Consider the search shown below. What is this search's intended function?
A. To return all the web_log events from the web index that occur two hours before and after the most recent high severity, denied event found in the firewall index.
B. To find all the denied, high severity events in the firewall index, and use those events to further search for lateral movement within the web index.
C. To return all the web_log events from the web index that occur two hours before and after all high severity, denied events found in the firewall index.
D. To search the firewall index for web logs that have been denied and are of high severity.
The correct answer is A. The search is intended to return all the web_log events from the web index that occur two hours before and after the most recent high severity, denied event found in the firewall index.
The subsearch within square brackets searches the firewall index for high severity, denied events and uses the stats command to keep only the timestamp of the most recent one. The eval command then derives earliest and latest fields from that single timestamp (two hours before and two hours after it). The fields command at the end limits the subsearch output to earliest and latest, so that only those two time bounds are handed back to the outer web_log search; because stats collapses the subsearch to one row, the outer search is bounded by a single window rather than by a window per denied event, which is why option C is wrong.
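The following is an added illustration of the shape of search the explanation describes; it is not the exam's actual search (which is not reproduced on this page). The field names `action=denied` and `severity=high`, the `sourcetype=web_log` filter and the temporary field `t` are assumptions chosen for the example.

```spl
index=web sourcetype=web_log
    [ search index=firewall action=denied severity=high
      | stats latest(_time) as t
      | eval earliest=t-7200, latest=t+7200
      | fields earliest latest ]
```

The subsearch returns one row, `earliest=<t-7200> latest=<t+7200>`, and Splunk treats those two field names as time modifiers on the outer search, so the web_log events are restricted to the four-hour window around the most recent denied event. The final `fields earliest latest` matters: without it the subsearch would also return `t`, which would be ANDed into the outer search as a literal `t=<value>` term and match nothing. Two checks worth running before trusting such a search are to execute the bracketed subsearch on its own and confirm it yields exactly one row, and to verify that the outer search's time picker is wide enough to contain the computed window, since the picker still applies.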