A QRadar customer has a custom log source. The deployment professional has already created a custom DSM for the log source and all incoming events are correctly parsed and mapped to a QID. Now, in addition to the currently parsed properties, the customer requires that the information about the last logged in user is recorded in the asset database.
How can the deployment professional fulfill the requirement?
A. Use the DSM editor to ensure that the Username property is correctly parsed. Create an expression for any available identity property and ensure it is correctly parsed. Also, in the DSM editor, enable the identity data for the login success event type.
B. Use the DSM editor to create an expression for the Username property so it is correctly parsed. Create an expression for any available identity property and make sure it is correctly parsed. It is automatically applied to all events with low level category "User login success".
C. Use the DSM editor to ensure that the Identity Username property is correctly parsed. Create an expression for any available identity property and ensure it is correctly parsed. Also, in the DSM editor enable identity data for the login success event type.
D. Use the DSM editor to create an expression for the Identity Username property and make sure it parses correctly. It is automatically applied to all events with low level category "User login success".
Correct answer: D
Question 2:
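As an added illustration of what the answer is asking for (this is example code written for this page, not an IBM QRadar component or anything from the original question), the script below models a DSM editor style parse: each property is a regular expression with one capture group, events are mapped to a low-level category, and identity data is taken only from events in the "User Login Success" category. The log format, property names beyond the DSM editor's "Username" / "Identity Username" / "Identity IP" / "Identity Host Name", the category mapping and the in-memory asset table are all constructed assumptions; the real asset profiler is not reproduced here.

```python
import re

# Constructed sample events from a hypothetical custom log source (not from the page).
SAMPLE_EVENTS = [
    "2024-01-01T10:00:00Z app=portal action=login result=success user=alice src=10.0.0.5 host=ws01",
    "2024-01-01T10:00:05Z app=portal action=login result=failure user=bob src=10.0.0.6 host=ws02",
    "2024-01-01T10:00:09Z app=portal action=logout result=success user=alice src=10.0.0.5 host=ws01",
]

# DSM editor style property expressions: one regex with one capture group per property.
# The patterns are assumptions for the constructed format above.
PROPERTY_EXPRESSIONS = {
    "Username": r"user=(\S+)",
    "Identity Username": r"user=(\S+)",
    "Identity IP": r"src=(\d{1,3}(?:\.\d{1,3}){3})",
    "Identity Host Name": r"host=(\S+)",
}

# Event mapping: (action, result) -> low-level category. Constructed for the example.
LOW_LEVEL_CATEGORY = {
    ("login", "success"): "User Login Success",
    ("login", "failure"): "User Login Failure",
    ("logout", "success"): "User Logout Success",
}


def parse_event(raw):
    """Apply every property expression to one raw event and attach its category."""
    props = {}
    for name, pattern in PROPERTY_EXPRESSIONS.items():
        match = re.search(pattern, raw)
        if match:
            props[name] = match.group(1)
    action = re.search(r"action=(\S+)", raw)
    result = re.search(r"result=(\S+)", raw)
    key = (action.group(1) if action else None, result.group(1) if result else None)
    props["Low Level Category"] = LOW_LEVEL_CATEGORY.get(key, "Unknown")
    return props


def update_assets(events, assets=None):
    """Record the last logged-in user per asset (keyed by Identity IP) from login-success events only.

    Simplified model of the behaviour the question describes: identity data is only
    applied for events whose low-level category is "User Login Success", and an event
    without a parsed Identity Username contributes nothing.
    """
    assets = {} if assets is None else assets
    for raw in events:
        props = parse_event(raw)
        if props["Low Level Category"] != "User Login Success":
            continue
        if "Identity Username" not in props or "Identity IP" not in props:
            continue
        asset = assets.setdefault(props["Identity IP"], {})
        asset["last_user"] = props["Identity Username"]
        asset["host_name"] = props.get("Identity Host Name")
    return assets


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(parse_event(event))
    print(update_assets(SAMPLE_EVENTS))
```

Running it shows that only the first sample event (a successful login) updates the asset entry for 10.0.0.5; the failed login and the logout are parsed but do not touch the asset table.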
A deployment professional needs to add a new log source using Log File protocol. Which option is valid for retrieving files?
A. SFTP
B. TFTP
C. SNMP
D. Syslog
Correct answer: A
Question 3:
High availability (HA) has been configured for an event processor in a deployment. The end user gets the notification "Disk Usage Exceeded max Threshold" for the /store partition on primary host. The retention settings are "Delete data in this bucket: immediately after the retention period has expired".
What will be the behavior of the primary at this stage?
A. Primary will stop HA disk replication and failover to Secondary
B. Primary will stop HA disk replication and No failover to Secondary
C. Primary will keep running HA disk replication and failover to Secondary
D. Primary will keep running HA disk replication and No failover to Secondary
Correct answer: A
Question 4:
A deployment professional needs to configure the IBM QRadar systems so that data is forwarded to one or more vendor systems, such as ticketing or alerting systems.
Which event format options can the deployment professional use for forwarding destination configuration?
A. payload, normalized and json
B. json, cef and payload
C. normalized, json and cef
D. leef, json and cef
Correct answer: A
Question 5:
A deployment professional is redesigning the existing deployment to add an event processor because of an increased event rate. The deployment professional observes a combined 30,000 events per second (EPS) from two event collectors (EC1 and EC2), which sometimes exceeds the EPS capacity. EC1 and EC2 are in the same network segment.
Considering that more licenses are available in the license pool than are needed, which processor should the deployment professional replace the event collector(s) with?
A. Replace EC1 and EC2 with one QRadar Event Processor 1629
B. Replace EC1 and EC2 with one QRadar Event Processor 1605
C. Replace EC1 with one QRadar Event Processor 1605
D. Replace EC1 with one QRadar Event Processor 1648
Correct answer: A
Tanaka -
IBM's C1000-055 question set, which keeps up with revisions to the exam questions, is excellent.