4.3 Given an incident, utilize appropriate data sources to support an investigation

  • Vulnerability Scan Output
  • SIEM Dashboard
    • Sensor
    • Sensitivity
    • Trends
    • Alerts
    • Correlation
  • Logs
    • Network
    • System
    • Application
    • Security
    • Web
    • DNS
    • Authentication
    • Dump Files
    • VoIP and Call Managers
    • Session Initiation Protocol (SIP) Traffic
  • syslog / rsyslog / syslog-ng
  • journalctl
  • NXLog
  • Bandwidth Monitors
  • Metadata
    • Email
    • Mobile
    • Web
    • File
  • NetFlow / sFlow
    • NetFlow
    • sFlow
    • IPFIX
  • Protocol Analyzer Output


Vulnerability Scan Output

A vulnerability scan output tells us about the known weaknesses in the devices on our network.  This includes

  • A list of devices with known vulnerabilities

  • The type of vulnerabilities on each device

  • A cross-reference between the vulnerability and a database of known vulnerabilities

  • The severity of each vulnerability

We can sort vulnerabilities by device type, vulnerability type, severity, or number of devices affected.  We might not have the time or money to fix everything, or to fix everything right away.  We should sort vulnerabilities by severity and/or by the number of affected devices.  Then we should determine the amount of time and money that it would cost to correct each vulnerability.

We should prioritize our corrective action by fixing the most severe problems, if time and budget allow.  We should also prioritize correcting vulnerabilities that are easy to fix and affect many users.

For example, if a vulnerability has a low severity, but affects thousands of machines, and can be corrected by deploying a patch, we might make it a top priority.
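
As an added illustration of this prioritization (not part of the original text), the Python below collapses constructed scan findings into one row per vulnerability and ranks them two ways.  The placeholder ids, severities, fix-hour estimates and the value score are assumptions.

```python
from collections import defaultdict

# Constructed catalog: placeholder id -> (severity 0-10, hours to fix everywhere).
CATALOG = {
    "VULN-A": (9.8, 40.0),  # critical, needs an application upgrade
    "VULN-B": (3.1, 2.0),   # low severity, fixed by deploying one patch
    "VULN-C": (6.5, 8.0),   # medium, configuration change on each switch
}

# Constructed scan output: one (device, vulnerability id) row per finding.
FINDINGS = (
    [("web01", "VULN-A"), ("web02", "VULN-A")]
    + [(f"pc-{i:04d}", "VULN-B") for i in range(2000)]
    + [(f"sw-{i:02d}", "VULN-C") for i in range(12)]
)

def summarize(findings, catalog):
    """Collapse per-device rows into one record per vulnerability."""
    devices = defaultdict(set)
    for device, vuln in findings:
        devices[vuln].add(device)
    rows = []
    for vuln, hosts in devices.items():
        severity, hours = catalog[vuln]
        rows.append({
            "id": vuln,
            "severity": severity,
            "devices": len(hosts),
            "fix_hours": hours,
            # Assumed score: severity-weighted exposure removed per hour of work.
            "value": severity * len(hosts) / hours,
        })
    return rows

def by_severity(rows):
    """Most severe first; ties broken by number of affected devices."""
    ranked = sorted(rows, key=lambda r: (-r["severity"], -r["devices"]))
    return [r["id"] for r in ranked]

def by_value(rows):
    """Cheapest large reductions in exposure first."""
    return [r["id"] for r in sorted(rows, key=lambda r: -r["value"])]

if __name__ == "__main__":
    rows = summarize(FINDINGS, CATALOG)
    print("by severity:", by_severity(rows))
    print("by value:   ", by_value(rows))
```

With the sample data, the low-severity VULN-B, which affects 2,000 machines and needs one patch, moves from last place by severity to first place by value.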

SIEM Dashboard

Remember that an SIEM collects a lot of data: millions or billions of data points if the network is large enough.  We need a way to make sense of it all.  That is where the dashboard comes in.  The dashboard gives us a high-level overview of what is happening.

  • Sensor – what data are we collecting and from where?

  • Sensitivity – how sensitive is the system?  Are there lots of false positives or are there lots of false negatives?  The sensitivity can be set according to the needs of the organization.

  • Trends – what trends are happening?  Are there more attacks or fewer attacks in general?  Are there attacks on specific resources?  Is there increased activity in some parts of the network?  Is the SIEM aware of attacks happening across the internet that we should be aware of (not necessarily attacks on our network)?

  • Alerts – what alerts do we have?  Are we under attack?

  • Correlation – the SIEM takes data from multiple sources and draws conclusions about how a threat develops.  What conclusions is the SIEM drawing?

Logs

Most network and computer devices keep logs.  A computer may have hundreds of different logs, which could show

  • Logins and failed login attempts

  • Attempts to access a server or server port

  • Application errors

Consider having a web server running the Windows Server Operating System.  The server may have logs that show

  • Each time an administrator logs in or attempts to log in to the server

  • Each time a web user attempts to access the server (their remote IP address, the page they attempted to access, the date and time of the access attempt, and the data that was transmitted)

  • Errors in retrieving the web site data (such as 404 – page not found, 401 – user unauthorized to access the particular web page/data, etc.)

The logs can be analysed to determine if a security event has occurred and if remedial action should be taken.  Software applications can be used to automatically detect security events and alert administrators.

Areas where we can find logs

  • Network – Each network device (router, firewall, access point, switch) will maintain logs.  There might be three types of logs

    • System logs that cover the physical hardware.  This log might alert us to hardware failures.

    • System logs that cover administrator functions.  This log might alert us when an administrator logs in or when the configuration has changed.

    • Traffic logs.  These logs tell us about the type and quantity of traffic passing through the device and whether any traffic has been blocked for security reasons.

  • System – A system log might be present on a server or computer.  Windows Event Viewer contains many logs that are categorized into the following

    • Application – logs generated by applications installed on the system

    • Security – logs generated by security events

    • Setup – logs generated by setup processes

    • System – logs generated by system events


There can be additional logs in other places.

Physical server hardware or computer hardware can generate logs and store them in the device firmware or memory.  For example, a Dell iDRAC or HP iLO device can monitor the server hardware and log any errors.

  • Application – An application can log any errors that it encounters.  The logs may be stored within the Windows Event Viewer or they may be stored on the computer hard disk drive in a separate log file.

  • Security – Security logs are generated by security devices such as firewalls and other devices.

  • Web – Web logs are generated by web server software such as Microsoft IIS or Apache.  A web log might have the following information

    • IP address of the user who accessed the resource

    • The specific URL that was accessed

    • The date and time that the URL was accessed

If we are running a language on top of the server such as PHP or ASP, it may have its own logs to record errors within the application.  A PHP error could result from programming issues.

If we are running an application or website, we might have our own internal logging apparatus.  We might log invalid user inputs or other types of data.

  • DNS – A DNS server will log each DNS request.  It will also log each time a DNS record is updated and the data that is updated.

  • Authentication – An authentication server will maintain logs.  The logs will list

    • The source of a login attempt

    • The date and time of the login attempt

    • The user name that attempted to log in

    • Whether the log in was successful

  • Dump Files – A dump file is a file that contains the contents of a computer’s memory.  When a computer has a critical error, it “dumps” the contents of the memory into a file and then shuts down.  We can later take this memory dump and analyse it to see what was wrong.  A dump happens when the error is critical, but we don’t know the cause.

  • VoIP and Call Managers – A VoIP log tracks every call that is made, and includes the originating caller, the recipient’s phone number and/or IP address, the time of the call, and the duration of the call.

  • Session Initiation Protocol (SIP) Traffic – SIP is used for initiating or terminating a VoIP phone call.  A SIP log contains details about the user who initiated the call and the user who accepted the call.
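
For the authentication logs described above, the following added example (not from the original text) runs simple detection logic over constructed log lines: it flags a source that fails to log in five times within one minute and notes whether that source then logs in successfully.  The log format, threshold and window are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed authentication log: time, source, user name, result.
SAMPLE = """\
2024-05-01T10:00:01 src=203.0.113.7 user=admin result=FAIL
2024-05-01T10:00:09 src=203.0.113.7 user=admin result=FAIL
2024-05-01T10:00:15 src=198.51.100.20 user=alice result=FAIL
2024-05-01T10:00:17 src=203.0.113.7 user=admin result=FAIL
2024-05-01T10:00:24 src=198.51.100.20 user=alice result=OK
2024-05-01T10:00:26 src=203.0.113.7 user=admin result=FAIL
2024-05-01T10:00:33 src=203.0.113.7 user=admin result=FAIL
2024-05-01T10:00:41 src=203.0.113.7 user=admin result=OK
2024-05-01T10:05:00 src=192.0.2.50 user=bob result=FAIL
2024-05-01T10:15:00 src=192.0.2.50 user=bob result=FAIL
"""

LINE = re.compile(r"(\S+) src=(\S+) user=(\S+) result=(OK|FAIL)")

def parse(text):
    """Yield (timestamp, source, user, result) for each well-formed line."""
    for line in text.splitlines():
        m = LINE.fullmatch(line.strip())
        if m:
            yield datetime.fromisoformat(m[1]), m[2], m[3], m[4]

def detect(events, threshold=5, window=timedelta(minutes=1)):
    """Map each source that reached `threshold` failures inside `window` to the
    user it later logged in as (None if no login succeeded afterwards)."""
    recent = defaultdict(deque)  # source -> timestamps of failures in the window
    alerts = {}
    for ts, src, user, result in sorted(events):
        if result == "FAIL":
            q = recent[src]
            q.append(ts)
            while ts - q[0] > window:
                q.popleft()
            if len(q) >= threshold:
                alerts.setdefault(src, None)
        elif src in alerts and alerts[src] is None:
            alerts[src] = user  # success after a burst: account may be compromised
    return alerts

if __name__ == "__main__":
    for src, user in detect(parse(SAMPLE)).items():
        print(src, "failure burst;", f"then logged in as {user}" if user else "no success")
```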

syslog / rsyslog / syslog-ng

Syslog allows network devices to generate logging messages and send them to a server.  This allows an administrator to remotely view logs from many different devices in a centralized location.  Syslog is produced in a standard format.

Each log entry contains the following

  • The facility code.  The facility code tells us the type of system that created the log.

  • The severity level.  The severity level tells us how fast we should respond.  It ranges from 0 (an emergency) to 7 (a debug message).
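
A syslog message carries both values in one leading number, `<PRI>`, where PRI = facility × 8 + severity.  That rule comes from the syslog RFCs rather than from the text above.  The added example below (not part of the original text) decodes constructed messages and picks out the urgent ones; the host names and message texts are made up.

```python
import re

# Conventional short names for the facility and severity codes in RFC 5424.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              ] + [f"local{i}" for i in range(8)]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Constructed messages as they would arrive at a collector.
SAMPLE = [
    "<38>May  1 10:00:01 srv01 sshd[811]: Failed password for admin from 203.0.113.7",
    "<0>May  1 10:00:02 core-sw1 kernel: temperature critical, shutting down",
    "<134>May  1 10:00:03 fw01 filter: accepted tcp 10.0.0.5:50000 -> 198.51.100.9:443",
    "<83>May  1 10:00:04 srv01 sudo: authentication failure; user=bob",
    "<999>May  1 10:00:05 srv02 app: priority out of range",
    "no priority field at all",
]

PRI = re.compile(r"<(\d{1,3})>(.*)", re.S)

def decode(line):
    """Split the leading <PRI> into facility and severity; None if malformed."""
    m = PRI.fullmatch(line)
    if not m or int(m[1]) > 191:  # 23 * 8 + 7 is the largest valid value
        return None
    facility, severity = divmod(int(m[1]), 8)
    return {"facility": FACILITIES[facility], "severity": severity,
            "level": SEVERITIES[severity], "message": m[2]}

def triage(lines, max_severity=3):
    """Decoded messages at or above the given urgency, most urgent first."""
    decoded = [d for d in map(decode, lines) if d]
    urgent = [d for d in decoded if d["severity"] <= max_severity]
    return sorted(urgent, key=lambda d: d["severity"])

if __name__ == "__main__":
    for entry in triage(SAMPLE):
        print(f'{entry["facility"]}.{entry["level"]}: {entry["message"]}')
```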

rsyslog is the UNIX version of syslog but it also has additional features such as filtering, support for TCP, timestamps, and logging into database engines.

syslog-ng is an open source version of syslog that includes advanced features including the ability to format log messages.

journalctl is a tool to read UNIX system logs.  We can access it by typing journalctl and it will just dump the entire log onto the screen.  The tool runs on the command line.  There are other options to filter the log or to display portions of it. 

We can do the following

  • Limit the number of log entries that are displayed

  • Filter and display log entries by severity

  • Filter and display logs by other fields  

  • Display metadata associated with each log

  • Display the logs in JSON format (JavaScript Object Notation)

  • Filter logs by absolute or relative time periods

  • Search for specific keywords

  • Filter by kernel or boot messages

NXLog is a more advanced open source logging tool.  It runs on Windows, macOS, and UNIX.  It allows us to collect logs from many formats such as Windows Event Viewer, JSON, XML, and CSV, not just syslog.  It also communicates with many SIEMs and can scale to collect more than 100,000 events per second.

NXLog can transport data over SSL and can verify message integrity.  It also includes a programming language similar to Perl so that users can write their own filtering and analysis tools.

Bandwidth Monitors

A Bandwidth Monitor is a device that tracks how much traffic is going over a network interface.  The bandwidth monitor might be an application provided by our SD-WAN provider, ISP, router, or SDN application.

Metadata

Metadata is the data that describes the data.  Every file or transmission contains metadata.  Sometimes we can’t read the data because it is encrypted or because privacy laws prohibit us.  Sometimes, we can’t log the data because it is too large.  But we can usually read and log the metadata.

  • Email – An email contains the following metadata.  Many of these can be forged.

    • The sender’s e-mail address and display name (the from field)

    • The recipient’s e-mail address and display name (the to field).  This could also include people who are cc’d.

    • The reply to e-mail address

    • The sender’s e-mail program

    • The IP address of the sender’s server

    • The date and time that the e-mail was sent

    • The date and time that the e-mail was received

    • The message-ID number (every ID is unique)

    • The content type (whether the e-mail is HTML or plain text)

    • The subject

  • Mobile.  There is a wide variety of mobile metadata.  It includes

    • The duration of a phone call, the destination, and the time it was placed

    • The phone’s GPS location

    • The time that an SMS message was sent and the destination

    • The time and GPS coordinates of a photograph

    • Other types of data generated by user applications.  There are thousands of other types of metadata.  We might need a special application to analyse all of the data.

  • Web.  A web page’s metadata includes the URL and the date/time that it was accessed.  It could also include

    • The operating system that accessed the web page (Windows, macOS, UNIX, mobile)

    • The web browser make and version that accessed the web page

    • The screen resolution of the device that accessed the web page

    • The IP address of the device that accessed the web page

    • The link that the user clicked to visit the web page

    • If the user was logged in or if there was a cookie, the web page can track additional information about the user such as their username

    • More advanced tracking tools can determine whether a user scrolled down the page, how far they scrolled down, how long they sat on the page, where they moved their cursor, and whether they opened the page and stayed on it or whether they switched to a different tab

  • File.  A file’s metadata depends on the operating system.  It could include

    • The filename

    • The size of the file

    • The file type

    • The permissions of the file

    • The name of the file owner

    • The date that the file was created, modified, and last accessed

    • Whether the file was downloaded from the internet

Photos have additional data called EXIF (Extensible Image File Format).  It includes

  • The manufacturer of the camera that took the photo

  • The model of the camera that took the photo

  • The resolution of the camera

  • The date and time that the photo was taken

  • The date and time that the photo was digitized

  • Whether the camera had a flash

  • The dimensions of the photograph

  • The exposure time

  • The focal length and F-number of the lens

An audio or video file might have the following metadata

  • The bitrate of the file

  • The duration of the file

  • The codec used to encode the file

Office documents might have the following metadata

  • The name of the author and author’s organization

  • The amount of time spent editing the document

  • The number of pages and words in the document

  • A summary of the document
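
For the email metadata listed earlier in this section, the following added example (not from the original text) reads the headers of a constructed message with Python's standard email module and reports header mismatches, since many of these fields can be forged.  Every address, host name and IP is a placeholder, and the two checks are assumptions about what is worth reviewing.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr, parsedate_to_datetime

# Constructed headers; every address, host and IP is a documentation placeholder.
RAW = """\
Received: from mail.example.net (mail.example.net [198.51.100.25])
\tby mx.example.org with ESMTP; Wed, 01 May 2024 10:00:05 +0000
From: "IT Help Desk" <helpdesk@example.org>
Reply-To: support@example.com
To: alice@example.org
Cc: bob@example.org
Subject: Password expiry notice
Date: Wed, 01 May 2024 10:00:00 +0000
Message-ID: <20240501100000.1234@mail.example.net>
X-Mailer: ExampleMailer 1.0
Content-Type: text/plain; charset="utf-8"
"""
IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def related(address, sender):
    """True when address is in the sender's domain or one of its subdomains."""
    d, s = (a.rpartition("@")[2].lower() for a in (address, sender))
    return d == s or d.endswith("." + s)

def extract(raw):
    """Collect the metadata fields from the headers; the body is not read."""
    msg = message_from_string(raw)
    name, sender = parseaddr(msg.get("From", ""))
    rcpts = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return {
        "from": sender, "display_name": name,
        "reply_to": parseaddr(msg.get("Reply-To", ""))[1],
        "recipients": [addr for _, addr in rcpts],
        "subject": msg.get("Subject", ""), "mailer": msg.get("X-Mailer"),
        "sent": parsedate_to_datetime(msg["Date"]),
        "message_id": msg.get("Message-ID", "").strip("<>"),
        "content_type": msg.get_content_type(),
        "relay_ips": [m[1] for m in map(IP.search, msg.get_all("Received", [])) if m],
    }

def inconsistencies(meta):
    """Header mismatches worth a closer look; none of them proves forgery."""
    checks = {"reply-to": meta["reply_to"], "message-id": meta["message_id"]}
    return [f"{field} domain differs from sender domain"
            for field, value in checks.items()
            if value and not related(value, meta["from"])]

if __name__ == "__main__":
    print(inconsistencies(extract(RAW)))
```

Received lines are listed newest hop first, and only the line added by our own mail server can be trusted; anything below it was supplied by the sending side.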

NetFlow / sFlow

NetFlow is a tool that allows us to monitor traffic flows in our network.

  • NetFlow.  NetFlow is a proprietary Cisco router feature that aggregates and exports traffic on an interface.  The router captures data belonging to a specific flow.  A flow is a one-way stream of traffic whose packets share the following attributes

    • The interface

    • Source IP address

    • Destination IP address

    • Protocol

    • Source Port

    • Destination Port

    • IP Type of Service

The router monitors the traffic until it concludes that the flow is complete.  The flow is complete when no more traffic passes, or when a TCP connection is terminated.  The router exports the flow over UDP.  To collect the traffic, we must set up a server known as a NetFlow collector and provide the router with the IP address.  A NetFlow record contains the following

  • Input and output interfaces

  • Timestamps for the flow start and finish times

  • Number of bytes and packets in the flow

  • Layer 3 headers (source and destination IP addresses, IP protocol, ICMP type)

  • Source and destination port numbers

  • Layer 3 Routing information

When there is lots of traffic, we might not have the capacity to capture all of it.  A feature called Cisco sampled NetFlow can capture a sample of the packets at random.

  • sFlow.  sFlow is an open technology that randomly samples packets on a network device.  Because random samples are taken, the technology can scale with large amounts of traffic.  sFlow is implemented by devices made by multiple manufacturers.  sFlow can export the data to an external monitoring server.

  • IPFIX.  IP Flow Information Export or IPFIX is an open standard that defines the export of IP flow information from routers and network probes.  IPFIX defines a flow of traffic the same way that NetFlow does.  It gathers information from one or more observation points on the network and aggregates this data to produce a picture of the overall traffic flow.
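
The flow definition that NetFlow and IPFIX share can be shown in a few lines.  The added example below (not part of the original text, and not Cisco's implementation) groups constructed packet observations into one-way flows keyed by the seven attributes, closes a flow on an idle timeout or a TCP FIN/RST, and totals bytes per source.  The packet tuples, the 15-second timeout and the function names are assumptions.

```python
from dataclasses import dataclass

# Constructed packet observations: (time in s, input interface, source IP,
# destination IP, protocol, source port, destination port, ToS, bytes, TCP flags).
PACKETS = [
    (0.0, "Gi0/1", "10.0.0.5", "198.51.100.9", 6, 50000, 443, 0, 600, "S"),
    (0.1, "Gi0/2", "198.51.100.9", "10.0.0.5", 6, 443, 50000, 0, 60, "SA"),
    (0.2, "Gi0/1", "10.0.0.5", "198.51.100.9", 6, 50000, 443, 0, 1500, "A"),
    (0.9, "Gi0/1", "10.0.0.5", "198.51.100.9", 6, 50000, 443, 0, 40, "FA"),
    (1.0, "Gi0/1", "10.0.0.7", "192.0.2.53", 17, 40000, 53, 0, 80, ""),
    (40.0, "Gi0/1", "10.0.0.7", "192.0.2.53", 17, 40000, 53, 0, 80, ""),
]

@dataclass
class Flow:
    key: tuple      # the seven shared attributes
    start: float
    end: float
    packets: int = 0
    octets: int = 0

def export_flows(packets, idle_timeout=15.0):
    """Group packets into one-directional flows and return the finished records."""
    active, exported = {}, []
    for ts, iface, src, dst, proto, sport, dport, tos, size, flags in sorted(packets):
        # A flow is complete when no more traffic has passed for idle_timeout.
        for key in [k for k, f in active.items() if ts - f.end > idle_timeout]:
            exported.append(active.pop(key))
        key = (iface, src, dst, proto, sport, dport, tos)
        flow = active.setdefault(key, Flow(key, ts, ts))
        flow.end, flow.packets, flow.octets = ts, flow.packets + 1, flow.octets + size
        # It is also complete when the TCP connection is terminated (FIN or RST).
        if proto == 6 and ("F" in flags or "R" in flags):
            exported.append(active.pop(key))
    exported.extend(active.values())  # end of capture: flush what is still open
    return exported

def top_sources(flows):
    """Total bytes per source address, largest first."""
    totals = {}
    for flow in flows:
        totals[flow.key[1]] = totals.get(flow.key[1], 0) + flow.octets
    return sorted(totals.items(), key=lambda item: -item[1])

if __name__ == "__main__":
    for flow in export_flows(PACKETS):
        print(flow)
    print(top_sources(export_flows(PACKETS)))
```

The reply packet from 198.51.100.9 becomes its own flow because a flow covers one direction only, and the second DNS packet starts a new flow because the first one had already timed out.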

Protocol Analyzer Output

A protocol analyser captures data over a transmission channel.  There are many types of transmission channels and protocols, including

  • Telecom

  • Internet Protocol

  • Satellite

The protocol analyser can be used to intercept and monitor some or all of the data transmissions over the protocol.

The analyser can also be used to analyse the quality of the connection.  For example, an internet router may communicate over a copper or fiber optic cable and use OSPF, BGP, and RIP protocols.  These protocols require the connection to perform at a specific standard that may include a minimum speed, a maximum latency, and a lack of dropped packets.  The analyser can stress test the connection to ensure that it performs in accordance with the standard.

Questions to ask

  • Is this protocol secure or can any intruder gain access to it?

  • Is this protocol performing to the necessary standard required by the business?