Unit 6 - Module 4 - IDS & SIEM Tools

Question 1

What is a record of events that occur within an organization’s systems?

Answer 1

A Log

Question 2

What is the process of examining logs to identify events of interest?

Answer 2

Log Analysis

Question 3

What is the process of examining logs to idenify events of interest?

Answer 3

Log Analysis

Question 4

What are the 5 most common log types?

Answer 4

1) Network
2) System
3) Application
4) Security
5) Authentication

Question 5

What is the process of collecting, storing, analyzing, and disposing of log data?

Answer 5

Log Management

Question 6

What is a set of data that presents two linked itmes?

ie) a key and it’s corresponding value. “Alert” : “Malware”

Answer 6

Key-Value Pair

Question 7

What is a data type that stores data in a comma-seperated list of key-value pairs?

ie ) “User”
{
“id”: “1234”,
“name”: “user”,
“role”: “engineer”
}

Answer 7

Object

Question 8

What is a data type that stores data in a comma-separated ordered list?

Answer 8

Array

Question 9

What log format that uses key-value pairs to structure data and identify fields and their corresponding values?

ie) CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension

Answer 9

Common Event Format (CEF)

Question 10

What 3 capabilities can syslog be used for?

Answer 10

Service
Protocol
Log Format

Question 11

What is the collection and transmission of data for analysis?

Answer 11

Telemetry

Question 12

What’s an application that monitors activity and alerts on possible intrusions?

Answer 12

Intrusion Detection System (IDS)

Question 13

What is it called when any device connected on a network?

Answer 13

Endpoint

Question 14

What is an application that monitors the acitivty of the host on which it’s installed?

Answer 14

Host-Based Intrusion Detection System (HIDS)

Question 15

What application collects and monitors network traffic and network data?

Answer 15

Network-based intrusion detection system (NIDS)

Question 16

What is a detection method used to find events of interest?

Answer 16

Signature analysis

Question 17

When monitoring activity, what specifies the rules used by an intrusion detection system (IDS)?

Answer 17

A signature

Question 18

What specifies the rules that an IDS uses to monitor activity. Signature analysis is one of the most common methods of detection used by IDS tools.

Answer 18

A Signature

Question 19

What’s an advantage of using signatures?

Answer 19

Low rate of false positives - It’s very efficient at detecting known threats because it is simly compairing acitivity to signatures.

Question 20

What are 3 disadvantages of using signatures?

Answer 20

They can be evaded- Signatures are unique, and attackers can modify their attack behaviours to bypass the signatures.

Signatures require updates - Signature-based analysis rilies on database of signatures to detect threats.

Inabliity to detect unknown threats - Signature-based analysis relies on detecting known threats through signatures.

Question 21

What do you call a pattern that is associated with malicious activity?

Answer 21

A Signature

Question 22

What is a detection method that identies abnormal behaviour?

Answer 22

Anomaly-based Analysis

Question 23

What’s the one advantage of anomaly-based analysis?

Answer 23

Ability to detect new and evolving threats.

Question 24

What are two disadvantages of anomaly-based analysis?

Answer 24

High rate of false positives

Pre-existing compromise

Question 25

What is the edtection methods used to find events of interest?

Answer 25

Signature Analysis

Question 26

What is a file used to configure the settings of an application?

Answer 26

Configuration File

Question 27

In these 3 steps, what tool follows these?

Collect and aggregate data

Normalize Data

Analyze Data

Answer 27

**Security Information and Event Management (SIEM Tool) **

Question 28

What search language is “Search Processing Language (SPL)”?

Answer 28

Splunk’s Query Language

Question 29

What is a computer language used to create rules for searching through ingested log data?

Answer 29

YARA-L

Question 30

Chronicle uses What search language to normalize data?

Answer 30

Unified Data Model

Question 31

What is a special character that can be substituted with any other character?

Answer 31

a Wildcard