Monitoring and Auditing Flashcards
What is SYSLOG?
Standardized format used for computer message logging that allows for the separation of the software that generates messages, the system that stores them, and the software that reports and analyzes them
Log File Maintenance
Actions taken to ensure the proper creation and storage of a log file, such as the proper configuration, saving, backup, securing, and encryption of the log files
What is ELK/Elastic Stack?
Collection of free and open-source SIEM tools that provides storage, search, and analysis functions
What does ELK/Elastic Stack consist of?
Elasticsearch (query/analytics),
Logstash (log collection/normalization),
Kibana (visualization),
Beats (endpoint collection agents)
What is syslog?
A protocol enabling different appliances and software applications to transmit logs or event records to a central server.
It is the de facto standard for logging of events from distributed systems
What are the contents of a syslog message?
PRI Code (priority code)
A header
A message portion
How is the PRI code in a syslog message determined?
A PRI code is calculated from the facility and severity level of the data
What is contained in the header of a syslog message?
A header contains the timestamp of the event and the hostname
What does the message portion of a syslog message contain?
The source process of the event and related content.
What was the original drawback to syslog?
Since the syslog relied on UDP, there can be delivery issues within congested networks.
There were also no security controls such as authentication and encryption included by default.
This can be problematic because UDP packets are fire-and-forget and may be lost.
What are the improvements to newer syslog messaging?
The ability to use port 1468 for TCP connections, ensuring consistent delivery.
The ability to use TLS to encrypt messages sent to servers
The ability to use MD5 or SHA-1 for authentication and integrity
Message filtering, automated log analysis, event response scripting, and alternate message formats
What is the newer version of syslog server called?
Syslog-NG or Rsyslog
Syslog can refer to which three things?
The network protocol, the server, or the log entries themselves
What is SOAR? And what is it primarily used for?
Security orchestration, automation, and response (SIEM 2.0) is used for incident response.
A class of security tools that facilitates incident response, threat hunting, and security configuration by orchestrating automated runbooks and delivering data enrichment.
What can you use a SOAR for?
Scan security / threat data
Analyze data with Machine Learning
Automate data enrichment
Provision new resources using automated playbooks
(new accounts, VMs, deleting infected virtual machines)
What is a playbook?
A checklist of actions to perform to detect and respond to a specific type of incident.
What is a runbook?
An automated version of a playbook that leaves clearly defined interaction points for human analysis
Assists analysts by performing tasks before flagging for human involvement; humans make a decision, then the runbook performs actions based on the choices made.
What is SNMP and what does it provide?
Simple Network Management Protocol (SNMP) is commonly used to gather information from routers, switches, and other network devices. It provides information about a device’s status, including CPU and memory utilization, as well as many other useful details about the device. NetFlow provides information about network traffic. A management information base (MIB) is a database used for managing the entities in a communication network. The Simple Mail Transfer Protocol (SMTP) is a communication protocol for electronic mail transmission.
What are the 3 main forms of automated monitoring and their characteristics?
Signature - Network traffic is analyzed for predetermined attack patterns
Anomaly - Baseline is established, anything outside baseline is evaluated
Behavior - activity is evaluated against the previous behavior of applications, executables, and the OS in comparison to the activity of the system
Which automated monitoring form causes the most and least number of false positives?
Behavior creates the largest number of false positives
Signature based produces the fewest number of false positives