An analyst is investigating an incident in a SOC environment.
Which method is used to identify a session from a group of logs?
The most effective way to identify a session from a group of logs in a SOC (Security Operations Center) environment is by using the 5-tuple. The 5-tuple is a combination of the source IP address, source port, destination IP address, destination port, and the transport protocol. These five components together uniquely identify a network session, allowing an analyst to accurately isolate and investigate specific sessions within the log data.
A 5-tuple refers to a set of five different values that comprise a Transmission Control Protocol/Internet Protocol (TCP/IP) connection:
1. Layer 4 Protocol
2. Source IP address
3. Destination IP address
4. Source Port Number
5. Destination Source Port Number
"C" is correct. Traditional firewalls typically provide security event logs that are mostly based on the 5-tuple. A TCP session is a sequence of sockets with the same IP addresses, ports and protocol.
The 5-tuple consists of five values: source IP address, source port, destination IP address, destination port and transport protocol. By examining the 5-tuple, an analyst can determine the sequence of events within a session and identify the logs related to that session. Together these five values uniquely identify a network session; by examining these attributes within log data, an analyst can pinpoint and correlate activities related to a specific session, aiding incident investigation within a SOC environment.
In a security operations center (SOC) environment, one method that could be used to identify a session from a group of logs is the use of a 5-tuple. A 5-tuple consists of five pieces of information that can be used to identify a specific network session: the source IP address, source port, destination IP address, destination port, and protocol. By using this information, an analyst can identify a specific session from a group of logs and track its progress through the system. Other methods that could be used to identify a session from a group of logs include the use of sequence numbers, timestamps, or IP identifiers.
A -> Sequence Numbers
Read the question: which method? Sequence numbers are not a method. The given answer is correct.
How come A? Where is your evidence???
In the context of identifying a session from a group of logs in a SOC environment, which method relies on capturing both source and destination IP addresses, source and destination ports, and the transport protocol to uniquely identify network connections?
5-tuple
5-tuple
C. 5-tuple
C. 5-tuple
The 5-Tuple, in the first place, is a method, which matches the question. Second of all, with the help of the 5-Tuple methodology, we can easily filter out logs based on the main elements of the method mentioned.
I actually think it's A. My logic being the question is to identify a session, and surely a sequence number is unique. If the same computer connected to the same service a number of times they would have exactly the same 5-Tuple. So there is no way to identify a single session without also, say, a timestamp or a sequence number?
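As an added example that is not from any poster in this thread, the following Python groups constructed firewall log lines by their 5-tuple (the method the answers above describe) and, addressing the reuse point raised in the post just above, splits a recurring 5-tuple into separate sessions when the gap between events exceeds an idle timeout. The log line format, the sample lines and the 300-second timeout are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample firewall log lines (not taken from any real device).
LOG_LINES = """\
2024-05-01T10:00:01Z ALLOW TCP 10.0.0.5:51000 -> 203.0.113.7:443
2024-05-01T10:00:02Z ALLOW TCP 10.0.0.5:51000 -> 203.0.113.7:443
2024-05-01T10:00:03Z ALLOW UDP 10.0.0.5:51000 -> 203.0.113.7:443
2024-05-01T10:00:04Z ALLOW TCP 10.0.0.9:40222 -> 203.0.113.7:443
2024-05-01T11:30:00Z ALLOW TCP 10.0.0.5:51000 -> 203.0.113.7:443
""".splitlines()

# Assumed log format: "<timestamp> <action> <proto> <sip>:<sport> -> <dip>:<dport>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\S+) (?P<proto>\S+) "
    r"(?P<sip>[\d.]+):(?P<sport>\d+) -> (?P<dip>[\d.]+):(?P<dport>\d+)$"
)

def parse_line(line):
    """Return (timestamp, 5-tuple) for one log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    # The 5-tuple: transport protocol, source IP, source port, destination IP, destination port.
    five_tuple = (m["proto"], m["sip"], int(m["sport"]), m["dip"], int(m["dport"]))
    return ts, five_tuple

def group_sessions(lines, max_gap_seconds=300):
    """Group log lines into sessions keyed by 5-tuple.

    A client may reuse the same source port later, so the same 5-tuple can belong
    to more than one session. A new session is started for a 5-tuple when the gap
    since its previous event exceeds max_gap_seconds (an assumed idle timeout).
    Returns {five_tuple: [[line, ...], ...]}: one list of lines per session.
    """
    sessions = defaultdict(list)   # 5-tuple -> list of sessions (each a list of lines)
    last_seen = {}                 # 5-tuple -> timestamp of its most recent event
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue               # skip lines that do not match the assumed format
        ts, key = parsed
        prev = last_seen.get(key)
        if prev is None or (ts - prev).total_seconds() > max_gap_seconds:
            sessions[key].append([])   # first sighting, or idle gap: start a new session
        sessions[key][-1].append(line)
        last_seen[key] = ts
    return dict(sessions)
```

With the sample lines, the TCP 10.0.0.5:51000 -> 203.0.113.7:443 tuple yields two sessions (the 11:30 event is past the idle gap), while the UDP line is a different 5-tuple even though the addresses and ports match.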
5-tuple is the correct answer as shown in given answer.
C IS CORRECT