CySA+
  • CySA+ CS0-002 Exam Objectives
  • Threat Intelligence Cycle
  • Intelligence Sources
  • Security Intelligence Sharing
  • Threat Classification and Threat Actors
  • Threat Research and Indicators of Compromise
  • Attack Frameworks and The Cyber Kill Chain
  • Defining Threat Modeling and Threat Hunting
  • Vulnerability Identification and Validation
  • Vulnerability Scan Results and CVSS Scores
  • Nmap and Enumeration
  • Security Controls
  • Defense in Depth Security Baselines
  • Security Trend Analysis
  • Remediation Issues
  • Asset, Change, and Configuration Management
  • Software Development Lifecycle & Development Models
  • Software Assessment and Code Review
  • Mitigating Attack Types Part 1
  • Mitigating Attack Types Part 2
  • Mitigating Attack Types Part 3
  • Password Cracking and Hashing
  • Privilege Escalation & Man-in-the-Middle
  • Network Based IoCs
  • Host Based IoCs
  • Network Architecture and Segmentation
  • Network Traffic, Packet, and Protocol Analysis
  • Pentesting and Active Defense
  • Firewalls
  • URL Analysis & DNS in Malware
  • Network Access Control and Port Security
  • Identity and Access Management (IAM)
  • Web Application Scanners
  • SSL/TLS Digital Certificate Management
  • Mobile Threats
  • Email Threats and Mitigation
  • Data Loss Prevention (DLP)
  • Endpoint Security and Behavior Analysis
  • Hardware Assurance
  • Blackholes and Sinkholes
  • IoT, Embedded Systems & ICS/SCADA Threats
  • Log Analysis & Continuous Security Monitoring
  • SIEM and Event Correlation
  • Malware Analysis
  • Cloud Models and Service Threats
  • Cloud Automation and Other Cloud Threats
  • VDI, Containers, and Microservices
  • CI/CD, IaC, DevOps
  • AI and Machine Learning
  • Digital Forensics
  • Technical Controls for Securing Data
  • Non-Technical Controls for Securing Data
  • Security Policies and Procedures
  • Continuity Planning and Risk Assessment
  • Incident Response Phases and Communication
Powered by GitBook
On this page

Log Analysis & Continuous Security Monitoring

  • Event Logs

    • Windows

      • Application

      • Security

      • System

      • Setup

      • Forwarded

    • Severity (Windows Scale):

      • Information

      • Warning

      • Error

      • Audit success/failure

    • Linux

      • Text files in /var/log/*

      • Systemd uses journalctl (binary)

    • MacOS

      • “Console” app

      • Also test logs, just like Linux

    • Log Analysis

      • Correlation of events

      • Configuration changes

      • Gaps in time

      • Trend analysis

    • Syslog

      • Old protocol, UDP 514

      • No built in security

      • Newer versions: security, TCP 1468

      • Log archiving.

      • Structure:

        • Header: timestamp, IP address

        • Facility

        • Severity

        • Message

    • Firewall Logs

      • Source of information for devices involved in security incidents.

      • Log traffic permitted or dropped.

      • Statistics

      • Centralized storage recommended

    • Proxy logs

      • Forward proxies

        • Outbound traffic

        • Transparent

        • Non-transparent

      • Reverse proxies

        • Inbound traffic

        • Load balancers, basically.

        • Look for malicious requests

    • Web Application Firewall (WAF) Logs

      • A WAF scans application level (web) requests for intrusion attempts

      • Logs suspicious and malicious attempts for:

        • Malformed inputs

        • SQLi

        • Buffer overflows

        • Brute force logins

        • XML, JSON injection attempts

        • XSS, CSRF

    • IDS/IPS Logs

      • An intrusion detection/prevention device uses signatures to match suspicious traffic.

      • Can generate a lot of logging activity

      • Require rule tweaking

      • Alerts ingested in SIEM

PreviousIoT, Embedded Systems & ICS/SCADA ThreatsNextSIEM and Event Correlation

Last updated 2 years ago