Analyzing Your SIEM

Question 1

A console presenting selected information in an easily digestible format, such as a
visualization

Answer 1

Dashboards

Question 2

A widget showing records or metrics in a visual format, such as a graph or table
Selecting the right metrics for the dashboard is critical

Answer 2

Visualizations

Question 3

A quantifiable measure used to evaluate the success of an organization,
employee, or other element in meeting objectives for performance
▪ # of vulnerabilities
▪ # of failed log-ons
▪ # of vulnerable systems
▪ # of security incidents
▪ Average response time
▪ Average time to resolve tickets
▪ # of outstanding issues
▪ # of employees trained
▪ % of testing completed

Answer 3

Key Performance Indicators (KPIs)

Question 4

An analyst needs to dismiss false positives while responding to true positives

Answer 4

Analysis and Detection

Question 5

A simple form of correlation performed by a machine by using signature detection
and rules-based policies

Answer 5

Conditional Analysis

Question 6

A method that uses feature comparisons and likenesses rather than specific
signature matching to identify whether the target of observation is malicious

Answer 6

Heuristic Analysis

Question 7

A component of AI that enables a machine to develop strategies for solving a task
given a labeled dataset where features have been manually identified but without
further explicit instructions

Answer 7

Machine Learning

Question 8

A network monitoring system that detects changes in normal operating data
sequences and identifies abnormal sequences

Answer 8

Behavioral Analysis

Question 9

A network monitoring system that uses a baseline of acceptable outcomes or
event patterns to identify events that fall outside the acceptable range

Answer 9

Anomaly Analysis

Question 10

The process of detecting patterns within a dataset over time, and using those
patterns to make predictions about future events or better understand past
events

Answer 10

Trend Analysis

Question 11

Establishes a baseline for a metric and monitors the number of occurrences over
time

Answer 11

Frequency-based Analysis

Question 12

Measures a metric based on the size of something, such as disk space used or log
file size

Answer 12

Volume-based Analysis

Question 13

Uses the concept of mean and standard deviations to determine if a data point
should be treated as suspicious

Answer 13

Statistical Deviation Analysis

Question 14

Interpreting the relationship between individual data points to diagnose incidents
of significance to the security team

Answer 14

Correlation

Question 15

A statement that matches certain conditions as expressed using logical
expressions, such as AND and OR, and operators, such as == (matches), < (less
than), > (greater than), and in (contains)

Answer 15

SIEM Correlation Rule

Question 16

Extracts records from among all the data stored for review or to show as a
visualization

Answer 16

SIEM Queries

Question 17

A group of characters that describe how to execute a specific search pattern on a
given text

Answer 17

Regular Expression (regex)

Question 18

Matches a single instance of a character within the brackets, such as [a-z], [A-Z],
[0-9], [a-zA-Z0-9], [\s] (white space), or [\d] (single digit)

Answer 18

[…]

Question 19

Matches one or more occurrences and is called a quantifier, such as \d+ matching
one or more digits

Answer 19

+

Question 20

Matches zero or more occurrences, such as \d* matching zero or more digits

Answer 20

*

Question 21

Matches one or none times, such as \d? matching zero or one digits

Answer 21

?

Question 22

Matches the number of times within the curly braces,
such as \d{3} matching three digits or \d{7-10} matching seven to ten digit

Answer 22

{}

Question 23

Defines a matching group with a regex sequence placed within the parentheses,
and then each group can subsequently be referred to by \1 for the first group, \2
for the second, and so on

Answer 23

( … )

Question 24

The OR logical operator to match conditions as “this or that”

Answer 24

|

Question 25

The regex will only match at the start of a line when searching

Question 26

The regex will only match at the end of a line when searching

Answer 26

$

Question 27

A command on Unix/Linux/macOS systems that invokes simple string matching or
regex syntax to search text files for specific strings
-i (ignore case sensitivity)
▪ -v (return non-matching strings)
▪ -w (treat search strings as words)
▪ -c (return a count of matching strings only)
▪ -l (return names of files with matching lines)
▪ -L (return names of files without matching lines)

Answer 27

grep

Question 28

A command that enables the user to specify which text on a line they want
removed from the results

Answer 28

cut

Question 29

A command that can be used to change the output order

Answer 29

sort

Question 30

A command that outputs the first 10 lines of a file specified

Answer 30

head

Question 31

A command that outputs the last 10 lines of a file specified

Answer 31

tail

Question 32

The process of using the output of one command as the input for a second
command

Answer 32

Piping ( | )

Question 33

Issuing commands individually can be useful for one-time analysis, but scripting allows
recurring searches to be repeated easily and automated

Answer 33

Scripting Tools

Question 34

A list of commands that are executed by a certain program or scripting engine

Answer 34

Script

Question 35

A scripting language and command shell for Unix-like systems that is the default
shell for Linux and macOS

Answer 35

Bash

Question 36

A scripting language and command shell for Windows systems

Answer 36

PowerShell

Question 37

Program used to review log files on a remote Windows machine

Answer 37

Windows Management Instrumentation Command-Line (WMIC)

Question 38

An interpreted, high-level, general-purpose programming languages used heavily
by cybersecurity analysts and penetration testers

Answer 38

Python and Ruby

Question 39

A scripting engine geared toward modifying and extracting data from files or data
streams in Unix, Linux, and macOS systems

Answer 39

Awk