Question 6 of 60

An Administrator will add a secondary host to an IBM Security QRadar SIEM V7.2.8 Console in a High Availability (HA) deployment scenario.

After checking the compatibility between primary and secondary HA pairs, what other prerequisite should the Administrator check within Managed Interfaces?

Answer

Suggested Answer

The suggested answer is D.

TCP port 7789 must be open and allow communication between the primary and secondary hosts for Distributed Replicated Block Device (DRBD) traffic.
DRBD traffic carries the disk replication and is bidirectional between the primary and secondary host.

Reference -
https://www.ibm.com/support/knowledgecenter/SS42VS_7.2.7/com.ibm.qradar.doc/c_qradar_appliance_require.html
Question 7 of 60

An Administrator working with IBM Security QRadar SIEM V7.2.8 needs to delete a single value named User1 from a reference set with the name "Allowed Users" from the command line interface.

Which command will accomplish this?

Answer

Suggested Answer

The suggested answer is B.

ReferenceSetUtil.sh purge is the correct command syntax. It deletes the specified value (here, User1) when you name it together with the reference set it belongs to.

Reference -
https://www.ibm.com/developerworks/community/forums/html/topic?id=77777777-0000-0000-0000-000014967953
Question 8 of 60

When it comes to licensing, what is the difference between Events and Flows, and how is each licensed?

Answer

Suggested Answer

The suggested answer is A.

A significant difference between event and flow data is that an event, which typically is a log of a specific action such as a user login, or a VPN connection, occurs at a specific time and the event is logged at that time. A flow is a record of network activity that can last for seconds, minutes, hours, or days, depending on the activity within the session. For example, a web request might download multiple files such as images, ads, video, and last for 5 to 10 seconds, or a user who watches a Netflix movie might be in a network session that lasts up to a few hours. The flow is a record of network activity between two hosts.

Reference -
https://www.ibm.com/support/knowledgecenter/en/SS42VS_7.2.8/com.ibm.qradar.doc/c_qradar_deploy_event_and_flow_pipeline.html
Question 9 of 60

When an IBM Security QRadar SIEM V7.2.8 distributed deployment requires scaling horizontally to achieve Events per Second (EPS) requirements, what QRadar component needs to be added to meet the EPS demands?

Answer

Suggested Answer

The suggested answer is D.

The QRadar SIEM Event Processor Virtual 1699 appliance supports the following items:
✑ Up to 10,000 events per second
✑ 2 TB or larger dedicated event storage

Reference -
https://www.ibm.com/support/knowledgecenter/SS42VS_7.2.4/com.ibm.qradar.doc_7.2.4/c_siem_vrt_ap_ov.html
Question 10 of 60

The event data collected by IBM Security QRadar SIEM V7.2.8 is being deleted after one month. The legal department requires that the data be kept for two months.

What can the administrator do to accommodate this requirement?

Answer

Suggested Answer

The suggested answer is C.

When storage space is required - Select this option if you want events or flows that match the "Keep data placed in this bucket for" parameter to remain in storage until the disk monitoring system detects that storage is required. If used disk space reaches 85% for records and 83% for payloads, data will be deleted. Deletion continues until the used disk space reaches 82% for records and 81% for payloads.
When storage is required, only events or flows that match the "Keep data placed in this bucket for" parameter are deleted.

Reference -
https://www.ibm.com/developerworks/community/forums/atom/download/Event_Flow_Retention_QRadar_72_AdminGuide.pdf?nodeId=593f2b31-a858-4210-b380-4674894a6ad9