C1000-162: IBM Security QRadar SIEM V7.5 Analysis

Full Name: IBM Security QRadar SIEM V7.5 Analysis

Exam Code: C1000-162

Certification Overview

This intermediate-level certification is intended for security analysts who wish to validate their comprehensive knowledge of IBM Security QRadar SIEM V7.5. These security analysts will understand basic networking, basic IT security, SIEM concepts, and QRadar concepts.

They will also understand how to log in to, navigate within, and explain the capabilities of the product using the graphical user interface. Additionally, they will be able to identify the causes of offenses and to access, interpret, and report security information in a QRadar deployment.

Note: This exam includes the apps installed with the product: Use Case Manager, QRadar Assistant, Log Source Manager, and Pulse. The function of specific apps other than these is out of scope, but the concept of extending QRadar's capabilities by using apps is in scope. The exam does not cover the SaaS offering, QRadar on Cloud (QRoC).

IBM Security QRadar SIEM Analysis Exam Summary:

Exam Name: IBM Certified Analyst - Security QRadar SIEM V7.5
Exam Code: C1000-162
Exam Price: $200 (USD)
Duration: 90 mins
Number of Questions: 64
Passing Score: 64%

IBM C1000-162 Exam Syllabus Topics (with exam weights):

Offense Analysis (Weight: 23%)

- QRadar uses rules to monitor the events and flows in your network to detect security threats. When events and flows meet the test criteria defined in a rule, an offense is created to indicate that a security attack or policy breach is suspected. Knowing that an offense occurred is only the first step: offense analysis is about identifying how it happened, where it happened, and who the players involved in the offense are.

◉ Triage an initial offense
◉ Analyze fully matched and partially matched rules
◉ Analyze an offense and its associated IP addresses
◉ Recognize MITRE threat groups and actors
◉ Perform offense management
◉ Describe the use of the magnitude within an offense
◉ Identify Stored and Unknown events and their source
◉ Outline simple offense naming mechanisms
◉ Create customized searches

Rules and Building Block Design (Weight: 18%)

- QRadar rules are applied to all incoming events, flows, or offenses to search for or detect anomalies. If all the conditions of a test are met, the rule generates a response. A building block is a collection of tests that does not result in a response or an action; it groups commonly used tests so that complex logic can be built once and reused in rules. As an Analyst you need to fully understand how rules and building blocks are designed and used. Although you are not responsible for implementing new rules and building blocks or tuning existing ones, you can and should recommend updates to QRadar components that may improve rule and building block design, based on your daily exposure to them.

◉ Interpret rules that test for regular expressions
◉ Create and manage reference sets and populate them with data
◉ Identify the need for QRadar Content Packs
◉ Analyze rules that use event and flow data
◉ Analyze building blocks: host definition, category definition, and port definition
◉ Review and understand the network hierarchy
◉ Review and recommend updates to building blocks and rules
◉ Describe the different types of rules, including behavioral, anomaly, and threshold rules

Threat Hunting (Weight: 24%)

- After the initial offense analysis, and drawing on technical skills in understanding QRadar rules and building block design, it is time to focus on the Analyst's main task: threat hunting. Starting with the results presented in an offense, the Analyst investigates the evidence inside the offense, such as event and flow details, triggered rules, payloads, and more. Utilizing filters and advanced searches, the Analyst is able to distinguish real threats from false positives.

◉ Investigate event and flow parameters
◉ Perform an AQL query
◉ Search and filter logs
◉ Configure a search to utilize time series
◉ Analyze potential IoCs
◉ Break down triggered rules to identify the reason for the offense
◉ Distinguish potential threats from probable false positives
◉ Add a reference-set-based filter in log analysis
◉ Investigate the payload for additional details on the offense
◉ Recommend adding new custom properties based on payload data
◉ Perform "right-click investigations" on offense data

Dashboard Management (Weight: 14%)

- Use the QRadar Dashboard tab to focus on specific areas of your network security. The workspace supports multiple dashboards on which you can display your views of network security, activity, or collected data. You can use the QRadar Pulse app for an enhanced dashboard experience.

◉ Use the default QRadar dashboard to create, view, and maintain a dashboard based on common searches
◉ Use Pulse to create, view, and maintain a dashboard based on common searches

Searching and Reporting (Weight: 21%)

- Effectively utilizing QRadar's search capability is one of the foundational skills for an Analyst. These capabilities include filtering event, flow, and asset-related data as well as creating quick and advanced searches, including searches written in the Ariel Query Language (AQL). Filters and searches can be used in various parts of the QRadar UI.
- The Analyst can create, edit, distribute, and manage reports, including flexible options to satisfy the organization's various regulatory standards, such as PCI compliance, as well as offense- and threat-related reports.

◉ Explain the different uses and benefits of each Ariel search type
◉ Explain the different uses of each search type
◉ Perform an advanced search
◉ Filter search results
◉ Build threat reports
◉ Perform a quick search
◉ View the most commonly triggered rules
◉ Report events correlated in the offense
◉ Export search results in CSV or XML
◉ Create reports and advanced reports from offenses
◉ Share reports with users
◉ Search using indexed and non-indexed properties
◉ Create and generate scheduled and manual reports
