MCyber_Chap20N21

Statistical data is created through the analysis of other forms of network data.

Conclusions from these analyses can be used to describe or predict network behavior.

Event Viewer in Windows can be used to review entries in various logs.

Security Information and Event Management (SIEM) is a technology that provides real-time reporting and long-term analysis of security events.

Two SIEM platforms used by organizations are Splunk and Security Onion with ELK.

The tcpdump command line tool is a packet analyzer that captures detailed packet protocol and content data.

It can display packet captures in real time or write them to a file.

Cisco Cognitive Intelligence utilizes statistical data for statistical analysis in order to find malicious activity that has bypassed security controls, or entered through unmonitored channels (including removable media), and is operating inside the network of an organization.

The components of a 5-tuple include a

1) Source IP address,

2) Port number,

3) Destination IP address ,

4) Port number,

5) Protocol in use.

The tcpdump command line tool is a popular packet analyzer.

It can display packet captures in real time or write packet captures to a file.

Various Windows host logs can have different event types.

The Information event type records an event that describes the successful operation of an application, driver, or service

NetFlow does not capture the entire contents of a packet.

Instead, NetFlow collects metadata, or data about the flow, not the flow data itself. NetFlow information can be viewed with tools such as nfdump and FlowViewer.

On a Windows host, security logs record events related to security, such as login attempts and operations related to file or object management and access.