Analyzing Your SIEM Flashcards
A console presenting selected information in an easily digestible format, such as a
visualization
Dashboards
A widget showing records or metrics in a visual format, such as a graph or table
Selecting the right metrics for the dashboard is critical
Visualizations
A quantifiable measure used to evaluate the success of an organization,
employee, or other element in meeting objectives for performance
▪ # of vulnerabilities
▪ # of failed log-ons
▪ # of vulnerable systems
▪ # of security incidents
▪ Average response time
▪ Average time to resolve tickets
▪ # of outstanding issues
▪ # of employees trained
▪ % of testing completed
Key Performance Indicators (KPIs)
An analyst needs to dismiss false positives while responding to true positives
Analysis and Detection
A simple form of correlation performed by a machine by using signature detection
and rules-based policies
Conditional Analysis
A method that uses feature comparisons and likenesses rather than specific
signature matching to identify whether the target of observation is malicious
Heuristic Analysis
A component of AI that enables a machine to develop strategies for solving a task
given a labeled dataset where features have been manually identified but without
further explicit instructions
Machine Learning
A network monitoring system that detects changes in normal operating data
sequences and identifies abnormal sequences
Behavioral Analysis
A network monitoring system that uses a baseline of acceptable outcomes or
event patterns to identify events that fall outside the acceptable range
Anomaly Analysis
The process of detecting patterns within a dataset over time, and using those
patterns to make predictions about future events or better understand past
events
Trend Analysis
Establishes a baseline for a metric and monitors the number of occurrences over
time
Frequency-based Analysis
Measures a metric based on the size of something, such as disk space used or log
file size
Volume-based Analysis
Uses the concept of mean and standard deviations to determine if a data point
should be treated as suspicious
Statistical Deviation Analysis
Interpreting the relationship between individual data points to diagnose incidents
of significance to the security team
Correlation
A statement that matches certain conditions as expressed using logical
expressions, such as AND and OR, and operators, such as == (matches), < (less
than), > (greater than), and in (contains)
SIEM Correlation Rule
Extracts records from among all the data stored for review or to show as a
visualization
SIEM Queries
A group of characters that describe how to execute a specific search pattern on a
given text
Regular Expression (regex)
Matches a single instance of a character within the brackets, such as [a-z], [A-Z],
[0-9], [a-zA-Z0-9], [\s] (white space), or [\d] (single digit)
[…]
Matches one or more occurrences and is called a quantifier, such as \d+ matching
one or more digits
+
Matches zero or more occurrences, such as \d* matching zero or more digits
*
Matches one or none times, such as \d? matching zero or one digits
?
Matches the number of times within the curly braces,
such as \d{3} matching three digits or \d{7-10} matching seven to ten digit
{}
Defines a matching group with a regex sequence placed within the parentheses,
and then each group can subsequently be referred to by \1 for the first group, \2
for the second, and so on
( … )
The OR logical operator to match conditions as “this or that”
|
