Consists of messages generated by IPSs or IDSs in response to traffic that violates a rule or matches the signature of a known exploit.
What is Alert Data
Two important types of web server access log.
What are Apache web server access logs and Microsoft Internet Information Server (IIS) access logs
The portion of a Syslog message that carries the actual content, that is, what the message means.
What is the MSG (message text) portion
A very popular command-line packet analyzer.
What is Tcpdump
Devices that act as intermediaries for network clients
What are Proxy servers
Consists of the messages that are exchanged during network sessions. Can be viewed in packet capture transcripts.
What is Transaction Data
An essential source of data for network security monitoring, produced by network application servers such as email servers.
What are Server Logs
A popular SIEM widely used in SOCs.
What is Splunk
A protocol developed as a tool for network troubleshooting and session-based accounting.
What is NetFlow
A device that acts as a web proxy, meaning that it logs all inbound and outbound transaction information for HTTP traffic.
What is the Cisco Web Security Appliance (WSA)
The most detailed network data collected, making them the most storage- and retrieval-intensive type of data used in NSM.
What are Full Packet Captures
An alternative to Syslog that is rarely used by UNIX and Linux servers.
What is proprietary logging
Used in many organizations to provide real-time reporting and long-term analysis of security events.
What is Security Information and Event Management (SIEM)
Combines multiple technologies to recognize, analyze, and control over 1000 applications, including voice, video, email, file sharing, and gaming.
What is the Cisco Application Visibility and Control (AVC) system
Has more than 30 logs used to monitor aspects of email delivery, system functioning, antivirus, antispam operations, and block list and allow list decisions.
What is the Cisco Email Security Appliance (ESA)
A network intrusion detection system that comes configured with rules for known exploits, with its alerts made readable and searchable by the Sguil and Squert applications.
What is Snort
A part of a Syslog message that consists of two elements, the Facility and Severity of the message, encoded as a single number (Facility multiplied by 8, plus Severity).
What is PRI (priority)
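The two Syslog cards above (PRI and MSG) are easier to remember with a parser in hand. The following Python is an added example, not code from the original page: it takes BSD-style (RFC 3164) Syslog lines, splits off the PRI, decodes it into Facility and Severity with the Facility * 8 + Severity rule, and keeps the MSG text for analysis. The sample messages are constructed (two are modelled on the examples in RFC 3164), and the function names are mine.

```python
import re
from typing import Dict, List, Tuple

# RFC 3164 facility codes (index = code) and severity codes (index = code).
# PRI = facility * 8 + severity, so a valid PRI is always in the range 0..191.
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# BSD-style line layout: <PRI>TIMESTAMP HOSTNAME MSG   (MSG = TAG + CONTENT)
_SYSLOG_RE = re.compile(
    r"^<(\d{1,3})>([A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) (\S+) (.*)$", re.DOTALL
)


def decode_pri(pri: int) -> Tuple[int, int]:
    """Split a PRI value into (facility_code, severity_code)."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI {pri} out of range 0..191")
    return pri // 8, pri % 8


def encode_pri(facility_code: int, severity_code: int) -> int:
    """Inverse of decode_pri: the PRI a sender would put between < and >."""
    if not (0 <= facility_code <= 23 and 0 <= severity_code <= 7):
        raise ValueError("facility must be 0..23 and severity 0..7")
    return facility_code * 8 + severity_code


def parse_syslog(line: str) -> Dict[str, object]:
    """Parse one BSD-style Syslog line into its PRI, HEADER and MSG parts."""
    m = _SYSLOG_RE.match(line)
    if not m:
        raise ValueError(f"not a BSD-style syslog line: {line!r}")
    pri = int(m.group(1))
    fac, sev = decode_pri(pri)
    return {
        "pri": pri,
        "facility_code": fac, "facility": FACILITIES[fac],
        "severity_code": sev, "severity": SEVERITIES[sev],
        "timestamp": m.group(2),
        "hostname": m.group(3),
        "msg": m.group(4),  # the MSG portion: what the message actually says
    }


def parse_many(lines: List[str]) -> Tuple[List[Dict[str, object]], List[str]]:
    """Parse a batch; malformed lines are collected instead of aborting the batch."""
    parsed, rejected = [], []
    for line in lines:
        try:
            parsed.append(parse_syslog(line))
        except ValueError:
            rejected.append(line)
    return parsed, rejected


def urgent_hosts(records: List[Dict[str, object]], max_severity_code: int = 2) -> List[str]:
    """Hostnames that logged at emerg/alert/crit (severity code <= 2), for triage."""
    return [str(r["hostname"]) for r in records if int(r["severity_code"]) <= max_severity_code]


# Constructed sample input. The first two lines follow the RFC 3164 examples; the
# hostnames and the out-of-range PRI on the last line are hypothetical.
SAMPLE_MESSAGES = [
    "<34>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8",
    "<13>Feb  5 17:32:18 10.0.0.99 Use the BFG!",
    "<190>Mar  3 09:01:02 edge-router sshd[2211]: Accepted publickey for ops from 10.1.1.5 port 50102",
    "<200>Mar  3 09:01:03 badhost junk: PRI above 191 is not valid",
]

if __name__ == "__main__":
    ok, bad = parse_many(SAMPLE_MESSAGES)
    for r in ok:
        print(f"{r['facility']}.{r['severity']:<8} {r['hostname']:<12} {r['msg']}")
    print("rejected:", bad)
    print("urgent:", urgent_hosts(ok))
```

The range check in `decode_pri` matters in practice: a collector that trusts the PRI blindly will index past the facility table on a malformed or hostile line, so the parser rejects it and `parse_many` keeps the rest of the batch flowing.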
Used for identifying hosts that have visited dangerous websites and identifying DNS data exfiltration and connections to malware command-and-control servers.
What are DNS proxy logs
A set of packets, flowing in a single direction, that share the same 5 to 7 IP packet attributes (key fields).
What is an IP Flow
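To show what the NetFlow and IP Flow cards above mean in practice, here is an added Python example (my code, not from the original page) that aggregates packet records into unidirectional flow records keyed on the seven classic NetFlow key fields (source and destination address, source and destination port, protocol, ToS byte, input interface), exports a record when a flow outlives an active timeout, and then pairs each flow with its reverse direction to produce the bidirectional session view. The packet list is constructed; the addresses, ports and the 1800 second timeout are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Packet:
    ts: float       # seconds since capture start
    src_ip: str
    dst_ip: str
    proto: int      # IP protocol number: 6 = TCP, 17 = UDP
    src_port: int
    dst_port: int
    tos: int        # IP type-of-service byte
    in_if: int      # ingress interface index (ifIndex)
    length: int     # bytes on the wire


# The seven classic NetFlow key fields; packets sharing all of them belong to one flow.
FlowKey = Tuple[str, str, int, int, int, int, int]


@dataclass
class Flow:
    key: FlowKey
    packets: int = 0
    octets: int = 0
    first: float = 0.0
    last: float = 0.0


def flow_key(p: Packet) -> FlowKey:
    return (p.src_ip, p.dst_ip, p.src_port, p.dst_port, p.proto, p.tos, p.in_if)


def build_flows(packets: List[Packet], active_timeout: float = 1800.0) -> List[Flow]:
    """Aggregate packets into unidirectional flow records.

    A flow that has been active longer than active_timeout is exported and a
    fresh record started, the way an exporter splits long-lived connections
    into periodic records instead of holding them forever.
    """
    exported: List[Flow] = []
    active: Dict[FlowKey, Flow] = {}
    for p in sorted(packets, key=lambda pkt: pkt.ts):
        k = flow_key(p)
        f = active.get(k)
        if f is not None and p.ts - f.first > active_timeout:
            exported.append(active.pop(k))
            f = None
        if f is None:
            f = Flow(key=k, first=p.ts, last=p.ts)
            active[k] = f
        f.packets += 1
        f.octets += p.length
        f.last = p.ts
    exported.extend(active.values())  # flush whatever is still active at end of capture
    return exported


@dataclass
class Session:
    packets: int = 0
    octets: int = 0
    flow_records: int = 0
    first: float = float("inf")
    last: float = 0.0


def build_sessions(flows: List[Flow]) -> Dict[tuple, Session]:
    """Pair each flow with its reverse direction: the conversation (session) view."""
    sessions: Dict[tuple, Session] = {}
    for f in flows:
        src_ip, dst_ip, sport, dport, proto, _tos, _in_if = f.key
        ends = tuple(sorted([(src_ip, sport), (dst_ip, dport)]))  # direction-independent key
        s = sessions.setdefault((proto, ends), Session())
        s.packets += f.packets
        s.octets += f.octets
        s.flow_records += 1
        s.first = min(s.first, f.first)
        s.last = max(s.last, f.last)
    return sessions


# Constructed sample capture: one TLS connection, one DNS lookup, and a keepalive on the
# TLS connection half an hour later so the active timeout is exercised.
SAMPLE_PACKETS = [
    Packet(0.00, "10.1.1.5", "93.184.216.34", 6, 51000, 443, 0, 1, 60),
    Packet(0.01, "93.184.216.34", "10.1.1.5", 6, 443, 51000, 0, 2, 60),
    Packet(0.02, "10.1.1.5", "93.184.216.34", 6, 51000, 443, 0, 1, 52),
    Packet(0.03, "10.1.1.5", "93.184.216.34", 6, 51000, 443, 0, 1, 517),
    Packet(0.05, "93.184.216.34", "10.1.1.5", 6, 443, 51000, 0, 2, 1514),
    Packet(0.06, "93.184.216.34", "10.1.1.5", 6, 443, 51000, 0, 2, 1514),
    Packet(1.00, "10.1.1.5", "10.1.1.1", 17, 53122, 53, 0, 1, 74),
    Packet(1.01, "10.1.1.1", "10.1.1.5", 17, 53, 53122, 0, 2, 130),
    Packet(1900.0, "10.1.1.5", "93.184.216.34", 6, 51000, 443, 0, 1, 40),
]

if __name__ == "__main__":
    flows = build_flows(SAMPLE_PACKETS)
    for f in flows:
        print(f"flow {f.key[0]}:{f.key[2]} -> {f.key[1]}:{f.key[3]} proto={f.key[4]} "
              f"pkts={f.packets} bytes={f.octets} {f.first:.2f}..{f.last:.2f}")
    for key, s in build_sessions(flows).items():
        print(f"session {key}: pkts={s.packets} bytes={s.octets} records={s.flow_records}")
```

Note what the flow records do not contain: no payload, so a flow tells you who talked to whom, how much and for how long, which is exactly why it is cheap to keep for months while full packet captures are not.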
Extend network security beyond IP addresses and Layer 4 port numbers to the application layer and beyond.
What are Next-Generation Firewalls
A record of a conversation between two network endpoints, which are often a client and a server. It doesn't contain data retrieved and used by the client.
What is Session Data
A popular open-source HIDS (host-based intrusion detection system) that includes robust log collection and analysis functionality.
What is OSSEC
Builds on SIEM by automating security response workflows and facilitating incident response.
What is security orchestration, automation, and response (SOAR)
Lists several hundred attributes (information elements) that are available for a flow, with the first 128 being the most common.
What is the IANA registry of IPFIX entities
A management and reporting system that analyzes the application data from an AVC system and presents it in dashboard reports.
What is Cisco Prime