EMT Practice Test

1. Question Content...


Question List

Question1: Which key elements does the Report Wizard use to help create a report?

Question2: What is the default view when a user first logs in to QRadar?

Question3: What is the key difference between Rules and Building Blocks in QRadar?

Question4: What is a capability of the Network Hierarchy in QRadar?

Question5: Which type of tests are recommended to be placed first in a rule to increase efficiency?

Question6: Which QRadar rule could detect a possible potential data loss?

Question7: What is the maximum number of supported dashboards for a single user?

Question8: What is accessible from the Offenses Tab but is not used to present a sorted list of offenses?

Question9: Where are events related to a specific offense found?

Question10: Which QRadar component provides the user interface that delivers real-time flow views?

Question11: When might a Security Analyst want to review the payload of an event?

Question12: Which QRadar component is designed to help increase the search speed in a deployment by allowing more data to remain uncompressed?

Question13: An event is happening regularly and frequently; each event indicates the same target username. There is a rule configured to test for this event which has a rule action to create an offense indexed on the username.
What will QRadar do with the triggered rule assuming no offenses exist for the username and no offenses are closed during this time?

Question14: What is the default reason for closing an Offense within QRadar?

Question15: Which QRadar add-on component can generate a list of the unencrypted protocols that can communicate from a DMZ to an internal network?

Question16: A mapping of a username to a user's manager can be stored in a Reference Table and output in a search or a report.
Which mechanism could be used to do this?

Question17: Which Anomaly Detection Rule type is designed to test event and flow traffic for changes in short term events when compared against a longer time frame?

Question18: Which Anomaly Detection Rule type can test events or flows for volume changes that occur in regular patterns to detect outliers?

Question19: What is a Device Support Module (DSM) function within QRadar?

Question20: What are the two available formats for exporting event and flow data for external analysis? (Choose two.)

Question21: While on the Offense Summary page, a specific Category of Events associated with the Offense can be investigated.
Where should a Security Analyst click to view them?

Question22: What is a main function of a Cisco Adaptive Security Appliance (ASA)?

Question23: Given these default options for dashboards on the QRadar Dashboard Tab:

Which will display a list of offenses?

Question24: What is an example of the use of a flow data that provides more information than an event data?

Question25: What set of Key fields can trigger coalescing?

Question26: Which type of search uses a structured query language to retrieve specified fields from the events, flows, and simarc tables?

Question27: Which kind of information do log sources provide?

Question28: What is a primary goal with the use of building blocks?

Question29: Which list is only Rule Actions?

Question30: How does flow data contribute to the Asset Database?

Question31: Which saved searches can be included on the Dashboard?

Question32: What are two characteristics of a SIEM? (Choose two.)

Question33: Which set of information is provided on the asset profile page on the assets tab in addition to ID?

Question34: A Security Analyst found multiple connection attempts from suspicious remote IP addresses to a local host on the DMZ over port 80. After checking related events no successful exploits were detected.
Upon checking international documentation, this activity was part of an expected penetration test which requires no immediate investigation.
How can the Security Analyst ensure results of the penetration test are retained?

Question35: Which pair of options are available in the left column on the Reports Tab?

Question36: Which file type is available for a report format?

Question37: Where can a user add a note to an offense in the user interface?

Question38: Which two are top level options when right clicking on an IP Address within the Offense Summary page?
(Choose two.)

Question39: What are the various timestamps related to a flow?

Question40: What is the largest differentiator between a flow and event?

Question41: What is a benefit of using a span port, mirror port, or network tap as flow sources for QRadar?

Question42: When QRadar processes an event it extracts normalized properties and custom properties.
Which list includes only Normalized properties?

Question43: When using the right click event filtering functionality on a Source IP, one can filter by "Source IP is not [*]".
Which two other filters can be shown using the right click event filtering functionality? (Choose two.)

Question44: Which information can be found under the Network Activity tab?

Question45: What is the primary goal of data categorization and normalization in QRadar?

Question46: What is indicated by an event on an existing log in QRadar that has a Low Level Category of "Unknown"?

Question47: What is the difference between TCP and UDP?

Question48: What is a common purpose for looking at flow data?

Question49: When reviewing Network Activity, a flow shows a communication between a local server on port 443, and a random, remote port. The bytes from the local destination host are 2 GB, and the bytes from the remote, source host address are 40KB.
What is the flow bias of this session?