IBM Security QRadar SIEM V7.4.3 Administration — Question 12

What approach does QRadar take when it imposes EPS license (not hardware) limits on events that temporarily spike above that limit?

Answer options

• A. Excessive events in a spike cause a System Notification that advises the customer to increase their EPS license allocation.
• B. QRadar EPS license allocation is implemented with a hard cutoff to ensure resources are not saturated.
• C. During the spike, excess events are written to a queue, and they are processed after the EPS rate drops.
• D. QRadar EPS licensing is measured as an average over a 24-hour period, which allows spikes to be handled gracefully.

Correct answer: D

Explanation

The correct answer is D because QRadar's EPS licensing is designed to accommodate temporary spikes by averaging the event rates over a 24-hour period. This allows the system to handle occasional increases without immediate penalties. Options A and B incorrectly suggest notifications or hard cutoffs, while C misrepresents the mechanism by indicating that excess events are queued instead of being averaged.