EMT Practice Test

1. Question Content...


Question List

Question1: An analyst has been asked to search for a firewall device that was assigned to a specific address range in the past week.
What method can the analyst use to perform the search that uses simple words or phrases?

Question2: How would an analyst Interpret this QRadar notification: "SAR Sentinel: threshold crossed?"

Question3: An analyst needs to identify which rules are most active in generating Offenses.
In the Offense tab, on the rules section, which column must be reordered in descending order to find this information?

Question4: How does the Custom Rule Engine (CRE) evaluates rules?

Question5: How can an analyst verify if any host in the deployment is vulnerable to CVE ID; CVE-2010-000?

Question6: An analyst has been assigned a task to modify a rule in such a manner that Source IP of the triggered Offense from this rule should be stored in a Reference set.
Under which section of the rule wizard can the analyst achieve this?

Question7: Where can an analyst working with Offenses add a regular expression test into an existing rule?

Question8: How can an analyst search for all events that include the keyword 'vims'?

Question9: There are 5 authentication servers that report to different Event Processors. There is a requirement to generate an Offense if there are 5 consecutive failed logins detected across any of the 5 Event Processors.
Which type of rule should the analyst create?

Question10: How does an analyst view the base64 encoded string of an event's raw payload that contains unprintable characters?

Question11: An analyst is reviewing a rule that is configured to create an Offense indexed by a uri domain name. But even after validating all the rule conditions, an Offense is not generated.
What could be the reason for this kind of behaviour?

Question12: What is the intent of the magnitude of an offense?

Question13: From which tab in QRadar SIEM can an analyst search vulnerability data and remediate vulnerabilities?

Question14: How does an analyst view which rule triggered an Offense in the Offense summary page?

Question15: An analyst wants to analyze the long-term trending of data from a search.
Which chart would be used to display this data on a dashboard?

Question16: What information is displayed in the default "Log Activity" page? (Choose two.)

Question17: An analyst wants to find all events where Process name includes reference to exe files. Which quick search will return the expected result?

Question18: An analyst has been assigned a number of Offenses to review and a new event occurs, review and manage.
While reviewing an inactive offense, a new event occurs.
Which statement applies to the Offense?

Question19: What could be a possible reason that events are routed directly to storage by the custom rule engine (CRE)?

Question20: An analyst wants to view information about repeated offenders and IP addresses that generate many attacks or are subject to many attacks.
What should the analyst choose from the navigation options in the Offense tab?

Question21: An analyst aims to improve the detection capabilities on all the Offense rules. QRadar SIEM has a tool that allows the analyst to update all the Building Blocks related to Host and Port Definition in a single page.
How is this accomplished?

Question22: An analyst needs to create a rule that includes a building block definition that identifies a communication to a local SMTP server that then connects to an unapproved remote peer.
In which group will the analyst find this specified building block?

Question23: When is the rating of an Offense magnitude re-evaluated?

Question24: An analyst needs to perform Offense management.
In QRadar SIEM, what is the significance of "Protecting" an offense?

Question25: An analyst needs to map a geographic location on all the internal IP addresses.
Which option defines the functions where the analyst can-setup a geographic location of the network object in Network Hierarchy?

Question26: Which are the supported protocol configurations for Check Point integration with QRadar? (Choose two.)

Question27: An analyst has observed that for a particular user, authentication to an organization's critical server is different than the normal access pattern.
How can the analyst verify that all the authentications initiated from the user are valid?

Question28: An analyst investigates an Offense that will need more research to outline what has occurred. The analyst marks a 'Follow up' flag on the Offense.
What happens to the Offense after it is tagged with a 'Follow up' flag?

Question29: What steps are needed to add an Annotation to an event or flow that triggered a Rule?

Question30: Which QRadar timestamp specifies when the event was received from the log source?

Question31: An analyst working with QRadar SIEM has been assigned a new Offense and is preparing a custom report on the Offense summary page. From this page, the analyst wants to navigate to the Log Activity or Network Activity page to export the Event/Flow data (Action -> export to CSV).
How can the analyst do this? (Choose two)

Question32: An auditor has requested a report for all Offenses that have happened in the past month. This report generates at the end of every month but the auditor needs to have it for a meeting that is in the middle of the month.
What will happen to the scheduled report if the analyst manually generates this report?

Question33: An analyst needs to review additional information about the Offense top contributors, including notes and annotations that are collected about the Offense.
Where can the analyst review this information?

Question34: What is the difference between a Quick Search and an Advanced Search?

Question35: What is the purpose of Anomaly detection rules?

Question36: Which considering the ability to tune False Positives with the Confidence factor Setting, which statement applies?