Section 4.3 Appropriate data sources to support an investigation Flashcards
What can identify and report various vulnerabilities before they are exploited, such as software flaws, missing patches, open ports, services that should not be running, and weak passwords?
Vulnerability scanners
Dashboards are very useful to the security operations centers as they provide?
centralized visibility and information on threats in real time
What kind of log file can identify the IP and MAC addresses of devices attached to your network? NIDS/NIPS output is an important example of this kind of log for identifying threats and anomalies.
Network log files
What kind of log file records many details about each web request (client IP, requested URL, method, response code, user agent), so that evidence of potential threats and attacks against a web server will be visible here?
Web log files
400-series HTTP response codes indicate what kind of error?
client-side errors
500-series HTTP response codes indicate what kind of error?
server-side errors
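The two cards above come together when you triage a web server log: a single client producing a burst of 4xx responses against paths that do not exist is usually a scanner probing for admin panels and leaked files, while 5xx responses point at application failures worth correlating with an attack attempt. The following is an added example, not part of the original flashcards. It parses lines in the Apache/nginx "combined" log format (a format assumption) and groups responses by class and by client; the log lines are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample lines in Apache/nginx "combined" log format (not from any real server).
# 203.0.113.x and 198.51.100.x are documentation-range addresses.
SAMPLE_ACCESS_LOG = """\
203.0.113.10 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2023:13:55:37 +0000] "GET /admin HTTP/1.1" 404 512 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2023:13:55:38 +0000] "GET /wp-login.php HTTP/1.1" 404 512 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2023:13:55:39 +0000] "GET /.env HTTP/1.1" 403 199 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2023:13:55:40 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 512 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "POST /api/search HTTP/1.1" 500 73 "-" "curl/8.0"
198.51.100.7 - - [10/Oct/2023:13:56:02 +0000] "GET /about HTTP/1.1" 200 1043 "-" "curl/8.0"
this line is not in combined format
"""

# Client IP, ident, user, [timestamp], "METHOD PATH PROTO", status, size (rest of line ignored).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)


def parse_line(line):
    """Return a dict of fields for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def status_class(status):
    """Map a numeric HTTP status to 'client_error' (4xx), 'server_error' (5xx) or 'other'."""
    if 400 <= status < 500:
        return "client_error"
    if 500 <= status < 600:
        return "server_error"
    return "other"


def summarize(log_text, scan_threshold=3):
    """Count responses per client by class; flag clients with many 4xx as suspected scanners."""
    per_ip = defaultdict(lambda: {"client_error": 0, "server_error": 0, "other": 0})
    server_error_paths = defaultdict(int)   # which paths are failing server-side
    unparsed = 0                            # malformed lines are counted, never silently dropped
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        cls = status_class(rec["status"])
        per_ip[rec["ip"]][cls] += 1
        if cls == "server_error":
            server_error_paths[rec["path"]] += 1
    suspected = sorted(ip for ip, c in per_ip.items() if c["client_error"] >= scan_threshold)
    return {
        "per_ip": dict(per_ip),
        "server_error_paths": dict(server_error_paths),
        "suspected_scanners": suspected,
        "unparsed_lines": unparsed,
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_ACCESS_LOG)
    for ip, c in report["per_ip"].items():
        print(f"{ip}: 4xx={c['client_error']} 5xx={c['server_error']} other={c['other']}")
    print("suspected scanners:", report["suspected_scanners"])
    print("paths returning 5xx:", report["server_error_paths"])
    print("unparsed lines:", report["unparsed_lines"])
```

The threshold of three 4xx responses is deliberately low for the tiny sample; on a real server you would tune it to the baseline and add a time window. Counting unparsed lines matters in an investigation because a line the parser skips is a line an attacker might be hiding in.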
Sending the log files from client and server systems to a central location can help establish what?
a central audit trail and visibility into the scope of an attack
What kind of log files contain information about hardware changes, device driver updates, time synchronization, group policy application, and similar operating-system events?
System log files
What kind of log files contain information about software applications: when they were launched, whether they succeeded or failed, and warnings about potential problems or errors?
Application log files
What kind of log files record successful logins as well as unauthorized attempts to access the system and its resources? They also capture file access, so they can show who downloaded certain data and can identify attackers trying to log into your computer systems.
Security log files
What kind of log files contain virtually all DNS server-level activity, such as zone transfers, DNS server errors, DNS caching, and DNSSEC validation?
DNS log files
What kind of log files contain information about login events, recording each attempt as a success or a failure?
Authentication log files
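The value of authentication logs in an investigation comes from reading failures and successes together: a run of failed logins from one source followed by an accepted login from the same source is the signature of a brute-force or password-spraying attempt that worked. The following is an added example, not part of the original flashcards. It parses Linux sshd lines in the classic syslog auth.log format (a format assumption; the lines are constructed) and reports any success preceded by a streak of failures from the same IP.

```python
import re
from collections import defaultdict

# Constructed sample sshd lines in syslog auth.log format (not from a real host).
SAMPLE_AUTH_LOG = """\
Oct 10 13:55:01 web01 sshd[2201]: Failed password for invalid user admin from 203.0.113.10 port 51122 ssh2
Oct 10 13:55:03 web01 sshd[2201]: Failed password for invalid user admin from 203.0.113.10 port 51122 ssh2
Oct 10 13:55:05 web01 sshd[2203]: Failed password for root from 203.0.113.10 port 51130 ssh2
Oct 10 13:55:07 web01 sshd[2205]: Failed password for alice from 203.0.113.10 port 51140 ssh2
Oct 10 13:55:09 web01 sshd[2207]: Accepted password for alice from 203.0.113.10 port 51150 ssh2
Oct 10 13:57:30 web01 sshd[2301]: Accepted publickey for bob from 198.51.100.7 port 40022 ssh2: ED25519 SHA256:abc
Oct 10 13:58:00 web01 sshd[2310]: Failed password for bob from 198.51.100.7 port 40030 ssh2
Oct 10 13:58:02 web01 sshd[2310]: Accepted password for bob from 198.51.100.7 port 40030 ssh2
Oct 10 13:59:00 web01 CRON[2400]: pam_unix(cron:session): session opened for user root by (uid=0)
"""

# Matches both "Failed password for invalid user X from IP" and "Accepted publickey for X from IP".
SSHD_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: '
    r'(?P<result>Failed|Accepted) (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) '
    r'from (?P<ip>\S+) port \d+'
)


def parse_sshd_events(log_text):
    """Extract sshd login events (success flag, user, source IP) from auth log text."""
    events = []
    for line in log_text.splitlines():
        m = SSHD_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["success"] = ev["result"] == "Accepted"
            events.append(ev)
    return events


def find_brute_force_successes(events, threshold=3):
    """Return accepted logins preceded by >= threshold consecutive failures from the same IP."""
    failures = defaultdict(int)        # source IP -> consecutive failures so far
    failed_users = defaultdict(set)    # source IP -> usernames tried during the streak
    alerts = []
    for ev in events:                  # events are assumed to be in log order
        ip = ev["ip"]
        if not ev["success"]:
            failures[ip] += 1
            failed_users[ip].add(ev["user"])
            continue
        if failures[ip] >= threshold:
            alerts.append({
                "ip": ip,
                "user": ev["user"],
                "at": ev["ts"],
                "failed_attempts": failures[ip],
                "users_tried": sorted(failed_users[ip]),
            })
        # A success ends the streak either way.
        failures[ip] = 0
        failed_users[ip].clear()
    return alerts


if __name__ == "__main__":
    for alert in find_brute_force_successes(parse_sshd_events(SAMPLE_AUTH_LOG)):
        print(f"{alert['at']} {alert['ip']}: login as {alert['user']} after "
              f"{alert['failed_attempts']} failures (tried {', '.join(alert['users_tried'])})")
```

Tracking the set of usernames tried, not just the count, separates a user who mistyped their own password from an attacker cycling through admin, root and real account names. Bob's single failure before a success in the sample is below the threshold and is not reported, which is the intended behaviour.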
What kind of file is generated when a computer crashes, saving the contents of memory in a dump file (.dmp)?
Dump files
What is known as a log collector because it gathers event logs from various devices, which are often forwarded to a central server?
Syslog
What logging solution is a utility for querying and displaying logs from journald, which is systemd's logging service?
journalctl
What logging solution collects and stores log data in binary format?
journald
What logging solution is used to query and display journald logs in a readable format?
journalctl
What logging solution is an open-source log management tool that helps identify security risks in a Linux/Unix environment? It is a multi-platform log collection and centralization tool that offers log processing features, including log enrichment and log forwarding.
NXLog
What monitors changes in traffic patterns and identifies devices on the network that are causing bottlenecks? It can be used to understand your network traffic flow and can detect broadcast storms and potential denial-of-service attacks.
Bandwidth Monitors
What do you call data that provides information about other data?
Metadata
What kind of metadata consists of headers that contain detailed information, including the source, the destination, and the route through the mail servers to the recipient? It can be used when phishing emails are received to identify the bad actor.
Email Metadata
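Reading the route out of email headers means walking the Received chain backwards: each mail server prepends its own Received header, so the last one in the message is the hop closest to the sender. Checking the From domain against Return-Path and Reply-To, and reading the Authentication-Results added by the receiving server, turns a phishing triage into a few lines of code. The following is an added example, not part of the original flashcards; the raw message is constructed with documentation-range addresses and placeholder domains.

```python
import email
import email.utils
import re
from email import policy

# Constructed raw message for the example (headers are what matter here).
# Continuation lines start with a tab, as in a real folded header.
SAMPLE_RAW_EMAIL = """\
Return-Path: <bounce@mail-relay.example.net>
Received: from mx2.example.com (mx2.example.com [198.51.100.25])
\tby inbound.example.com with ESMTPS id abc123;
\tTue, 10 Oct 2023 13:55:40 +0000
Received: from relay.example.net (relay.example.net [198.51.100.9])
\tby mx2.example.com with ESMTP id def456;
\tTue, 10 Oct 2023 13:55:38 +0000
Received: from [203.0.113.77] (unknown [203.0.113.77])
\tby relay.example.net with ESMTPA id ghi789;
\tTue, 10 Oct 2023 13:55:35 +0000
Authentication-Results: inbound.example.com; spf=fail smtp.mailfrom=mail-relay.example.net;
\tdkim=none; dmarc=fail header.from=bank.example.org
From: "Bank Security" <alerts@bank.example.org>
Reply-To: verify@bank-secure-login.example
To: victim@example.com
Subject: Urgent: verify your account
Message-ID: <20231010135535.ghi789@relay.example.net>

Please verify your account at the link below.
"""

IP_RE = re.compile(r'\[(\d{1,3}(?:\.\d{1,3}){3})\]')          # first bracketed IPv4 in a Received header
AUTH_RE = re.compile(r'\b(spf|dkim|dmarc)=(\w+)')             # mechanism=result pairs
BAD_AUTH = {"fail", "softfail", "permerror", "temperror"}


def domain_of(addr_header):
    """Lower-cased domain part of an address header such as From or Return-Path."""
    _, addr = email.utils.parseaddr(str(addr_header or ""))
    return addr.rpartition("@")[2].lower()


def analyze_headers(raw):
    """Recover the delivery route and sender-identity mismatches from a raw message."""
    msg = email.message_from_string(raw, policy=policy.default)

    # Received headers are prepended at each hop; reversing them lists the route origin first.
    hops = []
    for hdr in reversed(msg.get_all("Received") or []):
        m = IP_RE.search(str(hdr))
        hops.append(m.group(1) if m else None)

    from_domain = domain_of(msg.get("From"))
    return_path_domain = domain_of(msg.get("Return-Path"))
    reply_to_domain = domain_of(msg.get("Reply-To"))
    auth = dict(AUTH_RE.findall(str(msg.get("Authentication-Results", ""))))

    indicators = []
    if return_path_domain and return_path_domain != from_domain:
        indicators.append(f"Return-Path domain {return_path_domain} differs from From domain {from_domain}")
    if reply_to_domain and reply_to_domain != from_domain:
        indicators.append(f"Reply-To domain {reply_to_domain} differs from From domain {from_domain}")
    for mechanism, result in auth.items():
        if result.lower() in BAD_AUTH:
            indicators.append(f"{mechanism}={result}")

    return {
        "hops": hops,
        "originating_ip": hops[0] if hops else None,
        "from_domain": from_domain,
        "return_path_domain": return_path_domain,
        "reply_to_domain": reply_to_domain,
        "auth": auth,
        "indicators": indicators,
    }


if __name__ == "__main__":
    report = analyze_headers(SAMPLE_RAW_EMAIL)
    print("route (origin first):", " -> ".join(str(h) for h in report["hops"]))
    print("originating IP:", report["originating_ip"])
    for indicator in report["indicators"]:
        print("indicator:", indicator)
```

Only the Received header added by your own receiving server (the top one) is trustworthy; anything below it was written by servers under someone else's control and can be forged, so the "originating IP" is a lead to verify against your own mail gateway logs, not proof. The same caveat applies to Authentication-Results: trust only the entry stamped by your own domain.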
What kind of metadata provides information about every page created on a website, including author, date created, images, and other embedded files (videos, PDFs, etc.)?
Web Metadata
What kind of metadata can be used to track information such as the author, date created, date modified, and file size?
File Metadata
What kind of metadata might include geotagging that documents the location in which a photograph was taken?
Photograph metadata
What kind of network monitoring solution is a Cisco product that monitors network traffic and can identify the load on the network? In an investigation, it can help identify patterns in network traffic.
NetFlow
What kind of network monitoring solution is a multi-vendor standard that provides visibility into network traffic patterns? It can help identify malicious traffic and so help in securing the network.
sFlow
What kind of network monitoring solution is the IETF standard for exporting IP flow records from a network node (the exporter) to a collector? It can be used to identify data traveling through a switch, to facilitate billing, and to format IP flow data and forward it to a collector.
IP Flow Information Export (IPFIX)