Categories: SER | ServiceNow | Palo Alto | Investigations/Arbor | Network
100

John Smith has an account in HTEN Prod, but not in HTEN Lab. An SER is submitted to modify John's account in both HTEN Prod and HTEN Lab. Approve or Reject?

Reject. The request should be a Modify for Prod and a Create for Lab, since no Lab account exists yet.

100

The SOC monitors unassigned tickets in the queue using what visual interface?

HTEN SOC Dashboard

100
Define the VSYS Acronyms for FIRN and CS used in the Palo Alto firewalls. 

FIRN: Florida Information Resource Network
CS: Common Services

100

What can be used as data to start an investigation?

Anything. System alert, ArcSight notification, firewall logs, IDS logs, Arbor trends.

100

What IP Address networks are considered private?

10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16 (the RFC 1918 ranges)

200
David submits an SER to modify permissions for his account to be able to use a new ServiceNow feature. Approve or Reject?

Reject: users cannot submit SERs for their own accounts. A manager must submit the SER on behalf of their people.

200

Tickets in the Security Operations queue are assigned to either the ENS - Security Analysts or the Security_Analyst assignment group, depending on the program. T or F

False. SOC tickets are assigned to the ENS - Security Analysts assignment group regardless of program.

200

Free Points

Team race to see who can draw a cube on the whiteboard one line at a time. (David demonstrates)

200

What is the SLA for Security Investigations (Time/Task)?

15 minutes to send notification email to customer.

200

The MGMT or Management VRF/VLAN is used for what?

L3Harris management control over devices, not including customer access. 

300

John is the Deputy NOC Manager for DCNS and was submitted with the Network_Operations_Management_DCNS role. Approve or Reject?

Reject: John must be submitted with a Deputy management role, not the full management role.

300

When escalating a case to SecEng, you can simply reassign the case to the SecEng queue (and to the engineer working the issue, if one is assigned). T or F

False. An Incident must be created and assigned to the SecEng queue. SecEng only works Incidents, not Cases.

300

Palo Alto customer logs are investigated in:
A: The IAG firewalls themselves
B: Panorama

B: Panorama

300

What is the SLA for Arbor mitigations (Time/Task)?

45 minutes to start a manual mitigation for customers who request it in writing via email.

300

For MFN2, what tools do we use for defense in depth?

Palo Alto firewalls, Cisco IDS, Arbor Sightline

400

Mark has 19 new accounts to create for a specific team and wants them created in bulk to save time. Can the SOC support this request?

Yes or no, and why?

No. PD13 allows bulk processing only for 20 or more SERs requesting the same action; 19 accounts falls short of that threshold.

400

For MFN2 Security Incidents, what ticket CATEGORY and SUBCATEGORY need to be assigned for the ticket to be hidden from DMS and to offer the "Reportable Incident" button?

Category: Security Incident

Subcategory: Initial Investigation

400

VPN tunnels supported through Hayes, which the SOC often has to clear, operate over what Application and Port?

Application: IKE
Port: 500 (UDP)

400

3 parts. What Arbor hardware do we use for mitigations? What is the mitigation capacity of that device? What is the mitigation capacity of the cloud service?

Arbor TMS

20 Gbps

Unlimited

400

What is the CIDR prefix length for a 255.255.255.0 netmask?

/24 (the mask is 24 one-bits followed by 8 zero-bits)
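The two Network questions above (the RFC 1918 private ranges and the netmask-to-prefix conversion) are the kind of thing an analyst checks by hand when triaging a firewall or IDS hit. The following is an added example, not part of the original game board: it converts a dotted-decimal netmask to a prefix length, rejects non-contiguous masks (a common typo in firewall objects), and classifies addresses as private or public against only the three RFC 1918 blocks the answer names. The sample addresses are constructed for illustration.

```python
import ipaddress

# The three RFC 1918 private blocks from the answer above. Loopback,
# link-local and the RFC 6598 shared space (100.64.0.0/10) are deliberately
# not included, since the question asks only about private networks.
PRIVATE_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def netmask_to_prefix(netmask: str) -> int:
    """Convert a dotted-decimal netmask (e.g. 255.255.255.0) to a CIDR
    prefix length (24). Raises ValueError for a non-contiguous mask such as
    255.0.255.0, which is almost always a typo in a firewall object."""
    bits = int(ipaddress.IPv4Address(netmask))
    prefix = bin(bits).count("1")
    # A valid mask is exactly `prefix` one-bits followed by zero-bits.
    expected = ((1 << prefix) - 1) << (32 - prefix) if prefix else 0
    if bits != expected:
        raise ValueError(f"non-contiguous netmask: {netmask}")
    return prefix


def prefix_to_netmask(prefix: int) -> str:
    """Inverse of netmask_to_prefix: /24 -> 255.255.255.0."""
    return str(ipaddress.ip_network(f"0.0.0.0/{prefix}").netmask)


def is_private(address: str) -> bool:
    """True if the address falls inside one of the RFC 1918 blocks."""
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in PRIVATE_NETWORKS)


def classify(addresses):
    """Label each address 'private' or 'public'. Useful as a first pass when
    deciding whether a source IP in a log line is internal or external."""
    return {a: ("private" if is_private(a) else "public") for a in addresses}


if __name__ == "__main__":
    # Constructed sample addresses, including the 172.16/12 boundary:
    # 172.31.255.255 is the last private address, 172.32.0.1 is public.
    sample = ["10.1.2.3", "172.31.255.255", "172.32.0.1",
              "192.168.0.1", "8.8.8.8"]
    for addr, label in classify(sample).items():
        print(f"{addr:16} {label}")
    print("255.255.255.0 ->", f"/{netmask_to_prefix('255.255.255.0')}")
    print("255.240.0.0   ->", f"/{netmask_to_prefix('255.240.0.0')}")
```

The 172.16.0.0/12 block is the one analysts most often get wrong by eye; it ends at 172.31.255.255, so 172.32.x.x is public. The contiguity check matters because a mask like 255.0.255.0 is accepted by some tools as 16 set bits and silently matches the wrong hosts.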

500

Peter sends in an email with 22 SERs after an audit: some correct permissions for existing employees, others delete old accounts for employees who have left the program. Can the SOC support this request as a bulk order? Yes, no, why?

No. PD13 allows 20+ SERs to be processed in bulk only if all the actions are the same; this request mixes modify and delete actions.

500

When working a case with an external customer, assigning the specific agency code (ex: DOT-550) has a farther reach than assigning the customer (ex: DOT).
T or F

False. In ServiceNow, the customer code (DOT) is the overarching selection, whereas the legacy Remedy codes (DOT-550) were the overarching selection before.

500

Broadband and Starlink setups are configured in what 3 devices?

Panorama, the IAG ASA VPN concentrators, and the CPE routers

500

What part of an IDS intrusion event helps determine whether it is a false positive?

The Rule: it lists the signature and identifiers that can be compared against the actual traffic to determine whether the event is a true threat or a false positive.

500

Describe the differences between the IAG and POP locations for MFN2.

IAGs route traffic in and out of MFN2 to the Internet.
POPs route traffic around the state of Florida.
