Forensics Flashcards
How do items get into the SIEM
Sensors
Sensitivity
Trends
Alerts
Correlation
Log Files
Describe the sensors that feed data into a SIEM
The endpoint being monitored feeds data to the SIEM
Describe sensitivity as it relates to a SIEM
How much or how little we are logging, and how sensors are configured to determine how much data is passed
Describe trends as they relate to a SIEM
The SIEM identifies trends in the network as data is fed to it; for example, failed login attempts across many user accounts may be brute force
How are alerts created in a SIEM
Created in the SIEM based on certain parameters, such as account lockouts and failed password attempts
Describe correlation of SIEM data
Ensuring that endpoints are using standardized IP and hostname formatting, and that devices are using UTC
Describe log files as they relate to SIEMs
Files that record either events that occur in an OS or other software being run, or messages between users for comms software
What are the types of log files
System
Application
Security
Web
DNS
Authentication
Dump Files
VOIP
Describe what system, application, and security log files provide
System - what is occurring on a host or server
Application - what each app is doing
Security - monitors login events
Describe what web log files provide
Web - may come from a proxy server that details what websites users are visiting; if you host a web server, these logs will tell you which files and hosted items are being interacted with
Describe what DNS and authentication log files provide
DNS - what requests have been made of the DNS server; see which host is asking for which address
Authentication - shows all authentication info across files, systems, and resources
Describe what dump files and VOIP logs are used for
Dump files are created when things crash; memory contents are written to disk for later review
VOIP logs can be captured as VOIP metadata
What are the three variations of SYSLOG
Syslog, rsyslog, syslog-ng
Which versions of SYSLOG offer encryption
Syslog-NG
What is journalctl
Linux command-line utility used for querying and displaying logs from journald, the systemd logging service in Linux