CVA/H Operator
One instance of a Lucene index
An Elasticsearch shard is the same as what?
4
Analyzing PCAP is a memory intensive task. What is the general memory usage multiplier?
No, GET is an http.method not http.uri
Given the following rule: content: "GET"; http_uri; Will this match the following payload? GET /index.html HTTP/1.0/r/n
BPF filters
How do you exclude traffic when utilizing Zeek?
[10.0.0.0/24, ![.11,.12]]
In the signature header, how can you describe 10.0.0.0/24 and exclude 10.0.0.11 and 10.0.0.12?
go
Stenographer is written in what language?
True
True or False: BPF is more efficient than text filtering tools, like grep.
False
True or False: Endgame would be considered an "agentless" endpoint solution.
False
True or False: Given that x00eA is equivalent to a colon (:), the string EVIL:stuff will match for content: "evil |3A| stuff";
True
True or False: Given the following Suricata rule: content: "/index"; http_uri; content: "html"; http_uri; within:5; This will match the following payload: GET /index.html HTTP/1.0\r\n
True
True or False: Kibana Dashboards are capable of updating dynamically and in real time.
False
True or False: Meta-settings in a rule affect Suricata's inspection.
True
True or False: One of the differences between Suricata and Snort is that Suricata is multi threaded.
False
True or False: Replaying PCAP through Zeek rewrites the timestamps.
True
True or False: Snort rules can be used in Suricata.
True
True or False: Stenographers indexed packets on disk are not in tcpdump format because they have an additional 4 byte header.
True
True or False: The MITRE ATT&CK framework shows the data source you'd need to collect to identify specific techniques.
True
True or False: When querying Stenographer for packets, you can use tcpdump filters.
True
True or False: When using the "PROXIMITY" search in Kibana the order you specify your terms matters.
True
True or False: Zeek is an event driven language.
False
True or False: Zeek logs are larger and more verbose than a PCAP file.
False
True or False: Zeek uses file extensions to determine the file type.
False
True or False: Zeek's File Framework IS NOT capable of tracking files even if they are over multiple connections like torrent
True
True or False: Zeek's Intel Framework works differently than Suricata's alerts by allowing us to search for an indicator across multiple locations instead of a specific location/pattern.
False
True or False: in Kibana when using parentheses with multiple terms inside of them implies the "AND" operator. (Example: @meta.resp_port: (443 80)
ECS
What Global Schema does Elastic use?
ossem
What Global Schema does the Hunting Elk (HELK) use?
Shell
What allows for interaction with a unix-based computer?
Master, data, ingest, machine learning
What are the four node types available when creating an Elasticsearch cluster?
Trigger, Input, Action, Condition
What are the four pieces required to build a Watcher alert in Kibana?
WEF
What built-in solution allows you to forward Windows logs?
!3
What command can be used to "replay" the third entry in your shell history?i
zeek-cut
What command line utility is available to display Zeek logs in a more readable way?
sudo kill -9 (process id)
What command uses systemd to stop the sshd service (logged in as a user)?
tail -f
What command will live-follow any updates of a (log) file?
select*
What command would return all properties from a PowerShell object?
/etc
What directory is used to store system and application configuration files?
Berkeley Packet Filter
What does BPF stand for?
.yaml
What format does Elasticsearch store its configuration files? (ex. /etc/elasticsearch/elasticsearch.yaml
Ignore checksums
What function does the "-C" flag serve in the following command? zeek -Cr path/to/pcap
It extracts the files.
What happens when Zeek sees a file and "file extraction" script is enabled?
It extracts the files.
What happens when Zeek sees a file and the "file extraction" script is enabled?
The rest API for Stenographer
What is Docket?
9200
What is the default port used to communicate with Elasticsearch via its RESTFUL API?
1 Hour
What is the default time interval for Zeek log file rotation (how often a new file is started)?
/usr/share/zeek
What is the default top level directory that Zeek utilizes for scripts on CENTOS?
Elasticsearch
What is the foundation of Elastic Stack?
Workflow
What is the name of the PowerShell function that allows parallel (or multi-threaded) operations?
Not SQL
What protocol options are available for inspection when referring to Suricata?
Identify known bad
What purpose does a "Intrusion Detection System" like Suricata serve? a. Identify things that are normally missed by analysts b. Identify unknown anomalies c. Identify known bad. d. Utilizes signatures to identify known good
Action, header, role options
What three parts make up a Suricata signature?
Point in time
What type of host-based detection technique would PowerShell be classified under? a. Point in time b. Historical c. Real time
Line Chart/ Bar Chart
What visualization in Kibana is best utilized for displaying data over time?
Metric
When building a visualization in Kibana, if you wanted to use the "SUM" option, this would be located under what option?
Conn log
Every log will correlate to a unique ID (UUID). Which log is this ID generated in?
Record certs, record ciphers used, and record encryption software used.
Choose all that apply: Zeek can do which of the following for encrypted connections? a. Record certificates b. Record ciphers used c. Full decryption if keys are available d. Record encryption software used e. Nothing - Zeek is blind to encrypted traffic
Conn log
Even when Zeek observes a connection that it doesn't know how to categorize, it is still recorded in which log?
__load__zeek
When utilizing Zeek, if you used a load statement to load a directory, what is required for Zeek to accomplish this?
WinLogBeat
Which "beat" is used to interact with Microsoft OS log files?
Filebeat
Which Elastic Beat would you use to collect Linux system logs?
Data
Which Elasticsearch node role allows for storage of indices?
Graph
Which Kibana application doesn't consider time?
xml
Which filetype is most commonly used, in exports/imports, to retain PowerShell object properties?
700
Which numeric permissions value allows only the user (owner) to execute the file? a. 644 b. 700 c. 755
File extensions are required
Which of the below statements about the unix environment are FALSE? a. Naming is case sensitive b. File extensions are required c. Everything is a file d. Hierarchical tree structure
NOT _exists_:dns_answers
Which of the following Kibana queries shows logs that are missing the dns.answers field? a. dns.answers: NULL b. _MISSING_FIELD_: dns.answers c. NOT _exists_: dns.answers d. dns.answers: ()
Looks for any single character to replace the question mark in the supplied query.
Which of the following best describes what happen when using the "?" wildcard in a Kibana query? a. Looks for zero or one of the previous characters. b. Looks for any single character to replace the question mark in the supplied query. c. Looks for any number of characters to replace the question mark as long as it's the same character. d. None - the question mark can only by used in REGEX queries.
cp /home/admin/file1 ./Desktop/working
Which of the following commands utilizes a relative file path in the last argument? a. cp /home/admin/file1 /home/user/Desktop/working b. cp/home/admin/file1 ./Desktop/working
PCAP scales well... the more the better!
Which of the following is NOT true about PCAP? a. allows the analyst to reconstruct what actually happened. b. PCAP scales well... the more the better! c. contains all the raw data.
~
Which of the following is a valid bash navigation shortcut? a. \ b. ~ c. // d. ....
before 2012-11-03T11:05:00Z
Which of the following is an additional query option that is available in Stenographer but not available in tcpdump? a. before 2012-11-03T11:05:00Z b. host 1.1.1.1 c. tcp[tcpflags] & (tcp-syn|tcp-fin) d. net 2.2.2.2/24
/REGEX QUERY HERE/
Which of the following is the correct way to write "REGEX" queries? a. /REGEX QUERY HERE/ b. dns.answers: "REGEX QUERY HERE" c. _regex_: "REGEX QUERY HERE" d. dns.answers: \REGEX QUERY HERE\
All of the above
Which of the following places can you utilize search? a. Kibana Discover Tab b. When building a new visualization c. Graph d. Kibana Dashboards e. Watcher (Alerting)
Host
Which of these is NOT a type of zeek log? a. Network b. File c. Detection d. Host e. Diagnostic f. Miscellaneous
Bash
Which shell is most commonly used today?
stenoread
Which tool allows you to query Stenographer's indexed packets?
Kibana
Which tool allows you to visualize data inside Elasticsearch?
Logstash
Which tool from the Elastic Stack allows you to modify and enrich data?
Network Protocol Analyzer
Zeek is a powerful NSM tool. Which of the following best describes what Bro is? a. Message Queue b. Tapping Interface c. Network Protocol Analyzer
Tab
Zeek's Intel Framework utilizes ".dat" files for indicators. These files are extremely picky about whitespace. What whitespace delimiter is required in these files?
