CH23 Monitoring and Auditing Flashcards

1
Q

Which of the following protocols is commonly used to collect information about CPU utilization and memory usage from network devices?

a. NetFlow
b. SMTP
c. MIB
d. SNMP

A

d. SNMP

Simple Network Management Protocol (SNMP) is commonly used to gather information from routers, switches, and other network devices. It provides information about a device’s status, including CPU and memory utilization, as well as many other useful details about the device.

NetFlow provides information about network traffic.
A management information base (MIB) is a database used for managing the entities in a communication network.
The Simple Mail Transfer Protocol (SMTP) is a communication protocol for electronic mail transmission.

2
Q

Which security tool is used to facilitate incident response, threat hunting, and security configuration by orchestrating automated runbooks and delivering data enrichment?

a. SIEM
b. SOAR
c. MDM
d. DLP

A

b. SOAR

A security orchestration, automation, and response (SOAR) platform is used to facilitate incident response, threat hunting, and security configuration by orchestrating automated runbooks and delivering data enrichment.

A SOAR may be implemented as a standalone technology or integrated within a SIEM as a next-gen SIEM. A SOAR can scan the organization’s store of security and threat intelligence, analyze it using machine/deep learning techniques, and then use that data to automate and provide data enrichment for the workflows that drive incident response and threat hunting.

3
Q

You are conducting an intensive vulnerability scan to detect which ports might be open to exploitation. During the scan, one of the network services becomes disabled and causes an impact on the production server. Which of the following sources of information would be the most relevant for determining which network service was interrupted and why?

a. Syslog
b. Network mapping
c. Firewall logs
d. NIDS

A

a. Syslog

The syslog server is a centralized log management solution. Because logs from all of the network devices and servers are retained on the syslog server, the technician can look through them to determine which service failed, on which server, and why.

4
Q

You are troubleshooting a network connectivity issue and need to determine the packet’s flow path from your system to the remote server. Which of the following tools would best help you identify the path between the two systems?

a. netstat
b. nbtstat
c. ipconfig
d. tracert

A

d. tracert

OBJ-4.1: The tracert (trace route) diagnostic utility determines the route to a destination by sending Internet Control Message Protocol (ICMP) echo packets to the destination. In these packets, tracert uses varying IP Time-To-Live (TTL) values. When the TTL on a packet reaches zero (0), the router sends an ICMP “Time Exceeded” message back to the source computer. The ICMP “Time Exceeded” messages that intermediate routers send back show the route. The ipconfig tool displays all current TCP/IP network configuration values on a given system. The netstat tool is a command-line network utility that displays network connections for Transmission Control Protocol, routing tables, and some network interface and network protocol statistics on a single system. The nbtstat command is a diagnostic tool for NetBIOS over TCP/IP used to troubleshoot NetBIOS name resolution problems.

5
Q

You have been hired to investigate a possible insider threat from a user named Terri. Which command would you use to review all sudo commands ever issued by Terri (whose login account is terri and UID=1003) on a Linux system? (Select the MOST efficient command)

a. journalctl _UID=1003 | grep -e [Tt]erri | grep sudo
b. journalctl _UID=1003 | grep -e 1003 | grep sudo
c. journalctl _UID=1003 | grep -e [Tt]erri | grep -e 1003 | grep sudo
d. journalctl _UID=1003 | grep sudo

A

d. journalctl _UID=1003 | grep sudo

OBJ-4.3: journalctl is a command for viewing logs collected by systemd. The systemd-journald service is responsible for systemd’s log collection, and it retrieves messages from the kernel, systemd services, and other sources. These logs are gathered in a central location, which makes them easy to review. If you specify the parameter _UID=1003, you will only receive entries made under the authority of the user with ID (UID) 1003. In this case, that is Terri. Using a pipe, we can send that list of entries into the grep command as input and filter the results before they are returned to the screen. This command is sufficient to see all the times that Terri has executed something as the superuser using privilege escalation. If there are too many results, we could filter further with grep’s -e flag and a regular expression. Since the UID of 1003 is used only by Terri, it is unnecessary to add [Tt]erri to the grep filter, as the only results for UID 1003 (terri) will already be shown. So, while all four of these would produce the same results, the most efficient option is to enter “journalctl _UID=1003 | grep sudo” in the terminal. Don’t be intimidated by questions like this; walk through each part of the command step by step and determine the differences. In this question, you may not have known what journalctl is, but you didn’t need to. You needed to identify which grep expression was the shortest that would still get the job done. By comparing the differences between the options presented, you could likely take your best guess and identify the right one.
