LDR551-Book 3 Flashcards

1
Q

What does the Internet Storm Center do?

A

Operates the Internet’s early warning system.

2
Q

What skills are necessary for security leaders?

A

Business, leadership, and technical skills.

3
Q

What is the inefficiency in traditional Blue Team operations?

A

Each team gathers and analyzes threat intel independently.

4
Q

What is the benefit of information sharing in Blue Team operations?

A

Efficient sharing of defense knowledge.

5
Q

What is MITRE ATT&CK?

A

Model for sharing attacker tactics and techniques.

6
Q

What are Sigma signatures used for?

A

Log content matching.

7
Q

What is the purpose of Jupyter notebooks in security analysis?

A

Make complex analysis repeatable and shareable.

8
Q

What is MITRE D3FEND?

A

Knowledge graph of security countermeasures.

9
Q

What is MITRE Engage?

A

Knowledge base for denial, deception, and adversary engagement.

10
Q

What is D3FEND?

A

A knowledge graph mapping security countermeasures to attacks

11
Q

What is the main goal of D3FEND?

A

Establish a common vocabulary for security tools

12
Q

What is the most obvious use case for D3FEND?

A

Capturing and comparing features of controls

13
Q

What has replaced MITRE’s Shield framework?

A

MITRE Engage

14
Q

What does MITRE Engage describe?

A

Denial, deception, and adversary engagement techniques

15
Q

What new concepts were added in MITRE Engage?

A

Goals and adversary vulnerabilities

16
Q

What is YARA?

A

A language for defining file characteristics

17
Q

What can YARA signatures identify?

A

Strings, bytes, and other content in files

18
Q

Why should teams invest in learning YARA?

A

To produce file-based threat detections

19
Q

What makes YARA signatures easy to manage?

A

Simple text-based format for change tracking

20
Q

Who created notable YARA rule sets?

A

Didier Stevens and Florian Roth

21
Q

What is Sigma?

A

High-level generic language for log analytics

22
Q

Who leads the Sigma project?

A

Florian Roth and Thomas Patzke

23
Q

What problem does Sigma address?

A

Generic detection for log content

24
Q

How does Sigma benefit SOC teams?

A

Allows sharing and distributing log analytics

25
Q

What format are Sigma rules written in?

A

Text-based YAML files

26
Q

What does Sigma eliminate?

A

Vendor lock-in

27
Q

What is a key benefit of Sigma’s text-based format?

A

Enables version control for analytics

28
Q

What can Sigma’s metadata sections refer to?

A

ATT&CK tactics and techniques

29
Q

What tool can be used to visualize Sigma data on MITRE’s ATT&CK navigator?

A

sigma2attack, a script in the Sigma tooling that turns the rules’ attack.* tags into an ATT&CK Navigator layer

30
Q

What does implementing Sigma help avoid when changing SIEM products?

A

Migration pains

31
Q

What format are Sigma rule files written in?

A

YAML

32
Q

What does the metadata in a Sigma rule include?

A

Title, status, description, author, tag

33
Q

What is the purpose of the log source in a Sigma rule?

A

Indicates the log type, brand, service

34
Q

Why is auditing Sigma rules easy?

A

YAML formatting

35
Q

What can be easily performed using Sigma rules?

A

Gap analysis

36
Q

What does the Sigma converter do?

A

Converts a generic Sigma rule into the query language of a specific SIEM (sigmac in the legacy tooling; today sigma-cli with a backend such as Splunk or Elasticsearch)

37
Q

What is a major benefit of Sigma format rules?

A

Analytic version control

38
Q

What would increase ops tempo for defense teams?

A

Publishing analytics in Sigma format
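
The Sigma cards above cover the rule layout (title, status, description, author, tags, logsource, detection and condition), matching on log content, and conversion to a SIEM-specific query. The block below is an added example, not course material and not code from the Sigma project: a constructed rule in the same layout, a small matcher that runs it over constructed process-creation events, and a simplified converter that emits a Splunk-style search. The rule, the events, the hypothetical approved_deploy.exe parent used in the filter, and the converter’s quoting are all assumptions. PyYAML is deliberately not used so the block runs offline (RULE is what yaml.safe_load() would return for the equivalent .yml file), and only the and/or/not condition subset without parentheses is handled.

```python
"""A Sigma rule: structure, matching against log events, and conversion.

Added example, not course material and not code from the Sigma project. RULE
mirrors what yaml.safe_load() returns for a Sigma .yml file. Subset only:
and/or/not conditions without parentheses; contains/startswith/endswith modifiers.
"""
from typing import Dict, List

RULE = {  # same keys and nesting as the YAML file would have; rule is constructed
    "title": "Encoded PowerShell Command Line (constructed example)",
    "status": "experimental",
    "description": "powershell.exe launched with an encoded command line",
    "author": "added example",
    "tags": ["attack.execution", "attack.t1059.001"],
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {
            "Image|endswith": "\\powershell.exe",
            "CommandLine|contains": ["-enc ", "-encodedcommand"],
        },
        "filter": {"ParentImage|endswith": "\\approved_deploy.exe"},  # hypothetical tool
        "condition": "selection and not filter",
    },
    "falsepositives": ["Deployment tooling that legitimately encodes scripts"],
    "level": "medium",
}

EVENTS = [  # constructed Sysmon event ID 1 style process-creation events
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAAMQA=",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe"},
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -EncodedCommand ZQBjAGgAbwA=",
     "ParentImage": "C:\\Program Files\\Deploy\\approved_deploy.exe"},
    {"Image": "C:\\Windows\\System32\\notepad.exe",
     "CommandLine": "notepad.exe notes.txt",
     "ParentImage": "C:\\Windows\\explorer.exe"},
]


def field_matches(event: Dict[str, str], key: str, expected) -> bool:
    """One 'Field|modifier': value pair; a list of values is an OR, compared case-insensitively."""
    field, _, modifier = key.partition("|")
    value = str(event.get(field, "")).lower()
    for cand in (expected if isinstance(expected, list) else [expected]):
        cand = str(cand).lower()
        if (modifier == "contains" and cand in value
                or modifier == "startswith" and value.startswith(cand)
                or modifier == "endswith" and value.endswith(cand)
                or modifier == "" and value == cand):
            return True
    return False


def selection_matches(event: Dict[str, str], selection: Dict) -> bool:
    """Every key inside one selection block must match (AND)."""
    return all(field_matches(event, k, v) for k, v in selection.items())


def eval_condition(condition: str, truth: Dict[str, bool]) -> bool:
    """Evaluate 'a and not b or c' with Sigma precedence (not > and > or)."""
    result = False
    for clause in condition.split(" or "):
        clause_ok = True
        for term in clause.split(" and "):
            term = term.strip()
            negated = term.startswith("not ")
            value = truth[term[4:].strip() if negated else term]
            clause_ok = clause_ok and (value != negated)
        result = result or clause_ok
    return result


def matching_events(rule: Dict, events: List[Dict[str, str]]) -> List[int]:
    """Indexes of the events the rule fires on."""
    detection = rule["detection"]
    hits = []
    for i, event in enumerate(events):
        truth = {name: selection_matches(event, sel)
                 for name, sel in detection.items() if name != "condition"}
        if eval_condition(detection["condition"], truth):
            hits.append(i)
    return hits


def to_splunk(rule: Dict) -> str:
    """Rough equivalent of the Splunk backend output of sigma-cli/sigmac for a
    'selection and not filter' rule (assumption: simplified quoting/escaping)."""
    wildcard = {"contains": "*{}*", "startswith": "{}*", "endswith": "*{}", "": "{}"}

    def block(selection: Dict) -> str:
        parts = []
        for key, expected in selection.items():
            field, _, modifier = key.partition("|")
            values = expected if isinstance(expected, list) else [expected]
            terms = [f'{field}="{wildcard[modifier].format(v)}"' for v in values]
            parts.append(f"({' OR '.join(terms)})" if len(terms) > 1 else terms[0])
        return " ".join(parts)  # adjacent terms are ANDed in SPL

    query = block(rule["detection"]["selection"])
    if "filter" in rule["detection"]:
        query += f" NOT ({block(rule['detection']['filter'])})"
    return query
```

matching_events(RULE, EVENTS) fires only on the first event: the second is excluded by the filter, the third is not PowerShell. In a real toolchain the rule lives in a .yml file under version control and sigma-cli does the conversion; the point is that the generic rule, not the SIEM query, is the artifact you track, audit and share.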

39
Q

What do analysts often lack knowledge in?

A

Writing Python code and understanding analysis

40
Q

What do notebooks lower the bar for?

A

Applying advanced analysis and data science

41
Q

What should you avoid when running cells in a notebook?

A

Blindly using “run all cells”; step through cells so you understand what each one does

42
Q

What does the credential compromise notebook leverage for analysis?

A

Machine learning

43
Q

Where can you find pre-made threat hunting oriented notebooks?

A

GitHub repo

44
Q

What are examples of pre-captured logs and network data for analytic testing?

A

Mordor (now published as OTRF Security Datasets), EVTX-ATTACK-SAMPLES, Splunk Boss of the SOC (BOTS)

45
Q

What project allows you to spin up Active Directory labs in Azure?

A

Adaz

46
Q

What does Splunk’s Attack Range perform?

A

Attack simulation using different engines (for example Atomic Red Team) against a lab it builds and instruments

47
Q

What does the Attack Range integrate into to automate detection rule testing?

A

CI/CD pipeline

48
Q

What are some shared data types for cyber defense?

A

Tactics with ATT&CK, detection with YARA and Sigma

49
Q

What should you do if your tools don’t support YARA and Sigma signatures?

A

Request it from your vendor

50
Q

What are the benefits of simple text-based formats?

A

Help with version control and make information sharable.

51
Q

Where should you share new detections or analysis methods?

A

Conferences, GitHub, or anywhere the Blue Team benefits.

52
Q

What is the second core SOC function responsible for?

A

Finding malicious content in gathered events.

53
Q

What is a central struggle for nearly every SOC?

A

Alert tuning.

54
Q

What is the first step to detection?

A

Submitting the captured event to analytic matching rules.

55
Q

What should receive top priority for analysis if resources are limited?

A

Logs most likely to identify an intrusion.

56
Q

What determines how many alerts will be made?

A

Accuracy, sensitivity, and rule count.

57
Q

What would an ideal detection system achieve?

A

100% true positives, no false positives, no false negatives.

58
Q

What must a reliable detection system support?

A

Reliable collection, health telemetry, and analytic development.

59
Q

What is the “fuel” for modern, detection-oriented SOCs?

A

SIEM function

60
Q

What are the commonalities in effective detection solutions?

A

Reliable, scalable, healthy, low overhead, analytic abstraction

61
Q

What are the four analytic outcomes for events?

A

True positives, true negatives, false positives, false negatives

62
Q

Why are false positives problematic for SOC analysts?

A

They waste analyst time every day and feed alert fatigue

63
Q

Why are false negatives considered the worst outcome?

A

They indicate undetected attacks

64
Q

Can a detection system achieve zero false positives and zero false negatives?

A

No, it’s unrealistic

65
Q

What does the “alerting threshold” represent?

A

Line separating alert/no alert events

66
Q

What happens when you lower the alerting threshold?

A

More events alert: fewer false negatives, but more false positives

67
Q

What happens when you raise the alerting threshold?

A

Fewer events alert: fewer false positives, but more false negatives (missed attacks)

68
Q

What is the SOC manager’s job regarding false positives and false negatives?

A

Decide the acceptable mix

69
Q

What should analysts know if the system prioritizes minimizing false positives?

A

That an alert which fires is very likely real, and that the price is more missed attacks (false negatives) that the system will never show them
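
The threshold cards above describe the trade-off in words. As an added example (not course material), the sweep below makes it concrete for one analytic, a failed-logon count per account per hour, over constructed observations with constructed ground-truth labels; in a real SOC the labels are the final dispositions analysts record on closed alerts. Thresholds and the acceptable false-positive budget are assumptions.

```python
"""The alerting threshold and the four analytic outcomes.

Added example, not course material. The analytic is 'alert when an account has
at least THRESHOLD failed logons in an hour'. OBSERVATIONS pairs each observed
count with the truth established afterwards by investigation; both are
constructed.
"""
from typing import Dict, List, Optional, Tuple

OBSERVATIONS: List[Tuple[int, bool]] = [  # (failed logons in the hour, was it an attack?)
    (1, False), (2, False), (3, False), (4, False), (6, False), (8, False),
    (12, False), (25, False),                        # misconfigured service account, benign
    (5, True), (15, True), (30, True), (60, True),   # password-spraying hours
]
THRESHOLDS = [3, 5, 10, 20, 40]


def confusion(observations, threshold: int) -> Dict[str, int]:
    """Count TP/FP/FN/TN for one threshold."""
    counts = {"tp": 0, "fp": 0, "fn": 0, "tn": 0}
    for score, malicious in observations:
        if score >= threshold:
            counts["tp" if malicious else "fp"] += 1
        else:
            counts["fn" if malicious else "tn"] += 1
    return counts


def precision(c: Dict[str, int]) -> float:
    """Share of alerts that were real: what the analyst experiences in the queue."""
    fired = c["tp"] + c["fp"]
    return c["tp"] / fired if fired else 1.0


def recall(c: Dict[str, int]) -> float:
    """Share of attacks that alerted; 1 - recall is the false-negative problem."""
    attacks = c["tp"] + c["fn"]
    return c["tp"] / attacks if attacks else 1.0


def sweep(observations, thresholds) -> List[Dict[str, float]]:
    """One row per threshold: lowering it adds false positives, raising it adds false negatives."""
    rows = []
    for t in thresholds:
        c = confusion(observations, t)
        rows.append({"threshold": t, **c,
                     "precision": round(precision(c), 2), "recall": round(recall(c), 2)})
    return rows


def pick_threshold(observations, thresholds, max_false_positives: int) -> Optional[int]:
    """The SOC manager's call: the most sensitive threshold whose FP count is acceptable."""
    for t in sorted(thresholds):
        if confusion(observations, t)["fp"] <= max_false_positives:
            return t
    return None
```

sweep(OBSERVATIONS, THRESHOLDS) shows false positives falling 6, 4, 2, 1, 0 as the threshold rises while false negatives climb 0, 0, 1, 2, 3; the slow attacker at five failures per hour is lost as soon as the threshold passes 5, which is exactly the kind of attack that enrichment and risk-based scoring later in this deck exist to recover.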

70
Q

What is the key to writing the best possible detection rules?

A

Apply analytics downstream, post enrichment

71
Q

How can you improve the accuracy of analytics in SOCs?

A

Use correlation and enrichment

72
Q

What is one way of working alerting with Snort IDS?

A

Send alerts for everything that matches one of the signatures.

73
Q

How can SOCs improve upon sending IDS alerts straight to a triage queue?

A

Forward Snort information to the SIEM for enrichment.

74
Q

What can internal IPs in the alert be cross-referenced against?

A

DHCP logs, hostnames, and vulnerability databases.

75
Q

What does Snort not know about the web server?

A

Whether it runs Apache or its patch level.

76
Q

What should be done instead of forwarding alerts directly to a triage queue?

A

Send the alert to the SIEM for further analysis.

77
Q

What is the benefit of sending alerts to the SIEM?

A

Alerts irrelevant to the system can be ignored.

78
Q

How should the Snort alert rule be implemented at the SIEM?

A

If Snort sends an alert for an exploit against a system and that system runs the affected software and version, then alert.
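
Cards 72 to 78 describe the enrichment step in words: forward the Snort alert to the SIEM, resolve the internal IP to a host, look up what that host runs, and only alert when the targeted software and version actually match. The block below is an added example, not course material: it parses constructed Snort fast-format alert lines and applies that rule. The DHCP lease table, the asset inventory, the signature-to-software mapping and the SIDs in the 9000000 range are all placeholders, not real Snort rules or real vulnerabilities. The block goes one step beyond the cards by treating an unknown destination as something to escalate rather than suppress, since an alert that cannot be proven irrelevant should not be dropped silently.

```python
"""Enrich a Snort alert at the SIEM before it reaches the triage queue.

Added example, not course material. Alert lines, DHCP leases, asset inventory,
signature-to-software mapping and version numbers are all constructed.
"""
import re
from typing import Dict, List

ALERT_RE = re.compile(
    r"\[\d+:(?P<sid>\d+):\d+\] (?P<msg>.*?) \[\*\*\].*?\[Priority: (?P<prio>\d+)\] "
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):\d+"
)

SNORT_ALERTS = [  # constructed Snort 'fast' alert output
    "03/14-10:02:11.112233  [**] [1:9000001:1] CONSTRUCTED WEB Apache httpd request handling exploit attempt [**] "
    "[Classification: Web Application Attack] [Priority: 1] {TCP} 198.51.100.23:51544 -> 10.20.0.15:80",
    "03/14-10:02:15.445566  [**] [1:9000001:1] CONSTRUCTED WEB Apache httpd request handling exploit attempt [**] "
    "[Classification: Web Application Attack] [Priority: 1] {TCP} 198.51.100.23:51545 -> 10.20.0.16:80",
    "03/14-10:03:02.778899  [**] [1:9000002:1] CONSTRUCTED WEB IIS request handling exploit attempt [**] "
    "[Classification: Web Application Attack] [Priority: 1] {TCP} 198.51.100.23:51546 -> 10.20.0.15:80",
    "03/14-10:04:40.001122  [**] [1:9000001:1] CONSTRUCTED WEB Apache httpd request handling exploit attempt [**] "
    "[Classification: Web Application Attack] [Priority: 1] {TCP} 198.51.100.23:51547 -> 10.20.0.99:80",
]

# What each signature targets; 'fixed_in' is the first non-vulnerable version (placeholder values).
AFFECTED_SOFTWARE: Dict[int, Dict] = {
    9000001: {"product": "apache httpd", "fixed_in": (2, 4, 50)},
    9000002: {"product": "microsoft iis", "fixed_in": (10, 0, 0)},
}
DHCP_LEASES = {"10.20.0.15": "web01.corp.example", "10.20.0.16": "web02.corp.example"}
ASSET_INVENTORY: Dict[str, Dict] = {  # as a CMDB or vulnerability scanner would report it
    "web01.corp.example": {"product": "apache httpd", "version": (2, 4, 41), "criticality": "high"},
    "web02.corp.example": {"product": "apache httpd", "version": (2, 4, 57), "criticality": "medium"},
}


def enrich(alert_line: str) -> Dict:
    """Parse one alert and decide: alert (vulnerable target), suppress (not applicable) or escalate (unknown)."""
    m = ALERT_RE.search(alert_line)
    if not m:
        raise ValueError(f"unrecognised Snort alert line: {alert_line!r}")
    sid, dst = int(m["sid"]), m["dst"]
    host = DHCP_LEASES.get(dst)                      # IP -> hostname at alert time
    asset = ASSET_INVENTORY.get(host) if host else None
    target = AFFECTED_SOFTWARE.get(sid)
    record = {"sid": sid, "msg": m["msg"], "priority": int(m["prio"]),
              "src": m["src"], "dst": dst, "host": host, "asset": asset}
    if asset is None:
        verdict, reason = "escalate", "destination not in inventory; cannot prove the alert is irrelevant"
    elif target is None:
        verdict, reason = "escalate", "no software mapping for this signature"
    elif asset["product"] != target["product"]:
        verdict, reason = "suppress", f"host runs {asset['product']}, signature targets {target['product']}"
    elif asset["version"] >= target["fixed_in"]:
        verdict, reason = "suppress", "host already runs a fixed version"
    else:
        verdict, reason = "alert", f"{asset['product']} {'.'.join(map(str, asset['version']))} is affected"
    record.update(verdict=verdict, reason=reason)
    return record


def triage_queue(alert_lines: List[str]) -> List[Dict]:
    """Only what survives enrichment reaches analysts: confirmed alerts first, then by asset criticality."""
    kept = [r for r in (enrich(line) for line in alert_lines) if r["verdict"] != "suppress"]
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(kept, key=lambda r: (r["verdict"] != "alert",
                                       order.get((r["asset"] or {}).get("criticality"), 3)))
```

Of the four constructed alerts only the first reaches the queue as a confirmed alert (web01 runs an affected version); the hit on web02 is suppressed as patched, the IIS signature against an Apache host is suppressed as the wrong product, and the hit on an address with no lease or inventory entry is escalated for an analyst to resolve. Keeping the reason string on the record is what lets you audit the suppressions later.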

79
Q

What is a key action in assessing false positives and analytic accuracy?

A

Assessing accuracy of individual analytics.

80
Q

What should you periodically run a report on?

A

Each alert that fired.

81
Q

What should all analytics have?

A

A unique ID.

82
Q

What should alert instances include?

A

Unique ID and final disposition.

83
Q

What is a key activity in keeping sanity in your SOC?

A

Knowing the accuracy and count of each analytic.

84
Q

What should each analytic have?

A

A unique identifier or alert name.

85
Q

What happens when your analytics match?

A

An alert is created with a unique ID.

86
Q

What should you do after a week of analytics activity?

A

Create metrics on fired alerts.

87
Q

What should the final determination of alerts be labeled for?

A

Easy counting for metrics.

88
Q

What should be done with false positives?

A

Dismissed from the alert queue.

89
Q

What should both paths of false positives lead to?

A

A label for ultimate “false positive count.”

90
Q

How should you evaluate your best and worst analytics?

A

Create a chart grouping by unique alert ID.

91
Q

What does creating the chart of alerts help visualize?

A

True and false positive counts and ratios per rule.

92
Q

What is the goal when tuning alerts to minimize time wasted?

A

Fix the source of the highest number of false positives first.

93
Q

Which alert should be addressed after fixing alert C?

A

Alert A, due to higher false positives count.

94
Q

What should be done if Alert E continuously produces no value?

A

Alert E should likely be disabled

95
Q

What are the two variables to consider for high volume alerts?

A

Analytics’ accuracy and apparent priority

96
Q

What action is suggested for high volume, poor accuracy, low priority alerts?

A

Disable or fix them

97
Q

What should be done with high volume, poor accuracy, high priority alerts?

A

Fix them first

98
Q

How should high volume, accurate, low priority alerts be handled?

A

Triage and possibly group alerts

99
Q

What is the key to success in dealing with high volume alerts?

A

Increased efficiency

100
Q

What indicates a prevention capability issue in high volume alerts?

A

High accuracy and high priority alerts

101
Q

What should be done if true positives remain high after controls?

A

Consider adding more people
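
Cards 79 to 101 lay out a procedure: give every analytic a unique ID, record a final disposition on every alert, group by ID to get true and false positive counts per rule, fix the biggest false-positive source first, disable rules that never produce value, and sort high-volume rules by accuracy and priority. The block below is an added example, not course material, that runs that procedure over a constructed week of closed alerts. The rule letters deliberately mirror the deck (C has the most false positives, A the next most, E never fires a true positive); the counts, priorities and the volume and accuracy cut-offs are assumptions to be tuned per SOC.

```python
"""Per-analytic accuracy metrics and the volume/accuracy/priority handling of noisy rules.

Added example, not course material. ALERTS is a constructed week of closed alerts
carrying the unique ID of the analytic that fired and the analyst's final
disposition; PRIORITY is the priority assigned to each analytic.
"""
from collections import defaultdict
from typing import Dict, List

ALERTS: List[tuple] = (
    [("A", "false_positive")] * 60 + [("A", "true_positive")] * 5
    + [("B", "false_positive")] * 5 + [("B", "true_positive")] * 20
    + [("C", "false_positive")] * 120 + [("C", "true_positive")] * 2
    + [("D", "false_positive")] * 3 + [("D", "true_positive")] * 55
    + [("E", "false_positive")] * 50
)
PRIORITY = {"A": "high", "B": "low", "C": "low", "D": "high", "E": "low"}


def per_rule_stats(alerts) -> Dict[str, Dict[str, float]]:
    """Group by unique alert ID and count true/false positives: the chart from the deck."""
    counts: Dict[str, Dict[str, int]] = defaultdict(lambda: {"tp": 0, "fp": 0})
    for rule_id, disposition in alerts:
        counts[rule_id]["tp" if disposition == "true_positive" else "fp"] += 1
    stats = {}
    for rule_id, c in counts.items():
        total = c["tp"] + c["fp"]
        stats[rule_id] = {**c, "total": total, "precision": round(c["tp"] / total, 3)}
    return stats


def tuning_order(stats) -> List[str]:
    """Fix the largest source of wasted analyst time first: rank by false-positive count."""
    return sorted(stats, key=lambda rule_id: stats[rule_id]["fp"], reverse=True)


def disable_candidates(stats) -> List[str]:
    """Analytics that produced no true positives all period."""
    return [rule_id for rule_id, s in stats.items() if s["tp"] == 0]


def action(rule_id, stats, priority, volume_threshold=50, accuracy_floor=0.5) -> str:
    """Recommended handling for a high-volume analytic from its accuracy and priority."""
    s = stats[rule_id]
    if s["total"] < volume_threshold:
        return "low volume: normal triage"
    accurate = s["precision"] >= accuracy_floor
    high_priority = priority[rule_id] == "high"
    if not accurate and high_priority:
        return "fix first"
    if not accurate:
        return "disable or fix"
    if not high_priority:
        return "triage efficiently, group related alerts"
    return "prevention gap: block upstream, then add people if volume stays high"
```

per_rule_stats(ALERTS) yields C with 120 false positives against 2 true positives, so tuning_order puts C first and A second, as card 93 says; E has no true positives and is a disable candidate; and D, accurate and high priority, is the one rule where the right response is not tuning but fixing the control that lets the activity happen. None of this is possible without the unique ID and the recorded disposition on every alert.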

102
Q

Why might some attacks not apply to your environment?

A

You don’t run the relevant software

103
Q

Why should internet noise alerts be suppressed?

A

They waste time and provide no value

104
Q

What is Hanlon’s Razor?

A

Never attribute to malice what can be explained by stupidity

105
Q

What should be done with rules not tied to a specific use case?

A

Deactivate them

106
Q

What is the solution for advanced attacks triggering low priority alerts?

A

Use Risk Based Scoring

107
Q

What does Risk Based Scoring involve?

A

Assigning risk scores based on predefined rules

108
Q

What is the purpose of collecting all suspicious events into a holding area?

A

To aggregate risk by user/host/asset/system.

109
Q

What triggers an analyst’s attention in risk-based scoring?

A

Hitting a threshold per user/device.

110
Q

How can low priority alerts indicate potential compromise?

A

By aggregating alerts over time for the same systems and users.

111
Q

What is the middle ground approach used by many SOCs for low priority alerts?

A

Risk based scoring or alerting.

112
Q

How do alerting systems handle low priority alerts in risk-based scoring?

A

Collect all alerts, score risk based on user, system, and software.

113
Q

When is a situation escalated in a risk-based alerting system?

A

When enough alerts occur for a single user or system.

114
Q

What assumption is key to risk-based scoring?

A

Advanced attacks may only fire low priority anomaly alerts.

115
Q

How can repeated low priority alerts help identify attacks?

A

By triggering more than one alert for the same system.

116
Q

Who documented a specific method for risk-based scoring at the 2019 SANS SIEM Summit?

A

Jim Apger, staff architect at Splunk.

117
Q

What impact did Jim Apger’s “Risk Based Attribution” method reportedly have?

A

Increased true positive alert rate, reduced alert count.

118
Q

What factors affect alert count in detection systems?

A

Scope, sensitivity, accuracy, and analytics enabled.

119
Q

What is the worst part of many analysts’ jobs?

A

False positives.

120
Q

What is more dangerous than false positives?

A

False negatives.

121
Q

What is crucial for improving true positive separation from false positives?

A

Data enrichment and constant analytic testing and tuning.

122
Q

What should SOCs prioritize to combat alert fatigue and burnout?

A

Understanding and maximizing enrichment opportunities.

123
Q

What should be done if high volume alerts indicate valid concerns?

A

Block the issue before it becomes a problem.

124
Q

What can remedy bad high volume alert rules?

A

Tuning, enrichment, suppression, or risk based scoring.

125
Q

What is the focus of Section 3 in the course?

A

Attack Detection, Threat Hunting, and Triage

126
Q

What are the objectives of Exercise 3.1?

A

Rule management, Sigma usage, Git tracking, MITRE visualization

127
Q

What is the key to success in the triage phase?

A

Speed, accuracy, context, automation

128
Q

What is a downside of a tiered SOC?

A

Complex alerts may be improperly passed over

129
Q

What is a benefit of a tierless SOC?

A

Analysts gain exposure to diverse data

130
Q

What is a downside of a tierless SOC?

A

Analysts must work closely to avoid cherry-picking alerts

131
Q

What is the MSSP hybrid model?

A

A strategy for dealing with complex alerts in-house

132
Q

What is the role of MSSP in the hybrid model?

A

Outsourced Tier 1 for filtering alerts

133
Q

What is a key advantage of the MSSP hybrid model?

A

In-house team focuses on important items

134
Q

What is a major con of the MSSP hybrid model?

A

Trusting first line to someone else

135
Q

How can the risk of MSSP incorrectly dismissing alerts be mitigated?

A

Pre-determine high-priority alerts

136
Q

What is a con of pre-determining high-priority alerts?

A

Requires frontloaded work to review alerts

137
Q

What should be tracked to measure MSSP effectiveness?

A

Incidents by alert source, false positive rate

138
Q

What skills are necessary for accurate triage and risk assessment?

A

Understanding alert, attack stage, context

139
Q

What is a benefit of triaging alerts in the point product?

A

Interface is designed for specific alert type

140
Q

What is a downside of triaging alerts in the SIEM?

A

Data related to alert is in remote system

141
Q

What is a downside of using SIEMs for displaying network packets?

A

SIEM interfaces are built around log events and are rarely a good way to display packet data; a point product such as Sguil or EveBox renders PCAP far better.

142
Q

What is the third option for handling alerts in a SIEM?

A

Gather all alerts, enrich them, and push to incident management.

143
Q

Why might ticketing systems offer the best UI and user experience for alert triage?

A

Ticketing systems are often specifically designed for this workflow.

144
Q

What is a downside of using ticketing systems similar to SIEMs?

A

May need to reach out to other systems for additional data.

145
Q

What must the software used to triage alerts support?

A

Must support the workflow and data display needed.

146
Q

What is the ideal experience for displaying data in an alert triage system?

A

Well-formatted data displayed clearly and field-separated.

147
Q

What should analysts be able to see in an alert triage system?

A

All metadata, original packet/log, and signature/analytic.

148
Q

What should analysts be able to do from the alert view?

A

Easily enrich or pivot to external data with a click.

149
Q

How should fields be transferred when an alert is accepted as true positive?

A

Without extraneous copy and paste or formatting changes.

150
Q

Name two point product-based alert triage systems.

A

Sguil and EveBox.

151
Q

What do Sguil and EveBox offer?

A

View packet metadata, full PCAP captures, signatures, enrichment information.

152
Q

What is key to success in alert triage systems?

A

No manual process of moving data into different boxes.

153
Q

What should you do if security products don’t supply data in the needed format?

A

Use SOAR or a script to format data seamlessly.

154
Q

What are important alerts for immediate attention?

A

Targeted attacks, exploits against sensitive info, safety critical infrastructure.

155
Q

What indicates an attack should jump to the top of the priority list?

A

Exploits against air gapped or segmented subnets.

156
Q

What must analysts do when faced with limited resources?

A

Look for the very worst items first.

157
Q

What often signifies the worst attacks?

A

Attacks nearing completion of attackers’ goals.

158
Q

What should analysts do if they see signs of data theft, destruction, or denial of service?

A

Take quick action.

159
Q

What must analysts be familiar with to identify high-priority items?

A

Organization’s threat model and attack tactics.

160
Q

What helps analysts make the call on advanced attack stages?

A

Perspective on attacker techniques and target systems.

161
Q

What combination helps get analysts to identify advanced attacks?

A

Data classification, technology, experience, and Red Team training.

162
Q

What does Microsoft Defender for Office 365 support for prioritizing accounts?

A

Account tagging for fast identification of priority account attacks.

163
Q

Why is fast and accurate triage of suspicious email important?

A

Microsoft’s figure that roughly 90% of attacks originate over email, combined with the high cost of breaches.

164
Q

What is a new feature in Defender for Office 365 Plan 2?

A

Priority Account Protection

165
Q

What does Priority Account Protection allow security teams to do?

A

Tag accounts for high visibility alerts

166
Q

Who should you tag with Priority Account Protection?

A

VIPs, C-Suite, admin users, help desk, accounting

167
Q

What is one benefit of tagging accounts during triage?

A

Visually labeled, stands out in alerts

168
Q

How can custom workflows for tagged accounts help?

A

Increase speed of addressing alerts

169
Q

What can trigger a fast response for priority account alerts?

A

Notify SOC members via SMS/email

170
Q

What should you design for priority account alerts?

A

Fast track treatment workflows

171
Q

How does Defender for Office 365 support investigation of tagged accounts?

A

Priority tags in submission queues, quarantine, threat explorer

172
Q

What does distinguishing attack trends to priority accounts help with?

A

Build relevant threat intelligence

173
Q

What key information should alerts include for proper triage?

A

User type, asset, patching status, criticality

174
Q

How can you ensure alerts are prioritized correctly from the start?

A

Show key info about source and destination in triage interface

175
Q

What is required for effective alert triage?

A

Data classification

176
Q

What should SIEMs monitor to keep user lists up-to-date?

A

Domain administrators, email administrators groups

177
Q

What is the problem with loading data, system, and user lists only at one point in time?

A

They go stale; keep them synced continuously (for example by monitoring the admin groups above) so enrichment reflects the current environment.

178
Q

What is the focus of the Efficient Alert Triage Summary?

A

Fundamentals of alert triage and investigation.

179
Q

What must be done to convert noise into meaningful signal in an alert queue?

A

Effectively process and triage the data.

180
Q

What was discussed regarding managing alerts in a SOC?

A

Fundamentals, tools, approaches, and strategies.

181
Q

What should analysts prioritize to respond to late-stage attacks?

A

Identify and prioritize critical alerts.

182
Q

What helps separate important alerts from noise?

A

Adding context to alerts.

183
Q

What is the next step after handling current alerts in a SOC?

A

Designing and creating new analytics.

184
Q

What are the sections covered in the Course Roadmap?

A

SOC Design, Telemetry, Attack Detection, and more.

185
Q

What should analysts have for various alert conditions?

A

Reference for alert conditions and reactions.

186
Q

What supports the creation of playbooks for analysts?

A

Use case documentation.

187
Q

What drives the data collection required in detection?

A

Use cases implemented.

188
Q

Who described the “Githubification of Infosec”?

A

John Lambert

189
Q

What is the “Githubification of Infosec”?

A

Community-based, democratized approach to analysis

190
Q

What tools support a common language for detections?

A

Sigma, Jupyter, YARA, ATT&CK

191
Q

What should you strive to maintain for effective incident response?

A

Proven set of curated detections

192
Q

What are the inputs to the detection engineering process?

A

Threat model, intelligence, visibility

193
Q

What does the detection engineering process include?

A

Data sources, event pipelines, correlation, enrichment

194
Q

What is the goal of detection engineering?

A

Complete data sources, robust pipeline, flexible detections

195
Q

What is detection engineering?

A

Blending engineering and analysis to identify and implement use cases

196
Q

What varies depending on SOC maturity in detection engineering?

A

Process and rigor

197
Q

What should analytics be based on?

A

Intelligence and threat model

198
Q

What should advanced teams avoid when solving detection problems?

A

Solving detection problems by adding analysts; engineer the detection (tuning, enrichment, automation) instead.

199
Q

What should detection engineers be aware of according to the “law of the lever”?

A

Work imbalance created by new detections.

200
Q

What do engineering best practices involve in detection engineering?

A

Building rigor into the process and thorough testing.

201
Q

What is crucial to provide analysts to reduce their response time?

A

Arm analysts with as much information as possible.

202
Q

What should not be given a pass in detection engineering?

A

Bad alerts must be tuned or retired.

203
Q

When should detections be tested according to the guiding principles?

A

Before an incident occurs.

204
Q

What is the importance of historical accuracy in rule classification?

A

True/false positive ratio of past rule firings.

205
Q

What should analysts consider about the type of alert?

A

Whether it detects known malicious activities or anomalies.

206
Q

What should be documented in a use case?

A

Conditions/attack techniques to detect and related details.

207
Q

What is the purpose of use case tracking in a SOC?

A

List specific conditions to detect and how to detect them.

208
Q

What should a use case documentation set include?

A

Why detect condition, detection method, owner, required data

209
Q

Why is tracking detailed use cases important for SOCs?

A

To avoid “tribal knowledge” and ensure continuity

210
Q

What happens if detection conditions are undocumented and key personnel leave?

A

No one may know what an alarm means or what action to take

211
Q

What alleviates the issue of undocumented detection conditions?

A

Use case documentation and tracking

212
Q

Where should information on actions to take when key alerts fire be kept?

A

Use case database or tracking system

213
Q

What are key items to look for in a use case tracking solution?

A

Usability, customization, flexibility, metrics reporting capability

214
Q

What should a use case tracking tool be easy to do?

A

Enter new data and track life cycle and metadata

215
Q

What is a use case database for?

A

Documenting new analytics and supporting details

216
Q

What should analysts refer to when seeing an alert for the first time?

A

Use case information in the database

217
Q

What additional function should a use case database serve?

A

Generate metrics

218
Q

What features are important in a use case database platform?

A

Field customization, owner assignment, nested items, framework alignment

219
Q

What drives the formality of a use case tracking system?

A

Size and complexity of SOC operation

220
Q

What tools might smaller teams use for use case tracking?

A

Excel

221
Q

What should a use case tracking system ideally allow?

A

Simple use, easy customization, organization, change tracking, metric generation

222
Q

What can use case database metrics drive?

A

Investments in new technology

223
Q

Who are the primary users of a use case database?

A

Analysts

224
Q

Who documents the details of analytics in the use case database?

A

Detection engineers

225
Q

What should managers be able to do with a use case database?

A

Answer coverage questions and pull metrics
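
Cards 206 to 225 describe what a use case database holds (why the condition matters, how it is detected, owner, required data, playbook) and what it must answer: coverage questions, gap analysis, metrics, and the data collection the use cases drive. The block below is an added example, not course material: a constructed table of the kind a small SOC might keep in a spreadsheet, with the queries a manager and a detection engineer would run against it. The use cases, owners and THREAT_MODEL are assumptions; the ATT&CK technique IDs are real, and the Navigator layer field names follow the public layer format but the version string is assumed and should be checked against the Navigator you use.

```python
"""A minimal use case database with coverage, hygiene and data-source metrics.

Added example, not course material. USE_CASES and THREAT_MODEL are constructed;
the Navigator layer version string is an assumption.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class UseCase:
    uid: str                # unique analytic ID that every fired alert carries
    title: str
    why: str                # why this condition matters to the organisation
    technique: str          # ATT&CK technique ID ("" if not mapped)
    detection: str          # how it is detected: rule name, query, product
    owner: str
    data_sources: List[str]
    status: str             # proposed | testing | production | retired
    playbook: str           # what the analyst does when it fires


USE_CASES = [
    UseCase("UC-001", "Encoded PowerShell command line", "common loader pattern",
            "T1059.001", "sigma: encoded_powershell.yml", "detect-eng", ["sysmon:1"], "production", "PB-PS-01"),
    UseCase("UC-002", "New Windows service installed", "persistence on servers",
            "T1543.003", "saved search on event 7045", "detect-eng", ["windows:system:7045"], "production", "PB-SVC-01"),
    UseCase("UC-003", "LSASS memory access", "credential theft precedes lateral movement",
            "T1003.001", "sigma: lsass_access.yml", "alice", ["sysmon:10"], "testing", "PB-CRED-01"),
    UseCase("UC-004", "Kerberoasting", "service account abuse",
            "T1558.003", "RC4 TGS requests per user", "bob", ["windows:security:4769"], "proposed", ""),
    UseCase("UC-005", "Legacy IDS rule", "unknown", "", "snort sid", "", [], "retired", ""),
]
THREAT_MODEL = ["T1059.001", "T1003.001", "T1543.003", "T1558.003", "T1566.001", "T1021.002"]


def coverage(use_cases, threat_model, live=("production",)) -> Dict[str, List[str]]:
    """Gap analysis: which threat-model techniques have a live detection and which do not."""
    covered = {uc.technique for uc in use_cases if uc.status in live and uc.technique}
    return {"covered": [t for t in threat_model if t in covered],
            "gaps": [t for t in threat_model if t not in covered]}


def hygiene_issues(use_cases) -> List[str]:
    """Undocumented detections are tribal knowledge: flag missing owner, playbook or data."""
    issues = []
    for uc in use_cases:
        if uc.status == "retired":
            continue
        for name, value in (("owner", uc.owner), ("playbook", uc.playbook), ("data sources", uc.data_sources)):
            if not value:
                issues.append(f"{uc.uid}: no {name}")
    return issues


def metrics(use_cases) -> Dict[str, Dict[str, int]]:
    """The counts a manager pulls: life-cycle state and ownership."""
    return {"by_status": dict(Counter(uc.status for uc in use_cases)),
            "by_owner": dict(Counter(uc.owner or "unassigned" for uc in use_cases))}


def required_data_sources(use_cases, live=("production", "testing")) -> List[str]:
    """Use cases drive collection: the log sources the live detections depend on."""
    return sorted({src for uc in use_cases if uc.status in live for src in uc.data_sources})


def navigator_layer(use_cases, name="SOC detection coverage") -> Dict:
    """ATT&CK Navigator layer for production detections (layer version string assumed)."""
    techniques = [{"techniqueID": uc.technique, "score": 1, "comment": uc.uid}
                  for uc in use_cases if uc.technique and uc.status == "production"]
    return {"name": name, "versions": {"layer": "4.5"}, "domain": "enterprise-attack",
            "techniques": techniques}
```

coverage(USE_CASES, THREAT_MODEL) reports four of six threat-model techniques as gaps when only production rules count, and three when testing rules are included, which is the coverage question a manager asks; hygiene_issues flags the proposed Kerberoasting case with no playbook before it ever reaches an analyst; required_data_sources is the list the telemetry team needs to keep flowing. A spreadsheet can hold the same columns; what matters is that every one of these answers comes from the database rather than from whoever happens to remember.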