Cyberproof: Business Sensitive Information
Interview Questions:
Basic Network Questions:
-> What is the main difference between TCP and UDP?
-> On which OSI layer do formatting, compression and encapsulation happen? - presentation layer
-> Which OSI layer sets up and maintains the connection between two devices? - transport layer
-> If you want to do encryption from one system to another, which one do we choose and why?
FTP 20, 21
SMTP 25
TFTP 69
HTTPS 443
Threats:
-> What is SQL Injection and how does it work?
-> What is client-side cross-site scripting and how does it work?
-> What changes do you see once a system is infected with malware?
-> There are emerging threats every day. How do you keep yourself updated as a Security Analyst?
>Recent attacks
>What is sandboxing
ArcSight:
-> Can we export logs for HPE from the console? How?
-> On which port do the console / web console / command center and Manager connect, and on which protocol?
-> What data sources can we use to generate a report/trend?
-> What criteria does ArcSight use for priority evaluation? -> Model Confidence, relevance, severity, asset criticality.
-> Using which interface do you manage the CORR Engine?
-> What are the types of storage retention in the ArcSight CORR Engine? -> (Time based, and Space based)
-> What is the default retention period in the CORR Engine? -> (30 to 90 days)
QRadar:
-> What are the different flow types you see in the Network Activity tab?
-> If you see offenses in QRadar that the client has already reported as pen-testing alerts, what do you do?
-> Using which option in QRadar are local and remote IPs differentiated?
-> What is a QID? During normalization the DSM maps the event to a QID so that a low-level category and a high-level category are assigned to that event.
-> If you set an offense to pending, will the same events trigger a new offense?
>Reference set, Reference map, Reference map of sets, Reference map of maps
>scaserver
>Will the event retention change when you upgrade QRadar?
https://www.ibm.com/developerworks/community/forums/html/topic?id=269b4eff-81ad-4ac5-9f2b-cdeab14a2500
>What kind of use cases can you think of after integrating a firewall?
Types of flows:
•Type A Super flow (Network scans): One source to many destination IPs. This is a unidirectional flow, which has the same source, but multiple destinations.
•Type C Super flow (Port scans): One-to-one source and destination with many ports. This is a one-to-one flow with different source or destination ports.
•Over Flow record: Created when license limits are exceeded.
When a QFlow collector hits its flow license limit, it begins creating over flow records. Over flow records have a source IP of 127.0.0.4 and a destination IP of 127.0.0.5, with one flow created per protocol (icmp, udp, tcp, etc.). When the license limit is reached, QFlow rolls the rest of the traffic for the protocol within the interval into a single record. All byte and packet counts are totaled up and added to these "overflow records".
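The three flow shapes above are easy to confuse in an interview, so here is an added example (not part of the original notes, and not QRadar code) that classifies a constructed batch of flow records: it separates the 127.0.0.4 -> 127.0.0.5 overflow records and totals their bytes and packets per protocol, then reports a Type A shape (one source, many destinations) and a Type C shape (one source and destination, many ports). The record layout, the `flow()` helper and the `threshold` of 5 are assumptions made for the example.

```python
from collections import defaultdict

# QFlow overflow records use these addresses (from the notes above).
OVERFLOW_SRC = "127.0.0.4"
OVERFLOW_DST = "127.0.0.5"


def flow(src, dst, dst_port, proto="tcp", nbytes=500, packets=5):
    """Build one constructed flow record (a dict, not real QFlow output)."""
    return {"src": src, "dst": dst, "dst_port": dst_port, "proto": proto,
            "bytes": nbytes, "packets": packets}


# Constructed sample flow records for one collection interval.
SAMPLE_FLOWS = (
    # one source talking to SMB on eight hosts: the shape of a Type A super flow
    [flow("10.0.0.5", f"10.0.1.{i}", 445) for i in range(1, 9)]
    # one source, one destination, six different ports: the shape of a Type C super flow
    + [flow("10.0.0.9", "10.0.2.2", p) for p in (21, 22, 23, 25, 80, 443)]
    # an ordinary DNS lookup
    + [flow("10.0.0.7", "8.8.8.8", 53, proto="udp", nbytes=120, packets=2)]
    # overflow records written once the licence limit was hit, one per protocol
    + [flow(OVERFLOW_SRC, OVERFLOW_DST, 0, proto="tcp", nbytes=120000, packets=900),
       flow(OVERFLOW_SRC, OVERFLOW_DST, 0, proto="udp", nbytes=4000, packets=40)]
)


def is_overflow_record(rec):
    """True for the synthetic records QFlow emits after its licence limit is reached."""
    return rec["src"] == OVERFLOW_SRC and rec["dst"] == OVERFLOW_DST


def classify_flows(flows, threshold=5):
    """Separate overflow records from real traffic and find super-flow shapes.

    threshold is the number of distinct destinations (Type A) or distinct
    destination ports (Type C) at which a source is reported; it is an
    assumption of this example, not a QRadar setting.
    """
    overflow = defaultdict(lambda: {"flows": 0, "bytes": 0, "packets": 0})
    dsts_by_src = defaultdict(set)
    ports_by_pair = defaultdict(set)
    for rec in flows:
        if is_overflow_record(rec):
            # licence overflow: total per protocol; it also means the collector is losing detail
            tot = overflow[rec["proto"]]
            tot["flows"] += 1
            tot["bytes"] += rec["bytes"]
            tot["packets"] += rec["packets"]
            continue
        dsts_by_src[rec["src"]].add(rec["dst"])
        ports_by_pair[(rec["src"], rec["dst"])].add(rec["dst_port"])
    type_a = {src: sorted(d) for src, d in dsts_by_src.items() if len(d) >= threshold}
    type_c = {pair: sorted(p) for pair, p in ports_by_pair.items() if len(p) >= threshold}
    return {"overflow": dict(overflow), "type_a": type_a, "type_c": type_c}


if __name__ == "__main__":
    result = classify_flows(SAMPLE_FLOWS)
    for src, dsts in result["type_a"].items():
        print(f"Type A super flow: {src} -> {len(dsts)} destinations")
    for (src, dst), ports in result["type_c"].items():
        print(f"Type C super flow: {src} -> {dst} on ports {ports}")
    for proto, tot in result["overflow"].items():
        print(f"overflow ({proto}): {tot['flows']} record(s), {tot['bytes']} bytes, {tot['packets']} packets")
```

The overflow totals are worth watching on their own: a steady stream of 127.0.0.4 -> 127.0.0.5 records means the collector is licence-limited for that interval, so any super flow counts from the same window are lower bounds rather than the full picture.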
>What is GRUB?
>What is the difference between a soft SIM clean and a hard SIM clean?
>What is sudo?
>Swap memory: extra memory taken from the HDD when RAM is full and the system needs more memory resources.
>QID:
>Kill switch
>Domain generation algorithms (DGA)
DoublePulsar is a backdoor implant tool developed by the U.S. National Security Agency's (NSA) Equation Group that was leaked by The Shadow Brokers in early 2017.
DoublePulsar runs in kernel mode, which grants cybercriminals a high level of control over the computer system.[3] Once installed, it uses three commands: ping, kill, and exec, the latter of which can be used to load malware onto the system.
>CISSP, CISSP-ISSAP, CISA, CISM, CEH, CHFI, ITILv3F, ISO 27001 LI, CCNA
>Why are Meltdown and Spectre difficult to crack, and what are the practical issues in fixing them?
>How do you analyze whether the system got compromised when you open an attachment?
>How do a WAF, router, switch, proxy, IDS, IPS, email gateway, etc. work?
>How do you confirm whether an SQL injection or XSS attack happened, which logs will you check for confirmation, and what actions will you take?
>What are the top web application attacks (OWASP) and what is the mitigation for each attack?
>How do you confirm that a DoS/DDoS attack happened, and what action will you take to fix it?
>likewise
>Pluralsight
Categories: Application, Authentication, DOS, Exploit, Malware, Policy, Potential Exploit, Suspicious Activity
>Syslog stands for System Logging Protocol and is a standard protocol used to send system log or event messages to a specific server, called a syslog server. It is primarily used to collect various device logs from several different machines in a central location for monitoring and review.
>netstat: The netstat command is a Command Prompt command used to display very detailed information about how your computer is communicating with other computers or network devices.
netstat -f
>The Forwarded protocol is typically used to forward events to another QRadar® Console. For example, Console A has Console B configured as an off-site target.
>IBM Resilient
protocol - JDBC
- PostgreSQL DB 5432
- Sybase DB 5000
- DB2 50000
- Informix DB 9088
>Windows without WinCollect - Microsoft Remote Procedure Call (MSRPC) 135
Quantitatively, risk is measured in terms of money, e.g. a $2000 risk.
Qualitatively is the common method: using this you measure risk as Low, Medium and High on a scale from 1 to 10, etc.
4-7 MEDIUM
8-10 HIGH
>Is there a way to know which user created a rule and who edited it?
Look in these events:
Event name: CRE Rule Modified, CRE Rule Added
>When we add a log source, which database or which location is updated in the QRadar backend?
>How do you find malware on your Windows box (using the command line)? >netstat -ano, net users, tasklist /svc, net localgroup administrators, netstat -an -proto, netstat -s
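The point of running `netstat -ano` next to `tasklist /svc` is to join them on the PID so every socket gets an owning image name. As an added example (not from the original notes, and not a Windows tool), the script below parses constructed output in the format those two commands print, joins the rows, and flags listeners that do not match a per-host baseline plus established connections owned by an image that is not recognised. The sample output, the `EXPECTED_LISTENERS` baseline, the `KNOWN_IMAGES` set and the lookalike process name `svchosts.exe` are all constructed for the example.

```python
import re

# Constructed output in the shape of `netstat -ano` on Windows (not a real capture).
NETSTAT_ANO = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING       5120
  TCP    10.0.0.15:49712        203.0.113.10:443       ESTABLISHED     5120
  UDP    0.0.0.0:5355           *:*                                    1340
"""

# Constructed output in the shape of `tasklist /svc` (not a real capture).
TASKLIST_SVC = """\

Image Name                     PID Services
========================= ======== ============================================
System                           4 N/A
svchost.exe                    912 RpcEptMapper, RpcSs
svchost.exe                   1340 Dnscache
svchosts.exe                  5120 N/A
"""

# Per-host baseline: which image is expected to own each listening socket (assumption for the example).
EXPECTED_LISTENERS = {("TCP", 135): "svchost.exe", ("TCP", 445): "System", ("UDP", 5355): "svchost.exe"}
# Images allowed to hold outbound connections on this host (assumption for the example).
KNOWN_IMAGES = {"System", "svchost.exe", "lsass.exe"}


def parse_netstat(text):
    """Turn `netstat -ano` lines into dicts; UDP rows have no State column."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        if parts[0] == "TCP" and len(parts) == 5:
            proto, local, foreign, state, pid = parts
        elif parts[0] == "UDP" and len(parts) == 4:
            proto, local, foreign, pid = parts
            state = ""
        else:
            continue
        # rsplit so an IPv6 local address such as [::]:135 still yields the port
        rows.append({"proto": proto, "local": local, "port": int(local.rsplit(":", 1)[1]),
                     "foreign": foreign, "state": state, "pid": int(pid)})
    return rows


def parse_tasklist(text):
    """Map PID -> image name and service list from `tasklist /svc` output."""
    procs = {}
    for line in text.splitlines():
        m = re.match(r"^(\S.*?)\s+(\d+)\s+(.*)$", line)
        if not m:
            continue                      # header, separator and blank lines carry no PID
        procs[int(m.group(2))] = {"image": m.group(1).strip(), "services": m.group(3).strip()}
    return procs


def find_suspicious(conns, procs):
    """Join sockets to their owning image and report what falls outside the baseline."""
    findings = []
    for c in conns:
        proc = procs.get(c["pid"])
        image = proc["image"] if proc else "<no tasklist entry>"
        if c["state"] == "LISTENING" or c["proto"] == "UDP":
            expected = EXPECTED_LISTENERS.get((c["proto"], c["port"]))
            if expected != image:
                findings.append({"pid": c["pid"], "image": image, "port": c["port"], "proto": c["proto"],
                                 "reason": f"listener not in baseline (expected {expected})"})
        elif proc is None or image not in KNOWN_IMAGES:
            findings.append({"pid": c["pid"], "image": image, "port": c["port"], "proto": c["proto"],
                             "reason": f"connection to {c['foreign']} from unrecognised image"})
    return findings


if __name__ == "__main__":
    for f in find_suspicious(parse_netstat(NETSTAT_ANO), parse_tasklist(TASKLIST_SVC)):
        print(f"PID {f['pid']:>5} {f['image']:<22} {f['proto']}/{f['port']:<5} {f['reason']}")
```

On the sample data the join is what exposes the problem: port 4444 and the outbound connection both belong to PID 5120, whose image name is one letter off from `svchost.exe`, which a plain `netstat -ano` listing never shows. On a real host the baseline has to be built from a known-good image of the same role before the comparison means anything.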
>How does coalescing work, what are the parameters for coalescing to work, and can we modify those parameters?
>What is ransomware, what are the types of ransomware, and how do we analyze and mitigate them?
>What is the minimum bandwidth and latency required for an HA pair in QRadar?
>What parameters will you check while calculating a license for QRadar?
>Can we keep one device of an HA pair in one location and the other in another geo location? If so, what challenges do we get?
>What parameter will you check to give the log source identifier as hostname / IP address?
>What configuration steps do you do on a firewall, proxy, email gateway, WAF, endpoint device, etc. to send the logs to the SIEM?
>What parameters will we check to confirm whether a website is secured or not?
>How do you confirm or analyze whether your email id is compromised or not?
>When antivirus software is updating, if a virus attacks the system during that time, will the AV detect the threat or not?
>How does malware identify a normal system vs. a sandbox, and how does it behave differently in those 2 scenarios?
>What are the standard parameters we will check to confirm that SQL injection or XSS was performed (true positive/false positive)?
>False positive or false negative: which one do we need to be more concerned about?
>What protocol is used to collect logs from a Windows device other than WinCollect and syslog?
>Difference between a reference set (set of elements to refer to IPs, MD5s, usernames, IOCs) and a building block
>What is the difference between defining severity, credibility and relevance in rule actions and rule responses?
>/opt/qradar/support/validate_deployment.sh
>What is a honeypot?
WAF:
Email secure gateway: Cisco Email Security Appliance, Clearswift SECURE Email Gateway, Fortinet FortiMail, McAfee Security for Email Servers, Microsoft Exchange Online Protection, Proofpoint Email Protection, Sophos Email Appliance, Symantec Email Security.cloud, Symantec Messaging Gateway, Trend Micro InterScan Messaging Security
Web gateway: Symantec, iboss, McAfee, F5 Networks, Check Point Software, zScaler, Cisco, Barracuda, Forcepoint
>How can we bypass correlation for a log source which is sending logs to QRadar?
>What is the port number for the DRBD (Distributed Replicated Block Device) protocol? 7789
>How can we take a data/config backup using the CLI (using a perl script)?
/opt/qradar/bin/contentManagement.pl
https://www.ibm.com/support/knowledgecenter/SSKMKU/com.ibm.qradar.doc_cloud/t_cmt_importing_content.html
>ServiceNow app (to create the ticket from the offense)
>How would you confirm that a Windows 7 system has been compromised?
>What are examples of tools or logs you might use to collect and analyze evidence?
>When you suspect that an attack against the network has occurred, what information should you collect to prove the theory?
>What is vulnerability scanning and how does it help to keep an enterprise secure?
PSH
TCP buffers data that you send. This means it won't send data immediately and will wait to see if you have more. By setting the PSH flag, and confirming that you have no more data to send, TCP will "push" or send the buffered or collected data onto the wire towards the receiver. On the receiving end, normally, it will also buffer data. But, if it sees the PSH flag being set, it pushes it immediately to the application. If a packet leaving the sender has the PSH field set, it only means that the sender has nothing more to send.
URG
If you have pushed data, the receiving end will wait for all of the data first and will see the PSH flag being set. Then it forwards the data to the application. This means you have to wait for the receiver to get all of the data before forwarding it and processing a new one. If the URG flag is set, this is like the sender saying "You do not need to wait for all of the data before sending them. Go ahead and prioritize sending urgent data." This causes the receiving TCP to forward the urgent data on a separate channel to the application. This allows the application to process the data out of band.
The urgent pointer is the one that indicates how much of the data in the segment is urgent, where it starts counting from the first byte.
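To make the PSH/URG description concrete, here is an added example (not part of the original notes) that packs and parses raw TCP headers with `struct`, pulls out the flag bits and the urgent pointer, and models a receiving side that behaves the way the text describes: payload is buffered until a segment carrying PSH arrives, and any URG-marked bytes are handed over on a separate channel straight away. The `Receiver` class and the constructed segments are assumptions made for the example; the header layout and flag bit positions are the ones from RFC 793 (ECE/CWR from RFC 3168). The urgent data is taken as the first `urg_ptr` payload bytes, which is the RFC 793 reading and matches the "counting from the first byte" wording above.

```python
import struct

# Flag bits in the 8-bit flags field, least significant bit first.
FLAG_NAMES = ("FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR")
HEADER_FMT = "!HHIIBBHHH"   # src, dst, seq, ack, offset/reserved, flags, window, checksum, urgent pointer


def build_tcp_segment(src_port, dst_port, seq, ack, flags, payload=b"", urg_ptr=0, window=65535):
    """Build a constructed TCP segment (no options, checksum left at zero) for the parser below."""
    flag_bits = 0
    for name in flags:
        flag_bits |= 1 << FLAG_NAMES.index(name)
    header = struct.pack(HEADER_FMT, src_port, dst_port, seq, ack, 5 << 4, flag_bits, window, 0, urg_ptr)
    return header + payload


def parse_tcp_segment(segment):
    """Parse a raw TCP segment (header + payload, IP header already stripped)."""
    if len(segment) < 20:
        raise ValueError("segment shorter than the minimal 20-byte TCP header")
    (src_port, dst_port, seq, ack, off_res, flag_bits,
     window, checksum, urg_ptr) = struct.unpack(HEADER_FMT, segment[:20])
    data_offset = (off_res >> 4) * 4            # header length in bytes, options included
    if data_offset < 20 or data_offset > len(segment):
        raise ValueError("invalid data offset")
    flags = [name for bit, name in enumerate(FLAG_NAMES) if flag_bits & (1 << bit)]
    payload = segment[data_offset:]
    urgent = b""
    if "URG" in flags:
        # RFC 793: the pointer counts from the first payload byte to the end of the urgent
        # data, so the first urg_ptr bytes are urgent. Some stacks instead treat it as
        # pointing at the last urgent byte (RFC 6093), one reason out-of-band TCP data is
        # rarely relied on in practice.
        urgent = payload[:min(urg_ptr, len(payload))]
    return {"src_port": src_port, "dst_port": dst_port, "seq": seq, "ack": ack, "flags": flags,
            "window": window, "urg_ptr": urg_ptr, "payload": payload, "urgent": urgent}


class Receiver:
    """Toy receiving side modelling the behaviour described in the notes: buffer until PSH,
    hand URG-marked bytes over on a separate channel immediately."""

    def __init__(self):
        self.buffer = bytearray()
        self.delivered = []      # in-band data handed to the application, one chunk per PSH
        self.out_of_band = []    # urgent data handed over as soon as it is seen

    def accept(self, raw_segment):
        seg = parse_tcp_segment(raw_segment)
        if seg["urgent"]:
            self.out_of_band.append(seg["urgent"])
        self.buffer += seg["payload"]
        if "PSH" in seg["flags"]:
            self.delivered.append(bytes(self.buffer))
            self.buffer.clear()
        return seg


if __name__ == "__main__":
    rx = Receiver()
    rx.accept(build_tcp_segment(40000, 80, 1, 1, ["ACK"], b"GET / "))
    rx.accept(build_tcp_segment(40000, 80, 7, 1, ["ACK", "PSH"], b"HTTP/1.0\r\n\r\n"))
    print("delivered:", rx.delivered)
    rx.accept(build_tcp_segment(40000, 23, 20, 1, ["ACK", "URG", "PSH"], b"ABCDEFGH", urg_ptr=3))
    print("out of band:", rx.out_of_band)
```

The first two segments show the buffering: nothing reaches the application until the PSH-carrying segment completes the request. The third shows why the urgent pointer matters for analysts reading captures: a segment can carry ordinary and urgent bytes together, and the pointer, not the URG flag alone, says where the split is.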
> Enumeration: The process of counting off or listing what services, applications, and protocols are
present on each identified computer