Log Analysis

Question 1

What is Event Correlation?

Answer 1

identification of significant relationships from multiple log sources such as application logs, endpoint logs, and network logs

Question 2

What are the different common log types?

Answer 2

• event
• audit
• error
• debug

Question 3

What are event logs?

Answer 3

logs record information about a system or network occurrence, such as login attempts, application events and network traffic

Question 4

What are audit logs?

Answer 4

a sequential recording of activities within a system by capturing who performed an action, what activity was initiated, and how the system responded

Question 5

What are the two types of audit logs?

Answer 5

Success and Failure

Question 6

What are common log sources?

Answer 6

• network logs
  
  • network devices such as switches and routers and through packet capture solutions
• host perimeter logs
  
  • firewalls, proxies, and VPN servers - contain information about allowed and denied actions transmitted to the organisation’s host devices
• system logs
  
  • logs record events and services being run by the operating system
• application logs
  
  • logs collected from the applications being run internally - web applications, cloud services, databases and proprietary tools

Question 7

What are Sigma Rules?

Answer 7

• generic and open signature format for log-based intrusion detection systems (IDS)
• way to describe patterns in log files in a standardized and tool-agnostic manner

Question 8

What is the language in which Sigma Rules are written in?

Answer 8

YAML (Yet Another Markup Language)

Question 9

What is one of the main strenghts of Sigma Rules?

Answer 9

tool-agnostic nature - can be applied across different SIEM systems, log management tools, and analysis platforms without being tied to a specific vendor or product