Sound the Alarm: Detection and Response (Coursera) Weekly Challenge 4 answers

Test your knowledge: Overview of logs

1. What is the primary purpose of logs during incident investigation?

  • To manage alert volumes
  • To identify and diagnose system issues
  • To improve user experience
  • To provide a record of event details

2. A security analyst wants to determine whether a suspicious login was successful. Which log type would be most useful for this purpose?

  • Network
  • Authentication
  • System
  • Firewall

3. In the following log, what action does the log entry record?

[ALLOW: wikipedia.org] Source: 192.167.1.1 Friday, 10 June 2022 11:36:12

  • 192.167.1.1
  • Source
  • Friday, 10 June 2022 11:36:12
  • ALLOW

4. Fill in the blank: _____ is the process of examining logs to identify events of interest.

  • Log forwarder
  • Log file
  • Log analysis
  • Logging

Test your knowledge: Log components and formats

5. Examine the following authentication log:

[2022/12/20 08:20:38.921286] User nuhara logged in successfully

What type of information does this log contain? Select two answers.

  • Event description
  • Syslog
  • Message ID
  • Timestamp

6. Which of the following capabilities can syslog be used for? Select three answers.

  • Extension
  • Log format
  • Protocol
  • Service

7. What are examples of log formats? Select three answers.

  • JavaScript Object Notation (JSON)
  • Gramm-Leach-Bliley Act (GLBA)
  • Common Event Format (CEF)
  • eXtensible Markup Language (XML)

8. Which log format uses tags to structure data?

  • eXtensible Markup Language (XML)
  • Verbose
  • Comma Separated Values (CSV)
  • Syslog

Test your knowledge: Overview of intrusion detection systems (IDS)

9. A security analyst uses a network protocol analyzer to capture HTTP traffic to analyze patterns. What type of data are they using?

  • Network telemetry
  • Host-based
  • False positive
  • Signature-based

10. Which statement accurately describes the difference between a network-based intrusion detection system (NIDS) and a host-based intrusion detection system (HIDS)?

  • A NIDS is installed on a network; a HIDS is installed on individual devices.
  • A NIDS uses signature analysis to detect threats; a HIDS uses agents.
  • A NIDS is installed on individual devices; a HIDS is installed on a network.
  • A NIDS only detects known threats; a HIDS detects unknown threats.

11. Fill in the blank: The _____ component of an IDS signature includes network traffic information.

  • action
  • rule options
  • header
  • signature ID

12. A security analyst creates a Suricata signature to identify and detect security threats based on the direction of network traffic. Which of the following rule options should they use?

  • Content
  • Message
  • Flow
  • Rev

Activity: Perform a query with Splunk

13. How many events are contained in the main index across all time?

  • Over 100,000
  • 100-1,000
  • 10,000
  • 10-99

14. Which field identifies the name of a network device or system from which an event originates?

  • host
  • sourcetype
  • index
  • source

15. Which of the following hosts used by Buttercup Games contains log information relevant to financial transactions?

  • www1
  • vendor_sales
  • www2
  • www3

16. How many failed SSH logins are there for the root account on the mail server?

  • One
  • None
  • 100
  • More than 100

Test your knowledge: Overview of SIEM tools

17. Which special character can be used in Search Processing Language (SPL) to stand in for any other character or characters?

  • =
  • !=
  • |
  • *
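The Splunk activity above (questions 13 to 17) is a raw log search that narrows on the host, source and sourcetype fields, uses * as a wildcard, and then counts matching events. The Python below is an added example written for this page, not course material and not Splunk's own code: it reproduces that query shape over a handful of constructed sshd-style events (modelled on the linux_secure sourcetype, not the course's real dataset) and counts failed root logins on any host matching mail*. The event values, the regular expression and the function names are assumptions made for the example.

```python
import re
from collections import Counter
from fnmatch import fnmatchcase

# Constructed sample events in the shape Splunk indexes them: host / source /
# sourcetype metadata plus the raw line. These are not the course's data.
EVENTS = [
    {"host": "mailsv", "source": "/var/log/secure", "sourcetype": "linux_secure",
     "_raw": "Mar 19 20:16:27 mailsv sshd[5258]: Failed password for root from 10.2.10.163 port 4567 ssh2"},
    {"host": "mailsv", "source": "/var/log/secure", "sourcetype": "linux_secure",
     "_raw": "Mar 19 20:16:29 mailsv sshd[5258]: Failed password for root from 10.2.10.163 port 4568 ssh2"},
    {"host": "mailsv", "source": "/var/log/secure", "sourcetype": "linux_secure",
     "_raw": "Mar 19 20:16:31 mailsv sshd[5260]: Failed password for invalid user admin from 10.2.10.163 port 4569 ssh2"},
    {"host": "mailsv", "source": "/var/log/secure", "sourcetype": "linux_secure",
     "_raw": "Mar 19 20:17:02 mailsv sshd[5262]: Accepted password for root from 10.1.1.5 port 51000 ssh2"},
    {"host": "www1", "source": "/var/log/secure", "sourcetype": "linux_secure",
     "_raw": "Mar 19 20:18:10 www1 sshd[1140]: Failed password for root from 10.2.10.163 port 4570 ssh2"},
    {"host": "www1", "source": "/var/log/apache/access_combined", "sourcetype": "access_combined_wcookie",
     "_raw": '10.1.1.5 - - [19/Mar/2018:20:18:12] "GET /cart.do?action=purchase HTTP/1.1" 200 1042'},
]


def search(events, terms=(), **fields):
    """Mimic an SPL raw search: every field=value pair must match, with * as a
    wildcard exactly as SPL uses it, and every search term must occur in _raw.
    Term matching here is a case-insensitive substring test, a simplification
    of SPL's token matching that is good enough for this example."""
    hits = []
    for ev in events:
        if not all(fnmatchcase(ev.get(name, ""), pattern) for name, pattern in fields.items()):
            continue
        raw = ev["_raw"].lower()
        if not all(term.lower() in raw for term in terms):
            continue
        hits.append(ev)
    return hits


# Pulls the account name out of an sshd failure line (the "invalid user" prefix
# appears when the account does not exist at all).
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+)")


def failed_logins_by_user(events):
    """Equivalent of `... | rex field=_raw "..." | stats count by user`."""
    counts = Counter()
    for ev in events:
        m = FAILED_RE.search(ev["_raw"])
        if m:
            counts[m.group(1)] += 1
    return dict(counts)


def failed_root_logins_on_mail_server(events=EVENTS):
    """SPL equivalent: index=main host=mail* sourcetype=linux_secure "failed password" root"""
    hits = search(events, terms=("failed password", "root"), host="mail*", sourcetype="linux_secure")
    return failed_logins_by_user(hits).get("root", 0)


if __name__ == "__main__":
    print("failed root logins on mail server:", failed_root_logins_on_mail_server())
    print("all failed logins by user:", failed_logins_by_user(EVENTS))
```

The host filter is what answers question 14: host names the machine the event came from, source names the file or input it was read from, and sourcetype names the format Splunk parsed it with. The "Accepted password for root" line is deliberately in the sample so that the phrase "failed password" is seen to do real work.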

18. Which of the following steps is part of the SIEM process for data collection? Select three answers.

  • Collect and process data.
  • SIEM tools index data to be made searchable.
  • Normalize data so it is ready to read and analyze.
  • Monitor activity and alerts related to intrusions.

19. Fill in the blank: ____ is a computer language used to create rules for searching through ingested log data.

  • EVE JSON
  • YARA-L
  • NIDS
  • SIEM

20. Which of the following is Splunk’s query language?

  • UDM
  • SPL
  • SQL
  • IDS

Weekly challenge 4

21. What details do logs contain? Select all that apply.

  • Location
  • Date
  • Forwarder
  • Time

22. What is the difference between a log and log analysis?

  • A log records details in log files. Log analysis involves a high-level overview of all events that happen on the network.
  • A log and log analysis both contain details of events, but they record details from different sources.
  • A log contains log file details. Log analysis involves the collection and storage of logs.
  • A log is a record of events that occur within an organization’s systems. Log analysis is the process of examining logs to identify events of interest.

23. Examine the following log:

{
"name": "System test",
"host": "167.155.183.139",
"id": 11111,
"Message": [error] test,
}

Which log format is this log entry in?

  • Syslog
  • CSV
  • XML
  • JSON

24. Consider the following scenario:

A security analyst at a midsized company is tasked with installing and configuring a host-based intrusion detection system (HIDS) on a laptop. The security analyst installs the HIDS and wants to test whether it is working properly by simulating malicious activity. The security analyst runs unauthorized programs on the laptop, which the HIDS successfully detects and alerts on.

What is the laptop an example of?

  • An endpoint
  • An agent
  • A log forwarder
  • A signature

25. What information is included in a signature’s header? Select all that apply.

  • IP address
  • Port number
  • Protocol
  • Action

26. Which symbol is used to indicate a comment and is ignored in a Suricata signature file?

  • :
  • >
  • #
  • $

27. Which type of log data does Suricata generate? Select all that apply.

  • Network telemetry
  • Protocol
  • Alert
  • Signature

28. Which type of Splunk query searches through unstructured log records?

  • Reference search
  • Raw log search
  • Index search
  • UDM search

29. What is the default method of search in Chronicle?

  • YARA-L
  • Raw log
  • Non-normalized
  • UDM

30. Fill in the blank: SIEM tools _____ raw data so that it is formatted consistently.

  • process
  • ingest
  • normalize
  • collect

31. Which software is used to collect and send logs?

  • IDS
  • SIEM
  • IPS
  • Forwarder

32. Examine the following log:

LoginEvent[2021/10/13 10:32:08.958711] auth_session_authenticator.cc:304 Regular user login 1

Which type of log is this?

  • Location
  • Application
  • Network
  • Authentication

33. Fill in the blank: A syslog entry contains a header, _____, and a message.

  • structured-data
  • object
  • tag
  • eXtensible Markup Language

34. Fill in the blank: _____ analysis is a detection method used to find events of interest using patterns.

  • Endpoint
  • Signature
  • Network
  • Host

35. Which rule option is used to match based on the direction of network traffic?

  • content
  • sid
  • flow
  • message

36. Which querying language does Splunk use?

  • Structured Querying Language
  • Search Processing Language
  • Structured Processing Language
  • SIEM Processing Language

37. Which Unified Data Model (UDM) field search specifies a security action?

  • security_result.action
  • block
  • metadata.event_type
  • action

38. What are the steps in the SIEM process for data collection? Select all that apply.

  • Index
  • Normalize
  • Collect
  • Unify

39. Which of the following refers to a record of events that occur within an organization’s systems?

  • Logs
  • Log sources
  • Occurrences
  • Log forwarder

40. Examine the following log:

[2022/12/21 17:46:35.232748] NOTIFY: NetworkPropertiesUpdated: wifi_psk_13

Which type of log is this?

  • Authentication
  • Location
  • Application
  • Network

41. Examine the following log:

<111>1 2020-04-12T23:20:50.52Z my.machine.com evntslog - ID01 [user@98274 iut="2" eventSource="Mobile" eventID="24"][Priority@98274 class="low"] Computer A

What field value indicates the type of device that this event originated from?

  • my.machine.com
  • Computer A
  • Mobile
  • low
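Questions 5 to 8 (log components and formats), 23 (JSON), 30 and 38 (normalization), 33 (syslog header, structured data and message) and 41 above all exercise one skill: recognising a log's format and pulling the timestamp, host and event description out of it. The Python below is an added example written for this page, not course material and not any SIEM vendor's code. It parses the syslog line from question 41 and the authentication line from question 5 (both taken from the page) together with constructed JSON, CEF and XML lines, and normalizes each into one common record shape, which is what a SIEM's normalize step does. The regular expressions, the output field names and the JSON, CEF and XML sample lines are assumptions of the example.

```python
import json
import re
import xml.etree.ElementTree as ET

# RFC 5424 syslog: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID [SD-ELEMENT]... MSG
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d)\s+(?P<timestamp>\S+)\s+(?P<hostname>\S+)\s+"
    r"(?P<appname>\S+)\s+(?P<procid>\S+)\s+(?P<msgid>\S+)\s*(?P<rest>.*)$")
SD_ELEMENT_RE = re.compile(r'\[(?P<id>[^\s\]]+)(?P<params>(?:\s+[^=\s\]]+="[^"]*")*)\]')
SD_PARAM_RE = re.compile(r'([^=\s]+)="([^"]*)"')
# Plain application/auth lines such as "[2022/12/20 08:20:38.921286] User nuhara logged in ..."
BRACKET_TS_RE = re.compile(r"^\w*\[(?P<timestamp>\d{4}/\d{2}/\d{2} [\d:.]+)\]\s*(?P<rest>.*)$")


def parse_syslog(line):
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    structured, rest, pos = {}, m["rest"], 0
    if rest.startswith("-"):            # NILVALUE: no structured data present
        pos = 1
    else:
        for sd in SD_ELEMENT_RE.finditer(rest):
            if sd.start() != pos:       # SD elements sit back to back at the start of the field
                break
            structured[sd["id"]] = dict(SD_PARAM_RE.findall(sd["params"]))
            pos = sd.end()
    pri = int(m["pri"])                 # PRI = facility * 8 + severity
    return {"format": "syslog", "facility": pri // 8, "severity": pri % 8,
            "timestamp": m["timestamp"], "host": m["hostname"], "app": m["appname"],
            "procid": m["procid"], "msgid": m["msgid"],
            "structured_data": structured, "event": rest[pos:].strip()}


def parse_json(line):
    try:
        obj = json.loads(line)
    except ValueError:                  # json.JSONDecodeError is a ValueError
        return None
    if not isinstance(obj, dict):
        return None
    return {"format": "json", "timestamp": obj.get("timestamp") or obj.get("time"),
            "host": obj.get("host"),
            "event": obj.get("message") or obj.get("Message") or obj.get("name"), "fields": obj}


def parse_cef(line):
    # CEF:Version|Vendor|Product|DeviceVersion|SignatureID|Name|Severity|Extension (key=value pairs)
    if not line.startswith("CEF:"):
        return None
    parts = [p.replace("\\|", "|") for p in re.split(r"(?<!\\)\|", line, maxsplit=7)]
    if len(parts) < 7:
        return None
    ext = {}
    for kv in re.split(r"\s+(?=\w+=)", parts[7].strip() if len(parts) > 7 else ""):
        key, sep, value = kv.partition("=")
        if sep:
            ext[key] = value
    return {"format": "cef", "timestamp": ext.get("rt"), "host": ext.get("dvchost") or ext.get("dvc"),
            "vendor": parts[1], "product": parts[2], "signature_id": parts[4],
            "severity": parts[6], "event": parts[5], "fields": ext}


def parse_xml(line):
    try:
        root = ET.fromstring(line)
    except ET.ParseError:
        return None
    fields = dict(root.attrib)          # tags structure the data; attributes and child text both count
    fields.update({child.tag: (child.text or "").strip() for child in root})
    return {"format": "xml", "timestamp": fields.get("timestamp"), "host": fields.get("host"),
            "event": fields.get("message"), "fields": fields}


def parse_plain(line):
    m = BRACKET_TS_RE.match(line)
    if not m:
        return None
    return {"format": "plain", "timestamp": m["timestamp"], "host": None, "event": m["rest"]}


def normalize(line):
    """Try each format in turn and return one common record shape (the SIEM 'normalize' step)."""
    for parser in (parse_syslog, parse_json, parse_cef, parse_xml, parse_plain):
        rec = parser(line.strip())
        if rec is not None:
            return rec
    return {"format": "unknown", "timestamp": None, "host": None, "event": line.strip()}


# The first two lines are the page's own excerpts (questions 41 and 5); the rest are constructed.
SAMPLES = [
    '<111>1 2020-04-12T23:20:50.52Z my.machine.com evntslog - ID01 [user@98274 iut="2" eventSource="Mobile" eventID="24"][Priority@98274 class="low"] Computer A',
    "[2022/12/20 08:20:38.921286] User nuhara logged in successfully",
    '{"name": "System test", "host": "167.155.183.139", "id": 11111, "Message": "[error] test"}',
    "CEF:0|Security|threatmanager|1.0|100|worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2 spt=1232",
    '<event host="www1"><timestamp>2022-12-21T17:46:35Z</timestamp><message>NetworkPropertiesUpdated: wifi_psk_13</message></event>',
]

if __name__ == "__main__":
    for rec in map(normalize, SAMPLES):
        print(rec["format"], rec["timestamp"], rec["host"], rec["event"])
```

For the question 41 line the device type comes back as the eventSource parameter inside structured_data["user@98274"], separate from the header fields (hostname my.machine.com, app evntslog, message ID ID01) and from the free-text message "Computer A"; the priority 111 decodes to facility 13 and severity 7. Note that the question 23 excerpt on the page is not itself valid JSON (the value [error] test is unquoted), so the JSON sample here quotes it; a real parser would reject the original line rather than guess.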

42. What is the difference between a network-based intrusion detection system (NIDS) and a host-based intrusion detection system (HIDS)?

  • A NIDS collects and monitors network traffic and network data. A HIDS monitors the activity of the host on which it is installed.
  • Both NIDS and HIDS monitor systems and generate alerts, but a NIDS uses agents.
  • A NIDS monitors the activity of the host on which it is installed. A HIDS uses signature analysis to analyze network activity.
  • A NIDS logs and generates alerts. A HIDS monitors endpoint activity.

43. Which rule option is used to indicate the number of times a signature is updated?

  • tcp
  • msg
  • rev
  • sid
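Questions 11, 12, 25, 26, 35 and 43 above all concern the anatomy of a Suricata signature: the header (action, protocol, source and destination addresses and ports, and the direction arrow), the rule options in parentheses (msg, flow, content, sid, rev and the rest) and the # comment lines that Suricata ignores. The Python below is an added example written for this page; it is not part of the course and not Suricata's own parser. It splits a small constructed rules file into header and options, decodes flow, sid and rev, and runs a simple consistency check. The rules themselves, the regular expression and the function names are assumptions of the example, and the parser handles the common rule shape only, not every keyword Suricata supports.

```python
import re

# Constructed rules for this example (not taken from any published Suricata rule set).
# Lines starting with '#' are comments and are ignored, as in a real .rules file.
RULES = """
# Local rules: sids 1000000-1999999 are conventionally reserved for local use
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH inbound connection attempt"; flow:to_server,established; content:"SSH-"; depth:4; classtype:attempted-recon; sid:1000001; rev:2;)
# 'drop' only takes effect when Suricata runs inline (IPS mode); in IDS mode it still just alerts
drop tcp $HOME_NET any -> $EXTERNAL_NET 4444 (msg:"Possible reverse shell to port 4444"; flow:to_server; sid:1000002; rev:1;)
alert http any any <> any any (msg:"HTTP request to wikipedia.org"; http.host; content:"wikipedia.org"; sid:1000003; rev:1;)
# deliberate duplicate sid so that check_rules() has something to report
alert tcp any any -> $HOME_NET 23 (msg:"Telnet login attempt"; flow:to_server; sid:1000002; rev:1;)
"""

# Header: action protocol src_ip src_port direction dst_ip dst_port, then the options in parentheses
HEADER_RE = re.compile(
    r"^(?P<action>alert|drop|pass|reject|rejectsrc|rejectdst|rejectboth)\s+(?P<protocol>\S+)\s+"
    r"(?P<src_ip>\S+)\s+(?P<src_port>\S+)\s+(?P<direction>->|<>)\s+"
    r"(?P<dst_ip>\S+)\s+(?P<dst_port>\S+)\s*\((?P<options>.*)\)\s*$")
HEADER_FIELDS = ("action", "protocol", "src_ip", "src_port", "direction", "dst_ip", "dst_port")


def split_options(text):
    """Split 'key:value; key; ...' into (keyword, value) pairs. A ';' inside a
    quoted value (e.g. in msg or content) does not end the option."""
    items, buf, in_quotes, i = [], "", False, 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):   # keep escape pairs such as \; or \" intact
            buf += text[i:i + 2]
            i += 2
            continue
        if ch == '"':
            in_quotes = not in_quotes
        if ch == ";" and not in_quotes:
            if buf.strip():
                items.append(buf.strip())
            buf = ""
        else:
            buf += ch
        i += 1
    if buf.strip():
        items.append(buf.strip())
    pairs = []
    for item in items:
        key, _, value = item.partition(":")
        pairs.append((key.strip(), value.strip().strip('"') if value else None))
    return pairs


def parse_rule(line):
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not a Suricata rule: %r" % line)
    options = split_options(m["options"])
    by_key = {}
    for key, value in options:
        by_key.setdefault(key, []).append(value)
    flow = by_key.get("flow", [None])[0]
    return {
        "header": {k: m[k] for k in HEADER_FIELDS},
        "options": options,
        "msg": by_key.get("msg", [None])[0],
        "sid": int(by_key["sid"][0]) if "sid" in by_key else None,   # signature ID
        "rev": int(by_key["rev"][0]) if "rev" in by_key else None,   # revision count
        "flow": flow.split(",") if flow else [],                     # e.g. to_server, established
    }


def load_rules(text):
    """Parse a rules file, skipping blank lines and '#' comments."""
    return [parse_rule(line.strip()) for line in text.splitlines()
            if line.strip() and not line.strip().startswith("#")]


def check_rules(rules):
    """Report missing sid/rev and duplicate sids; Suricata refuses duplicate sids at load time."""
    problems, seen = [], {}
    for r in rules:
        if r["sid"] is None:
            problems.append("rule %r has no sid" % r["msg"])
        elif r["sid"] in seen:
            problems.append("sid %d used by both %r and %r" % (r["sid"], seen[r["sid"]], r["msg"]))
        else:
            seen[r["sid"]] = r["msg"]
        if r["rev"] is None:
            problems.append("sid %s has no rev" % r["sid"])
    return problems


if __name__ == "__main__":
    parsed = load_rules(RULES)
    for r in parsed:
        print(r["header"]["action"], r["header"]["direction"], r["sid"], r["rev"], r["flow"], r["msg"])
    print(check_rules(parsed))
```

The split between header and options is the point of questions 11 and 25: everything before the opening parenthesis describes the traffic (addresses, ports, protocol, direction), and everything inside it describes what to look for and how to label it. flow is the option that ties a match to the direction of an established session (to_server/to_client), which is distinct from the -> or <> arrow in the header; rev is bumped each time a signature is edited so that two copies of the same sid can be told apart.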

44. Fill in the blank: The asterisk symbol is also known as a(n) _____.

  • label
  • wildcard
  • option
  • Boolean operator

45. Fill in the blank: Chronicle uses ______ to define detection rules.

  • UDM
  • YARA-L
  • SQL
  • SPL

46. What is the difference between network telemetry and network alert logs?

  • Network telemetry is output in EVE JSON format; network alert logs are output in HTML.
  • Network telemetry is the output of a signature; network alert logs contain details about malicious activity.
  • Network telemetry contains information about network traffic flows; network alert logs are the output of a signature.
  • Both provide information that is relevant for security analysts, but network alert logs contain network connection details.
