EMT Practice Test

1. Question Content...


Question List

Question1: An analyst working with QRadar SIEM has been assigned a new Offense and is preparing a custom report on the Offense summary page. From this page, the analyst wants to navigate to the Log Activity or Network Activity page to export the Event/Flow data (Action -> export to CSV).
How can the analyst do this? (Choose two)

Question2: An analyst for a particular offense needs to investigate to understand the breakdown of the offense details.
How can the analyst do this?

Question3: What information is included in flow details but is not in event details?

Question4: Where can an analyst working with Offenses add a regular expression test into an existing rule?

Question5: From which tab in QRadar SIEM can an analyst search vulnerability data and remediate vulnerabilities?

Question6: An analyst is searching for a list of events that meet specific search criteria and wants to display only the source IP and destination IP information for the events.
To get the required information, the analyst can open the Log Activity tab and then:

Question7: After working with an Offense, an analyst set the Offense as hidden. What does the analyst need to do to view the Offense at a later time?

Question8: An analyst is investigating access to sensitive data on a Linux system. Data is accessible from the /secret directory and can be viewed using the 'sudo oaf command. The specific file /secret/file_08-txt was known to be accessed in this way. After searching in the Log Activity Tab, the following results are shown.

When interpreting this, the analyst is having trouble locating events which show when the file was accessed.
Why could this be?

Question9: How can an analyst verify if any host in the deployment is vulnerable to CVE ID; CVE-2010-000?

Question10: An analyst is noticing false positives from a single IP on a specific offense. How can the analyst tune the event rule to eliminate these false positives?

Question11: How would an analyst efficiently include all the Antivirus logs integrated with QRadar for the last 24 hours?

Question12: How would an analyst Interpret this QRadar notification: "SAR Sentinel: threshold crossed?"

Question13: An analyst has been assigned a number of Offenses to review and a new event occurs, review and manage.
While reviewing an inactive offense, a new event occurs.
Which statement applies to the Offense?

Question14: Where can an analyst investigate a security incident to determine the root cause of an issue, and then work to resolve it?

Question15: Which QRadar component stores Event data?

Question16: What steps are needed to add an Annotation to an event or flow that triggered a Rule?

Question17: When an Offense is triggered, it only shows the events that triggered the Offense. The analyst wants to investigate further to see more events around the incident, not only those that triggered the Offense. The analyst clicks on the event count and sees the events belonging to the Offense.
How can the analyst processed to see a more detailed picture of what occurred?

Question18: When is the rating of an Offense magnitude re-evaluated?

Question19: An analyst is performing an investigation regarding an Offense. The analyst is uncertain to whom some of the external destination IP addresses in List of Events are registered.
How can the analyst verify to whom the IP addresses are registered?

Question20: How does an analyst view the base64 encoded string of an event's raw payload that contains unprintable characters?

Question21: An analyst is reviewing a rule that is configured to create an Offense indexed by a uri domain name. But even after validating all the rule conditions, an Offense is not generated.
What could be the reason for this kind of behaviour?