EMT Practice Test

1. Question Content...


Question List

Question1: The administrator had set up several scheduled reports that can be executed by analysts every Monday, and the first day of each month. On Thursday, an executive requests one of the weekly reports.
If the analyst executes the report on Thursday, what information will the report contain?

Question2: How would an analyst Interpret this QRadar notification: "SAR Sentinel: threshold crossed?"

Question3: Which are the supported protocol configurations for Check Point integration with QRadar? (Choose two.)

Question4: An analyst working with QRadar SIEM has been assigned a new Offense and is preparing a custom report on the Offense summary page. From this page, the analyst wants to navigate to the Log Activity or Network Activity page to export the Event/Flow data (Action -> export to CSV).
How can the analyst do this? (Choose two)

Question5: When looking at Common rules, the parameters available to the tests refer to attributes of events and flows.
Which attributes are available?
Common rule tests can operate on:

Question6: Which QRadar component stores Event data?

Question7: What is required to create an anomaly rule?

Question8: An analyst is performing an investigation regarding an Offense. The analyst is uncertain to whom some of the external destination IP addresses in List of Events are registered.
How can the analyst verify to whom the IP addresses are registered?

Question9: What is a valid offense naming mechanism?
This information should:

Question10: An analyst is reviewing a rule that is configured to create an Offense indexed by a uri domain name. But even after validating all the rule conditions, an Offense is not generated.
What could be the reason for this kind of behaviour?

Question11: What does the Assets tab provide?
A unified view of the information that is kwon about:

Question12: How does an analyst view the base64 encoded string of an event's raw payload that contains unprintable characters?

Question13: An analyst needs to use a new custom property in a rule.
What must be the mandatory characteristic of the custom property?

Question14: An analyst wants to analyze the long-term trending of data from a search.
Which chart would be used to display this data on a dashboard?

Question15: How can an analyst search for all events that include the keyword 'vims'?

Question16: What could be a reason that an Event Rule is not triggering as expected?

Question17: Which consideration should be given to the position of rule tests that evaluate regular expressions (Regex tests)?

Question18: When an Offense is triggered, it only shows the events that triggered the Offense. The analyst wants to investigate further to see more events around the incident, not only those that triggered the Offense. The analyst clicks on the event count and sees the events belonging to the Offense.
How can the analyst processed to see a more detailed picture of what occurred?

Question19: An analyst needs to investigate why an Offense was created.
How can the analyst investigate?

Question20: An auditor has requested a report for all Offenses that have happened in the past month. This report generates at the end of every month but the auditor needs to have it for a meeting that is in the middle of the month.
What will happen to the scheduled report if the analyst manually generates this report?

Question21: QRadar collects information from numerous log sources and other agents. Sometimes these agents stop reporting to QRadar for a variety of reasons. There is a default rule in QRadar to help identify these cases called the Device Stopped Sending Events (DSSE) Rule.
What does the DSSE Rule do?

Question22: An analyst needs to perform Offense management.
In QRadar SIEM, what is the significance of "Protecting" an offense?

Question23: What is the reason for this system notification?
"Time synchronization to primary or Console has failed"

Question24: An analyst for a particular offense needs to investigate to understand the breakdown of the offense details.
How can the analyst do this?

Question25: An analyst has observed that for a particular user, authentication to an organization's critical server is different than the normal access pattern.
How can the analyst verify that all the authentications initiated from the user are valid?

Question26: When an Offense is triggered, it only shows the events that triggered the Offense. The analyst wants to investigate further to see more events around the incident, not only those that triggered the Offense. The analyst clicks on the event count and sees the events belonging to the Offense.
How can the analyst processed to see a more detailed picture of what occurred?

Question27: An analyst observed a port scan attack on an internal network asset from a remote network.
Which filter would be useful to determine the compromised host?

Question28: What information is displayed in the default "Log Activity" page? (Choose two.)

Question29: Which QRadar timestamp specifies when the event was received from the log source?

Question30: An analyst needs to review additional information about the Offense top contributors, including notes and annotations that are collected about the Offense.
Where can the analyst review this information?

Question31: An analyst is searching for a list of events that meet specific search criteria and wants to display only the source IP and destination IP information for the events.
To get the required information, the analyst can open the Log Activity tab and then:

Question32: An analyst wants to analyze the long-term trending of data from a search.
Which chart would be used to display this data on a dashboard?

Question33: When is the rating of an Offense magnitude re-evaluated?

Question34: How can an analyst verify if any host in the deployment is vulnerable to CVE ID; CVE-2010-000?

Question35: An analyst for a particular offense needs to investigate to understand the breakdown of the offense details.
How can the analyst do this?

Question36: An analyst needs to find all events that are creating offenses that are triggered by rules that contain the word suspicious in the rule name.
Which query can the analyst use as a working sample?

Question37: When ordering these tests in an event rule, which of them is the best test to place at the top of the list for rule performance?

Question38: How many normalized timestamp field(s) does an event contain?

Question39: After working with an Offense, an analyst set the Offense as hidden. What does the analyst need to do to view the Offense at a later time?

Question40: Which QRadar component stored Offenses?

Question41: An analyst needs to investigate an Offense and navigates to the attached rule(s).
Where in the rule details would the analyst investigate the reason for why the rule was triggered?

Question42: What could be a possible reason that events are routed directly to storage by the custom rule engine (CRE)?

Question43: While creating a new custom property, which is a valid property types selection?

Question44: There are 5 authentication servers that report to different Event Processors. There is a requirement to generate an Offense if there are 5 consecutive failed logins detected across any of the 5 Event Processors.
Which type of rule should the analyst create?

Question45: The administrator had set up several scheduled reports that can be executed by analysts every Monday, and the first day of each month. On Thursday, an executive requests one of the weekly reports.
If the analyst executes the report on Thursday, what information will the report contain?