When ordering these tests in an event rule, which of them is the best test to place at the top of the list for rule performance?
A. When the source is [local or remote]
B. When the destination is [local or remote]
C. When the event(s) were detected by one or more of [these log sources]
D. When an event matches all of the following [Rules or Building Blocks]
What is the reason for this system notification?

A. Deny ntpdate communication on port 423.
B. Deny ntpdate communication on port 223.
C. Deny ntpdate communication on port 323.
D. Deny ntpdate communication on port 123.
When an analyst sees the system notification “The appliance exceeded the EPS or FPM allocation within the last hour”, how does the analyst resolve this issue? (Choose two.)
A. Delete the volume of events and flows received in the last hour.
B. Adjust the license pool allocations to increase the EPS and FPM capacity for the appliance.
C. Tune the system to reduce the volume of events and flows that enter the event pipeline.
D. Adjust the resource pool allocations to increase the EPS and FPM capacity for the appliance.
E. Tune the system to reduce the time window from 60 minutes to 30 minutes.
What is the maximum time period for 3 subsequent events to be coalesced?
A. 10 minutes
B. 10 seconds
C. 5 minutes
D. 60 seconds
An analyst needs to investigate an Offense and navigates to the attached rule(s).
Where in the rule details would the analyst investigate the reason for why the rule was triggered?
A. Rule response limiter
B. List of test conditions
C. Rule actions
D. Rule responses
An analyst is performing an investigation regarding an Offense. The analyst is uncertain to whom some of the external destination IP addresses in List of Events are registered.
How can the analyst verify to whom the IP addresses are registered?
A. Right-click on the destination address, More Options, then Navigate, and then Destination Summary
B. Right-click on the destination address, More Options, then IP Owner
C. Right-click on the destination address, More Options, then Information, and then WHOIS Lookup
D. Right-click on the destination address, More Options, then Information, and then DNS Lookup
Which filter would an analyst apply in the Log Activity tab to get a list of log sources not reporting to QRadar?
A. Log source status does not equal active
B. Custom rule equals device stopped sending events
C. Log source type does not equal active
D. Log source status does not equal error
While creating a new custom property, which is a valid property type selection?
A. Flow Based
B. Event Based
C. AQL Based
D. Regular Expressions Based
There are 5 authentication servers that report to different Event Processors. There is a requirement to generate an Offense if there are 5 consecutive failed logins detected across any of the 5 Event Processors.
Which type of rule should the analyst create?
A. Global Rule
B. Persistent Rule
C. Local Rule
D. Offense Rule
How does an analyst view the base64 encoded string of an event's raw payload that contains unprintable characters?
A. Copy the raw payload and use an external tool to view base64 data
B. Right-click on the event -> view base64 data
C. Log Activity -> Under Payload Information, click base64 tab
D. Admin -> Under Payload Information, click base64 tab