EMT Practice Test

1. Question Content...


Question List

Question1: What is a Device Support Module (DSM) function within QRadar?

Question2: While on the Offense Summary page, a specific Category of Events associated with the Offense can be investigated.
Where should a Security Analyst click to view them?

Question3: Which pair of options are available in the left column on the Reports Tab?

Question4: What is a capability of the Network Hierarchy in QRadar?

Question5: Which type of search uses a structured query language to retrieve specified fields from the events, flows, and simarc tables?

Question6: When reviewing Network Activity, a flow shows a communication between a local server on port 443, and a random, remote port. The bytes from the local destination host are 2 GB, and the bytes from the remote, source host address are 40KB.
What is the flow bias of this session?

Question7: What is the default reason for closing an Offense within QRadar?

Question8: What is indicated by an event on an existing log in QRadar that has a Low Level Category of "Unknown"?

Question9: Which QRadar component is designed to help increase the search speed in a deployment by allowing more data to remain uncompressed?

Question10: An event is happening regularly and frequently; each event indicates the same target username. There is a rule configured to test for this event which has a rule action to create an offense indexed on the username.
What will QRadar do with the triggered rule assuming no offenses exist for the username and no offenses are closed during this time?

Question11: When QRadar processes an event it extracts normalized properties and custom properties.
Which list includes only Normalized properties?

Question12: Which QRadar rule could detect a possible potential data loss?

Question13: Where are events related to a specific offense found?

Question14: A Security Analyst found multiple connection attempts from suspicious remote IP addresses to a local host on the DMZ over port 80. After checking related events no successful exploits were detected.
Upon checking international documentation, this activity was part of an expected penetration test which requires no immediate investigation.
How can the Security Analyst ensure results of the penetration test are retained?

Question15: What is accessible from the Offenses Tab but is not used to present a sorted list of offenses?

Question16: Which file type is available for a report format?

Question17: What is the largest differentiator between a flow and event?

Question18: What is the default view when a user first logs in to QRadar?

Question19: What is a main function of a Cisco Adaptive Security Appliance (ASA)?

Question20: What are the two available formats for exporting event and flow data for external analysis? (Choose two.)

Question21: How does flow data contribute to the Asset Database?

Question22: Which device uses signatures for traffic analysis when deployed in a network environment to detect, allow, block, or simulated-block traffic?

Question23: When using the right click event filtering functionality on a Source IP, one can filter by "Source IP is not [*]".
Which two other filters can be shown using the right click event filtering functionality? (Choose two.)

Question24: Which list is only Rule Actions?

Question25: What is the difference between TCP and UDP?

Question26: What is the maximum number of supported dashboards for a single user?

Question27: What set of Key fields can trigger coalescing?

Question28: Which information can be found under the Network Activity tab?

Question29: Which type of tests are recommended to be placed first in a rule to increase efficiency?

Question30: Which two are top level options when right clicking on an IP Address within the Offense Summary page?
(Choose two.)