What needs to be done to complete this task?

From the given event payload format:


You are tasked with creating a Reference Set of the second IPs in the payload.
What needs to be done to complete this task?
A. Create a Custom Event Property to parse the second IP in the payload. From the Log Source config for the above event, choose "add to reference set" and select your reference set.
B. From the Reference Set Management screen, select "create reference set from Log Source Event". Pick the Log Source from the drop down. Pick the Event Name from the drop down.
C. From the Reference Set Management screen, select "create reference set from Log Source Event". Pick the Log Source from the drop down. Pick the Custom Event Property from the drop down.
D. Create a Custom Event Property to parse the second IP in the payload. Create a rule that tests for events from the Log Source that is collecting the above event, and for Rule Response add the Custom Event Property to the Reference Set.


One thought on “What needs to be done to complete this task?”

  1. The answer should be D.
    I’m not aware of anywhere in the QRadar Users Guide where it says you can add to a reference set while in the Log Source configuration. This is a feature of the rules.
