____ is one of the market-leading big data information gathering and analysis tools. It can import machine-generated data via a connector or visibility add-on.
Splunk
Behavior-based detection
Means that the engine is trained to recognize baseline traffic or expected events associated with a user account or network device.
By default, literal search strings in grep are case-sensitive. This option ignores case sensitivity.
-i
True or false? Syslog uses a standard format for all message content.
False—syslog messages have a PRI code, header, and message structure, but the format of messages is application-specific.
____ matches zero or more times (quantifier).
*
_____ is an open-source SIEM with an enterprise version focused on compliance and supporting IT operations and DevOps.
Graylog
Trend analysis
The process of detecting patterns within a dataset over time and using those patterns to make predictions about future events.
Returns the total count of matching lines rather than the lines themselves.
-c
Which two factors do you need to account for when correlating an event timeline using a SIEM?
First, you need to validate that all log sources were synchronized to the same time source. Second, you need to account for any variations in time zone for the different sources.
_____ matches the start of a line only (anchor/boundary).
^
_____ is IBM's SIEM log management, analytics, and compliance reporting platform.
QRadar
Anomaly analysis
The process of defining an expected outcome or pattern to events, and then identifying any events that do not follow these patterns.
Reverses the command's default behavior, returning only lines that do not match the given string.
-v
What type of visualization is most suitable for identifying traffic spikes?
A line graph is a good way of showing changes in volume over time.
____ matches a single instance of a character within the brackets. This can include literals, ranges such as [a-z], and token matches, such as [\s] (white space) or [\d] (one digit).
[ ... ]
______ is a vendor of SIEM log management and analytics software, now owned by HP, via the affiliated company Micro Focus.
ArcSight
Regular expression
A search pattern to match within a given string. The search pattern is built from the regex syntax.
Returns the names of the files with matching lines rather than the lines themselves. Primarily used in multi-file grep searches.
-l
Which default port do you need to allow on any internal firewalls to allow a host to send messages by syslog to a SIEM management server?
The default port for syslog is UDP 514. If the syslog implementation is using reliable delivery, the default TCP port is 1468.
_____ matches one or more occurrences (quantifier). A quantifier is placed after the term to match; for example, \s+ matches one or more white space characters.
+
______ is a SIEM product developed by AlienVault, which markets commercial versions of it.
Open-Source Security Information Management
Heuristic Analysis
Means the software can use techniques to determine whether a set of data points are similar enough to "IF x AND (y OR z)" that an alert should be generated anyway.
Treats literal search strings as discrete words. By default, the string add will also return address. With this option, the string add will only return instances of the word add by itself.
-w
What options are there for ingesting data from a unified threat management (UTM) appliance deployed on the network edge to a SIEM?
If supported, you could deploy agent software to the UTM. In the latter case, you will still need to use a filter to parse and normalize the logs. Most SIEMs come with filters for the major appliance platforms, but if not supported directly, you will need to configure a custom filter.
____ defines a matching group, with a regex sequence placed within the parentheses. Each group can subsequently be referred to by \1 for the first group, \2 for the second, and so on.
( ... )