Tuning Correlation Searches Flashcards

1
Q

What are adaptive responses triggered by?

A

By correlation searches and users on the incident review dashboard.

2
Q

What does the summariesonly=true option do for a correlation search?

A

Searches only accelerated data.

3
Q

When creating custom correlation searches, what format is used to embed field values in the title, description, and drill-down fields of a notable event?

A

$fieldname$

4
Q

Which of the following is an adaptive action that is configured by default for ES?
- Create notable event
- Create investigation
- Create new correlation search
- Create new asset

A

Create notable event

5
Q

Which are the steps to tuning correlation searches?

A
  • Threshold
    • The triggering criteria
  • Scheduling and throttling
    • How often to generate notable events for the same type of incidents
  • Adaptive Responses
    • Actions to take
  • Notable Event Settings
  • Risk
    • Assigning, increasing or decreasing the risk score for a given type of threat
  • Any other adaptive responses
6
Q

Which of the following is part of tuning correlation searches for a new ES installation?
- Configuring correlation result storage
- Configuring correlation notable event index
- Configuring correlation adaptive responses
- Configuring correlation permissions

A

Configuring correlation adaptive responses.

7
Q

Which of the following actions would not reduce the number of false positives from a correlation search?
- Increasing threshold sensitivity
- Removing throttling fields
- Reducing the severity
- Increasing the throttling window

A

Reducing the severity

8
Q

The Brute Force Access Behavior Detected correlation search is enabled and is generating many false positives. Assuming the input data has already been validated, how can the correlation search be made less sensitive?

A

Edit the search, look for where or xswhere statements, and alter the threshold value being compared to make it a less common match.

9
Q

Adaptive response action history is stored in which index?

A

cim_modactions

10
Q

Where is it possible to export content, such as correlation searches?

A

Configure > Content Management

11
Q

Content Import/Export

A
  • To export any of the content types on the Content Management page, select the object and choose Edit Selected > Export
  • Enter an app name, prefix, label, version number, build number and click Export.
  • The content will be downloaded as an .spl file. It can then be installed as a new app into another ES search head.
  • Import content by installing an app.
12
Q

Which setting indicates that the correlation search will be executed as new events are indexed?
- Continuous
- Real-Time
- Always-On
- Scheduled

A

Real-Time
