Detection and Response: Quiz 6

Logs are one of the key ways security professionals detect unusual or malicious activity. A log is a rec__________ of events that occur within an organization's systems. System activity is recorded in what's known as a log file or commonly called logs. Almost every device or system can generate logs. Logs contain multiple entries which detail information about a specific event or occurrence.

Logs are useful to security analysts during incident investigation since they record details of what, where, and when an event occurred on the network. This includes details like date, time, location, the action made, and the names of the users or systems who performed the action. These details offer valuable insight, not only for troubleshooting issues related to system performance, but most importantly, for security monitoring. Logs allow analysts to build a story and timeline around various event occurrences to understand what exactly happened.

Since different types of devices and systems can create logs, there are different log data sources in an envir____________. These include network logs, which are generated by devices such as proxies, routers, switches, and firewalls, and system logs, which are generated by operating systems. There's also application logs, which are logs related to software applications, security logs, which are generated by security tools like IDS or IPS, and lastly authentication logs, which record login attempts.

One of the most commonly used log formats is Syslog. Syslog is both a prot_______ and a log form_______. As a prot______, it transports and writes logs. As a log form_______, it contains a header, followed by structured-data, and a message. The Syslog entry includes three sections: a header, structured-data, and a message.

Let's explore another common log format you might encounter as a security analyst. JavaScript Object Notation, more popularly known as JSON, is a text-based format designed to be easy to read and write. It also uses key-value pai____ to structure data.

eXtensible Markup Language, or XML, is a language and a format used for storing and transmitting data. Instead of key-value pairs, it uses ta__________ and other keys to structure data.

Comma Separated Values, or CSV, is a format that uses separators like commas to separate data val_________.

Telemetry is the collection and trans___________ of data for analysis. While logs record events occurring on systems, telemetry describes the data itself. For example, packet captures are considered network telemetry. For security professionals, logs and telemetry are sources of evid___________ that can be used to answer questions during investigations.

Telemetry is the collection and trans___________ of data for analysis. While logs record events occurring on systems, telemetry describes the data itself. For example, packet captures are considered network telemetry. For security professionals, logs and telemetry are sources of evid___________ that can be used to answer questions during investigations.

To monitor endpoints for threats or attacks, a host-based intrusion detection system can be used. It's an application that monitors the activity of the host on which it's installed. To clarify, a host is any device that communicates with other devices on a network, similar to an endpoint. Host-based intrusion detection systems are installed as an agent on a single host, such as a laptop computer or a server. Depending on its configuration, host-based intrusion detection systems will mon__________ the host on which it's installed to detect suspicious activity. Once something has been detected, it records output as logs and an alert gets generated.