SECOPS 5: Event correlation and normalization

Question 1

Event data type for DHCP

Answer 1

Transaction

Question 2

Event data type for DNS

Answer 2

Transaction

Question 3

Event data type for AAA

Answer 3

Alert

Question 4

Event data types for Netflow

Answer 4

Session, Statistical

Question 5

Event data type for IPS

Answer 5

Alert. Some full packet capture

Question 6

Event data types for Firewall

Answer 6

Session, pcap, Statistical

Question 7

Event data types for Proxy (web/email)

Answer 7

Transaction, Extracted content

Question 8

Event data type for Anti-Virus

Answer 8

Alerts, Extracted content

Question 9

Direct Evidence

Answer 9

Does not require any reasoning to reach a conclusion

Question 10

Circumstantial evidence

Answer 10

Requires inference linking the evidence to the conclusion

Question 11

Indirect evidence

Answer 11

aka Circumstantial evidence

Question 12

IPS alert evidence type

Answer 12

Direct

Question 13

Best evidence

Answer 13

Eyewitness

Question 14

4 Phases of forensics

Answer 14

Collection
Examination
Analysis
Reporting

Question 15

Forensics collection

Answer 15

Identify, label, record, acquire

Question 16

Forensics examination

Answer 16

Forensically processing data to extract data of interest.

Question 17

Forensic analysis

Answer 17

Analyze the results of the examination

Question 18

Forensic reporting

Answer 18

Report results of the analysis.

Describes actions performed. How tools were chosen, further actions to take, recommendations for improvement.

Question 19

Normalization

Answer 19

Manipulating event data to fit into a common schema

Question 20

Correlation

Answer 20

Recognizing that two or more events are related

Question 21

Aggregation

Answer 21

More or less, searching

Question 22

Summarization

Answer 22

Graphic or tabular summary of data

Question 23

Deduplication

Answer 23

Present all details in a concise format. Must be normalized first.