Investigating with Data

Question 1

What are the different pieces in a SIEM?

Answer 1

1. Sensor
2. Sensitivity
3. Trends
4. Alerts
5. Correlation

Question 2

What is the sensor in a SIEM?

Answer 2

Actual endpoint that’s being monitored

Question 3

Explain Sensitivity in a SIEM

Answer 3

sensitivity is focused on how much or how little you’re going to be logging.

Question 4

Explain Trends in a SIEM

Answer 4

By using a SIEM and its graphical ability to look across these logs, we can start seeing trends in our network

Question 5

Explain Alerts in a SIEM

Answer 5

Creating an alert every time something specific happens

Example: every time there is five failed login attempts, I want to have an alert sent to a system administrator to look into that account.

Question 6

Explain Correlation in a SIEM

Answer 6

one of the big things within a SIEM because we’re getting data from all sorts of different sources across all different types of hosts and network devices which all need to be correlated

Question 7

What is a Log File?

Answer 7

any file that records either events that occur in an operating system, or other software that’s running, or messages between different users of a communication software.

Question 8

What is Syslog/Rsyslog/Syslog-ng?

Answer 8

Variations of Syslog which all permit the logging of data from different types of systems in a certain repository

Question 9

What is Journalctl?

Answer 9

Linux command line utility that’s used for querying and displaying logs from the journald, which is responsible for managing and storing log data on a Linux machine

Question 10

What is NXLog?

Answer 10

multi-platform log management tool that helps us to easily identify security risks, policy breaches, or analyze operational problems

Question 11

Which systems do Rsyslog/Syslog-ng work on?

Answer 11

Linux and Unix

Question 12

Which systems do NXLog work on?

Answer 12

Unix, Linux, and Windows

Question 13

What is NetFlow?

Answer 13

network protocol system that was created by Cisco, and it’s going to collect active IP network traffic as it’s flowing into or out of an interface.

Question 14

What is SFlow?

Answer 14

Open sourced version of NetFlow

provide a means for exporting truncated packets, as well as having an interface counter that is going to be used for network monitoring.

Question 15

What is IPFIX?

Answer 15

Internet Protocol Flow Information Export

universal standard for the export of internet protocol flow information from your routers, your probes, and other devices that’s going to be used by mediation systems, accounting and billing systems, and network management systems to facilitate services

Question 16

What is Metadata?

Answer 16

data that describes other data by providing an underlying definition or description by summarizing basic information about the data that makes finding and working with particular instances of data much easier.