IBM C1000-018 Exam
IBM QRadar SIEM V7.3.2 Fundamental Analysis (Page 3)

Updated On: 26-Jan-2026

An analyst is investigating an Offense and has found that a firewall appears to be misconfigured and has permitted traffic that should have been blocked.
As part of the firewall rule change process, the analyst needs to send the offense details to the firewall team to demonstrate that the firewall permitted traffic that should have been blocked.
How would the analyst send the Offense summary to an email mailbox?

  1. Find the CRE Event in the Log Activity tab, open the event detail and select ‘Email linked Offense details’ from the ‘Action’ menu.
  2. Search for the events linked to the Offense in the Log Activity tab, select all events, copy them using CTRL-C, then paste them into an email client.
  3. Open the Offense in the Offenses tab, select ‘Email’ from the ‘Action’ menu item and, optionally, add some extra information.
  4. Identify the Offense in the Offense list, right click on the Offense and select ‘Custom Action Script’; ‘Offense Mailer’

Answer(s): B



An analyst investigates an Offense that will need more research to outline what has occurred. The analyst marks a ‘Follow up’ flag on the Offense.
What happens to the Offense after it is tagged with a ‘Follow up’ flag?

  1. Only the analyst issuing the follow up flag can now close the Offense.
  2. New events or flows will not be applied to the Offense.
  3. A flag icon is displayed for the Offense in the Offense view.
  4. Other analysts in QRadar get an email to look at the Offense.

Answer(s): C

Explanation:

The offense now displays the follow-up icon in the Flag column.


Reference:

https://www.ibm.com/docs/en/qsip/7.4?topic=actions-marking-offense-follow-up



What event information within an offense would provide the analyst with a deep insight as to how it was created?

  1. Event Category
  2. Event QID
  3. Event Payload
  4. Event Magnitude

Answer(s): D



An analyst needs to create a new custom dashboard to view dashboard items that meet a particular requirement.
What are the main steps in the process?

  1. Select New Dashboard and enter unique name, description, add items and save.
  2. Select New Dashboard and copy name, add description, items and save.
  3. Request the administrator to create the custom dashboard with required items.
  4. Locate existing dashboard and modify to include indexed items required and save.

Answer(s): C

Explanation:

To create or edit your dashboards, log in as an administrator, click the Dashboards tab, and then click the gear icon. In edit mode, you can create new dashboards, add and remove widgets, edit display values in existing widgets, and reorder tabs.


Reference:

https://documentation.solarwinds.com/en/success_center/tm/content/threatmonitor/tm-editdashboards.htm



What is the maximum time period for 3 subsequent events to be coalesced?

  1. 10 minutes
  2. 10 seconds
  3. 5 minutes
  4. 60 seconds

Answer(s): B

Explanation:

Event coalescing starts after three events have been found with matching properties within a 10 second window.


Reference:

https://www.ibm.com/support/pages/qradar-how-does-coalescing-work-qradar



Viewing page 3 of 22
Viewing questions 11 - 15 out of 103 questions


