Alerting & Monitoring & Incident Response


134 Terms

1

What is the main goal of security alerting?

To notify personnel of potential threats.

2

What type of alert correctly identifies a real threat?

True Positive.

3

What type of alert falsely indicates a threat where there is none?

False Positive.

4

What type of situation involves no alert and no threat?

True Negative.

5

What is a False Negative in alerting?

A real threat occurred but no alert was triggered.

6

What are two common problems in alerting?

False positives and false negatives.

7

What is the purpose of monitoring in cybersecurity?

To observe systems/networks for threats or anomalies.

8

What type of monitoring uses software to scan logs automatically?

Automated Monitoring.

9

What type of monitoring involves human analysis of logs/data?

Manual Monitoring.

10

What protocol helps monitor/manage network devices?

SNMP (Simple Network Management Protocol).

11

What are SNMP traps used for?

Sending automatic alerts from devices.

12

What does a SIEM system do?

Aggregates and analyzes security data from across the network.

13

What are two types of SIEM monitoring methods?

Agent-based and Agentless monitoring.

14

What is SCAP used for?

Automated vulnerability management and compliance checks.

15

What is a “Single Pane of Glass”?

A unified dashboard displaying security data from multiple sources.

16

What is the primary purpose of log aggregation in cybersecurity?

To centralize logs for analysis, troubleshooting, and compliance.

17

What are common tools used for log aggregation?

ELK Stack, Splunk, Graylog.

18

What is alerting in the context of monitoring systems?

Real-time notifications triggered by defined system thresholds or anomalies.

19

What might trigger an alert in a network environment?

High CPU usage, failed logins, unusual traffic patterns.

20

Why is alert tuning important in a SOC (Security Operations Center)?

To reduce false positives and focus on true threats.

21

What is the purpose of vulnerability scanning?

To identify known security weaknesses or CVEs in systems.

22

What is the difference between static and dynamic code scanning?

Static scans code without execution; dynamic scans code during execution.

23

Which tools are commonly used for vulnerability scanning?

Nessus, OpenVAS.

24

What is a configuration scan used for?

To check system settings against best practices or benchmarks (e.g., CIS).

25

What role does reporting play in security operations?

It summarizes monitoring data for audits, trend analysis, and compliance.

26

Why is archiving important in cybersecurity monitoring?

For long-term log retention, audit trails, and forensic analysis.

27

What is an example of using a monitoring tool to validate remediation?

Running a follow-up scan after patching to confirm the issue is resolved.

28

What does quarantine mean in incident response?

Isolating an infected or compromised system to prevent spread.

29

What happens during the alert response phase?

The incident is investigated and escalated based on impact and scope.

30

Why is validation a critical part of remediation?

It ensures the vulnerability has been successfully mitigated.

31

What does SIEM stand for?

Security Information and Event Management

32

What is the primary purpose of a SIEM system?

To centralize, analyze, and correlate logs for real-time threat detection and response.

33

Why is log correlation important in a SIEM?

It helps identify complex attacks by linking events across different systems.

34

What are two common deployment methods for SIEM data collection?

Agent-based and agentless

35

What is a key benefit of using an agent-based SIEM?

Real-time, detailed data collection from endpoints

36

What is one downside of using an agentless SIEM?

It may lack detail and real-time capabilities

37

What is the main goal of threat hunting in a SIEM environment?

To detect threats that may have bypassed automated alerts

38

Why is establishing a ticketing process important when using a SIEM?

To track and manage alerts and investigations

39

What is a use case in the context of SIEM setup?

A predefined threat scenario that guides alert logic and response

40

What is the purpose of defining event scope in a SIEM?

To determine which events are relevant for logging and monitoring

41

Which SIEM tool is open-source and includes Elasticsearch, Logstash, Kibana, and Beats?

ELK Stack (Elastic Stack)

42

What language does Splunk use for searching logs?

Search Processing Language (SPL)

43

Which SIEM is commonly used for compliance with HIPAA, SOX, and PCI DSS?

ArcSight

44

Which company develops QRadar, a well-known SIEM?

IBM

45

Why is a SIEM useful for compliance audits?

It provides centralized logs and an audit trail for investigation and reporting

46

What type of data does antivirus software provide to a SIEM?

Malware detections, system scans, and update logs.

47

Which security tool prevents sensitive data from being exfiltrated outside the organization?

Data Loss Prevention (DLP) systems.

48

What’s the key difference between NIDS and NIPS?

NIDS detects threats (passive); NIPS blocks threats (active).

49

How can repeated malware alerts in SIEM from one host be interpreted?

As a possible widespread infection or targeted attack.

50

What type of event might firewall logs reveal when a threat actor is performing reconnaissance?

Port scans.

51

What is one major benefit of centralizing logs from multiple tools into a SIEM?

It provides a comprehensive view of the organization’s security posture.

52

What kind of information can a DLP system flag?

Policy violations, data leaks, and suspicious user behavior.

53

What do vulnerability scanners provide to a SIEM?

Identified vulnerabilities, severity levels, and remediation steps.

54

Why is it important to analyze antivirus logs in a SIEM?

To detect persistent threats and monitor system health.

55

How do NIDS/NIPS logs enhance security monitoring in a SIEM?

By identifying malicious activity, blocked traffic, and unusual patterns.

56

What does SCAP stand for and what is its primary purpose?

Security Content Automation Protocol; a NIST framework to automate vulnerability management, configuration checking, and compliance evaluation.

57

What are the three core languages used in SCAP?

OVAL, XCCDF, and ARF.

58

What is the function of OVAL in SCAP?

Open Vulnerability and Assessment Language; describes system states and security conditions using XML.

59

What does XCCDF provide in SCAP?

Extensible Configuration Checklist Description Format; defines machine-readable security checklists and configuration rules.

60

What is the purpose of ARF in SCAP?

Asset Reporting Format; standardizes how asset information and report data are structured and shared.

61

What are the three types of enumerations used in SCAP?

CCE (configurations), CPE (platforms), and CVE (vulnerabilities).

62

What does CVE represent in cybersecurity?

Common Vulnerabilities and Exposures; a public catalog of standardized identifiers for known vulnerabilities.

63

What is the purpose of the CVSS in SCAP?

Common Vulnerability Scoring System; assigns a severity score (0–10) to vulnerabilities to help prioritize remediation.

64

What score range is considered "High" under CVSS v3?

7.0–8.9

65

Why are SCAP benchmarks important for system administrators?

They automate system hardening by providing standardized configuration rules in XCCDF format, ensuring security and compliance.

66

What is the primary difference between full packet capture (FPC) and flow analysis?

FPC captures the entire packet (header + payload), while flow analysis only captures metadata.

67

Why is flow analysis preferred over full packet capture in many enterprise environments?

It saves storage and processing by collecting metadata instead of full packet content.

68

What does NetFlow provide visibility into?

Traffic flows including source/destination IPs, ports, protocol, and type of service.

69

What standardized protocol evolved from Cisco’s NetFlow?

IPFIX (IP Flow Information Export).

70

What is a major limitation of flow analysis compared to full packet capture?

It cannot provide the actual contents of the data being transferred.

71

Which tool provides a hybrid solution by capturing full packets only when suspicious activity is detected?

Zeek.

72

What format does Zeek use to store normalized log data?

JSON or tab-delimited text files.

73

What is the function of MRTG (Multi Router Traffic Grapher)?

It visualizes traffic volume across network devices using SNMP data.

74

How can flow analysis assist in identifying data exfiltration?

By revealing traffic anomalies like unexpected data spikes during off-hours.

75

What type of tool would you use to identify protocols, volume, and sessions without inspecting payload content?

A flow analysis tool such as NetFlow or IPFIX.

76

What is a "Single Pane of Glass" (SPoG) in cybersecurity?

A centralized dashboard providing unified access to security tools, logs, alerts, and reports.

77

Why is a Single Pane of Glass important for security operations?

It allows security teams to monitor and manage the security posture efficiently from one interface.

78

What is one major benefit of using a Single Pane of Glass for threat detection?

It helps detect and respond to threats more quickly by consolidating data in one view.

79

How does a SPoG reduce manual workload for security teams?

By automating repetitive tasks like log collection and analysis.

80

How does SPoG improve collaboration within a security team?

It allows easy data sharing and coordination through a unified dashboard.

81

Is a Single Pane of Glass typically software-based or hardware-based?

Software-based, due to greater flexibility and integration options.

82

What is the first step when implementing a SPoG solution?

Defining the requirements – identifying the tools, systems, and data needed.

83

What does the integration step of SPoG implementation involve?

Connecting data sources like IDS or log servers using APIs, plugins, or connectors.

84

Why is customizing the SPoG interface important?

To create an organized layout that helps teams navigate and interpret security data efficiently.

85

How does a Single Pane of Glass support regulatory compliance?

It simplifies generating reports and logs needed to demonstrate compliance.

86

What is the purpose of the "Preparation" phase in the incident response process? (Think: warming up before a heavy lift)

To strengthen systems in advance by creating policies, training staff, and developing plans to handle potential incidents.

87

In the gym analogy, what phase is like noticing joint pain during a lift?

Detection – spotting signs that an incident may have occurred.

88

Which phase involves analyzing the incident deeply to determine the impact, like a trainer reviewing your form and identifying why you're in pain?

Analysis.

89

What is the goal of the "Containment" phase in incident response? (Think: putting on a brace mid-workout to stop further damage)

To limit the spread of the incident and reduce its impact.

90

Which IR phase is like removing a knot from a tight muscle using a foam roller or therapist?

Eradication – removing the malicious element from the system.

91

What happens during the “Recovery” phase? (Think: light exercises to safely return after injury)

Systems are restored, patched, and monitored to return to normal operations securely.

92

What is the goal of “Post-Incident Activity” in IR? (Like reviewing your lift with a coach to improve next time)

To review what happened, identify improvements, and document lessons learned to strengthen future responses.

93

What are the 7 phases of the CompTIA incident response model?

Preparation, Detection, Analysis, Containment, Eradication, Recovery, and Post-Incident Activity.

94

Why is the “Preparation” phase essential to success in IR? (Think: preventing injury before it starts)

It builds resilience by preparing tools, policies, and communication channels before incidents occur.

95

How does the IR team relate to a gym support team?

Like trainers, therapists, and nutritionists support an athlete, the IR team includes IT, cybersecurity, legal, HR, and PR roles to recover the organization effectively.

96

What is the purpose of incident response training?

To educate employees on the procedures, priorities, and responsibilities during a security incident.

97

What is the difference between training and testing in incident response?

Training teaches what to do during an incident, while testing evaluates the ability to execute the procedures effectively.

98

Who should receive incident response training?

All relevant employees, including technical responders, managers, executives, and end users.

99

What is the primary focus of end-user training in incident response?

Teaching users how to identify and report suspicious activity, such as phishing emails, and preventing future incidents.

100

Why should incident response training include lessons learned from past incidents?

To prevent repeat mistakes by applying previous experiences to improve response actions.