SPLK-5001 Dumps

SPLK-5001 Free Practice Test

Splunk SPLK-5001: Splunk Certified Cybersecurity Defense Analyst

QUESTION 16

According to Splunk CIM documentation, which field in the Authentication Data Model represents the user who initiated a privilege escalation?

Correct Answer: C
According to Splunk CIM (Common Information Model) documentation, the src_user field in the Authentication Data Model represents the user who initiated an action, including privilege escalation. This field is used to track the source user responsible for generating an authentication event, which is critical in understanding and responding to potential security incidents involving privilege escalation. The other fields, such as dest_user and user, have different roles, focusing on the target of the action or the general username involved.

QUESTION 17

An analyst is investigating the number of failed login attempts by IP address. Which SPL command can be used to create a temporary table containing the number of failed login attempts by IP address over a specific time period?

Correct Answer: C
The stats command is used to generate statistics, such as counts, over specific fields. In this case, the search "index=security_logs eventtype=failed_login | stats count as failed_attempts by src_ip | sort -failed_attempts" creates a temporary table that counts the number of failed login attempts (failed_attempts) for each source IP (src_ip). The "sort -failed_attempts" clause orders the results by the number of failed attempts in descending order, making it easier for an analyst to identify problematic IPs.
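To show what that search does, here is an added Python example (not from the page, Splunk, or the exam) that reproduces the "stats count as failed_attempts by src_ip | sort -failed_attempts" behaviour over a small set of constructed events, including the time-window filter the question mentions (Splunk treats earliest as inclusive and latest as exclusive, which the function mirrors). The event dictionaries, field values and the brute-force threshold helper are assumptions made for the example.

```python
from collections import Counter
from datetime import datetime

# Constructed sample events (not real data), shaped like what Splunk holds for
# index=security_logs eventtype=failed_login. _time is ISO 8601 local time.
SAMPLE_EVENTS = [
    {"_time": "2024-05-01T07:30:00", "eventtype": "failed_login",  "src_ip": "198.51.100.3", "user": "bob"},
    {"_time": "2024-05-01T08:00:05", "eventtype": "failed_login",  "src_ip": "10.0.0.7",     "user": "alice"},
    {"_time": "2024-05-01T08:00:09", "eventtype": "failed_login",  "src_ip": "10.0.0.7",     "user": "alice"},
    {"_time": "2024-05-01T08:01:00", "eventtype": "failed_login",  "src_ip": "10.0.0.7",     "user": "root"},
    {"_time": "2024-05-01T08:02:00", "eventtype": "success_login", "src_ip": "10.0.0.7",     "user": "alice"},
    {"_time": "2024-05-01T08:05:00", "eventtype": "failed_login",  "src_ip": "192.0.2.44",   "user": "carol"},
    {"_time": "2024-05-01T08:06:00", "eventtype": "failed_login",  "src_ip": "192.0.2.44",   "user": "dave"},
    {"_time": "2024-05-01T09:00:00", "eventtype": "failed_login",  "src_ip": "192.0.2.44",   "user": "dave"},
]


def failed_attempts_by_src_ip(events, earliest, latest, eventtype="failed_login"):
    """Python equivalent of the SPL search:

        index=security_logs eventtype=failed_login earliest=<t0> latest=<t1>
        | stats count as failed_attempts by src_ip
        | sort -failed_attempts

    earliest/latest are ISO 8601 strings; earliest is inclusive and latest is
    exclusive, matching Splunk's time-range semantics. Returns a list of
    (src_ip, failed_attempts) rows sorted by count descending; ties are broken
    by src_ip ascending so the output is deterministic.
    """
    t0 = datetime.fromisoformat(earliest)
    t1 = datetime.fromisoformat(latest)
    counts = Counter()
    for ev in events:
        # eventtype=failed_login: drop everything that is not a failed login
        if ev.get("eventtype") != eventtype:
            continue
        # earliest/latest: keep only events inside the half-open window
        t = datetime.fromisoformat(ev["_time"])
        if not (t0 <= t < t1):
            continue
        # stats count ... by src_ip: one bucket per source address
        counts[ev.get("src_ip", "unknown")] += 1
    # sort -failed_attempts
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def flag_noisy_sources(rows, threshold):
    """Equivalent of appending '| where failed_attempts >= <threshold>' to the
    search: return the src_ip values whose count meets the threshold. The
    threshold is an assumed tuning knob, not a value from the page."""
    return [src_ip for src_ip, n in rows if n >= threshold]


if __name__ == "__main__":
    rows = failed_attempts_by_src_ip(SAMPLE_EVENTS, "2024-05-01T08:00:00", "2024-05-01T09:00:00")
    print(f"{'src_ip':<16}{'failed_attempts':>16}")
    for src_ip, n in rows:
        print(f"{src_ip:<16}{n:>16}")
    print("at or above threshold 3:", flag_noisy_sources(rows, 3))
```

Note that the 07:30 event falls before earliest and the 09:00 event lands exactly on latest, so both are excluded; the success_login event is dropped by the eventtype filter even though it comes from the busiest address. In Splunk the same half-open window is what "earliest=... latest=..." gives you, which is worth remembering when an analyst expects an event stamped exactly at the end of the window to be counted.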

QUESTION 18

The Lockheed Martin Cyber Kill Chain® breaks an attack lifecycle into several stages. A threat actor modified the registry on a compromised Windows system to ensure that their malware would automatically run at boot time. Into which phase of the Kill Chain would this fall?

Correct Answer: D
The Lockheed Martin Cyber Kill Chain® is a widely recognized framework that breaks down the stages of a cyber attack. The stages are: Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command and Control (C2), and Actions on Objectives. The scenario described, modifying the registry on a compromised Windows system to ensure malware runs at boot time, fits into the Installation phase. This phase involves placing a persistent backdoor or other malicious software on the victim's system, ensuring it can be executed again, even after a system reboot. By modifying the registry, the attacker is achieving persistence, a classic example of the Installation phase.

QUESTION 19

In which phase of the Continuous Monitoring cycle are suggestions and improvements typically made?

Correct Answer: C
✑ Continuous Monitoring Cycle: This cycle is part of a broader security strategy that involves constantly assessing and managing the security state of an organization's information systems. The phases generally include defining metrics, collecting data, analyzing it, reporting findings, and implementing improvements.
✑ Analyze and Report Phase:
✑ Purpose of Recommendations: The goal of this phase is to ensure that the organization's security measures are continuously improved based on the latest data and threat landscape. It is a critical step in maintaining an effective security program that adapts to new challenges.
✑ NIST SP 800-137: This publication provides guidelines on continuous monitoring of information systems, detailing the processes involved, including the Analyze and Report phase.
✑ Security Operations Center (SOC) Best Practices: Many SOC frameworks emphasize the importance of the Analyze and Report phase in

QUESTION 20

An IDS signature is designed to detect and alert on logins to a certain server, but only if they occur from 6:00 PM - 6:00 AM. If no IDS alerts occur in this window, but the signature is known to be correct, this would be an example of what?

Correct Answer: A
In the context of Intrusion Detection Systems (IDS), determining whether an event is a True Negative, True Positive, False Negative, or False Positive depends on the system's detection and the reality of the situation.
Let's break down the scenario.
IDS Signature Explanation:
The IDS is set to detect and alert on logins to a server, but only if they happen during a specific time window, from 6:00 PM to 6:00 AM.
The question states that no alerts occur during this time frame, but the IDS signature is known to be correct.
Understanding Detection Terms:
True Positive: The IDS correctly detects an intrusion or suspicious activity that is actually happening.
True Negative: The IDS does not detect any activity because no suspicious or malicious activity is occurring, and this lack of detection is correct.
False Positive: The IDS detects an intrusion or activity, but it is a false alarm (i.e., there is no real threat).
False Negative: The IDS fails to detect a real intrusion or activity when it should have, missing a legitimate alert.
Applying the Scenario:
In this case, no IDS alerts occurred during the specified time frame. If there were no actual logins during this period and the signature was designed correctly, then the absence of alerts is expected and appropriate.
Since no suspicious logins occurred, and the IDS did not trigger any alerts, this situation represents a True Negative—the system correctly identified that there was no suspicious activity to alert on.
Why the Answer is "True Negative":
The IDS signature is working as expected.
The condition that would trigger an alert (logins during the specified time) did not happen, so the lack of alerts is a correct response.
Therefore, this is classified as a True Negative because no malicious activity took place, and the IDS correctly refrained from raising an alert.
Comparison to Other Options:
* B. True Positive – This would indicate that an alert occurred because of actual suspicious activity, but in this case, no alerts occurred.
* C. False Negative – This would mean that suspicious activity occurred, but the IDS failed to detect it. In this case, there was no activity to detect, so this option is not correct.
* D. False Positive – This would suggest the IDS raised an alert when no suspicious activity happened, but again, no alerts occurred, so this doesn't apply.
References:
Cybersecurity analysts working with IDS systems frequently use concepts like True Negative and False Positive in evaluating the effectiveness of their detection tools.
The correct handling of such detection cases is critical to minimizing unnecessary alerts (False Positives) and ensuring real threats are not missed (avoiding False Negatives).