IBM C1000-018 Exam
IBM QRadar SIEM V7.3.2 Fundamental Analysis (Page 2)

Updated On: 26-Jan-2026

An analyst is noticing false positives from a single IP on a specific offense. How can the analyst tune the event rule to eliminate these false positives?

  A. Add the rule test "AND when IP address equals" to the bottom of the test list of the rule.
  B. Add the rule test "AND NOT when the offense is indexed by one of the following IP addresses".
  C. Add the rule test "AND NOT when IP address equals" to the bottom of the test list of the rule.
  D. Add the rule test "AND when IP address equals" to the top of the test list of the rule.

Answer(s): C



The graph below shows a time series of a value. A rule has been created which will trigger at the indicated point.

Which type of QRadar rule has been used?

  A. Common Rule
  B. Threshold Rule
  C. Behavioral Rule
  D. Anomaly Rule

Answer(s): B



Which filter would an analyst apply in the Log Activity tab to get a list of log sources not reporting to QRadar?

  A. Log source status does not equal active
  B. Custom rule equals device stopped sending events
  C. Log source type does not equal active
  D. Log source status does not equal error

Answer(s): A



An auditor has requested a report for all Offenses that have happened in the past month. This report generates at the end of every month but the auditor needs to have it for a meeting that is in the middle of the month.
What will happen to the scheduled report if the analyst manually generates this report?

  A. The scheduled report needs to be reconfigured.
  B. The analyst needs to delete the scheduled report and create a new one.
  C. The report will get duplicated so the analyst can then run one manually.
  D. The report still generates on the schedule initially configured.

Answer(s): B

Explanation:

Shared schedules must be deleted manually using the Schedules page in the web portal or the Shared Schedules folder in Management Studio. If you delete a shared schedule that is in use, all references to it are replaced with report-specific schedules.

If you delete a shared schedule that is used by multiple reports and subscriptions, the report server will create individual schedules for each report and subscription that previously used the shared schedule. Each new individual schedule will contain the date, time, and recurrence pattern that was specified in the shared schedule. Note that Reporting Services does not provide central management of individual schedules. If you delete a shared schedule, you will now have to maintain the schedule information for each individual item.


Reference:

https://docs.microsoft.com/en-us/sql/reporting-services/subscriptions/create-modify-and-delete-schedules?view=sql-server-ver15



Which statement about False Positive Building Blocks applies? Using False Positive Building Blocks:

  A. helps to prevent unwanted alerts, but there is no effect on performance.
  B. helps to prevent unwanted alerts, and reduces the performance impact of testing rules that do not need to be tested.
  C. has no impact on unwanted alerts, but it does reduce the performance impact of testing rules that do not need to be tested.
  D. has no impact on unwanted alerts, or performance.

Answer(s): A


Reference:

https://community.carbonblack.com/t5/Knowledge-Base/Cb-Defense-Understanding-Eliminating-Unwanted-Alerts/ta-p/44924


