4.3: Given an incident, utilize appropriate data sources to support an investigation. Flashcards

1
Q

Topics

A
Vulnerability Scan Output
SIEM Dashboards
Sensor
Sensitivity
Trends
Alerts
Correlation
2
Q

Log Files

A
Network
System
Application
Security
Web
DNS
Authentication
Dump Files
Syslog/Rsyslog/Syslog-ng
3
Q

EXAM TIP

A

The Windows Event Viewer is used to look at Windows logs. The System log displays information related to the operating system. The Application log provides data related to applications that are run on the system. The Security log provides information regarding the success and failure of attempted logins as well as security-related audit events. Be ready to identify specific log file output on the exam!

4
Q

Journalctl

A

On Linux systems, the initial daemon that launches the system is called systemd. When systemd creates log files, it does so through the systemd-journald service. Journalctl is the command that is used to view these logs.

5
Q

EXAM TIP

A

Understand the differences between journalctl and syslog. Journalctl is the command to examine logs on a server. Syslog (and the variants rsyslog and syslog-ng) is used to move logs to a log server and sometimes to manipulate the log file entries in transit.

6
Q

NXLog

A

NXLog is a multiplatform log management tool designed to assist in the use of log data during investigations. This tool suite is capable of handling syslog-type data as well as other log formats, including Microsoft Windows event logs. It has advanced capabilities to enrich log files through context-based lookups, correlations, and rule-based enrichments.

7
Q

NetFlow/sFlow

A

NetFlow and sFlow are protocols designed to capture information about packet flows (that is, a sequence of related packets) as they traverse a network. NetFlow is a proprietary standard from Cisco. Flow data is generated by the network devices themselves, including routers and switches.

8
Q

IPFIX

A

Internet Protocol Flow Information Export (IPFIX) is an IETF protocol that is the open answer to the proprietary Cisco NetFlow standard. IPFIX is based on NetFlow version 9 and is highly configurable using a series of templates. The primary purpose of IPFIX is to provide a central monitoring station with information about the state of the network. IPFIX is a push-based protocol: the exporter sends its reports to the collector and receives no response in return.
