1. When real-time reporting of security events from multiple sources is being received, which function in SIEM provides capturing and processing of data in a common format?
- normalization
- compliance
- log collection
- aggregation
Explanation: SIEM combines SEM and SIM tools to provide some useful functions, one of which is data normalization. Data normalization is the process of mapping log messages from different systems into a common data model in order to analyze related security events, even if they are initially logged in different source formats.
2. What is the value of file hashes to network security investigations?
- They can serve as malware signatures.
- They ensure data availability.
- They offer confidentiality.
- They assure nonrepudiation.
Explanation: Data confidentiality, integrity, availability and nonrepudiation are all crucial components of data security. The use of encryption algorithms ensures data confidentiality by safeguarding information from being disclosed to unauthorized people, processes, or devices. Data Integrity uses hashes or a message digest to ensure data nonalteration. Data availability ensures timely and reliable access to data for authorized users, whereas nonrepudiation is the ability to prove that an operation or event has occurred and cannot be repudiated later on.
3. Which technology is an open source SIEM system?
- Wireshark
- Splunk
- StealthWatch
- ELK
Explanation: There are many SIEM systems available to network administrators. The ELK suite is an open source option.
4. A network administrator is working with ELK. The amount of network traffic to be collected by packet captures and the number of log file entries and alerts that will be generated by network and security devices can be enormous. What is the default time configured in Kibana to show the log entries?
- 36 hours
- 48 hours
- 24 hours
- 12 hours
Explanation: Logstash and Beats are used for ingestion in the ELK stack. They provide access to large numbers of log file entries. Because the number of logs that can be displayed is so large, Kibana, which is the visual interface into the logs, is configured to show the last 24 hours by default.
5. In which programming language is Elasticsearch written?
- Python
- C
- C++
- Java
Explanation: Elasticsearch is a cross platform enterprise search engine written in Java.
6. For how long does the Payment Card Industry Security Standards Council (PCI DSS) require that an audit trail of user activities related to protected information be retained?
- 24 months
- 18 months
- 6 months
- 12 months
Explanation: Everyone would love the security of collecting and saving everything, but because of storage and access issues retaining NSM data indefinitely is not feasible. The retention period for certain types of network security information may be specified by compliance frameworks. The Payment Card Industry Security Standards Council (PCI DSS) requires that an audit trail of user activities related to protected information be retained for one year.
7. What is the host-based intrusion detection tool that is integrated into Security Onion?
- OSSEC
- Sguil
- Snort
- Wireshark
Explanation: Integrated into the Security Onion, OSSEC is a host-based intrusion detection system (HIDS) that can conduct file integrity monitoring, local log monitoring, system process monitoring, and rootkit detection.
8. Which core open source component of the Elastic-stack is responsible for accessing, visualizing, and investigating data?
- Kibana
- Elasticsearch
- Logstash
- Beats
Explanation: The core open source components of the Elastic-stack are Logstash, Beats, Elasticsearch, and Kibana. Kibana is responsible for accessing, visualizing, and investigating data. Elasticsearch is responsible for storing, indexing, and analyzing data. Logstash and Beats are responsible for acquiring network data.
9. What is the default time set in the securityonion.conf file for Sguil alert data retention?
- 15 days
- 45 days
- 60 days
- 30 days
Explanation: Sguil alert data is retained for 30 days by default. This value is set in the securityonion.conf file.
10. Which tool would an analyst use to start a workflow investigation?
- ELK
- Sguil
- Snort
- Zeek
Explanation: Sguil is a GUI-based application used by security analysts to analyze network security events.
11. Which core open source component of the Elastic-stack is responsible for storing, indexing, and analyzing data?
- Kibana
- Logstash
- Beats
- Elasticsearch
Explanation: The core open source components of the Elastic-stack are Logstash, Beats, Elasticsearch, and Kibana. Kibana is responsible for accessing, visualizing, and investigating data. Elasticsearch is responsible for storing, indexing, and analyzing data. Logstash and Beats are responsible for acquiring network data.
12. Which tool concentrates security events from multiple sources and can interact with other tools such as Wireshark?
- Sguil
- Curator
- Bro
- Kibana
Explanation: Sguil is a GUI-based application used by security analysts to analyze session data and packet captures.