SIEM Operations
1. A platform that aggregates logs from firewalls, endpoints, cloud services, and applications, correlates them, and generates security alerts is called:
2. The process of adding an application's log stream to the SIEM for monitoring is called:
3. A SIEM rule fires when 5 failed login attempts are followed by a successful login from the same IP within 60 seconds. What is this rule called?
4. UEBA stands for User and Entity Behaviour Analytics. What makes UEBA different from rule-based detection?
5. An alert fires because the vulnerability scanner's IP matches a portscan detection rule. This is classified as a false positive. What does 'false positive' mean?