Question No. 1

An administrator is about to integrate logs from a custom firewall in a QRadar deployment using syslog. The SIEM has two domains, namely Domain A and Domain B. While reviewing the following sample logs, the

administrator notices a ''context'' keyword:

May 14 11:05:01 192.168.1.23 20190514 11:05:00 context=contextA permit 192.168.1.24 source:

10.10.1.15; source_port: 64094; destination: 10.10.13.34; service: 53; protocol: udp;

May 13 12:07:01 192.168.1.23 20190513 11:07:00 context=contextB permit 192.168.1.25 source:

10.10.1.15; source_port: 64094; destination: 10.10.13.34; service: 53; protocol: udp;

Which options assign the ''contextA'' logs to DomainA and the ''contextB'' logs to domain B? (Choose two.)

ACreate a single log source, create a ''Context'' custom event property, and assign the log to both domains
using a custom rule.

BCreate two individual log sources by configuring a separated logging instance for each context on the
firewall and assign each log source to the correct domain.

CCreate a single log source, create a ''Context'' custom event property, and assign the log to the correct
domain using custom event property value.

DCreate two individual log sources using the context value as log source identifier and assign each log
source to the correct domain.

ECreate a single log source, create a ''Context'' custom event property, and assign the log to the correct
domain using a custom rule.

Show Answer

Correct Answer: B, D

Question No. 2

An administrator needs to extract a property from an intrusion detection system (IDS) log. Using a regular

expression, the administrator wants to extract a specific part of the log showing the matching ''policy ID'' of the

IDS.

Which type of property must the administrator create?

ACustom event property

BCustom flow property

CCustom asset property

DNormalized event property

Show Answer

Correct Answer: D

Question No. 3

An administrator has been tasked to run all health checks at once using the DrQ command before a major

event happens, such as an upgrade.

What does the DrQ command do?

AIt runs all available checks in /opt/ibm/si/diagnostiq with the checkup mode and with the summary output
mode.

BIt shows all the available drives on the QRadar managed host.

CIt runs all available checks in /opt/ibm/si/diagnostiq and writes the results in a txt file.

DIt checks all the available drives on the QRadar managed host and writes the results on a txt file.

Show Answer

Correct Answer: A

t_drq_running_health_checks.html

Question No. 4

What should an administrator do to successfully upgrade an IBM Security QRadar system from an older

AVerify the upgrade path, and review the software, hardware and high availability requirements.

BVerify the upgrade path and update the QRadar apps.

CReview the release notes and review the architecture.

DReview the software, hardware and high availability requirements, and consider to update the firmware on
IBM Security QRadar appliances.

Show Answer

Correct Answer: A

b_qradar_upgrade.pdf (9)

Question No. 5

An administrator installed a new App Host and would like to move the existing applications from the Console to the App Host.

What steps should be performed?

AAdmin Tab > Extension Management > Click to change where apps are run

BAdmin Tab > System Settings > Move apps

CAdmin Tab > Extension Management > Move apps

DAdmin Tab > System and License Management > Click to change where apps are run

Show Answer

Correct Answer: D

Free IBM C1000-026 Exam Actual Questions

The questions for C1000-026 were last updated On Nov 22, 2024