Lesson 4: Collecting and Querying Security Monitoring Data
An IT firm provides security services for many business clients. As part of an overall security monitoring package, the firm provides trend analysis as it relates to systems behavior. Which area does staff use to create a baseline and regular measurements?
Host metrics Most networks change considerably over a period of time for genuine business reasons. With network and host metrics, it is possible to measure any number of network metrics (volume of internal and external traffic, numbers of logons/logon failures, and more).
In Unix-like operating systems, the grep command invokes simple string matching or regex syntax to search text files for specific strings. Which command option returns data that does not match the given string?
-v In Unix-like operating systems, the grep command invokes simple string matching or regex syntax to search text files for specific strings. The -v option reverses the command's default behavior, returning only lines that do not match the given string.
A network infrastructure utilizes syslog to communicate logs to a central point. Analysts determine that communication is not happening for some systems due to a UDP port misconfiguration. Considering standard port use, which current port did a junior engineer misconfigure?
514 Syslog is a TCP/IP protocol and can run on most operating systems. It usually uses UDP port 514. Newer implementations have the ability to use TCP (port 1468) for acknowledged delivery, instead of unacknowledged delivery over UDP (port 514).
An IT analyst utilizes software to visualize the incidence of types of events and show how the number or frequency of those events changes over time. For reporting purposes, the analyst focuses on statistical deviation. Review the possibilities and conclude which approach the analyst employs?
Acquire the sum of all values, divided by the number of samples Statistical deviation analysis can show when an analyst should treat a data point as suspicious. Statistical analysis uses the concept of the mean (the sum of all values divided by the number of samples) and the standard deviation.
A systems administrator creates scripts in a Linux subsystem on a Windows 10 system to automate system log collecting and information extraction for security auditing. Which command processor does the administrator likely use?
Bash Bash is a scripting language and command shell for Unix-like systems. It is the default shell for Linux and macOS. Bash is accessible when using the Linux subsystem in Windows 10.
Which of the following Security Information and Event Management (SIEM) tools is a visualization tool?
Kibana The ELK Stack, also known as the Elastic Stack and Elastic SIEM, is a collection of tools providing SIEM functionality. Kibana is a data visualization tool that is part of the suite.
A security engineer deploys a Security Information and Event Management (SIEM) solution in an organization. A variety of approaches are available to the engineer. Evaluate the methods and determine which the engineer uses to push updates via the syslog protocol.
Listener/collector Rather than installing an agent, the engineer can configure a listener/collector on hosts, pushing updates to the SIEM server using a protocol, such as syslog or Simple Network Management Protocol (SNMP).
A Windows server is performing poorly. IT staff suspect malicious activity has impacted the operating system. An administrator utilizes event logs to research any irregular activity. Which log identifies events created by services?
System The Windows system event logs are generated by the operating system (OS) and its services, for events such as storage volume health checks. These events may point to poor performance causes.
An IT engineer looks to deploy a Security Information and Event Management (SIEM) program. The effective deployment of a SIEM program involves which of the following considerations when it comes to tracking flagged events?
Ticketing process The engineer can implement SIEM solutions as software, hardware appliances, or outsourced managed services. When deploying a SIEM program, establishing a robust ticketing process is useful in tracking all flagged events.
An IT engineer writes a Security Information and Event Management (SIEM) correlation rule that uses regular expression (regex) syntax. The engineer needs to specify a specific number of matches. Which syntax elements does the engineer use to accomplish this goal?
{} Filtering a log to discover data points of interest or writing an SIEM correlation rule usually involves some sort of string search, typically invoking regular expression (regex) syntax. To find matches a number of times (quantifier), the engineer will use {} brackets. For example, {2} matches two times.