Module 3 - 02-2 Flashcards

Explore security information and event management (SIEM) tools

1
Q

What are the different types of SIEM tools an organization can choose from, based on its unique security needs (3)?

A
  • Self-hosted
  • Cloud-hosted
  • Hybrid solution
2
Q

Briefly describe a self-hosted SIEM tool.

A
  • Requires organizations to install, operate, and maintain the tool using their own physical infrastructure, such as server capacity
  • Managed and maintained by the organization’s IT department, rather than a third-party vendor
  • Ideal when an organization is required to maintain physical control over confidential data
3
Q

Briefly describe a cloud-hosted SIEM tool.

A
  • Maintained and managed by the SIEM providers, making them accessible through the internet
  • Ideal for organizations that don’t want to invest in creating and maintaining their own infrastructure
4
Q

Briefly describe a hybrid solution.

A
  • An organization can choose to use a combination of both self-hosted and cloud-hosted SIEM tools
  • Leverage the benefits of the cloud while also maintaining physical control over confidential data
5
Q

What are some common SIEM tools (3)?

A
  • Splunk Enterprise
  • Splunk Cloud
  • Chronicle
6
Q

What is Splunk?

A

A data analysis platform

7
Q

What is Splunk Enterprise?

A

A self-hosted tool used to retain, analyze, and search an organization’s log data to provide security information and alerts in real-time

8
Q

What is Splunk Cloud?

A

A cloud-hosted tool used to collect, search, and monitor log data

9
Q

What is Chronicle?

A

Google’s Chronicle: a cloud-native tool designed to retain, analyze, and search data

10
Q

Define Open-source tools

A

A software program whose source code is freely available to anyone and can be modified, distributed, and studied for any purpose

11
Q

What is the objective of Open-source tools?

A

To provide users with software that is built by the public in a collaborative way, which can result in the software being more secure

The source code for open-source projects is readily available to users, as well as the training material that accompanies them.

12
Q

What are examples of Open-source tools (2)?

A
  • Linux
  • Suricata
13
Q

What is Linux?

A

An open-source operating system.
It allows you to tailor the operating system to your needs using a command-line interface.

14
Q

Define Operating System

A

The interface between computer hardware and the user.
It’s used to communicate with the hardware of a computer and manage software applications.

15
Q

What is Suricata?

A

An open-source network analysis and threat detection software

16
Q

Briefly explain network analysis and threat detection software.

A

Network analysis and threat detection software is used to inspect network traffic to identify suspicious behavior and generate network data logs. The detection software finds activity across users, computers, or Internet Protocol (IP) addresses to help uncover potential threats, risks, or vulnerabilities.

17
Q

What foundation developed Suricata?

A

Open Information Security Foundation (OISF)

18
Q

What does OISF stand for?

A

Open Information Security Foundation (OISF)

19
Q

Define Proprietary tools

A

Developed and owned by a person or company, and users typically pay a fee for usage and training.

The owners of proprietary tools are the only ones who can access and modify the source code.
This means that users generally need to wait for updates to be made to the software, and at times they might need to pay a fee for those updates.

20
Q

What are examples of Proprietary tools (2)?

A
  • Splunk®
  • Chronicle SIEM
21
Q

What are the Splunk SIEM tool Dashboards (4)?

A
  • Security posture dashboard
  • Executive summary dashboard
  • Incident review dashboard
  • Risk analysis dashboard
22
Q

What is the purpose of the Security posture dashboard?

A

The security posture dashboard is designed for security operations centers (SOCs). It displays the last 24 hours of an organization’s notable security-related events and trends and allows security professionals to determine if security infrastructure and policies are performing as designed. Security analysts can use this dashboard to monitor and investigate potential threats in real time, such as suspicious network activity originating from a specific IP address.

23
Q

What is the purpose of the Executive summary dashboard?

A

The executive summary dashboard analyzes and monitors the overall health of the organization over time. This helps security teams improve security measures that reduce risk. Security analysts might use this dashboard to provide high-level insights to stakeholders, such as generating a summary of security incidents and trends over a specific period of time.

24
Q

What is the purpose of the Incident review dashboard?

A

The incident review dashboard allows analysts to identify suspicious patterns that can occur in the event of an incident. It assists by highlighting higher risk items that need immediate review by an analyst. This dashboard can be very helpful because it provides a visual timeline of the events leading up to an incident.

25
Q

What is the purpose of the Risk analysis dashboard?

A

The risk analysis dashboard helps analysts identify risk for each risk object (e.g., a specific user, a computer, or an IP address). It shows changes in risk-related activity or behavior, such as a user logging in outside of normal working hours or unusually high network traffic from a specific computer. A security analyst might use this dashboard to analyze the potential impact of vulnerabilities in critical assets, which helps analysts prioritize their risk mitigation efforts.

26
Q

What does SOC stand for?

A

Security Operations Center (SOC)

27
Q

Chronicle allows you to collect and analyze log data according to (4):

A
  • A specific asset
  • A domain name
  • A user
  • An IP address
28
Q

What are the Google Chronicle Dashboards (6)?

A
  • Enterprise insights dashboard
  • Data ingestion and health dashboard
  • IOC matches dashboard
  • Main dashboard
  • Rule detections dashboard
  • User sign in overview dashboard
29
Q

What is the purpose of the Enterprise insights dashboard?

A

The enterprise insights dashboard highlights recent alerts. It identifies suspicious domain names in logs, known as indicators of compromise (IOCs). Each result is labeled with a confidence score to indicate the likelihood of a threat. It also provides a severity level that indicates the significance of each threat to the organization.

A security analyst might use this dashboard to monitor login or data access attempts related to a critical asset—like an application or system—from unusual locations or devices.

30
Q

What does IOC stand for?

A

Indicators of Compromise

31
Q

Define Indicators of Compromise

A

Suspicious domain names in logs

32
Q

What is the purpose of the Data ingestion and health dashboard?

A

The data ingestion and health dashboard shows the number of event logs, log sources, and success rates of data being processed into Chronicle.

A security analyst might use this dashboard to ensure that log sources are correctly configured and that logs are received without error. This helps ensure that log-related issues are addressed so that the security team has access to the log data they need.

33
Q

What is the purpose of the IOC matches dashboard?

A

The IOC matches dashboard indicates the top threats, risks, and vulnerabilities to the organization.

Security professionals use this dashboard to observe domain names, IP addresses, and device IOCs over time in order to identify trends. This information is then used to direct the security team’s focus to the highest priority threats. For example, security analysts can use this dashboard to search for additional activity associated with an alert, such as a suspicious user login from an unusual geographic location.

34
Q

What is the purpose of the Main dashboard?

A

The main dashboard displays a high-level summary of information related to the organization’s data ingestion, alerting, and event activity over time.

Security professionals can use this dashboard to access a timeline of security events—such as a spike in failed login attempts—to identify threat trends across log sources, devices, IP addresses, and physical locations.

35
Q

What is the purpose of the Rule detections dashboard?

A

The rule detections dashboard provides statistics related to incidents with the highest occurrences, severities, and detections over time.

Security analysts can use this dashboard to access a list of all the alerts triggered by a specific detection rule, such as a rule designed to alert whenever a user opens a known malicious attachment from an email. Analysts then use those statistics to help manage recurring incidents and establish mitigation tactics to reduce an organization’s level of risk.

36
Q

What is the purpose of the User sign in overview dashboard?

A

The user sign in overview dashboard provides information about user access behavior across the organization.

Security analysts can use this dashboard to access a list of all user sign-in events to identify unusual user activity, such as a user signing in from multiple locations at the same time. This information is then used to help mitigate threats, risks, and vulnerabilities to user accounts and the organization’s applications.

37
Q

A security team wants some of its services to be hosted on the internet instead of local devices. However, they also need to maintain physical control over certain confidential data. What type of SIEM solution should they select?

  • Remote
  • Hybrid
  • Cloud-hosted
  • Self-hosted
A

Hybrid

They should select a hybrid solution. Hybrid solutions use a combination of both self- and cloud-hosted SIEM tools to leverage the benefits of the cloud while maintaining physical control over confidential data.

38
Q

True or False?
Security information and event management (SIEM) tools provide dashboards that help cybersecurity professionals organize and focus their security efforts.

A

True

SIEM tools provide dashboards that help cybersecurity professionals organize and focus their security efforts. This allows analysts to reduce risk by identifying, analyzing, and remediating the highest priority items in a timely manner.

39
Q

A _____ SIEM tool is specifically designed to take advantage of cloud computing capabilities including availability, flexibility, and scalability.

  • cloud-infrastructure
  • cloud-native
  • cloud-hardware
  • cloud-local
A

cloud-native

A cloud-native SIEM tool, such as Chronicle, is specifically designed to take advantage of cloud computing capabilities including availability, flexibility, and scalability.

40
Q

What are the different types of SIEM tools? Select three answers.

  • Self-hosted
  • Cloud-hosted
  • Hybrid
  • Physical
A
  • Self-hosted
  • Cloud-hosted
  • Hybrid

Feedback: The three different types of SIEM tools are self-hosted, cloud-hosted, and hybrid.