EMT Practice Test

1. Question Content...


Question List

Question1: An analyst wants to create a report using the report wizard.
What are key elements used by the wizard to create the report?

Question2: What are anomaly detection rules used for?

Question3: An analyst needs to investigate an Offense and navigates to the attached rule(s).
Where in the rule details would the analyst investigate the reason for why the rule was triggered?

Question4: How can an analyst search for all events that include the keyword 'vims'?

Question5: Where can an analyst working with Offenses add a regular expression test into an existing rule?

Question6: An analyst needs to review additional information about the Offense top contributors, including notes and annotations that are collected about the Offense.
Where can the analyst review this information?

Question7: What is the reason for this system notification?
"Time synchronization to primary or Console has failed"

Question8: A new analyst is tasked to identify potential false positive Offenses, then send details of those Offenses to the Security Operations Center (SOC) manager for review by using the send email notification feature.

Question9: What information is included in flow details but is not in event details?

Question10: An analyst is searching for a list of events that meet specific search criteria and wants to display only the source IP and destination IP information for the events.
To get the required information, the analyst can open the Log Activity tab and then:

Question11: QRadar collects information from numerous log sources and other agents. Sometimes these agents stop reporting to QRadar for a variety of reasons. There is a default rule in QRadar to help identify these cases called the Device Stopped Sending Events (DSSE) Rule.
What does the DSSE Rule do?

Question12: An analyst has been assigned a task to modify a rule in such a manner that Source IP of the triggered Offense from this rule should be stored in a Reference set.
Under which section of the rule wizard can the analyst achieve this?

Question13: An analyst is noticing false positives from a single IP on a specific offense. How can the analyst tune the event rule to eliminate these false positives?

Question14: While creating a new custom property, which is a valid property types selection?

Question15: What happens to a Closed Offense after the offense retention period which defaults to 30 days7

Question16: An analyst needs to find all events that are creating offenses that are triggered by rules that contain the word suspicious in the rule name.
Which query can the analyst use as a working sample?

Question17: An analyst has been asked to present a report of all the incidents that have been detected by QRadar in the last
24 hours.
How can the analyst achieve this?

Question18: An analyst for a particular offense needs to investigate to understand the breakdown of the offense details.
How can the analyst do this?

Question19: Which graph types are available for QRadar SIEM reports? (Choose two)

Question20: When looking at Common rules, the parameters available to the tests refer to attributes of events and flows.
Which attributes are available?
Common rule tests can operate on:

Question21: An analyst has manually created a new log source in QRadar.
What is the Low Level Category that will be applied to all events sent from this log log source type is applied?