IBM Security QRadar SIEM Interview Questions

www.infosectrain.com sales_at_infosectrain.com
  • 1. What is an index?
  • An index is a set of items that describe the data
    in a file and its location in the system.
    Indexing is done in real time or on request
    after the data has been collected. It makes
    searches easier and more efficient.
  • 2. What is index management?
  • Index management is used to control the indexing
    of the database on event and flow properties. The
    Index Management window in IBM QRadar lists
    properties on which indexing can be enabled.
    Indexed properties give better search
    performance.
  • The index management feature also provides the
    following statistics:
  • The percentage of saved searches that use the
    property
  • The volume of data written to disk by the
    index within the selected time frame
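As an added illustration that is not part of the original slides (my own code, not IBM's), the Python below models what an index is in the sense described above: a record of which values occur in a stored file and where each record sits. It appends constructed events to a file, indexes two properties by byte offset so that a search can seek straight to the matching records instead of scanning every line, and computes the two statistics the slide lists for one property. The event fields, saved searches and property names are all constructed for the example.

```python
import json
import os
import tempfile
from collections import defaultdict

# Constructed sample events; property names mirror common QRadar event fields.
EVENTS = [
    {"sourceip": "10.0.0.5", "username": "alice", "eventname": "Login Success"},
    {"sourceip": "10.0.0.9", "username": "bob", "eventname": "Login Failure"},
    {"sourceip": "10.0.0.5", "username": "alice", "eventname": "Login Failure"},
    {"sourceip": "192.0.2.7", "username": "carol", "eventname": "Login Success"},
]

# Constructed saved searches: each records which properties its filters use.
SAVED_SEARCHES = [
    {"name": "failed logins by source", "filters": ["sourceip", "eventname"]},
    {"name": "activity per user", "filters": ["username"]},
]


def write_event_file(path, events):
    """Append one JSON record per line; return the byte offset where each record starts."""
    offsets = []
    with open(path, "wb") as fh:
        for ev in events:
            offsets.append(fh.tell())
            fh.write((json.dumps(ev) + "\n").encode())
    return offsets


def build_index(events, offsets, indexed_properties):
    """index[property][value] -> offsets of the records carrying that value (their location)."""
    index = {prop: defaultdict(list) for prop in indexed_properties}
    for ev, off in zip(events, offsets):
        for prop in indexed_properties:
            if prop in ev:
                index[prop][ev[prop]].append(off)
    return index


def indexed_search(path, index, prop, value):
    """Seek straight to the records the index points at; only indexed properties get this path."""
    hits = []
    with open(path, "rb") as fh:
        for off in index.get(prop, {}).get(value, []):
            fh.seek(off)
            hits.append(json.loads(fh.readline()))
    return hits


def full_scan(path, prop, value):
    """What a search on a non-indexed property has to do: read and test every record."""
    with open(path, "rb") as fh:
        return [ev for ev in map(json.loads, fh) if ev.get(prop) == value]


def index_statistics(index, saved_searches, prop):
    """Percentage of saved searches filtering on prop, and the bytes the index for prop occupies."""
    using = sum(1 for s in saved_searches if prop in s["filters"])
    pct = 100.0 * using / len(saved_searches) if saved_searches else 0.0
    size = len(json.dumps(index.get(prop, {})).encode())
    return pct, size


def demo():
    """Index two properties, compare an indexed search with a full scan, report statistics."""
    path = os.path.join(tempfile.mkdtemp(), "events.log")
    offsets = write_event_file(path, EVENTS)
    index = build_index(EVENTS, offsets, ["sourceip", "username"])
    fast = indexed_search(path, index, "sourceip", "10.0.0.5")
    slow = full_scan(path, "sourceip", "10.0.0.5")
    pct, size = index_statistics(index, SAVED_SEARCHES, "sourceip")
    return {"indexed_hits": fast, "scan_hits": slow,
            "offsets": index["sourceip"]["10.0.0.5"],
            "pct_searches": pct, "index_bytes": size}


if __name__ == "__main__":
    print(demo())
```

Both search paths return the same records; the difference is that the indexed path touches only the offsets listed for the value, which is the optimisation the slide refers to, at the cost of the index bytes reported by the statistics.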

  • 3. What is the function of the index management
    toolbar?
  • The index management toolbar lets you perform
    the following functions:
  • Enabling the index: choose the property you want
    to index in the index management list and
    click the Enable Index icon.
  • Disabling the index: choose the property in the
    index management list and click the Disable
    Index icon.
  • Quick search: find a property in the index
    management list by typing a keyword related to
    that property in the quick search field.
  • 4. What is a reference set?
  • In IBM Security QRadar, reference sets are used
    to store data in a list format. A reference set
    stores business data such as IP addresses and
    usernames collected from the events and flows
    occurring in the network. It holds unique values
    and is used when searching, filtering and
    testing rule conditions.


  • 5. How can we add elements to a reference set?
  • Before adding elements to a reference set, make
    sure the .csv file is stored on the system.
    The procedure for adding elements to a
    reference set is as follows:
  • Open the navigation menu and click Admin.
  • In the System Configuration section, click
    Reference Set Management.
  • Select the reference set to which you want to add
    elements.
  • Click View Contents and select the Content tab.
  • Click Select File and browse to the .csv file that
    you want to import.
  • Select the domain to which you want to add the
    reference set data.
  • Click Import.
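The CSV import and the "unique values" behaviour of questions 4 and 5, modelled locally as an added example (not QRadar's own code or API): a small ReferenceSet class loads elements from CSV text, drops blanks and duplicates, and is then used as a rule condition over constructed events. The CSV content, the event fields and the rule are all constructed for the example.

```python
import csv
import io

# Constructed CSV text, like a list of watch-listed addresses exported for import (not real data).
SAMPLE_CSV = """\
198.51.100.10
203.0.113.5
198.51.100.10
 203.0.113.77 

"""

# Constructed events against which the rule condition is tested.
EVENTS = [
    {"sourceip": "198.51.100.10", "eventname": "SSH Login"},
    {"sourceip": "10.0.0.4", "eventname": "SSH Login"},
    {"sourceip": "203.0.113.77", "eventname": "HTTP Request"},
]


class ReferenceSet:
    """Stand-in for a QRadar reference set: a named collection of unique values."""

    def __init__(self, name):
        self.name = name
        self.values = set()

    def import_csv(self, text):
        """Add every non-blank cell as an element; a value already present is not stored twice."""
        added = 0
        for row in csv.reader(io.StringIO(text)):
            for cell in row:
                value = cell.strip()
                if value and value not in self.values:
                    self.values.add(value)
                    added += 1
        return added

    def contains(self, value):
        return value in self.values


def source_ip_in_set(event, refset):
    """Rule condition: the event's source IP is an element of the reference set."""
    return refset.contains(event.get("sourceip", ""))


def matching_events(events, refset):
    """Events satisfying the condition; a search filter would use the same membership test."""
    return [ev for ev in events if source_ip_in_set(ev, refset)]


if __name__ == "__main__":
    rs = ReferenceSet("watchlist_ips")
    print("imported", rs.import_csv(SAMPLE_CSV), "unique elements")
    print([ev["sourceip"] for ev in matching_events(EVENTS, rs)])
```

Importing the same file twice adds nothing the second time, which is the property that makes a reference set safe to refresh from a periodically exported list.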

  • 6. What is the function of the QRadar QFlow
    Collector?
  • The QRadar QFlow Collector collects network flows
    from the devices connected to a network. It also
    collects live and recorded feeds such as network
    taps, NetFlow and QRadar flow logs.
  • 7. How can we schedule the updates?
  • IBM Security QRadar updates automatically on a
    recurring schedule according to the settings on
    the update configuration page. Users can schedule
    a large update to run during off-hours so that
    system performance is not affected.
  • The procedure for scheduling updates is as
    follows:
  • Open the navigation menu and click Admin to
    open the Admin tab.
  • In the System Configuration section, click
    Auto Update.
  • From the Schedule list, select the type of
    updates that you want to schedule.
  • Use the calendar to choose the day and time when
    you want the update to begin.

  • 8. How can we view the pending updates?
  • Pending updates are viewed in the Updates
    window. The system is preconfigured for weekly
    automatic updates. If no updates are shown, the
    system may not have been running long enough
    to fetch any, in which case you have to check
    for updates manually.
  • To check for updates, follow the procedure
    below:
  • Click the navigation menu and select Admin.
  • In the System Configuration section, select
    Auto Update.
  • To view the details of an update, select it.
  • 9. What is a retention bucket?
  • Retention buckets determine how long event data
    and flow data remain in IBM Security QRadar.
    Each event or flow received by QRadar is
    compared against the retention bucket filter
    criteria and stored in the matching bucket.
    The data is automatically deleted once the
    retention period is over. By default, this
    period is set to 30 days.





  • 10. How do you manage the sequence of retention
    buckets?
  • Retention buckets are sequenced in order from the
    top row to the bottom row, and the order can be
    changed as required. Data is stored in a
    retention bucket if it matches the criteria
    of that bucket. The sequence of retention
    buckets is changed as follows:
  • Open the navigation menu and select Admin to
    open the Admin tab.
  • In the Data Sources section, click
    Event Retention or Flow Retention.
  • In the Tenant list, select the tenant for the
    retention bucket.
  • Select the row of the retention bucket and click
    Up or Down to move the bucket.
  • Click Save.
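An added example, not from the original slides and not IBM's code, showing why the bucket sequence of questions 9 and 10 matters: buckets are evaluated from the top row down and the first bucket whose filter criteria match keeps the data, so moving a catch-all bucket above a longer-retention bucket silently shortens retention for exactly the events the longer bucket was meant to keep. The bucket names, filter criteria and the one-year period are constructed; the 30-day default is the one the slide states.

```python
from datetime import datetime, timedelta

DEFAULT_RETENTION_DAYS = 30  # the default period stated on the slide


class RetentionBucket:
    """A bucket: a name, its filter criteria (a predicate over the event) and a retention period."""

    def __init__(self, name, matches, retention_days=DEFAULT_RETENTION_DAYS):
        self.name = name
        self.matches = matches
        self.retention_days = retention_days


def assign_bucket(event, buckets):
    """Buckets are tried top to bottom; the first one whose filter matches keeps the event."""
    for bucket in buckets:
        if bucket.matches(event):
            return bucket
    return None


def deletion_time(event, buckets):
    """When the event is deleted: its arrival time plus the matched bucket's retention period."""
    bucket = assign_bucket(event, buckets)
    days = bucket.retention_days if bucket else DEFAULT_RETENTION_DAYS
    return event["time"] + timedelta(days=days)


def move_bucket(buckets, name, step):
    """Move the named bucket one row up (step=-1) or down (step=+1), like the Up/Down buttons."""
    i = next(k for k, b in enumerate(buckets) if b.name == name)
    j = i + step
    if 0 <= j < len(buckets):
        buckets[i], buckets[j] = buckets[j], buckets[i]
    return buckets


def sample_buckets():
    """Constructed sequence: a one-year bucket for authentication events above a 30-day catch-all."""
    return [
        RetentionBucket("Authentication events",
                        lambda e: e["category"] == "Authentication", 365),
        RetentionBucket("All other events", lambda e: True),
    ]


# Constructed event; the category value is illustrative, not a QRadar category id.
SAMPLE_EVENT = {"category": "Authentication", "sourceip": "10.0.0.5",
                "time": datetime(2024, 1, 1, 12, 0)}


if __name__ == "__main__":
    buckets = sample_buckets()
    print(assign_bucket(SAMPLE_EVENT, buckets).name, deletion_time(SAMPLE_EVENT, buckets))
    move_bucket(buckets, "All other events", -1)   # catch-all now sits above the auth bucket
    print(assign_bucket(SAMPLE_EVENT, buckets).name, deletion_time(SAMPLE_EVENT, buckets))
```

The second print shows the same authentication event landing in the 30-day catch-all after one Up click, which is the mistake to look for when a retention review finds evidence missing earlier than policy allows.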





  • 11. How can we define our network hierarchy in
    IBM Security QRadar?
  • The network hierarchy in IBM Security QRadar is
    used to monitor activity across groups or
    services in the network. A well-configured
    network hierarchy is essential for building a
    reliable database and for determining flow
    direction. QRadar has a default network
    hierarchy that contains predefined network
    groups and objects. We can edit these objects
    and groups, or add new ones, by following the
    procedure below:
  • Open the Admin tab from the navigation menu,
    click System Configuration and select Network
    Hierarchy.
  • In the Network View window, select the part of
    the network in which you want to work.
  • To add network objects:
  • Enter a name and description for the object.
  • From the Group list, select the group.
  • Type a CIDR range for the object and click Add.
  • Repeat the above steps for all network objects.
  • Click Edit or Delete to change or remove
    existing network objects.





  • 12. What is an event processor?
  • The event processor in IBM QRadar processes the
    event data collected from the various event
    collectors. Event processors are assigned local
    storage. The events are compared with the
    predefined rules on the QRadar console. If an
    event matches a rule, the event processor acts
    according to the rule response.
  • 13. What are custom offense close reasons?
  • Whenever a user closes an offense on the
    Offenses tab, a close offense window appears.
    The user has to select a reason from the
    "reason for closing the offense" box. There
    are three default reasons:
  • False-positive
  • Non-issue
  • Policy violation
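An added example modelling the event processor behaviour described in question 12 (my own code, not IBM's): events are kept in local storage, each one is compared against the predefined rules, and a matching rule runs its response. The events, the two rules (a repeated-failure threshold and a success-after-failures rule) and the response names are all constructed for the example.

```python
from collections import defaultdict

# Constructed events, as an event collector might forward them (not real QRadar data).
EVENTS = [
    {"sourceip": "10.0.0.9", "username": "bob", "eventname": "Login Failure"},
    {"sourceip": "10.0.0.9", "username": "bob", "eventname": "Login Failure"},
    {"sourceip": "10.0.0.9", "username": "bob", "eventname": "Login Failure"},
    {"sourceip": "10.0.0.5", "username": "alice", "eventname": "Login Success"},
    {"sourceip": "10.0.0.9", "username": "bob", "eventname": "Login Success"},
]


class Rule:
    """A predefined rule: a test over the event and processor state, plus a response name."""

    def __init__(self, name, test, response):
        self.name = name
        self.test = test
        self.response = response  # constructed names: "create_offense" or "annotate"


class EventProcessor:
    """Stores events locally, compares each against the rules and runs the matching responses."""

    def __init__(self, rules):
        self.rules = rules
        self.storage = []                 # the processor's local event storage
        self.failures = defaultdict(int)  # per-source counter used by the threshold rule
        self.offenses = []

    def process(self, event):
        """Store the event, update state, then evaluate every rule; return the rules that fired."""
        self.storage.append(event)
        if event["eventname"] == "Login Failure":
            self.failures[event["sourceip"]] += 1
        fired = []
        for rule in self.rules:
            if rule.test(event, self):
                fired.append(rule.name)
                self.respond(rule, event)
        return fired

    def respond(self, rule, event):
        """The rule response: open an offense or tag the stored event."""
        if rule.response == "create_offense":
            self.offenses.append({"rule": rule.name, "sourceip": event["sourceip"]})
        elif rule.response == "annotate":
            event.setdefault("annotations", []).append(rule.name)


def sample_rules():
    """Two constructed rules: three failures from one source, and a success after those failures."""
    return [
        Rule("Repeated login failures",
             lambda e, p: e["eventname"] == "Login Failure" and p.failures[e["sourceip"]] >= 3,
             "create_offense"),
        Rule("Success after failures",
             lambda e, p: e["eventname"] == "Login Success" and p.failures[e["sourceip"]] >= 3,
             "annotate"),
    ]


def run(events=EVENTS, rules=None):
    """Feed the events through one processor; return it and the per-event list of fired rules."""
    proc = EventProcessor(rules or sample_rules())
    fired = [proc.process(dict(ev)) for ev in events]
    return proc, fired


if __name__ == "__main__":
    proc, fired = run()
    print(fired)
    print(proc.offenses)
```

The third failure opens the offense and the later success from the same source is only annotated, which is the usual shape of a rule chain: one rule raises the alert and a second enriches what follows so the analyst sees the outcome of the attempt.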




  • The admin can add, edit and delete custom
    offense close reasons from the Admin tab.
  • 14. How do you create an on-demand backup archive?
  • IBM QRadar SIEM automatically creates a backup of
    the configuration information at midnight. The
    user can schedule the backup time as
    convenient.
  • To create an on-demand backup archive, follow
    the procedure below:
  • Open the Admin tab.
  • In the System Configuration section, click
    Backup and Recovery.
  • Click On Demand Backup.
  • Enter values for the name and description.
  • Click Run Backup.





  • 15. What is the use of remote networks and
    service groups in QRadar SIEM?
  • Remote network and service groups represent
    traffic activity on the network. All remote
    networks and services have group levels and
    leaf object levels. Remote network groups show
    the user traffic coming from a specific remote
    network. Users can edit the remote network and
    service groups by adding objects to an existing
    group or by changing the predefined properties.
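An added example, not the original page's or IBM's code, that serves both the network hierarchy steps of question 11 and the remote network groups of question 15: local network objects are CIDR ranges grouped under named groups, adding an object validates the CIDR, remote network groups label traffic from specific outside ranges, and the local hierarchy is what decides flow direction. The direction labels L2L, L2R, R2L and R2R are QRadar's flow direction values; the groups, object names and CIDR ranges are constructed.

```python
import ipaddress

# Constructed local network hierarchy: group -> [(object name, CIDR)]. Not QRadar's default hierarchy.
NETWORK_HIERARCHY = {
    "Servers": [("DMZ web", "192.0.2.0/26"), ("Internal app", "10.10.0.0/16")],
    "Workstations": [("Office LAN", "10.20.0.0/16")],
}

# Constructed remote network groups: ranges outside the hierarchy that are still worth labelling.
REMOTE_NETWORKS = {
    "Partners": [("Partner VPN", "198.51.100.0/24")],
}


def build_objects(groups):
    """Flatten group -> objects into (group, name, network) triples, validating each CIDR."""
    objects = []
    for group, members in groups.items():
        for name, cidr in members:
            # strict=True rejects a CIDR with host bits set, e.g. 10.10.1.5/16
            objects.append((group, name, ipaddress.ip_network(cidr, strict=True)))
    return objects


def add_object(objects, group, name, cidr):
    """The 'add network object' step: returns the new triple, or raises ValueError for a bad CIDR."""
    net = ipaddress.ip_network(cidr, strict=True)
    objects.append((group, name, net))
    return objects[-1]


def lookup(ip, objects):
    """Most specific (longest prefix) object containing ip, or None if ip is outside every object."""
    addr = ipaddress.ip_address(ip)
    best = None
    for group, name, net in objects:
        if addr in net and (best is None or net.prefixlen > best[2].prefixlen):
            best = (group, name, net)
    return best


def flow_direction(src, dst, local_objects):
    """Label a flow L2L, L2R, R2L or R2R by whether each endpoint is inside the local hierarchy."""
    s = "L" if lookup(src, local_objects) else "R"
    d = "L" if lookup(dst, local_objects) else "R"
    return f"{s}2{d}"


def classify_flow(src, dst, local_objects, remote_objects):
    """Direction plus the local or remote group/object each endpoint falls in (None if unlabelled)."""
    def label(ip):
        hit = lookup(ip, local_objects) or lookup(ip, remote_objects)
        return f"{hit[0]}/{hit[1]}" if hit else None
    return {"direction": flow_direction(src, dst, local_objects),
            "src": label(src), "dst": label(dst)}


if __name__ == "__main__":
    local = build_objects(NETWORK_HIERARCHY)
    remote = build_objects(REMOTE_NETWORKS)
    print(classify_flow("198.51.100.7", "192.0.2.10", local, remote))
    print(classify_flow("10.20.1.5", "203.0.113.9", local, remote))
```

A host that belongs to the organisation but sits in a range missing from the hierarchy is classified as remote, so its traffic to real local hosts is reported as R2L; that is the practical reason the slide calls a well-configured hierarchy essential for flow direction.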




About InfosecTrain
  • Established in 2016, we are one of the finest
    Security and Technology Training and Consulting
    companies
  • Wide range of professional training programs,
    certifications and consulting services in the IT
    and Cyber Security domain
  • High-quality technical services, certifications
    or customized training programs curated by
    professionals with over 15 years of combined
    experience in the domain

Our Endorsements
Why InfosecTrain
Global Learning Partners
Access to the recorded sessions
Certified and Experienced Instructors
Flexible modes of Training
Tailor Made Training
Post training completion
Our Trusted Clients
Contact us
Get your workforce reskilled by our certified and
experienced instructors!
IND 1800-843-7890 (Toll Free) / US 1
657-221-1127 / UK 44 7451 208413
sales_at_infosectrain.com
www.infosectrain.com