COURSE 6 – SOUND THE ALARM: DETECTION AND RESPONSE

Module 4: Network Traffic and Logs Using IDS and SIEM Tools

GOOGLE CYBERSECURITY PROFESSIONAL CERTIFICATE

Complete Coursera Study Guide

INTRODUCTION – Network Traffic and Logs Using IDS and SIEM Tools

This module covers logs and their role in Intrusion Detection Systems (IDS) and Security Information and Event Management (SIEM) systems. It explains why logs are central to threat detection and how IDS and SIEM tools use them to identify and respond to potential security breaches, including the detection methods these systems rely on.

Participants are also introduced to widely used IDS and SIEM products and get hands-on practice writing basic IDS rules, so that they can read and interpret signatures as well as understand the theory behind them. The module is a foundation for the log analysis and intrusion detection work covered later in the course.

Learning Objectives

  • Discuss the importance of logs during incident investigation.
  • Determine how to read and analyze logs during incident investigation.
  • Describe how common intrusion detection system (IDS) tools provide security value.
  • Interpret the basic syntax and components of signatures and logs in IDS and NIDS tools.
  • Describe how SIEM tools collect, normalize, and analyze log data.
  • Perform queries in SIEM tools to investigate an incident.

TEST YOUR KNOWLEDGE: OVERVIEW OF LOGS

1. What is the primary purpose of logs during incident investigation?

  • To identify and diagnose system issues
  • To manage alert volumes
  • To provide a record of event details (CORRECT)
  • To improve user experience

The primary purpose of logs during incident investigation is to provide a record of event details. Knowing what occurred on systems, networks, and devices helps security analysts identify unusual or malicious activity.

2. A security analyst wants to determine whether a suspicious login was successful. Which log type would be most useful for this purpose?

  • Firewall
  • System
  • Authentication (CORRECT)
  • Network

An authentication log would be most useful for this purpose. Authentication logs record login attempts, including whether a login was successful.

3. In the following log, what action does the log entry record?

[ALLOW: wikipedia.org] Source: 192.167.1.1 Friday, 10 June 2022 11:36:12

  • Friday, 10 June 2022 11:36:12
  • Source
  • 192.167.1.1
  • ALLOW (CORRECT)

ALLOW refers to the action that has been recorded. In this instance, it allows access to wikipedia.org.

4. Fill in the blank: _____ is the process of examining logs to identify events of interest.

  • Log forwarder
  • Log file
  • Logging
  • Log analysis (CORRECT)

Log analysis is the process of examining logs to identify events of interest.

TEST YOUR KNOWLEDGE: LOG COMPONENTS AND FORMATS

1. Examine the following authentication log:

[2022/12/20 08:20:38.921286] User nuhara logged in successfully

What type of information does this log contain? Select two answers.

  • Syslog
  • Message ID
  • Timestamp (CORRECT)
  • Event description (CORRECT)

This log contains a timestamp (2022/12/20 08:20:38.921286) and an event description (User nuhara logged in successfully).

2. Which of the following capabilities can syslog be used for? Select three answers.

  • Service (CORRECT)
  • Log format (CORRECT)
  • Extension
  • Protocol (CORRECT)

Syslog is a standard for logging and transmitting data and can be used as a protocol, service, or log format.

3. What are examples of log formats? Select three answers.

  • eXtensible Markup Language (XML) (CORRECT)
  • Gramm-Leach-Bliley Act (GLBA)
  • Common Event Format (CEF) (CORRECT)
  • JavaScript Object Notation (JSON) (CORRECT)

Common Event Format (CEF), JavaScript Object Notation (JSON), and eXtensible Markup Language (XML) are examples of different log formats.

4. Which log format uses tags to structure data?

  • Verbose
  • Comma Separated Values (CSV)
  • Syslog
  • eXtensible Markup Language (XML) (CORRECT)

XML is a log format that uses tags and other keys to structure data.

TEST YOUR KNOWLEDGE: OVERVIEW OF INTRUSION DETECTION SYSTEMS (IDS)

1. A security analyst uses a network protocol analyzer to capture HTTP traffic to analyze patterns. What type of data are they using?

  • Network telemetry (CORRECT)
  • Host-based
  • Signature-based
  • False positive

They are using network telemetry data. Network telemetry refers to the collection and transmission of network data for analysis, such as HTTP traffic. Signature-based refers to a type of detection method that is used to find events of interest using signatures.

2. Which statement accurately describes the difference between a network-based intrusion detection system (NIDS) and a host-based intrusion detection system (HIDS)?

  • A NIDS uses signature analysis to detect threats; a HIDS uses agents.
  • A NIDS is installed on individual devices; a HIDS is installed on a network.
  • A NIDS only detects known threats; a HIDS detects unknown threats.
  • A NIDS is installed on a network; a HIDS is installed on individual devices. (CORRECT)

A NIDS is installed on a network and is used to collect and monitor network traffic and network data. A HIDS is installed on a host and is used to monitor the activity of the host.

3. Fill in the blank: The _____ component of an IDS signature includes network traffic information.

  • signature ID
  • action
  • rule options
  • header (CORRECT)

The header component of an IDS signature includes network traffic information. This includes source and destination IP addresses, source and destination ports, protocols, and traffic direction.

4. A security analyst creates a Suricata signature to identify and detect security threats based on the direction of network traffic. Which of the following rule options should they use?

  • Message
  • Content
  • Flow (CORRECT)
  • Rev

They should use flow. The flow option matches the direction of network traffic flow.

5. When monitoring activity, what specifies the rules used by an intrusion detection system (IDS)?

  • An alert
  • A signature (CORRECT)
  • An endpoint
  • A log

A signature specifies the rules that an IDS uses to monitor activity. Signature analysis is one of the most common methods of detection used by IDS tools.

6. Which of the following is true when it comes to analyzing Suricata signatures?

  • The first field specifies the action. (CORRECT)
  • The message option inspects the content of a packet.
  • The rule options are enclosed in semicolons.
  • The arrows specify the severity of a threat.

In a Suricata signature, the first field specifies the action.

TEST YOUR KNOWLEDGE: OVERVIEW OF SIEM TOOLS

1. In Search Processing Language (SPL), which special character is a wildcard that can be used to substitute with any other character?

  • | (CORRECT)
  • =
  • *
  • !=

In Search Processing Language (SPL), the * character is a wildcard: a special character that can be substituted for any other character.

2. Which of the following steps are part of the security information and event management (SIEM) process? Select three answers.

  • Normalize data so it is ready to read and analyze (CORRECT)
  • Collect and process data (CORRECT)
  • Index data to improve search performance (CORRECT)
  • Monitor activity and alerts related to intrusions

The SIEM process involves the following steps: collect and process data, normalize data, and index data. SIEM tools collect and process data that is generated by devices and systems from all over an environment.

3. Fill in the blank: Chronicle uses _____ to search through unstructured logs.

  • raw log search
  • metadata
  • entity search
  • unified data model (CORRECT)

Chronicle uses raw log search to search through unstructured logs.

4. Which of the following is Splunk’s query language?

  • UDM
  • SQL
  • SPL (CORRECT)
  • IDS

Splunk uses its own query language known as Search Processing Language (SPL).

5. Which of the following steps are involved in the SIEM process for data collection? Select three answers.

  • Collect and process (CORRECT)
  • Search
  • Index (CORRECT)
  • Normalize (CORRECT)

The SIEM process for data collection involves the following steps: collect and process, normalize, and index. Normalizing is the step that makes raw data easy to read and analyze. It processes the raw data so that it is formatted consistently, and only relevant event information is included.

6. Do specific queries improve the speed and relevance of SIEM search results?

  • No
  • Yes (CORRECT)

Specific queries improve the speed and relevance of SIEM search results.

7. Fill in the blank: Chronicle uses _____ to search through normalized data.

  • Structured Query Language (SQL)
  • Extensible Event Format JavaScript Object Notation (EVE JSON)
  • Unified Data Model (UDM) (CORRECT)
  • Search Processing Language (SPL)

Chronicle uses UDM to search through normalized data.

MODULE 4 CHALLENGE

1. What is the difference between a log and log analysis?

  • A log is a record of events that occur within an organization’s systems. Log analysis is the process of examining logs to identify events of interest. (CORRECT)
  • A log and log analysis both contain details of events, but they record details from different sources.
  • A log records details in log files. Log analysis involves a high-level overview of all events that happen on the network.
  • A log contains log file details. Log analysis involves the collection and storage of logs.

2. Fill in the blank: A syslog entry contains a header, _____, and a message.

  • structured-data (CORRECT)
  • tag
  • object
  • eXtensible Markup Language

3. What is the difference between a network-based intrusion detection system (NIDS) and a host-based intrusion detection system (HIDS)?

  • Both NIDS and HIDS monitor systems and generate alerts, but a NIDS uses agents.
  • A NIDS collects and monitors network traffic and network data. A HIDS monitors the activity of the host on which it is installed. (CORRECT)
  • A NIDS monitors the activity of the host on which it is installed. A HIDS uses signature analysis to analyze network activity.
  • A NIDS logs and generates alerts. A HIDS system monitors endpoint activity.

4. What are examples of common rule actions that can be found in a signature? Select three answers.

  • Flow
  • Reject (CORRECT)
  • Pass (CORRECT)
  • Alert (CORRECT)

5. Which rule option is used to match based on the direction of network traffic?

  • content
  • flow (CORRECT)
  • sid
  • message

6. What is the difference between network telemetry and network alert logs?

  • Network telemetry is output in EVE JSON format; network alert logs are output in HTML.
  • Both provide information that is relevant for security analysts, but network alert logs contain network connection details.
  • Network telemetry contains information about network traffic flows; network alert logs are the output of a signature. (CORRECT)
  • Network telemetry is the output of a signature; network alert logs contain details about malicious activity.

7. Fill in the blank: The asterisk symbol is also known as a(n) _____.

  • label
  • option
  • wildcard (CORRECT)
  • Boolean operator

8. Which step in the SIEM process involves the processing of raw data into a standardized and structured format?

  • Index
  • Normalize (CORRECT)
  • Collect
  • Process

9. Examine the following log:

{
	"name": "System test",
	"host": "167.155.183.139",
	"id": 11111,
	"Message": "[error] test"
}

Which log format is this log entry in?

  • JSON (CORRECT)
  • Syslog
  • XML
  • CSV

10. Fill in the blank: _____ analysis is a detection method used to find events of interest using patterns.

  • Host
  • Network
  • Endpoint
  • Signature (CORRECT)

11. Which rule option is used to indicate the number of times a signature is updated?

  • sid
  • rev (CORRECT)
  • msg
  • tcp

12. Which type of log data does Suricata generate? Select all that apply.

  • Protocol
  • Alert (CORRECT)
  • Signature
  • Network telemetry (CORRECT)

13. Fill in the blank: Chronicle uses ______ to define detection rules.

  • SPL
  • SQL
  • YARA-L (CORRECT)
  • UDM

14. What are the steps in the SIEM process for data collection? Select three answers.

  • Index
  • Collect (CORRECT)
  • Unify
  • Normalize (CORRECT)

15. Examine the following log:

[2022/12/21 17:46:35.232748] NOTIFY: NetworkPropertiesUpdated: wifi_psk_13

Which type of log is this?

  • Location
  • Application
  • Network (CORRECT)
  • Authentication

16. What information is included in a signature’s header? Select all that apply.

  • IP address (CORRECT)
  • Action
  • Port number (CORRECT)
  • Protocol (CORRECT)

17. Examine this Suricata signature:

alert http 167.215.72.95 any -> 156.150.71.141 80 (msg:"GET on wire"; flow:established,to_server; content:"GET"; sid:12345; rev:2;)

What is the destination port?

  • 80 (CORRECT)
  • 2
  • 141
  • 12345

18. Fill in the blank: Suricata uses the _____ format for event and alert output.

  • HTML
  • HTTP
  • CEF
  • EVE JSON (CORRECT)

19. Which querying language does Splunk use?

  • Structured Processing Language
  • SIEM Processing Language
  • Search Processing Language (CORRECT)
  • Structured Querying Language

20. Which of the following refers to a record of events that occur within an organization’s systems?

  • Occurrences
  • Logs (CORRECT)
  • Log sources
  • Log forwarder

21. Consider the following scenario:

A security analyst at a midsized company is tasked with installing and configuring a host-based intrusion detection system (HIDS) on a laptop. The security analyst installs the HIDS and wants to test whether it is working properly by simulating malicious activity. The security analyst runs unauthorized programs on the laptop, which the HIDS successfully detects and alerts on.

What is the laptop an example of?

  • An agent
  • A signature
  • An endpoint (CORRECT)
  • A log forwarder

22. Which symbol is used to indicate a comment and is ignored in a Suricata signature file?

  • Structured Processing Language
  • $
  • # (CORRECT)
  • :

23. What is the method to search for normalized data in Chronicle?

  • UDM search (CORRECT)
  • Unified
  • YARA-L
  • Raw log search

24. What details do logs contain? Select all that apply.

  • Time (CORRECT)
  • Location (CORRECT)
  • Forwarder
  • Date (CORRECT)

25. Which type of Splunk query searches through unstructured log records?

  • Reference search
  • Index search
  • Raw log search (CORRECT)
  • UDM search

26. Which Unified Data Model (UDM) field search specifies a security action?

  • block
  • metadata.event_type
  • security_result.action (CORRECT)
  • action

CONCLUSION – Network Traffic and Logs Using IDS and SIEM Tools

In conclusion, this module's coverage of logs, Intrusion Detection Systems (IDS), and Security Information and Event Management (SIEM) systems gives participants a solid understanding of how logs serve as a record of system activity and how IDS and SIEM tools turn that record into threat detection and incident response. The introduction to widely used IDS and SIEM products provides practical context for working with these tools in real-world scenarios.

Writing basic IDS rules reinforces the theory and builds the skills needed to take part in detection work. This module is a key resource for anyone looking to strengthen their expertise in log analysis, incident detection, and response, and it prepares participants for the evolving challenges of defending systems and networks.