Course 6 - Sound the Alarm: Detection and Response Flashcards

1
Q

To recall, the five core functions of the NIST CSF are:

A

identify, protect, detect, respond, and recover.

2
Q

The NIST incident response lifecycle is another NIST framework with additional substeps dedicated to incident response. It begins with preparation. Next, detection and analysis, and then containment, eradication and recovery, and finally post-incident activity.

A
3
Q

According to NIST, an incident is “an occurrence that actually or imminently jeopardizes, without lawful authority, the confidentiality, integrity, or availability of information or an information system; or constitutes a violation or imminent threat of violation of law, security policies, security procedures, or acceptable use policies.”

A
4
Q

An event is an observable occurrence on a network, system, or device.

A
5
Q

The five W’s of an incident: who triggered the incident, what happened, when the incident took place, where the incident took place, and why the incident occurred.

A

who triggered the incident,

what happened,

when the incident took place,

where the incident took place,

why the incident occurred.

6
Q

Computer security incident response teams, or CSIRTs, are a specialized group of security professionals that are trained in incident management and response.

A
7
Q

Depending on the organization, a CSIRT can also be referred to as an Incident Handling Team, or IHT, or Security Incident Response Team, SIRT.

A
9
Q

National Institute of Standards and Technology (NIST) Incident Response Lifecycle

A

Preparation

Detection and Analysis

Containment, Eradication, and Recovery

Post-incident activity

10
Q

A computer security incident response team (CSIRT) is a specialized group of security professionals that are trained in incident management and response. During incident response, teams can encounter a variety of different challenges. For incident response to be effective and efficient, there must be clear command, control, and communication of the situation to achieve the desired goal.

Command refers to having the appropriate leadership and direction to oversee the response.

Control refers to the ability to manage technical aspects during incident response, like coordinating resources and assigning tasks.

Communication refers to the ability to keep stakeholders informed.

A
20
Q

An incident response plan is a…

A

…document that outlines the procedures to take in each step of incident response

22
Q

An ______________ is an application that monitors system and network activity, and produces alerts on possible intrusions.

A

intrusion detection system

23
Q

___________ have all the same capabilities as an IDS, but they can do more. They monitor system activity for intrusions and take action to stop it.

A

Intrusion prevention systems, or IPS,

24
Q

Many tools have the ability to perform the function of both IDS and IPS. Some popular tools are….

A

Snort
Zeek
Kismet
Sagan
Suricata

28
Q

SIEM is a tool that collects and analyzes log data to monitor critical activities in an organization. SIEM provides security professionals with a high-level overview of what goes on in their networks.

A
30
Q

Security orchestration, automation, and response, or SOAR, is a collection of applications, tools, and workflows that uses automation to respond to security events.

While SIEM tools collect, analyze, and report on security events for security analysts to review, SOAR automates analysis and response to security events and incidents. SOAR can also be used to track and manage cases. Multiple incidents can form a case, and SOAR offers a way to view all of these incidents in one centralized place.

A
32
Q

A form of documentation used in incident response

A

Incident handler’s journal:

33
Q

A document that outlines the procedures to take in each step of incident response

A

Incident response plan:

34
Q

A framework for incident response consisting of four phases: Preparation; Detection and Analysis; Containment, Eradication, and Recovery; and Post-incident activity

A

National Institute of Standards and Technology (NIST) Incident Response Lifecycle:

35
Q

A manual that provides details about any operational action

A

Playbook:

36
Q

An application that collects and analyzes log data to monitor critical activities in an organization

A

Security information and event management (SIEM):

37
Q

An organizational unit dedicated to monitoring networks, systems, and devices for security threats or attacks

A

Security operations center (SOC):

38
Q

A collection of applications, tools, and workflows that uses automation to respond to security events

A

Security orchestration, automation, and response (SOAR):

39
Q

A state where there is no detection of malicious activity

A

True negative:

40
Q

An alert that correctly detects the presence of an attack

A

True positive

43
Q

Organizations may deploy a network operations center (NOC), which is an organizational unit that monitors the performance of a network and responds to any network disruption, such as a network outage. While a SOC is focused on maintaining the security of an organization through detection and response, a NOC is responsible for maintaining network performance, availability, and uptime.

A
43
Q

As part of an organization’s security policy, all assets should be cataloged in an asset inventory. The appropriate security controls should also be applied to protect these assets from unauthorized access.

A
43
Q

header, which includes information like the type of network protocol and port being used. Imagine this as being the name and mailing address located on an envelope.

The header also contains the packet’s source and destination IP address. We’ll explore more information contained in the header in a later section.

Next, there’s the payload, which contains the actual data that’s being delivered. This is like the content of a letter inside of an envelope.

And there’s the footer, which signifies the end of the packet.

A
43
Q

Security analysts monitor networks to identify any signs of potential security incidents known as indicators of compromise (IoC) and protect networks from threats or attacks. To do this, they must understand the environment that network communications travel through so that they can identify deviations in network traffic.

A
43
Q

Network protocol analyzers, also known as packet sniffers, are tools designed to capture and analyze data traffic within a network. They can be used to analyze network communications manually in detail. Examples include tools such as tcpdump and Wireshark, which can be used by security professionals to record network communications through packet captures. Packet captures can then be investigated to identify potentially malicious activity.

A
46
Q

Payload
The payload component directly follows the header and contains the actual data being delivered. Think back to the example of uploading an image to a website; the payload of this packet would be the image itself.

A
47
Q

Footer
The footer, also known as the trailer, is located at the end of a packet. The Ethernet protocol uses footers to provide error-checking information to determine if data has been corrupted. In addition, Ethernet network packets that are analyzed might not display footer information due to network configurations.

Note: Most protocols, such as the Internet Protocol (IP), do not use footers.

A
48
Q

Network protocol analyzers (packet sniffers) are tools designed to capture and analyze data traffic within a network. Examples of network protocol analyzers include tcpdump, Wireshark, and TShark.

A
49
Q

How network protocol analyzers work
Network protocol analyzers use both software and hardware capabilities to capture network traffic and display it for security analysts to examine and analyze. Here’s how:

First, packets must be collected from the network via the Network Interface Card (NIC), which is hardware that connects computers to a network, like a router. NICs receive and transmit network traffic, but by default they only listen to network traffic that’s addressed to them. To capture all network traffic that is sent over the network, a NIC must be switched to a mode that has access to all visible network data packets. In wireless interfaces this is often referred to as monitoring mode, and in other systems it may be called promiscuous mode. This mode enables the NIC to have access to all visible network data packets, but it won’t help analysts access all packets across a network. A network protocol analyzer must be positioned in an appropriate network segment to access all traffic between different hosts.

The network protocol analyzer collects the network traffic in raw binary format. Binary format consists of 0s and 1s and is not as easy for humans to interpret. The network protocol analyzer takes the binary and converts it so that it’s displayed in a human-readable format, so analysts can easily read and understand the information.

A
50
Q

Note: Using network protocol analyzers to intercept and examine private network communications without permission is considered illegal in many places.

Packet capture (P-cap) files can come in many formats depending on the packet capture library that’s used. Each format has different uses, and network tools may use or support specific packet capture file formats by default. You should be familiar with the following libraries and formats:

Libpcap is a packet capture library designed to be used by Unix-like systems, like Linux and MacOS®. Tools like tcpdump use Libpcap as the default packet capture file format.

WinPcap is an open-source packet capture library designed for devices running Windows operating systems. It’s considered an older file format and isn’t predominantly used.

Npcap is a library designed by the port scanning tool Nmap that is commonly used in Windows operating systems.

PCAPng is a modern file format that can simultaneously capture packets and store data. Its ability to do both explains the “ng,” which stands for “next generation.”

Pro tip: Analyzing your home network can be a good way to practice using these tools.

A
51
Q

The internet layer accepts and delivers packets for the network. It’s also the layer where the Internet Protocol operates as the foundation for all communications on the internet. It’s responsible for making sure packets reach their destinations.

The Internet Protocol operates like a mail courier delivering an envelope. Instead of using the delivery information found on the envelope, the Internet Protocol uses the information found in a packet header, like IP addresses. It then determines the best available route for packets to take, so that data can be sent and received between hosts.

A
52
Q

There are two different versions of the Internet Protocol: IPv4, which is considered to be the foundation of internet communications, and IPv6, which is the most recent version of the Internet Protocol. Remember, different protocols use different headers. So IPv4 and IPv6 headers differ, but they contain similar fields with different names. IPv4 is still the most widely used.

A
53
Q

The next field, ToS stands for Type of Service. This field tells us if certain packets should be treated with different care. For example, think of ToS like a fragile sticker on a mailed package.

A
54
Q

Next, IHL stands for Internet Header Length. This field specifies the length of the IP header plus any options.

A
55
Q

Next is the Total Length field, which identifies the length of the entire packet, including the headers and the data. This can be compared to the dimensions and weight of an envelope.

A
56
Q

Let’s start with the Version field, which specifies which version of IP is being used, either IPv4 or IPv6. Referring back to our mail analogy, the Version field is like the different classes of mail, like priority, express, or regular.

A
57
Q

The next three fields, Identification, Flags, and Fragment Offset, deal with information related to fragmentation. Fragmentation is when an IP packet gets broken up into chunks, which then get transmitted over the wire and reassembled when they arrive at their destination. These three fields specify if fragmentation has been used and how to reassemble the broken packets in the correct order. This is similar to how mail can travel through multiple routes like mailboxes, processing facilities, airplanes, and mail trucks before it reaches its destination.

A
58
Q

The TTL field stands for Time to Live. Like its name suggests, this field determines how long a packet can live before it gets dropped. Without this field, packets could loop through routers endlessly. TTL is similar to how tracking information provides details about an envelope’s expected delivery date.

A
59
Q

The Protocol field specifies the protocol used by providing a value which corresponds to a protocol. For example, TCP is represented by 6. This is similar to including the number of a house in a postal address.

A
60
Q

The Header Checksum stores a value called a checksum, which is used to determine if any errors have occurred in the header.

A
61
Q

The Source Address specifies the source IP address and the Destination Address specifies the destination IP address. This is just like the sender and receiver’s contact information found on an envelope.

A
62
Q

The Options field is not required and is commonly used for network troubleshooting rather than common traffic. If it’s used, the header length increases. It’s like purchasing postal insurance for an envelope.

A
63
Q

Finally, at the end of the packet header is where the packet’s data resides, like the text in an email message.

A
64
Q

IPv4
IPv4 is the most commonly used version of IP. There are thirteen fields in the header:

Version: This field indicates the IP version. For an IPv4 header, IPv4 is used.

Internet Header Length (IHL): This field specifies the length of the IPv4 header including any Options.

Type of Service (ToS): This field provides information about packet priority for delivery.

Total Length: This field specifies the total length of the entire IP packet including the header and the data.

Identification: Packets that are too large to send are fragmented into smaller pieces. This field specifies a unique identifier for fragments of an original IP packet so that they can be reassembled once they reach their destination.

Flags: This field provides information about packet fragmentation including whether the original packet has been fragmented and if there are more fragments in transit.

Fragment Offset: This field is used to identify the correct sequence of fragments.

Time to Live (TTL): This field limits how long a packet can be circulated in a network, preventing packets from being forwarded by routers indefinitely.

Protocol: This field specifies the protocol used for the data portion of the packet.

Header Checksum: This field specifies a checksum value which is used for error-checking the header.

Source Address: This field specifies the source address of the sender.

Destination Address: This field specifies the destination address of the receiver.

Options: This field is optional and can be used to apply security options to a packet.

A
74
Q

Tcpdump is a popular network analyzer. It’s pre-installed on many Linux distributions and can be installed on most Unix-like operating systems, like macOS. You can easily capture and monitor network traffic such as TCP, IP, ICMP, and many more.

A
75
Q

Tcpdump is a command-line network protocol analyzer. Recall that a command-line interface (CLI) is a text-based user interface that uses commands to interact with the computer.

A
90
Q

A command that temporarily grants elevated permissions to specific users

A

Sudo:

91
Q

An open-source network protocol analyzer

A

Wireshark:

92
Q

A command-line network protocol analyzer

A

tcpdump:

98
Q

Chain of custody is the process of documenting evidence possession and control during an incident lifecycle.

A
101
Q

Automated playbooks automate tasks in incident response processes. For example, tasks such as categorizing the severity of the incident or gathering evidence can be done using an automated playbook. Automated playbooks can help lower the time to resolution during an incident. SOAR and SIEM tools can be configured to automate playbooks.

Finally, semi-automated playbooks combine a person’s action with automation. Tedious, error-prone, or time-consuming tasks can be automated, while analysts can prioritize their time with other tasks. Semi-automated playbooks can help increase productivity and decrease time to resolution.

A
105
Q

Containment is the act of limiting and preventing additional damage caused by an incident. Organizations outline their containment strategies in incident response plans. Containment strategies detail the actions that security teams should take after an incident has been detected. Different containment strategies are used for various incident types.

A
106
Q

Eradication involves the complete removal of the incident elements from all affected systems. For example, eradication actions include performing vulnerability tests and applying patches to vulnerabilities related to the threat.

A
107
Q

Recovery is the process of returning affected systems back to normal operations. An incident can disrupt key business operations and services. During recovery, any services that were impacted by the incident are brought back to normal operation. Recovery actions include: reimaging affected systems, resetting passwords, and adjusting network configurations like firewall rules.

A
108
Q

Similar to an incident response plan, a business continuity plan (BCP) is a document that outlines the procedures to sustain business operations during and after a significant disruption. A BCP helps organizations ensure that critical business functions can resume or can be quickly restored when an incident occurs.

A
109
Q

Site resilience
Resilience is the ability to prepare for, respond to, and recover from disruptions. Organizations can design their systems to be resilient so that they can continue delivering services despite facing disruptions. An example is site resilience, which is used to ensure the availability of networks, data centers, or other infrastructure when a disruption happens. There are three types of recovery sites used for site resilience:

Hot sites: A fully operational facility that is a duplicate of an organization’s primary environment. Hot sites can be activated immediately when an organization’s primary site experiences failure or disruption.

Warm sites: A facility that contains a fully updated and configured version of the hot site. Unlike hot sites, warm sites are not fully operational and available for immediate use but can quickly be made operational when a failure or disruption occurs.

Cold sites: A backup facility equipped with some of the necessary infrastructure required to operate an organization’s site. When a disruption or failure occurs, cold sites might not be ready for immediate use and might need additional work to be operational.

A
111
Q

Containment, Eradication and Recovery phase of the NIST Incident Response Lifecycle

A
114
Q

Terms and definitions from Course 6, Module 3
Analysis: The investigation and validation of alerts

Broken chain of custody: Inconsistencies in the collection and logging of evidence in the chain of custody

Business continuity plan (BCP): A document that outlines the procedures to sustain business operations during and after a significant disruption

Chain of custody: The process of documenting evidence possession and control during an incident lifecycle

Containment: The act of limiting and preventing additional damage caused by an incident

Crowdsourcing: The practice of gathering information using public input and collaboration

Detection: The prompt discovery of security events

Documentation: Any form of recorded content that is used for a specific purpose

Eradication: The complete removal of the incident elements from all affected systems

Final report: Documentation that provides a comprehensive review of an incident

Honeypot: A system or resource created as a decoy vulnerable to attacks with the purpose of attracting potential intruders

Incident response plan: A document that outlines the procedures to take in each step of incident response

Indicators of attack (IoA): The series of observed events that indicate a real-time incident

Indicators of compromise (IoC): Observable evidence that suggests signs of a potential security incident

Intrusion detection system (IDS): An application that monitors system activity and alerts on possible intrusions

Lessons learned meeting: A meeting that includes all involved parties after a major incident

Open-source intelligence (OSINT): The collection and analysis of information from publicly available sources to generate usable intelligence

Playbook: A manual that provides details about any operational action

Post-incident activity: The process of reviewing an incident to identify areas for improvement during incident handling

Recovery: The process of returning affected systems back to normal operations

Resilience: The ability to prepare for, respond to, and recover from disruptions

Standards: References that inform how to set policies

Threat hunting: The proactive search for threats on a network

Threat intelligence: Evidence-based threat information that provides context about existing or emerging threats

Triage: The prioritizing of incidents according to their level of importance or urgency

VirusTotal: A service that allows anyone to analyze suspicious files, domains, URLs, and IP addresses for malicious content

A
124
Q

Telemetry is the collection and transmission of data for analysis.

A
125
Q

An endpoint is any device connected on a network, such as a laptop, tablet, desktop computer, or a smartphone. Endpoints are entry points into a network, which makes them key targets for malicious actors looking to gain unauthorized access into a system.

A
126
Q

A network-based intrusion detection system collects and analyzes network traffic and network data.

A
127
Q

Signature analysis is a detection method used to find events of interest. A signature specifies a set of rules that an IDS refers to when it monitors activity. If the activity matches the rules in the signature, the IDS logs it and sends out an alert. For example, a signature can be written to generate an alert if a failed login on a system happens three times in a row, which suggests a possible password attack.

A
134
Q

Typically, the action is the first item specified in a signature. It determines what to do when the rule criteria are met. Actions differ across NIDS rule languages, but some common actions are: alert, pass, or reject.

A
135
Q

The header defines the signature’s network traffic. These include information such as source and destination IP addresses, source and destination ports, protocols, and traffic direction.

A
139
Q

The first word specifies the signature’s ACTION. For this signature, the action is alert. This means that the signature generates an alert when all of the conditions are met. The next part of the signature is the HEADER. It specifies the protocol http. The source IP address is HOME_NET and source port is defined as ANY. The arrow indicates the direction of traffic coming from the home network and going to the destination IP address EXTERNAL_NET and ANY destination port.

A
140
Q

The last part of the signature includes the RULE OPTIONS. They’re enclosed in parentheses and separated by semicolons. There are many options listed here, but we’ll focus on the message, flow, and content options. The message option will show the message “GET on wire” once the alert is triggered. The flow option is used to match on the direction of network traffic flow. Here, it’s established, which means that a connection has been successfully made. The content option inspects the content of a packet. Here, between the quotation marks, the text GET is specified. GET is an HTTP request that’s used to retrieve and request data from a server. This means the signature will match if a network packet contains the text GET, indicating a request.

A
141
Q

Alert logs contain information that’s relevant to security investigations. Usually this is the output of signatures which have triggered an alert. For example, a signature that detects suspicious traffic across the network generates an alert log that captures details of that traffic.

A
142
Q

While network telemetry logs contain information about network traffic flows, network telemetry is not always security relevant; it simply records what’s happening on a network, such as a connection being made to a specific port. Both of these log types provide information to build a story during an investigation.

A
155
Q

Anomaly-based analysis: A detection method that identifies abnormal behavior

Array: A data type that stores data in a comma-separated ordered list

Common Event Format (CEF): A log format that uses key-value pairs to structure data and identify fields and their corresponding values

Configuration file: A file used to configure the settings of an application

Endpoint: Any device connected on a network

Endpoint detection and response (EDR): An application that monitors an endpoint for malicious activity

False positive: An alert that incorrectly detects the presence of a threat

Host-based intrusion detection system (HIDS): An application that monitors the activity of the host on which it’s installed

Intrusion detection systems (IDS): An application that monitors system activity and alerts on possible intrusions

Key-value pair: A set of data that represents two linked items: a key, and its corresponding value

Log: A record of events that occur within an organization’s systems

Log analysis: The process of examining logs to identify events of interest

Log management: The process of collecting, storing, analyzing, and disposing of log data

Logging: The recording of events occurring on computer systems and networks

Network-based intrusion detection system (NIDS): An application that collects and monitors network traffic and network data

Object: A data type that stores data in a comma-separated list of key-value pairs

Search Processing Language (SPL): Splunk’s query language

Security information and event management (SIEM): An application that collects and analyzes log data to monitor critical activities in an organization

Signature: A pattern that is associated with malicious activity

Signature analysis: A detection method used to find events of interest

Suricata: An open-source intrusion detection system, intrusion prevention system, and network analysis tool

Telemetry: The collection and transmission of data for analysis

Wildcard: A special character that can be substituted with any other character

YARA-L: A computer language used to create rules for searching through ingested log data

Zero-day: An exploit that was previously unknown

A