(3) Service and App Related Issue Investigations Flashcards
What common monitoring areas can app and service monitoring be broken down into?
App and Service monitoring can be broken down into a few different areas, such as:
-Is the service up or down?
-Performance testing, is it doing its job properly?
-Transactional logging, recording information about what actually happens on the system
-App or Service logging, logs about the workings or status of a service
Explain where application logs fit into investigations regarding service and app related issues
App logs are very important, but they require knowledge and skill to use effectively
Linux logs can be found in /var/log
Windows app logs are found in the Windows event logs (Event Viewer)
What does a security professional need to set up before an incident happens in regards to services and apps?
Security professionals need to make sure that logging tasks are already set up and confirmed working before an incident happens so that the logs can help in the event of an investigation
How do security professionals need to handle new account creation to help keep services and apps safe?
Security pros need to focus on cloud-hosted and on-premises apps, but specifically need to focus on privileged accounts.
Additionally, monitoring of bulk account creation, accounts that are created only now and again, and accounts created from non-traditional locations is very important
Where can accounts be created on an org system?
Accounts can be created within specific apps or at the operating system level
What are some non security related problems that can occur in systems?
Application or service specific problems, such as authentication errors, service dependency issues, and permission problems
Apps or services that don't start on boot, either because of an error or because the service is turned off
Service failures, which are often caused by updates, patches, or other changes
What additional tools can be used to help protect apps and services?
Additional tools that can be used to protect apps and services include:
-Anti-malware and Endpoint Detection and Response (EDR) tools
-File Integrity checking tools
-Allow List Tools
What tools can be used to check Windows service status?
Various tools can be used to check Windows Service Status. They include:
-Services administrative tool (services.msc)
-Command line tools like sc, the Service Controller application (you can use command line flags that set the start type for a service, specify the error level it should set if it fails during boot, and provide details of the service)
-PowerShell also has a Start-Service cmdlet to help you interact with services on local and remote Windows hosts
How can Linux services be checked?
Linux services can be checked by using the service command. service <servicename> status will give many status updates on a given service.
To list the state of all services, you would type in service --status-all
Services that use init.d are checked by running /etc/init.d/<servicename> status
How can Windows logs be checked for application errors?
Windows apps (most of them anyway) use the Windows Application log in Windows event viewer
They can be centralized by using SCOM (System Center Operations Manager)
Describe the process for checking Linux Application logs
To check Linux application logs, you’ll need to check the /var/log directory or the app log location for the app in question.
Using the tail command, logs can be followed as they are written while an app is tested
What is Behavior Analysis of Applications?
Behavior Analysis is all about knowing what apps are supposed to do and what to look for to help figure out what is wrong when they don’t do what they should do.
What are some important things to consider in the subject of application behavior analysis?
Conducting proper behavior analysis of applications involves:
Documenting the app's normal behavior. What should it connect to and how should those connections be established?
Logging the app activity
Behavior analysis using antimalware tools and security systems to flag when behaviors are not what they should be