4_3_3 Section 4 – Operations and Incident Response - 4.3 – Investigations- Log Management

Questions and Answers

What type of information can be obtained from a log file on a switch?

• Interface status and security information (correct)
• Application setup information
• File system details
• Router updates

What type of attack is being blocked by the switch for 60 seconds?

• Denial of Service (DoS)
• TCP SYN flood
• TCP SYN traffic (correct)
• Authentication attack

What type of devices can provide feedback about network activity?

• Switches, routers, firewalls, VPN concentrators, and other devices (correct)
• Only routers and switches
• Only firewalls and VPN concentrators
• Only operating systems

What type of information can be collected from Windows operating system logs?

Application, setup, system, forwarded events, and security events (C)

Why is it important to analyze log files from network devices?

To identify potential security threats and network issues (D)

What type of issues may occur with VPN concentrators?

Authentication issues (A)

Where can you find application log information in a Windows operating system?

Event Viewer under Application log (A)

What type of information can you gather from security devices connected to your network?

Information about network traffic flows (C)

What type of attacks can be identified from a web application firewall log?

Cross-site scripting attacks and SQL injections (D)

What is the primary emphasis of this course?

Security (B)

Where can you find log entries in a Linux operating system?

/var/log (A)

What can you do with log files from different security devices?

Correlate them with other log files (B)

What type of information can you gather from a web server log?

Information about website access and errors (D)

What is the purpose of a SIEM (Security Information and Event Manager)?

To consolidate log files from different security devices (A)

What type of information can you gather from a DNS server log?

Information about DNS queries (B)

What can you learn from a firewall log?

Information about traffic flows that have been allowed or blocked (A)

What can be viewed from the IP address of a request and many log files?

The fully-qualified domain name of the request (A)

What can be done if a device is attempting to resolve a known malicious site?

Block the attempt and identify the potentially infected device (C)

What information can be found in an authentication log file?

The account name, source IP address, and authentication method used (C)

What is the purpose of correlating authentication log files with other log files?

To identify the causes of authentication failures and potential security threats (B)

What is the purpose of a memory dump file?

To resolve application problems and locate issues (A)

How can a memory dump file be created in Windows?

Using the Task Manager to create a dump file (B)

What type of information can be viewed from Call Manager logs?

Inbound and outbound call information and endpoint details (A)

What can be created from multiple log files to show authentication attempts across the network?

A single report showing all authentication attempts (D)

What is a potential indicator of a brute force attack?

Multiple failed authentication attempts from the same IP address (D)

What is a benefit of consolidating log files into a single SIEM?

It allows for easier identification and analysis of security threats (B)

Flashcards

Switch log file information

Interface status and security information.

Blocked attack type

TCP SYN traffic, potentially indicating a denial-of-service attack.

Network activity feedback devices

Switches, routers, firewalls, VPN concentrators

Windows OS log information

Application, setup, system, forwarded events, and security events.

Importance of log file analysis

To identify potential security threats and network issues by reviewing unusual activity.

VPN concentrator issues

Authentication issues, impacting secure remote access.

Application log location (Windows)

Event Viewer under Application log.

Security device log information

Information about network traffic flows, source and destination.

Web application firewall log insights

Cross-site scripting (XSS) attacks and SQL injections, attempts to inject malicious code.

Course emphasis

Security.

Linux log location

/var/log

Log file action

Correlate them with other log files to identify suspicious patterns or attacks.

Web server log information

Information about website access (who visits) and errors (what went wrong).

SIEM purpose

To consolidate log files from different security devices into a central system.

DNS server log information

Information about DNS queries (domain name lookups).

Firewall log contents

Information about traffic flows that have been allowed or blocked.

IP address log viewing

The fully-qualified domain name of the request.

Resolving malicious site action

Block the attempt and identify the potentially infected device.

Authentication log file information

The account name, source IP address, and authentication method used.

Authentication log correlation purpose

To identify the causes of authentication failures and potential security threats.

Memory dump file purpose

To resolve application problems and locate issues within the application code.

Memory dump creation (Windows)

Using the Task Manager to create a dump file.

Call Manager log information

Inbound and outbound call information and endpoint details.

Creation from multiple log files

A single report showing all authentication attempts.

Brute force attack indicator

Multiple failed authentication attempts from the same IP address.

Benefit of consolidating log files

It allows for easier identification and analysis of security threats by providing a centralized view of logs.