The correct answer is: Stateful Firewall, TCPDUMP, Cisco Umbrella, Snort
Stateful Firewall --> Session data
Session data is data about a network session that is usually established between two devices either on the same network or remote networks. Session data contains the following elements, which are used to identify the details within the network session:
Source and destination IP addresses
Source and destination service ports
Layer 3 protocol details and code
TCPDUMP --> full packet capture
Cisco Umbrella (DNS) --> Transaction Data
The actual data that is exchanged during a session is known as transaction data. The actual data that is being sent across the network.
Snort (IDS) --> connection event
Connection events – These events are generated when a device establishes a session with another device on the network. When a session is detected by NGIPS, it creates a connection log that contains all the information about the session/connection itself.
Reference: Book Cisco Certified CyberOps Associate 200-201 Certification Guide - By Glen D. Singh
Q95 clearly shows Stateful firewall as connection event and TCP Dump as Full Packet Capture. But I have no idea on the other 2 items
https://vwannabe.com/2017/02/07/ccna-cyber-ops-5-0-security-monitoring/
You should base it on that question; for me, I think stateful firewall is session by this sentence:
Session data: Session data is the summary of the communication between two network devices. Also known as a conversation or a flow, this summary data is one of the most flexible and useful forms of NSM (Network Security Monitoring) data.
Meanwhile, Snort is connection event by this context:
Connection event: Connection events are the records of any connection that occurs in a monitored network.
From book by Singh "This firewall maintains a state of connections that are originating from the inside zone (internal) to the outside zone (the internet)."
Session data is associated with stateful firewalls.
Full packet capture can be performed using tools like tcpdump.
Transaction data is a more general term and is not specifically associated with Cisco Umbrella.
Snort is an intrusion detection/prevention system and can detect connection events among other types of network activity.
Session data: Session data refers to information about network sessions, including data such as the source and destination IP addresses, source and destination ports, protocol used, and the duration of the session. This type of data is typically generated by stateful firewalls, which keep track of the state of network connections.
Full packet capture: Full packet capture refers to capturing all the data that is transmitted over a network, including the packet headers and payloads. This type of data is typically captured using packet capture software or appliances such as Wireshark or tcpdump.
Transaction data: Transaction data refers to data generated by a network application when a transaction occurs, such as a web server log recording a user's access to a website.
Connection event: A connection event refers to an event in which a device initiates or receives a connection attempt, such as a TCP SYN packet. This type of event is typically captured by network flow analysis tools like NetFlow or sFlow collectors or Snort.
Tcpdump -> full packet capture
Cisco Umbrella -> transaction data
Traditional stateful firewall -> connection event
Snort -> session data
Connection events – These events are generated when a device establishes a session with another device on the network. When a session is detected by NGIPS, it creates a connection log that contains all the information about the session/connection itself. Each connection log will contain essential data, such as date and timestamps, source and destination IP addresses, and any other additional information that can be used to identify the session. Additionally, if an ACL blocks traffic on a router or firewall, the name of the ACL is also inserted within the connection event log on the device.
Reference: Book Cisco Certified CyberOps Associate 200-201 Certification Guide - By Glen D. Singh
Snort is an IDS, so it should provide alarm data...
TCPdump & Umbrella are clear, but the firewall provides, I think, connection data. Later in question #110 it seems clearer.
Finally, only the session and IDS remain..
Session data = protocol, source IP, source port, destination IP, destination port, timestamps, packet count, bytes transferred, 5-tuple information
Transaction data = data exchanged during session, for example email transfers, Kerberos ticket information for Active Directory
I think that correct answer is:
Session Data -> stateful firewall
full packet capture -> tcpdump (or it could also be Wireshark)
transaction data -> Cisco Umbrella, it includes secure web gateway, firewall, and cloud access security broker (CASB) functionality.
snort -> connection event
Session Data = information about client/server connections, the details of a session between two hosts
Transaction Data = "application data" that are exchanged during connection.
According to https://vwannabe.com/2017/02/07/ccna-cyber-ops-5-0-security-monitoring/
NextGen IPS (Snort) -> Connection event
Session data - data is the summary of the communication between two network devices. -> hence FIREWALL
And then Umbrella - Transaction data: application-specific
DNS functions at Application level = Transaction data:application specific
upvoted 1 times
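The definitions quoted in this thread can be made concrete by deriving session data and transaction data from the same packets. The following is an added example, not part of the original discussion or the cited book: the packet list is constructed sample data, and the names `dns_message`, `session_records` and `transaction_records` are hypothetical.

```python
import struct

def dns_message(txid, name, flags=0x0100):
    """Build a minimal DNS message with one question (constructed sample data)."""
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)

# Constructed "full packet capture": (ts, src, sport, dst, dport, proto, payload)
PACKETS = [
    (10.00, "10.0.0.5", 53124, "192.0.2.53", 53, "udp", dns_message(0x1A2B, "example.com")),
    (10.02, "192.0.2.53", 53, "10.0.0.5", 53124, "udp",
     dns_message(0x1A2B, "example.com", flags=0x8180) + b"\x00" * 16),
    (11.00, "10.0.0.5", 44310, "198.51.100.7", 443, "tcp", b""),
    (11.05, "198.51.100.7", 443, "10.0.0.5", 44310, "tcp", b""),
    (12.50, "10.0.0.5", 44310, "198.51.100.7", 443, "tcp", b"\x16\x03\x01" + b"\x00" * 200),
]

def session_records(packets):
    """Session data: one summary per conversation, keyed on the 5-tuple (both directions)."""
    flows = {}
    for ts, src, sport, dst, dport, proto, payload in packets:
        key = (proto,) + tuple(sorted([(src, sport), (dst, dport)]))
        flow = flows.setdefault(key, {
            "proto": proto, "src": src, "sport": sport, "dst": dst, "dport": dport,
            "start": ts, "end": ts, "packets": 0, "bytes": 0})
        flow["end"] = ts
        flow["packets"] += 1
        flow["bytes"] += len(payload)  # payload bytes only; headers are not modelled
    return list(flows.values())

def transaction_records(packets):
    """Transaction data: the application-level exchange, here the DNS name queried."""
    out = []
    for ts, src, sport, dst, dport, proto, payload in packets:
        if proto != "udp" or dport != 53 or len(payload) < 12:
            continue  # only client-to-resolver DNS queries carry the question we log
        labels, i = [], 12  # QNAME starts after the 12-byte DNS header
        while i < len(payload) and payload[i] and not payload[i] & 0xC0:
            n = payload[i]
            labels.append(payload[i + 1:i + 1 + n].decode("ascii", "replace"))
            i += 1 + n
        out.append({"ts": ts, "client": src, "qname": ".".join(labels)})
    return out

if __name__ == "__main__":
    for rec in session_records(PACKETS) + transaction_records(PACKETS):
        print(rec)
```

The five packets collapse into two session records (who talked to whom, for how long, how much), while the transaction record keeps only what was asked at the application layer, which is the kind of record a DNS security service logs.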