4A. Configure Log Review and SIEM tools obj 3.1 Flashcards
SIEM use cases should capture the five Ws…
1) when the event started (and ended)
2) who was involved
3) what happened
4) where it happened (e.g., which hosts, network, file systems, etc.)
5) where it originated (e.g., outside IP addresses over a VPN connection)
Agent-based data (SIEM)
An agent service is installed on each host. As events occur on the host, logging data is filtered, aggregated, and normalised at the host and then sent to the SIEM for analysis.
Listener/collector data (SIEM)
Hosts are configured to push updates to the SIEM server using a protocol (e.g., syslog, SNMP). The management server parses and normalises each log/monitoring source.
Sensor (SIEM)
The SIEM collects traffic flow data from sniffers.
TAP vs SPAN
SPAN copies traffic passing through one or more ports and sends it to another port for analysis. It is useful for monitoring traffic on individual switches or specific VLANs or ports. A TAP is a physical device that sits between two network devices and monitors all traffic that passes through, regardless of the type of traffic or network devices involved.
syslog
A protocol enabling different appliances and software applications to transmit logs or event records to a central server.