty level of the questions on the C1000-026 certification test. To get familiar with the real exam environment, we suggest you try our Sample IBM QRadar SIEM Fundamental Administration Certification Practice Exam. This sample practice exam gives you the feeling of reality and is a clue to the questions asked in the actual IBM Certified Associate Administrator - IBM QRadar SIEM V7.3.2 certification exam.

These sample questions are simple, basic questions that resemble the real IBM C1000-026 exam questions. To assess your readiness and performance with real-time, scenario-based questions, we suggest you prepare with our Premium IBM QRadar SIEM Fundamental Administration Certification Practice Exam. When you solve real-time, scenario-based questions practically, you come across many difficulties that give you an opportunity to improve.

IBM C1000-026 Sample Questions:

01. An administrator receives a system notification stating: 'Performance degradation was detected in the event pipeline. Expensive Device Support Module (DSM) extensions were found'. Which QRadar service is having this pipeline issue?
a) ariel
b) ecs-ec
c) ecs-ep
d) hostcontext
 
02. An administrator has a rule that populates a reference set with Source IPs. The administrator wants this reference set to contain just Source IPs seen in the last 30 days. How does the administrator configure the reference set?
a) Admin > Reference Set Management > Select Reference set > Edit > Time to Live of elements > uncheck lives forever > select since last seen > set 30 days
b) Admin > Reference Set Management > Select Reference set > Edit > Time to Live of elements > uncheck lives forever > select since first seen > set 30 days
c) Admin > Reference Set Management > Select Reference set > Edit > Time to Live of elements > check lives forever > select since first seen > set 30 days
d) Admin > Reference Set Management > Select Reference set > Edit > Time to Live of elements > check lives forever > select since last seen > set 30 days
 
03. What are two valid user responses for the following QRadar notification?
38750109 - A store and forward schedule finished while events were left on disk. These events will be stored on the local event collector until the next forwarding session begins
(Choose two)
a) Wait until the next store and forward interval occurs
b) Decrease the event forwarding rate from the event collector
c) Increase the event forwarding rate from the event collector
d) Increase the time interval for the store and forward process
e) Increase the time interval that is configured for forwarding events
 
04. An administrator has found an error in the QRadar logs, and has identified a particular classpath connected with the error. To further troubleshoot this error, the administrator needs to put it into debug mode. Which script should the administrator use to toggle debug mode for QRadar logging?
a) /opt/qradar/support/jmx.sh
b) /opt/qradar/support/threadtop.sh
c) /opt/qradar/support/mod_log4j.pl
d) /opt/qradar/support/qapp_utils.py
 
05. An administrator reviews a newsflash from IBM Support. It informs that the QRadar deployment has been security tested and is vulnerable against several known attacks, and that the vulnerabilities have been fixed in the latest patch. The administrator decides to update their QRadar installation.
In a distributed environment, which QRadar appliance must be updated first?
a) QRadar Console
b) QRadar Data Node
c) QRadar HA Console
d) QRadar Event/Flow Processor
 
06. An administrator is seeing a large number of assets related to service accounts/automated services in the Assets tab. The administrator wants to minimize asset creation related to service accounts to enhance product performance. What should the administrator do to stop this asset growth deviation?
a) 1. Create a saved search where ‘Identity Username’ + ‘Is Any Of’ + ‘Anonymous logon’.
2. Add the search using Admin tab > Asset Profile Configuration > Manage Identity Exclusion > Add Saved Search
b) 1. Create a saved search where ‘Identity Username’ + ‘Is Any Of’ + ‘Anonymous logon’.
2. Add the search using Admin tab > Asset Database Configuration > Manage Database Exclusion > Add Saved Search
c) 1. Create a saved search where ‘Identity Services’ + ‘Is Any Of’ + ‘Administrator logon’.
2. Add the search using Admin tab > Asset Database Configuration > Manage Service Exclusion > Add Saved Search
d) 1. Create a saved search where ‘Identity Username’ + ‘Is Any Of’ + ‘Anonymous logon’.
2. Add the search using Admin tab > Asset Profile Configuration > Manage Asset Blacklist Exclusion > Add Saved Search
 
07. An administrator wants to add a new Cisco ASA log source. What are the two protocols that Cisco ASA supports for collecting events?
(Choose two)
a) JDBC
b) SNMP
c) Syslog
d) Rest API
e) Cisco NSEL
 
08. An administrator wants to be notified when, during office hours, the number of users connected to a VPN exceeds the 250 licensed VPN clients. The administrator wants to receive an email and see a corresponding event generated in the Log Activity tab. How can the administrator monitor this event?
a) From the Offenses tab select Rules and then click Actions, Create Common Rule and in the rule wizard setup select the test to count events showing successful logins to the VPN server during office opening hours. In the Rule Response dispatch a new event and then send an email entering the email of the analyst.
b) From the Log Activity tab select Rules and then click Actions, Create Event Rule and in the rule wizard setup select the test to count events showing successful logins to the VPN server during office opening hours. In the Rule Response dispatch a new event and then send an email entering the email of the analyst.
c) From the Network Activity tab select Rules and then click Actions, Create Flow Rule and in the rule wizard setup select the test to count events showing successful logins to the VPN server during office opening hours. In the Rule Response dispatch a new event and then send an email entering the email of the analyst.
d) From the Log Activity tab create and save a search filtered and grouped by the VPN log source successful connection events showing the Count column, click Rules and select Add Threshold Rule, configure the test stack to trigger the rule when the counted property is over 250 and it happens between the specified hours. In the Rule Response dispatch a new event and then send an email entering the email of the analyst.
 
09. During an upgrade, what is the recommended order of directories in which to try copying the SFS file?
a) /storetmp, /store, /tmp
b) /storetmp, /store/transient, /tmp
c) /storetmp, /tmp/, /store/transient
d) /tmp, /store/transient, /storetmp
 
10. To increase the search performance and storage capabilities of an existing distributed QRadar deployment, an administrator decided to install a QRadar Data Node appliance. Before the installation and deployment of the Data Node, what should the administrator check?
(Choose two)
a) Ensure the Event Processor and the Data Node are using the same hardware.
b) Ensure port 32006 between the Data Node and the Event Processor appliance is opened.
c) Ensure port 32011 between the Data Nodes and the Console's Event Processor is opened.
d) Ensure the existence of an IP Tables rule to permit the traffic between the Data Node and the QRadar Console.
e) Ensure the SSH keys are available on both the Event Processor and the Data Node for the encryption tunnel to be configured.

Answers:

Question: 01
Answer: b
Question: 02
Answer: a
Question: 03
Answer: c, e
Question: 04
Answer: c
Question: 05
Answer: a
Question: 06
Answer: a
Question: 07
Answer: c, e
Question: 08
Answer: d
Question: 09
Answer: c
Question: 10
Answer: b, c

Note: For any error in IBM Certified Associate Administrator - IBM QRadar SIEM V7.3.2 (C1000-026) certification exam sample questions, please update us by writing an email on feedback@edusum.com.