What is the key difference between Rules and Building Blocks in QRadar?
A. Rules have Actions and Responses; Building Blocks do not.
B. The Response Limiter is available on Building Blocks but not on Rules.
C. Building Blocks are built-in to the product; Rules are customized for each deployment.
D. Building Blocks are Rules which are evaluated on both Flows and Events; Rules are evaluated on Offenses of Flows or Events.
Answer: A
An event is happening regularly and frequently; each event indicates the same target username. There is a rule configured to test for this event which has a rule action to create an offense indexed on the username. What will QRadar do with the triggered rule assuming no offenses exist for the username and no offenses are closed during this time?
A. Each matching event will be tagged with the Rule name, but only one Offense will be created.
B. Each matching event will cause a new Offense to be created and will be tagged with the Rule name.
C. Events will be tagged with the rule name as long as the Rule Response limiter is satisfied. Only one offense will be created.
D. Each matching event will be tagged with the Rule name, and an Offense will be created if the event magnitude is greater than 6.
Answer: C