Q1

A financial services company is planning a multi-site QRadar V7.5 deployment. The primary data center will host the Console, an Event Processor, and a Flow Processor. A secondary disaster recovery (DR) site is required with a 4-hour Recovery Time Objective (RTO). The company wants to ensure that event and flow data collection is not interrupted at remote branch offices if the primary data center's WAN link fails. Each of the 10 branch offices generates approximately 1,500 EPS and 25,000 FPM. Which architectural component should be placed at each branch office to meet these requirements for resilient data collection?

Q2

A deployment professional is upgrading a distributed QRadar V7.3.3 environment running on RHEL 7 to V7.5.0, which requires a migration to RHEL 8. The environment consists of a Console, two Event Processors, and one Flow Processor. The upgrade plan involves a phased approach to minimize downtime. According to IBM's recommended upgrade path, what is the correct sequence for upgrading the appliances?

Q3 (multiple answers)

A Managed Security Service Provider (MSSP) is configuring a new multi-tenant QRadar V7.5 deployment. They need to ensure strict data segregation between two clients, Client A and Client B. Client A has a dedicated Event Collector on their premises, while Client B's logs are received by an Event Collector at the MSSP's data center. The MSSP needs to ensure that analysts for Client A can only see data originating from their dedicated collector and that this data is processed by a specific set of rules. Which TWO of the following QRadar features must be configured to achieve this level of segregation? (Select TWO).

Q4

During a new QRadar deployment, a consultant observes that events from a custom, in-house application are being incorrectly parsed. The logs are sent via syslog, but QRadar categorizes them as 'SIM Generic Log DSM' and most of the valuable payload data is not extracted into normalized fields. The goal is to create custom properties for 'TransactionID' and 'UserID' from the event payload. What is the first step the consultant should take to resolve the parsing issue before creating custom properties?
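The scenario above hinges on two regular-expression custom event properties that each read one value out of the raw payload. QRadar evaluates such a property as a Java regex and stores the contents of the capture group you select (group 1 by default), so it pays to validate the patterns against real payloads before entering them in the Console. The following Python script is an added illustration, not code from the page or from IBM: the application name, the syslog lines and the two regexes are constructed, and it checks only that the patterns behave as intended on sample data (Python's `re` and Java's `java.util.regex` agree on the simple constructs used here, so avoid Python-only syntax when porting a pattern to QRadar).

```python
import re
from typing import Dict, Optional

# Constructed syslog payloads from a hypothetical in-house application ("payapp").
# The third line is a heartbeat with neither field, to exercise the no-match path.
SAMPLE_PAYLOADS = [
    "<13>Mar 10 12:00:01 app01 payapp: txn=TX-48813 user=jdoe action=transfer amount=1200 status=ok",
    "<13>Mar 10 12:00:02 app01 payapp: txn=TX-48814 user=asmith action=login status=failed",
    "<13>Mar 10 12:00:03 app01 payapp: heartbeat ok",
]

# Hypothetical custom event properties: name -> (regex, capture group index).
# Each regex uses a single capture group, which is what QRadar reads as the value.
CUSTOM_PROPERTIES = {
    "TransactionID": (re.compile(r"\btxn=(TX-\d+)"), 1),
    "UserID": (re.compile(r"\buser=(\S+)"), 1),
}


def extract_property(payload: str, pattern: re.Pattern, group: int = 1) -> Optional[str]:
    """Return the selected capture group of the first match, or None if the payload does not match."""
    if group < 1 or group > pattern.groups:
        # A property whose capture-group index does not exist would never yield a value.
        raise ValueError(f"pattern {pattern.pattern!r} has {pattern.groups} group(s); cannot use group {group}")
    m = pattern.search(payload)
    return m.group(group) if m else None


def extract_all(payload: str) -> Dict[str, Optional[str]]:
    """Apply every configured custom property to one payload."""
    return {name: extract_property(payload, pat, grp) for name, (pat, grp) in CUSTOM_PROPERTIES.items()}


def coverage(payloads) -> Dict[str, int]:
    """Count, per property, how many payloads produced a value; low counts reveal a regex that is too narrow."""
    hits = {name: 0 for name in CUSTOM_PROPERTIES}
    for p in payloads:
        for name, value in extract_all(p).items():
            if value is not None:
                hits[name] += 1
    return hits


if __name__ == "__main__":
    for p in SAMPLE_PAYLOADS:
        print(extract_all(p))
    print(coverage(SAMPLE_PAYLOADS))
```

Run it once against a few hundred real payloads exported from the Log Activity tab; a property that matches far fewer lines than expected usually means the regex is anchored on text that varies between event types.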

Q5

A deployment specialist is configuring a QRadar All-in-One (AIO) appliance for a small enterprise. The security policy mandates that all administrative access to the QRadar Console must be authenticated against the company's central Active Directory; local QRadar user accounts (authenticated by the Console itself) must not be used for QRadar authentication. Which authentication module must be configured in QRadar to meet this requirement?

Q6

**Case Study**

A mid-sized regional hospital is deploying QRadar SIEM V7.5 to meet compliance requirements and enhance its security posture. The hospital's network is strictly segmented, with critical patient data systems residing in a high-security zone. All other systems, including clinical workstations and administrative servers, are in a general corporate zone. The CISO has mandated that network traffic between these zones must be monitored for anomalous behavior, but installing agents on the critical systems is strictly forbidden.

The initial deployment consists of a QRadar Console and a combined Event/Flow Processor located in the main data center, which is part of the general corporate zone. The network team has configured the core network switch, which handles all inter-zone traffic, to export NetFlow v9 records. The goal is to capture and analyze all traffic flowing between the high-security and general corporate zones.

To achieve this, the deployment professional plans to add a new QRadar appliance. The appliance must be able to receive the NetFlow data directly from the core switch without requiring an additional network tap or span port. The solution should be cost-effective and specifically designed for this purpose.

Which QRadar appliance should be deployed to collect and process the NetFlow v9 data from the core switch?

Q7

After a successful QRadar deployment, the security team reports a high volume of offenses related to 'SSH Brute Force Login Attempts' originating from the internal vulnerability scanner. This is expected and accepted behavior, but it is generating significant noise and distracting analysts from real threats. The team wants to prevent these specific events from generating offenses, but still needs to log the scanner's activity for audit purposes. Which is the most efficient method to achieve this without globally disabling the rule?
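The trade-off in this question is between suppressing the scanner's offenses and keeping its events: an exclusion applied inside the rule (for example a "NOT when the source IP is contained in reference set" test) means the scanner's events are still collected and searchable, only the offense trigger is skipped. The script below is an added illustration written for this page, not QRadar's rule engine or any IBM code: it replays constructed SSH events through a minimal threshold rule with and without an exclusion list, using the hypothetical reference set name `AUTHORIZED_SCANNERS` and made-up IP addresses, and returns both the offenses raised and every event that would still be logged.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Set, Tuple

Event = Tuple[datetime, str, str]  # (timestamp, source IP, event name)


def _ts(hms: str) -> datetime:
    return datetime(2024, 3, 10, *map(int, hms.split(":")))


def _burst(src: str, start: str, count: int, step_seconds: int) -> List[Event]:
    """Constructed burst of failed SSH logins from one source."""
    return [(_ts(start) + timedelta(seconds=i * step_seconds), src, "SSH Login Failed") for i in range(count)]


# Constructed sample data: an internal scanner, an external attacker, and a user who mistypes twice.
SAMPLE_EVENTS: List[Event] = sorted(
    _burst("10.20.30.40", "09:00:00", 8, 5)        # hypothetical vulnerability scanner
    + _burst("198.51.100.7", "09:05:00", 6, 10)    # hypothetical attacker
    + _burst("192.0.2.10", "09:07:00", 2, 30)      # benign user, below threshold
    + [(_ts("09:08:00"), "192.0.2.10", "SSH Login Succeeded")],
    key=lambda e: e[0],
)

# Hypothetical reference set of approved scanner addresses.
AUTHORIZED_SCANNERS: Set[str] = {"10.20.30.40"}


def evaluate_brute_force(
    events: Iterable[Event],
    excluded_sources: Set[str],
    threshold: int = 5,
    window: timedelta = timedelta(minutes=10),
) -> Tuple[Dict[str, datetime], List[Event]]:
    """Minimal 'N failed logins from one source within window' rule.

    Returns (offenses, logged): offenses maps source IP to the time the rule first fired;
    logged holds every event seen, including those from excluded sources, because the
    exclusion only bypasses the offense test, not collection.
    """
    logged: List[Event] = []
    offenses: Dict[str, datetime] = {}
    recent: Dict[str, deque] = defaultdict(deque)
    for ts, src, name in events:
        logged.append((ts, src, name))
        if name != "SSH Login Failed" or src in excluded_sources:
            continue
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures outside the sliding window
            q.popleft()
        if len(q) >= threshold and src not in offenses:
            offenses[src] = ts
    return offenses, logged


if __name__ == "__main__":
    with_exclusion, logged = evaluate_brute_force(SAMPLE_EVENTS, AUTHORIZED_SCANNERS)
    without_exclusion, _ = evaluate_brute_force(SAMPLE_EVENTS, set())
    print("offenses with exclusion:   ", sorted(with_exclusion))
    print("offenses without exclusion:", sorted(without_exclusion))
    print("events still logged:       ", len(logged))
```

The useful check is the second run: removing the exclusion makes the scanner reappear as an offense, which confirms the noise reduction comes from the exclusion alone and not from a weakened threshold that would also hide the real attacker.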

Q8

True or False: When deploying a QRadar High Availability (HA) pair, both the primary and secondary appliances must be the same appliance type, have identical hardware, and be running the same QRadar software version and patch level.

Q9

A deployment professional is using the QRadar Assistant App to manage applications in a new V7.5 environment. They need to find an application that provides visualizations for MITRE ATT&CK framework mappings. After installing the app, they want to ensure it is running correctly. Which section of the QRadar Assistant App should be used to check the status of installed applications and their resource consumption?

Q10

A system administrator is reviewing QRadar system notifications and frequently sees 'Asset Profile Changed' messages. Upon investigation, they find that asset profiles are being updated with new services and ports based on flow data, which is the desired behavior. However, the sheer volume of these informational notifications is making it difficult to spot more critical system health warnings. What is the most appropriate action to reduce the noise from these specific notifications while ensuring other system health messages are still delivered?