An IBM Security QRadar SIEM V7.2.8 Administrator needs to retain authentication failure data for a specific domain, for a longer period than the rest of the event data being collected. How is this task completed?
A. The administrator will need to create a custom rule with the appropriate filters and retention period.
B. The administrator will need to create a new Event Retention Bucket with the appropriate filters and retention period.
C. The administrator will need to create a custom filter in the log activity tab with the appropriate parameters and retention period.
D. The administrator will need to create a custom report with the appropriate parameters and use the report format TAR (Tape archive).
Correct Answer: B
Explanation/Reference:
In current versions of QRadar you can set custom retention buckets for Events and Flows. The 10 non-default retention buckets are processed sequentially from top to bottom. Any events that do not match one of the retention buckets are automatically placed in the default retention bucket, located at the bottom of the list.
Custom retention buckets let you define a time period and filters. If you enable a retention bucket with defined criteria, it will start deleting data from the time it was created. Any data that matches the custom retention bucket but was received before the bucket was created is subject to the criteria of the default retention bucket setting. If you need to delete data from before the custom retention bucket was created, you can shorten the default retention bucket so that data is deleted immediately.
Reference: http://www-01.ibm.com/support/docview.wss?uid=swq21622758