4_3_3 Section 4 – Operations and Incident Response - 4.3 – Investigations- Log Management

Questions and Answers

What type of information can be obtained from a log file on a switch?

Interface status and security information (correct)

Application setup information

File system details

Router updates

What type of attack is being blocked by the switch for 60 seconds?

Denial of Service (DoS)

TCP SYN flood

TCP SYN traffic (correct)

Authentication attack

What type of devices can provide feedback about network activity?

Switches, routers, firewalls, VPN concentrators, and other devices (correct)

Only routers and switches

Only firewalls and VPN concentrators

Only operating systems

What type of information can be collected from Windows operating system logs?

Application, setup, system, forwarded events, and security events

Why is it important to analyze log files from network devices?

To identify potential security threats and network issues

What type of issues may occur with VPN concentrators?

Authentication issues

Where can you find application log information in a Windows operating system?

Event Viewer under Application log

What type of information can you gather from security devices connected to your network?

Information about network traffic flows

What type of attacks can be identified from a web application firewall log?

Cross-site scripting attacks and SQL injections

What is the primary emphasis of this course?

Security

Where can you find log entries in a Linux operating system?

/var/log

What can you do with log files from different security devices?

Correlate them with other log files

What type of information can you gather from a web server log?

Information about website access and errors

What is the purpose of a SIEM (Security Information and Event Manager)?

To consolidate log files from different security devices

What type of information can you gather from a DNS server log?

Information about DNS queries

What can you learn from a firewall log?

Information about traffic flows that have been allowed or blocked

What can be viewed from the IP address of a request and many log files?

The fully-qualified domain name of the request

What can be done if a device is attempting to resolve a known malicious site?

Block the attempt and identify the potentially infected device

What information can be found in an authentication log file?

The account name, source IP address, and authentication method used

What is the purpose of correlating authentication log files with other log files?

To identify the causes of authentication failures and potential security threats

What is the purpose of a memory dump file?

To resolve application problems and locate issues

How can a memory dump file be created in Windows?

Using the Task Manager to create a dump file

What type of information can be viewed from Call Manager logs?

Inbound and outbound call information and endpoint details

What can be created from multiple log files to show authentication attempts across the network?

A single report showing all authentication attempts

What is a potential indicator of a brute force attack?

Multiple failed authentication attempts from the same IP address

What is a benefit of consolidating log files into a single SIEM?

It allows for easier identification and analysis of security threats