Analyzing Your SIEM Flashcards
A console presenting selected information in an easily digestible format, such as a
visualization
Dashboards
A widget showing records or metrics in a visual format, such as a graph or table
Selecting the right metrics for the dashboard is critical
Visualizations
A quantifiable measure used to evaluate the success of an organization,
employee, or other element in meeting objectives for performance
▪ # of vulnerabilities
▪ # of failed log-ons
▪ # of vulnerable systems
▪ # of security incidents
▪ Average response time
▪ Average time to resolve tickets
▪ # of outstanding issues
▪ # of employees trained
▪ % of testing completed
Key Performance Indicators (KPIs)
An analyst needs to dismiss false positives while responding to true positives
Analysis and Detection
A simple form of correlation performed by a machine by using signature detection
and rules-based policies
Conditional Analysis
A method that uses feature comparisons and likenesses rather than specific
signature matching to identify whether the target of observation is malicious
Heuristic Analysis
A component of AI that enables a machine to develop strategies for solving a task
given a labeled dataset where features have been manually identified but without
further explicit instructions
Machine Learning
A network monitoring system that detects changes in normal operating data
sequences and identifies abnormal sequences
Behavioral Analysis
A network monitoring system that uses a baseline of acceptable outcomes or
event patterns to identify events that fall outside the acceptable range
Anomaly Analysis
The process of detecting patterns within a dataset over time, and using those
patterns to make predictions about future events or better understand past
events
Trend Analysis
Establishes a baseline for a metric and monitors the number of occurrences over
time
Frequency-based Analysis
Measures a metric based on the size of something, such as disk space used or log
file size
Volume-based Analysis
Uses the concept of mean and standard deviations to determine if a data point
should be treated as suspicious
Statistical Deviation Analysis
Interpreting the relationship between individual data points to diagnose incidents
of significance to the security team
Correlation
A statement that matches certain conditions as expressed using logical
expressions, such as AND and OR, and operators, such as == (matches), < (less
than), > (greater than), and in (contains)
SIEM Correlation Rule
Extracts records from among all the data stored for review or to show as a
visualization
SIEM Queries
A group of characters that describe how to execute a specific search pattern on a
given text
Regular Expression (regex)
Matches a single instance of a character within the brackets, such as [a-z], [A-Z],
[0-9], [a-zA-Z0-9], [\s] (white space), or [\d] (single digit)
[…]
Matches one or more occurrences and is called a quantifier, such as \d+ matching
one or more digits
+
Matches zero or more occurrences, such as \d* matching zero or more digits
*
Matches zero or one occurrence, such as \d? matching zero or one digit
?
Matches the number of times specified within the curly braces, such as \d{3}
matching exactly three digits or \d{7,10} matching seven to ten digits
{}
Defines a matching group with a regex sequence placed within the parentheses,
and then each group can subsequently be referred to by \1 for the first group, \2
for the second, and so on
( … )
The OR logical operator to match conditions as “this or that”
|
The regex will only match at the start of a line when searching
^
The regex will only match at the end of a line when searching
$
A command on Unix/Linux/macOS systems that invokes simple string matching or
regex syntax to search text files for specific strings
▪ -i (ignore case sensitivity)
▪ -v (return non-matching strings)
▪ -w (treat search strings as words)
▪ -c (return a count of matching strings only)
▪ -l (return names of files with matching lines)
▪ -L (return names of files without matching lines)
grep
A command that enables the user to specify which text on a line they want
removed from the results
cut
A command that can be used to change the output order
sort
A command that outputs the first 10 lines of the specified file
head
A command that outputs the last 10 lines of the specified file
tail
The process of using the output of one command as the input for a second
command
Piping ( | )
Issuing commands individually can be useful for one-time analysis, but scripting allows
recurring searches to be repeated easily and automated
Scripting Tools
A list of commands that are executed by a certain program or scripting engine
Script
A scripting language and command shell for Unix-like systems that is the default
shell for Linux and macOS
Bash
A scripting language and command shell for Windows systems
PowerShell
Program used to review log files on a remote Windows machine
Windows Management Instrumentation Command-Line (WMIC)
Interpreted, high-level, general-purpose programming languages used heavily
by cybersecurity analysts and penetration testers
Python and Ruby
A scripting engine geared toward modifying and extracting data from files or data
streams in Unix, Linux, and macOS systems
Awk