Number of questions: 60
Time allowed in minutes: 115
Required passing score: 60%
IBM Certified Deployment Professional – Security QRadar SIEM V7.2.7
The test consists of 6 sections containing a total of approximately 60 multiple-choice questions. The percentages after each section title reflect the approximate distribution of the total question set across the sections.
Section 1 – Planning (25%)
Select the different Security QRadar SIEM components required to make up a suitable distributed deployment (e.g. Cloud, hardware or virtual machine; using QRadar Consoles, event and flow collectors, event and flow processors, and data nodes; considering logical networks, security constraints, and bandwidth; etc.).
Determine the required sizing, encompassing current usage and projected growth, of the overall installation (e.g. number of devices, handle the required how many events per second, how many flows per interval, how much storage is required for the solution, how to handle different geographical locations within the deployment, etc.).
Describe the purpose and limitations of the QRadar SIEM V7.2.7 high availability design (e.g. HA bandwidth, which hosts should be HA pairs, latency constraints, and network stability).
Determine how log source locations and information gathering mechanisms can affect QRadar component architecture (e.g. Windows Collection options).
Determine the method for receiving flows based on the architecture (e.g. regenerative taps, port mirrors/SPAN (Switched Port Analyzer) ports, NetFlow, etc.).
Outline common environmental data used and compare how they can be integrated (e.g. CMDB, User Information Sources, threat feeds, vulnerability scanners, REST-API, and ticketing systems).
Describe how the SIEM product interacts with other Security Intelligence QRADAR Modules (i.e. Risk Manager, Vulnerability Manager, and Incident Forensics).
Section 2 – Installation (13%)
Implement the appropriate software, Cloud or appliance installation and initial network configuration tasks for a given situation (e.g. ISO, DVD, USB, and recovering an appliance from a USB storage device; set up IP addresses, set up network aggregation links/NIC bonding (management interface), configuring QRadar to use external storage (SAN, iSCSI)).
Use deployment actions under system and license management to add additional managed hosts (e.g. set up encryption, configure off site source/target (non-storage), set up network aggregation links/NIC bonding (non-management interfaces), etc.).
Perform configuration of auto update (e.g. DSM, protocols; with or without internet Connection, etc.) (Level 3- Applying)Perform configuration of auto update (e.g. DSM, protocols; with or without internet Connection, etc.).
Determine which version of QRadar should be used when adding managed hosts into an environment (e.g. patch software, latest build of QRadar, original version of QRadar in place, how it affects managed host, HA, etc.).
Implement and optimize HA pairing (e.g. adding HA cluster to the host, demonstrating a high availability installation, determining which hosts to HA, order of installation, patching, etc.).
Summarize IMM configuration and firmware update mechanisms (e.g. changing passwords, obtaining SSL certificates, setting IP addresses, etc.).
Section 3 – Configuration (20%)
Differentiate which information will need to be put into a network hierarchy, how it relates to rule tests, and whether domains are required.
Determine the appropriate authentication and access control method(s) to use for a given environment (i.e. using the local repository, active directory, LDAP, radius, TACACS, domains and multi-tenancy, etc.) (Level 4- Analyzing)Determine the appropriate authentication and access control method(s) to use for a given environment (i.e. using the local repository, active directory, LDAP, radius, TACACS, domains and multi-tenancy, etc.).
Summarize common system settings which need to be set for each specific environment (e.g. initial system settings; administrative e-mail address, e-mail locale, and database settings, etc.).
Demonstrate configuring log sources (e.g. wincollect, syslog, log source extensions, custom QID entries, event mapping, log source groups, etc.).
Demonstrate configuring flow sources (e.g. different types of flow sources, Jflow, Sflow, netflow, PACKETEER, NAPATECH, etc.).
Demonstrate configuring scanners (e.g. configure different types of scanners and schedules, etc.).
Demonstrate configuring common administrative settings (e.g. configuration and data backups/restore, retention policies and buckets, routing rules, etc.).
Section 4 – General Operational Tasks (17%)
Demonstrate basic event and flow investigation to assist rule development and troubleshooting (i.e. searches, quick filters and simple AQL).
Demonstrate Rule and Building Block creation and optimization to deliver basic use case logic and rule evaluation troubleshooting (e.g. Rule Tests, Rule Actions and Responses, Building Blocks, Test ordering, the False Positive Rule, etc.).
Understand Custom Event and Flow properties, where they are used, how to create them and troubleshooting issues involving them (e.g. simple regex, ‘optimization for rules and searches’, scoping to logs sources/events to minimize evaluation frequency, etc.).
Choose between the four types of reference data and illustrate how the data within them can be manipulated (Aging out, CLI, REST-API and rule responses), what each type would be used for (e.g. transient data storage, rule tests, AQL enrichment, etc.) and how to investigate issues with them.
Understand where historical correlation can be used to review old data or data received in ‘batch mode’.
Discuss the performance, storage and network impact of Local vs Global rule evaluation in a distributed environment.
Section 5 – Performance Optimization and Tuning (15%)
Explain which configuration actions should be taken to make default rule sets useful (e.g. network hierarchy, server discovery and host definition building blocks, host identification, tuning building blocks, etc.).
Perform SIEM performance optimization (e.g. performance limitations, network bandwidth, Disk IO, number of concurrent searches, rules for optimizing EPS, event and flow custom properties, backend scripts, etc.) .
Infer when expensive rules and properties are automatically managed and investigated (i.e. automatic versus manual investigation, reference data, etc.).
Administer aggregated data management (e.g. determining issues with report data, disable any unnecessary views/reports, etc.).
Analyze index management requirements for an environment (e.g. determine which properties to index; understand when to index, etc.).
Section 6 – Administration and Troubleshooting (10%)
Demonstrate the investigation of offenses that are not standardized (e.g. navigate through offenses, related events and flows, analyze offenses, state the difference between an Offense and a Triggered Rule, etc.).
Demonstrate how to monitor and investigate network and log activity search issues (e.g. filtering, searching, grouping and sorting, saving searches and creating reports, creating dashboard widgets from searches, viewing audit logs, indexed fields and quick filter, etc.).
Diagnose asset management and server discovery problems (e.g. vulnerabilities, filtering, searching, grouping, sorting, saving searches on assets, importing, exporting, populating asset databases, etc.).
Diagnose system notifications regarding performance problems or system failures (e.g. dropping events, HA System Failed, I/O error, how to get logs for support tickets, license restrictions, etc.).
IBM Certified Deployment Professional – Security QRadar SIEM V7.2.7
Job Role Description / Target Audience
This intermediate level certification is intended for deployment professionals who are responsible for the planning, installation, configuration, performance optimization, tuning, troubleshooting, and administration of an IBM Security QRadar SIEM V7.2.7 deployment. These individuals are able to complete these tasks with little to no assistance from documentation, peers or support.
To attain the IBM Certified Deployment Professional – Security QRadar SIEM V7.2.7 certification, candidates must pass 1 test. To prepare for the test, it is recommended to refer to the job role description and recommended prerequisite skills, and click the link to the test below to refer to the test objectives and the test preparation tab.
Recommended Prerequisite Skills
· basic system architecture design
· IBM Security QRadar SIEM V7.2.7 architecture and components
· vulnerability scanners
Working knowledge of:
· security technologies such as firewalls, encryption using keys, SSL, HTTPS,
· regular expressions
· building and managing IBM Security QRadar SIEM V7.2.7 rules and reports
· IBM Security QRadar SIEM V7.2.7 prerequisite software
· LINUX operating system such as vi, iptables, ssh, cat, tail, grep, etc.
QUESTION: No: 1
Which CLI command should be used to change the default password from PASSWORD to S3cure for the username USERID?
A. /opt/ibm/toolscenter/asu/asu set IMM. Password S3cure –ksu
B. /opt/ibm/toolscenter/asu/asu set IMM. Password.1 S3cure –ksu
C. /opt/ibm/toolscenter/asu/asu64 set IMM. Password S3cure — ksu
D. /opt/ibm/toolscenter/asu/asu64 set IMM.Password.1 S3cure — ksu
To reset the IMM password use the following command:
/opt/ibm/toolscenter/asu64 set |MM.Password.1 NewPassword –kcs
QUESTION: No: 2
A Deployment Professional is performing a new deployment, and the customer wants to monitor network
traffic by sending raw data packets from a network device to IBM Security QRadar SEAM V7.2.7.
Which method should be used?
A. AGP card
B. Napatech card
C. SFIow protocol
D. NetFIow protocol
You can monitor network traffic by sending raw data packets to a IBM QRadar QFIow Collector 1310
appliance. The QRadar QFIow Collector uses a dedicated Napatech monitoring card to copy incoming
packets from one port on the card to a second port that connects to a IBM Security QRadar Packet
QUESTION: No: 3
A Deployment Professional was asked to investigate the following error:
Custom Rule Engine has detected a total of 20487 dropped event(s).
20487 event(s) were dropped in the last 62 seconds. Queue is at 99 percent capacity
The Deployment Professional needs to run the command “/opt/qradar/bin/findExpensiveCustomRuIes.sh”
to gather the necessary troubleshooting logs.
When should this command be run?
A. Right after a reboot
B. Run “service hostcontext restart” first
C. While the system is dropping events
D. Restart ECS, then run command
The script “findExpensiveCustomRuIes.sh” script is designed to query the QRadar data pipeline and
report on the processing statistics from the Custom Rules Engine (CRE). The script monitors metrics and
collecting statistics on how many events hit each rule, how long it takes to process a rule, total execution
time and average execution time. When the script completes it turns off these performance metrics. The
findExpensiveCustomRuIes script is a useful tool for creating on demand reports for rule performance, it
is not a tool for tracking historical rule data in QRadar. The core functionality of this script is often run
when users begin to see drops in events or events routed to storage between components in QRadar.
QUESTION: No: 4
A current banking customer has just expanded by purchasing a small rural bank with a low bandwidth
The customer wants to expand its current QRadar SIEIVI 3105 all-in-one deployment to capture log events
from the newly acquired branch and to forward them on a schedule, after hours during the trough of
activity to the main branch. There is plenty of room for this additional EPS growth.
Which device will meet the requirements?
A. 1202 QFIow Collector
B. 1400 Data Node
C. 1501 Event Collector
D. 1605 Event Processor
The IBM Security QRadar Event Processor 1605 (MTM 4380-Q1E) appliance is a dedicated event
processor that you can scale your QRadar deployment to manage higher EPS rates. The QRadar Event
Processor 1605 appliance includes an on-board event collector, event processor, and internal storage for
With the Basic License the capacity is 2500 EPS, and with an upgrade license it is 20000 EPS.