SECOPS 5: Event correlation and normalization Flashcards

CCNA Cyber Ops SECOPS > SECOPS 5: Event correlation and normalization

Flashcards in SECOPS 5: Event correlation and normalization Deck (23)
1

Event data type for DHCP

Transaction

2

Event data type for DNS

Transaction

3

Event data type for AAA

Alert

4

Event data types for NetFlow

Session, Statistical

5

Event data type for IPS

Alert; some IPS deployments also provide full packet capture of the triggering traffic

6

Event data types for Firewall

Session, Full packet capture, Statistical

7

Event data types for Proxy (web/email)

Transaction, Extracted content

8

Event data type for Anti-Virus

Alert, Extracted content

9

Direct Evidence

Proves a fact on its own; no inference or reasoning is needed to get from the evidence to the conclusion

10

Circumstantial evidence

Requires an inference to link the evidence to the conclusion

11

Indirect evidence

aka Circumstantial evidence

12

IPS alert evidence type

Direct

13

Best evidence

Evidence in its original, unaltered form (e.g., the original disk rather than a copy of it). An eyewitness account is an example of direct evidence, not of best evidence.

14

4 Phases of forensics

Collection
Examination
Analysis
Reporting

15

Forensics collection

Identify, label, record, and acquire data from the possible sources, while preserving the integrity of the data

16

Forensics examination

Forensically processing the collected data, with automated and manual methods, to assess it and extract the data of interest while preserving its integrity.

17

Forensic analysis

Analyze the results of the examination, using legally justifiable methods, to derive information that answers the questions the investigation was started to answer

18

Forensic reporting

Report the results of the analysis.

Describes the actions performed, explains how tools and procedures were chosen, lists further actions still to be taken, and gives recommendations for improving policies, procedures, tools, and the forensic process itself.

19

Normalization

Manipulating event data from different sources so that it fits a common schema (same field names, value formats, and units), so that events from different products can be compared, searched, and correlated

20

Correlation

Recognizing that two or more events are related (for example, the same source address and target within a short time window) and linking them together

21

Aggregation

Combining many individual events into a single consolidated record or count (for example, 500 identical firewall denies shown as one event with a count of 500), so that analysts search a compact set rather than every raw event

22

Summarization

Graphic or tabular summary of data

23

Deduplication

Removing repeated copies of the same event (for example, one event forwarded by two collectors) so that each event is stored and presented once. Requires normalization first, because duplicates are recognized by comparing common-schema fields.
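Worked example for cards 19 through 23 (normalization, correlation, aggregation, summarization, deduplication). This is an added illustration, not code from the course or the deck: the firewall and IPS log lines are constructed, the field names of the common schema (ts, source, type, src_ip, dst_ip, dst_port, action, signature), the 5-second correlation window, and the year 2024 assumed for the syslog-style IPS timestamp are all choices made for the example.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample events (not real logs): firewall session records in one
# format, an IPS alert in another, and one firewall line received twice.
RAW_EVENTS = [
    ("fw", "2024-03-01T10:00:01Z deny tcp 203.0.113.7:51000 -> 192.0.2.10:22"),
    ("fw", "2024-03-01T10:00:02Z deny tcp 203.0.113.7:51001 -> 192.0.2.10:22"),
    ("fw", "2024-03-01T10:00:02Z deny tcp 203.0.113.7:51001 -> 192.0.2.10:22"),  # duplicate copy
    ("fw", "2024-03-01T10:00:05Z allow tcp 198.51.100.4:40000 -> 192.0.2.20:443"),
    ("ips", 'Mar  1 10:00:03 sensor1 alert sid=1000001 msg="SSH brute force" src=203.0.113.7 dst=192.0.2.10'),
]

FW_RE = re.compile(r"(?P<ts>\S+) (?P<action>allow|deny) (?P<proto>\w+) "
                   r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)")
IPS_RE = re.compile(r'(?P<ts>\w{3}\s+\d+ [\d:]+) (?P<sensor>\S+) alert sid=(?P<sid>\d+) '
                    r'msg="(?P<msg>[^"]*)" src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+)')


def normalize(source, line):
    """Normalization (card 19): map a raw line from either source onto one common schema."""
    if source == "fw":
        m = FW_RE.match(line)
        if not m:
            return None
        return {"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"), "source": "fw",
                "type": "session", "src_ip": m["src"], "dst_ip": m["dst"],
                "dst_port": int(m["dport"]), "action": m["action"], "signature": None}
    if source == "ips":
        m = IPS_RE.match(line)
        if not m:
            return None
        # Syslog-style timestamps carry no year; the year is assumed for this example.
        ts = datetime.strptime("2024 " + m["ts"], "%Y %b %d %H:%M:%S")
        return {"ts": ts, "source": "ips", "type": "alert", "src_ip": m["src"],
                "dst_ip": m["dst"], "dst_port": None, "action": "alert", "signature": m["msg"]}
    return None


def deduplicate(events):
    """Deduplication (card 23): keep one copy of each event. The key is built from
    common-schema fields, which is why normalization has to happen first."""
    seen, out = set(), []
    for e in events:
        key = (e["ts"], e["source"], e["src_ip"], e["dst_ip"], e["dst_port"], e["action"], e["signature"])
        if key not in seen:
            seen.add(key)
            out.append(e)
    return out


def aggregate(events):
    """Aggregation (card 21): collapse individual session events into per-flow counts."""
    return Counter((e["src_ip"], e["dst_ip"], e["dst_port"], e["action"])
                   for e in events if e["type"] == "session")


def correlate(events, window=timedelta(seconds=5)):
    """Correlation (card 20): relate each IPS alert to firewall sessions with the
    same source and destination that occurred within the time window."""
    sessions = [e for e in events if e["type"] == "session"]
    links = {}
    for alert in (e for e in events if e["type"] == "alert"):
        links[alert["signature"]] = [
            s for s in sessions
            if s["src_ip"] == alert["src_ip"] and s["dst_ip"] == alert["dst_ip"]
            and abs(s["ts"] - alert["ts"]) <= window]
    return links


def summarize(counts):
    """Summarization (card 22): tabular view of the aggregated flows, busiest first."""
    lines = ["src_ip          dst_ip        dport action count"]
    for (src, dst, dport, action), n in sorted(counts.items(), key=lambda kv: -kv[1]):
        lines.append(f"{src:<15} {dst:<13} {dport:<5} {action:<6} {n}")
    return "\n".join(lines)


def pipeline(raw=RAW_EVENTS):
    """Run normalize -> deduplicate, then aggregate and correlate the clean event set."""
    events = [n for n in (normalize(s, line) for s, line in raw) if n]
    events = deduplicate(events)
    return events, aggregate(events), correlate(events)


if __name__ == "__main__":
    events, counts, links = pipeline()
    print(summarize(counts))
    for sig, related in links.items():
        print(f"alert '{sig}' correlates with {len(related)} firewall session(s)")
```

On the constructed input the duplicate firewall line is dropped (4 events remain), the two SSH denies from 203.0.113.7 aggregate into one row with count 2, and the IPS alert correlates with both of them because they share source, destination, and fall within 5 seconds.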