In a security operations center (SOC) environment, one method that could be used to identify a session from a group of logs is the use of a 5-tuple. A 5-tuple consists of five pieces of information that can be used to identify a specific network session: the source IP address, source port, destination IP address, destination port, and protocol. By using this information, an analyst can identify a specific session from a group of logs and track its progress through the system. Other methods that could be used to identify a session from a group of logs include the use of sequence numbers, timestamps, or IP identifiers.
The 5-tuple consists of five values: source IP address, source port, destination IP address, destination port and transport protocol. By examining the 5-tuple, an analyst can determine the sequence of events within a session and identify logs related to the session.
Together these five values uniquely identify a network session. By examining these attributes within log data, an analyst can pinpoint and correlate activities related to a specific session, aiding incident investigation within a SOC environment.
The 5-Tuple, in the first place, is a method, which matches the question. Second, with the help of the 5-Tuple methodology, we can easily filter out logs based on the main elements of the method mentioned.
I actually think it's A. My logic being the question is to identify a session, surely a sequence number is unique. If the same computer connected to the same service a number of times they would have exactly the same 5-Tuple. So there is no way to identify a single session without also, say, a timestamp or a sequence number?
A 5-tuple refers to a set of five different values that comprise a Transmission Control Protocol/Internet Protocol (TCP/IP) connection.
1. Layer 4 Protocol
2. Source IP address
3. Destination IP address
4. Source Port Number
5. Destination Port Number
"C" is correct.
Traditional firewalls typically provide security event logs that are mostly based on the 5-tuple.
A TCP session is a sequence of sockets with the same IP addresses, ports and protocol.
Read the question, which method?
Sequence numbers are not a method. The given answer is correct.
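The discussion above turns on two points: grouping log records by their 5-tuple, and the observation that a client reusing the same ephemeral port produces a second connection with an identical 5-tuple, so timestamps or connection-start markers are needed to tell the sessions apart. The following Python is an added example written for this page; it is not code from any commenter or from ExamTopics. The log lines are constructed (`key=value` fields with an ISO timestamp, a made-up format), and the session-splitting rule (a bare SYN or an idle gap, with a hypothetical 120-second timeout) is an assumption chosen to illustrate the point rather than any vendor's behaviour.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample log lines in a made-up key=value format (not real device output).
# Source port 51000 is used for two separate connections five minutes apart,
# so those records share a 5-tuple even though they belong to different sessions.
LOG_LINES = [
    "2024-03-01T10:00:00Z proto=tcp src=10.0.0.5 spt=51000 dst=203.0.113.7 dpt=443 flags=S",
    "2024-03-01T10:00:01Z proto=tcp src=10.0.0.5 spt=51000 dst=203.0.113.7 dpt=443 flags=A",
    "2024-03-01T10:00:02Z proto=tcp src=10.0.0.5 spt=51001 dst=203.0.113.7 dpt=443 flags=S",
    "2024-03-01T10:00:03Z proto=udp src=10.0.0.5 spt=53011 dst=192.0.2.53 dpt=53",
    "2024-03-01T10:00:04Z proto=tcp src=10.0.0.5 spt=51001 dst=203.0.113.7 dpt=443 flags=F",
    "2024-03-01T10:05:00Z proto=tcp src=10.0.0.5 spt=51000 dst=203.0.113.7 dpt=443 flags=S",
    "2024-03-01T10:05:01Z proto=tcp src=10.0.0.5 spt=51000 dst=203.0.113.7 dpt=443 flags=A",
]

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Split one constructed log line into a timestamp plus the 5-tuple fields."""
    ts_text, _, rest = line.partition(" ")
    fields = dict(FIELD_RE.findall(rest))
    return {
        "ts": datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        "proto": fields["proto"],
        "src": fields["src"],
        "spt": int(fields["spt"]),
        "dst": fields["dst"],
        "dpt": int(fields["dpt"]),
        "flags": fields.get("flags", ""),  # UDP records carry no TCP flags
    }


def five_tuple(rec):
    """The 5-tuple: protocol, source IP, source port, destination IP, destination port."""
    return (rec["proto"], rec["src"], rec["spt"], rec["dst"], rec["dpt"])


def group_by_five_tuple(lines):
    """Correlate log records by 5-tuple, the first step in pulling a session out of a log set."""
    groups = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        groups[five_tuple(rec)].append(rec)
    return dict(groups)


def split_sessions(records, idle_timeout=timedelta(seconds=120)):
    """Split one 5-tuple's records into distinct sessions.

    A new session starts at a bare SYN (flags == "S") or after an idle gap
    longer than idle_timeout (hypothetical value). This is what distinguishes
    a reused source port from a continuation of the earlier connection.
    """
    sessions, current, last_ts = [], [], None
    for rec in sorted(records, key=lambda r: r["ts"]):
        starts_new = rec["flags"] == "S" or (
            last_ts is not None and rec["ts"] - last_ts > idle_timeout
        )
        if starts_new and current:
            sessions.append(current)
            current = []
        current.append(rec)
        last_ts = rec["ts"]
    if current:
        sessions.append(current)
    return sessions


if __name__ == "__main__":
    for key, recs in group_by_five_tuple(LOG_LINES).items():
        sessions = split_sessions(recs)
        print(f"{key}: {len(recs)} records -> {len(sessions)} session(s)")
```

Run as a script, the grouping step yields three 5-tuples, but the `tcp/10.0.0.5:51000 -> 203.0.113.7:443` group holds four records that the timestamp and SYN check split into two sessions; that is exactly the case the comment about repeated connections raises, and why a stateful device's session log (or a timestamp window) is needed on top of the 5-tuple alone.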
Community vote distribution: A (35%), C (25%), B (20%), other.