Unit 6 - Module 4 - IDS & SIEM Tools Flashcards
What is a record of events that occur within an organization’s systems?
A Log
What is the process of examining logs to identify events of interest?
Log Analysis
What are the 5 most common log types?
1) Network
2) System
3) Application
4) Security
5) Authentication
What is the process of collecting, storing, analyzing, and disposing of log data?
Log Management
What is a set of data that presents two linked items?
e.g. a key and its corresponding value: "Alert": "Malware"
Key-Value Pair
What is a data type that stores data in a comma-separated list of key-value pairs?
e.g. "User"
{
"id": "1234",
"name": "user",
"role": "engineer"
}
Object
What is a data type that stores data in a comma-separated ordered list?
Array
What log format uses key-value pairs to structure data and identify fields and their corresponding values?
e.g. CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension
Common Event Format (CEF)
In which 3 ways can syslog be used?
Service
Protocol
Log Format
What is the collection and transmission of data for analysis?
Telemetry
What’s an application that monitors activity and alerts on possible intrusions?
Intrusion Detection System (IDS)
What is any device connected to a network called?
Endpoint
What is an application that monitors the activity of the host on which it's installed?
Host-Based Intrusion Detection System (HIDS)
What application collects and monitors network traffic and network data?
Network-based intrusion detection system (NIDS)
What is a detection method used to find events of interest?
Signature analysis
When monitoring activity, what specifies the rules used by an intrusion detection system (IDS)?
A signature
What specifies the rules that an IDS uses to monitor activity? (Analysis based on these is one of the most common detection methods used by IDS tools.)
A Signature
What’s an advantage of using signatures?
Low rate of false positives - It's very efficient at detecting known threats because it is simply comparing activity to signatures.
What are 3 disadvantages of using signatures?
They can be evaded - Signatures are unique, and attackers can modify their attack behaviours to bypass the signatures.
Signatures require updates - Signature-based analysis relies on a database of signatures to detect threats.
Inability to detect unknown threats - Signature-based analysis relies on detecting known threats through signatures.
What do you call a pattern that is associated with malicious activity?
A Signature
What is a detection method that identifies abnormal behaviour?
Anomaly-based Analysis
What’s the one advantage of anomaly-based analysis?
Ability to detect new and evolving threats.
What are two disadvantages of anomaly-based analysis?
High rate of false positives
Pre-existing compromise
What is a file used to configure the settings of an application?
Configuration File
What tool follows these 3 steps?
Collect and aggregate data
Normalize Data
Analyze Data
Security Information and Event Management (SIEM) tool
Whose query language is Search Processing Language (SPL)?
Splunk’s Query Language
What is a computer language used to create rules for searching through ingested log data?
YARA-L
What does Chronicle use to normalize data?
Unified Data Model
What is a special character that can be substituted with any other character?
A Wildcard