AWS recorded the largest DDoS attack in history. What was the bandwidth of the recorded attack?
2.3 Tbps
Recently there was a phishing campaign against Google users, enabled by improperly secured GCP instances, which involved sending an email blast to over 12k account holders. Name the attacker group who launched this.
Fancy Bear (APT28)
Customers should deploy Azure resources to multiple regions to ensure what?
Data Availability
Which cloud platform does Stackdriver monitor?
GCP
Which Amazon namespace is used to uniquely identify Amazon Resources?
ARN
In Google Cloud Storage under default encryption, which encryption algorithm is used?
AES256
Which Azure service is used to manage resources in Azure?
Azure Resource Manager
The Nobelium attack on cloud services was seen in May 2021. Which cloud provider was impacted the most?
Azure - the password spraying method was used
Which AWS service continuously monitors for suspicious configuration changes and anomalies in an AWS account and notifies the relevant parties?
AWS GuardDuty
What is Google Cloud's DDoS Defence service and Web Application Firewall called?
Google Cloud Armor
Name the tool used for security posture management and threat detection.
Microsoft Defender
Form the query to detect malware detections in SharePoint.
index=O365prod Operation=FileMalwareDetected
For the log given below from 16/09/2021, what is the name of the client?
awsRegion: us-east-1
eventCategory: Management
eventID: 199f05d4-f2f9-4c51-a70c-dab165534b2a
eventName: UpdateInstanceInformation
eventSource: ssm.amazonaws.com
eventTime: 2021-09-16T23:59:33Z
eventType: AwsApiCall
eventVersion: 1.08
managementEvent: true
readOnly: false
recipientAccountId: 779834649020
requestID: 2cfa966c-6096-44ef-8e14-590a836ea38e
requestParameters: { [+]
}
responseElements: null
sourceIPAddress: 3.209.36.228
userAgent: aws-sdk-go/1.35.23 (go1.15.11; linux; amd64) amazon-ssm-agent/
userIdentity: { [-]
accessKeyId: ASIA3LEOENG6LRVACEF7
accountId: 779834649020
arn: arn:aws:sts::779834649020:assumed-role/AWS_ANALYTICS_EC2/i-06ad02b92ff06874d
principalId: AROA3LEOENG6FSC5AXPCN:i-06ad02b92ff06874d
sessionContext: { [-]
attributes: { [-]
creationDate: 2021-09-16T23:28:28Z
mfaAuthenticated: false
}
ec2RoleDelivery: 2.0
sessionIssuer: { [-]
accountId: 779834649020
arn: arn:aws:iam::779834649020:role/AWS_ANALYTICS_EC2
principalId: AROA3LEOENG6FSC5AXPCN
type: Role
userName: AWS_ANALYTICS_EC2
}
webIdFederationData: { [-]
}
}
type: AssumedRole
}
Search in DCE -> ThousandEyes
Can you find the client of this particular log in the image?
[-]
attributes: { [-]
logging.googleapis.com/timestamp: 2021-12-07T02:40:11.775802Z
}
data: { [-]
insertId: c9f1dccb-1b8b-45d0-a63e-1220b1e9c08e
labels: { [-]
authorization.k8s.io/decision: allow
authorization.k8s.io/reason:
}
logName: projects/bcld-sec03-netdev/logs/cloudaudit.googleapis.com%2Factivity
operation: { [-]
first: true
id: c9f1dccb-1b8b-45d0-a63e-1220b1e9c08e
last: true
producer: k8s.io
}
protoPayload: { [-]
@type: type.googleapis.com/google.cloud.audit.AuditLog
authenticationInfo: { [-]
principalEmail: system:addon-manager
}
authorizationInfo: [ [-]
{ [-]
granted: true
permission: io.k8s.authorization.rbac.v1.clusterrolebindings.patch
resource: rbac.authorization.k8s.io/v1/clusterrolebindings/system:gke-uas-hpa-controller
}
]
methodName: io.k8s.authorization.rbac.v1.clusterrolebindings.patch
request: { [-]
@type: k8s.io/Patch
subjects: [ [-]
{ [-]
kind: User
name: system:vpa-recommender
namespace: kube-system
}
]
}
requestMetadata: { [-]
callerIp: ::1
callerSuppliedUserAgent: kubectl/v1.13.2 (linux/amd64) kubernetes/cff46ab
}
resourceName: rbac.authorization.k8s.io/v1/clusterrolebindings/system:gke-uas-hpa-controller
response: { [-]
@type: rbac.authorization.k8s.io/v1.ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata: { [-]
annotations: { [+]
}
creationTimestamp: 2021-01-11T15:22:09Z
labels: { [+]
}
name: system:gke-uas-hpa-controller
resourceVersion: 193866475
selfLink: /apis/rbac.authorization.k8s.io/v1/clusterrolebindings/system%3Agke-uas-hpa-controller
uid: 8e68174b-5c48-45bc-8d93-b3b0278d41e1
}
roleRef: { [+]
}
subjects: [ [+]
]
}
serviceName: k8s.io
status: { [+]
}
}
receiveTimestamp: 2021-12-07T02:40:12.404778697Z
resource: { [-]
labels: { [-]
cluster_name: g81-standard-cluster-sec03-01-ubuntu
location: us-central1-b
project_id: bcld-sec03-netdev
}
type: k8s_cluster
}
timestamp: 2021-12-07T02:40:11.775802Z
}
publish_time: 1638844812.683
}
Webex Calling NextGen
With the given log, identify the region where the log was generated and the owner/contacts.
--------------------------------------------------------
action: added
calendarTime: Wed Dec 1 18:19:22 2021 UTC
columns: { [-]
action: CREATED
category: homes
ctime: 1638382511
gid: 1001
md5: 620f0b67a91f7f74151bc5be745b7110
mode: 0700
sha256: ad7facb2586fc6e966c004d7d1d16b024f5805ff7cb47c7a85dabd8b48892ca7
size: 4096
target_path: /home/anubandi/.cache
time: 1638382511
uid: 1001
}
counter: 0
decorations: { [-]
csp: AZURE
environment: CMD-raptor-prod
hostname: bastion.uga3afs1wkjehfzegbhlscp2vc.frax.internal.cloudapp.net
instance_id: d25addc3-fcae-4627-9e75-356770b2c6aa
region: GermanyWestCentral
tenant: 4af90980-c68c-4e3f-87d2-aa393f699732
}
epoch: 0
hostIdentifier: 9405b825-f6be-9b49-9bef-1489833fb633
log_type: result
name: pack_csirt-lnx-ir_watched_files
numerics: false
unixTime: 1638382762
}
Have to search in DCE -> Cisco-SBG-Raptor-Eng
Identify the project owner details for the given log.
------------------------------------------------------------
{ [-]
attributes: { [-]
logging.googleapis.com/timestamp: 2021-12-06T08:30:51.664319Z
}
data: { [-]
insertId: 817de7ce-0582-4555-b9c7-b1636af69c96
labels: { [-]
authorization.k8s.io/decision: allow
}
logName: projects/vss-intgn-integration-qb8u/logs/cloudaudit.googleapis.com%2Factivity
operation: { [-]
first: true
id: 817de7ce-0582-4555-b9c7-b1636af69c96
last: true
producer: k8s.io
}
protoPayload: { [-]
@type: type.googleapis.com/google.cloud.audit.AuditLog
authenticationInfo: { [-]
principalEmail: system:node:gke-gke-cluster-app-euwe1-i-default-af877eb6-q4pf
}
authorizationInfo: [ [-]
{ [-]
granted: true
permission: io.k8s.coordination.v1.leases.update
resource: coordination.k8s.io/v1/namespaces/kube-node-lease/leases/gke-gke-cluster-app-euwe1-i-default-af877eb6-q4pf
}
]
methodName: io.k8s.coordination.v1.leases.update
requestMetadata: { [+]
}
resourceName: coordination.k8s.io/v1/namespaces/kube-node-lease/leases/gke-gke-cluster-app-euwe1-i-default-af877eb6-q4pf
serviceName: k8s.io
status: { [-]
}
}
receiveTimestamp: 2021-12-06T08:30:52.724078111Z
resource: { [-]
labels: { [-]
cluster_name: gke-cluster-app-euwe1-i
location: europe-west1
project_id: vss-intgn-integration-qb8u
}
type: k8s_cluster
}
timestamp: 2021-12-06T08:30:51.664319Z
}
publish_time: 1638779453.568
}
user:mariblim@cisco.com
user:ramkchid@cisco.com, user:wkaraoun@cisco.com
For the following Account ID: 975051357194, name the countries from which we have seen console logins on 8th Nov 2021 and 9th Nov 2021.
173.38.117.71-> US
64.104.125.224-> Hong Kong
119.18.1.9-> Australia
What is the number of delete compute instance events we see with the project id gcp-gpf-prod-lv27 on 25th November 2021?
~206 events
An ATA Azure risky sign-in was seen on 26/08/2021. Write a query to detect the activity, check the user name, and identify the country where the sign-in was seen.
index=azure source=*ATA* category=SIGNINLOGS properties.riskState!=none ( US )
Multiple suspicious email sending patterns were detected on 15/11/2021. Identify the users and the total count.
index=o365prod Name="Suspicious email sending patterns detected"
Answer:
CTHERASI@CISCO.COM, AMYCALLE@CISCO.COM