Interview Questions 2023

The document contains a comprehensive list of interview questions and topics related to cybersecurity, including basic network concepts, threats, SIEM tools, and various attack types. It covers essential protocols, attack mitigation strategies, and the analysis of security incidents. Additionally, it discusses the integration of different security tools and the importance of risk assessment in cybersecurity practices.
CyberProof - Business Sensitive Information

Interview Questions:

Basic Network Questions:
The main difference between TCP and UDP

Which protocol does DNS use?

What is two-factor authentication?

What is the three-way handshake process?

The 3-way handshake process is happening on UDP protocol, true/false? Why?

On which OSI layer do formatting (translation), compression, and encryption happen? - Presentation layer

The transport layer sets up and maintains the connection between two devices.

Which port is used for an SSL/TLS FTP (FTPS) connection? 21 for explicit FTPS (AUTH TLS on the normal control port); 990 for implicit FTPS

Which protocol is used to manage network? SNMP

Which protocol is used to ping? On which port? (ICMP echo request/reply; ICMP sits directly on IP and has no ports)

What is SSL?

What is Data exfiltration?

Difference between Malware and Virus/worm/spyware?

Difference between risk, threat, and vulnerability?

The difference between APT and zero-day attack.

Difference between encryption, encoding, and hashing.

If you want to do encryption from one system to another, which one do we choose and why?

Which method is best to do data transfer (SSL/TLS/HTTPS.)

How directory traversal attack works

FTP 20, 21
Telnet 23
SMTP 25
DNS 53
HTTP 80
POP3 110
NNTP 119
HTTPS 443
DHCP 67, 68
TFTP 69
NTP 123
SNMP 161, 162
RDP 3389
SSH 22
Threats:

What is SQL Injection and how does it work?
What is client-side cross site scripting and how does it work?

What is DNS poisoning?

How do you identify backdoor activity happening in a system?


How does a DDoS attack work?

What changes do you see once malware has infected the system?

There are emerging threats every day, how do you update yourself as a security analyst?

How to mitigate DoS, DDoS, and malware (virus, worm, logic bomb, trojan horse, botnet, rootkit, keylogger, ransomware, spyware, adware, malicious DLL, backdoor)?

How do you analyze malware (sandboxing)

Spectre, Meltdown, WannaCry (WCry), Petya ransomware.

Recent attacks

What is DLL (Dynamic Link Library)?

What is sandboxing

How do you analyze zero-day exploit, malware

ArcSight:

Why do we need SIEM in an organization?

Event Life Cycle in ArcSight SIEM

Differences between smart connector and flex connector

5 GB

Default time window of an active channel? -> ($Now - 2 hrs)

Difference between Active list and session list

Can we export logs for HPE from the console? How?

-> On which ports do the console / web console / command center and the Manager connect? And on which protocol?

What are the data sources we can use to generate a report/trend?

What is the main purpose of Logger/connector appliance?

What are the criteria for priority evaluation that happens in the ArcSight? Model Confidence, relevance,
severity, asset criticality.
Using which interface do you manage the CORR-Engine?

What are the types of storage retention in the ArcSight CORR-Engine? (Time based and space based)

What is the default retention period in the CORR-Engine? (30 to 90 days)

Many scenario-based questions

QRadar:

Event Life Cycle in QRadar

Difference between DSM and UDSM


What are the different flow types you see in the Network activity tab?

What information do you see on the Asset Tab?

If you see some offenses in QRadar which the client has already informed you are pentesting alerts, what do you do?

-> Using which option in QRadar are local and remote IPs differentiated? (The network hierarchy)

What are the services running in QRadar?

Difference between Domain and tenant management

Difference between rules and building blocks

What are the criteria considered for event/offense magnitude?

Why do we see 0.0.0.0 in any events in QRadar?


What is a QID? During normalization the DSM assigns a QID (QRadar Identifier) to the event; the QID maps the event to a low-level category, and each low-level category belongs to a high-level category, so both categories are assigned to that event.

If you set any offense as pending, does the same event trigger a new offense?

Why do AQL services get stopped when we use historical correlation?

What are the prerequisites for adding any log source?

Which three core functions are provided in a typical SIEM product?

A. The ability to monitor and stop threats

B. The ability to alert on real-time exploits

E. The ability to assist with forensic investigation

What is meant by multiline syslog?

What is syslog, TLS syslog, TCP multiline syslog?


Top 5 use cases (regularly used)

Top log source troubleshooting scenarios

How can we manage retention bucket sequence

What are Flow Retention & Event Retention Buckets?

Reference set, Reference map, Reference map of set, Reference map of maps

scaserver

Will the event retention change when you do the QRadar upgrade?

Where does the LMS exist?

Database integration in QRadar

Variety of log source integrations and the types of logs from them

Difference between stored and unknown events

https://www.ibm.com/developerworks/community/forums/html/topic?id=69b4ef82-ad-4ac5-9fb-cdeab24a500

What kind of use cases can you think of after integrating a firewall?
Difference between local rule and global rule

What is SIM generic?

What is a CRE event, do we use that anywhere?

What is severity, credibility, and relevance in QRadar magnitude calculation?

Types of flows:

Standard flow: a single standard flow record.

Type A super flow (network scans): one source to many destination IPs. This is a unidirectional flow which has the same source but multiple destinations.

Type B super flow (DDoS): multiple sources to a single destination IP. This is a unidirectional flow which has multiple sources but a single destination.

Type C super flow (port scans): one-to-one source and destination with many ports. This is a one-to-one flow with different source or destination ports.

Overflow record: created when license limits are exceeded.

When a QFlow collector hits its flow license limit, it begins creating overflow records. Overflow records have a source IP of 127.0.0.4 and a destination IP of 127.0.0.5, with one flow created per protocol (ICMP, UDP, TCP, etc.). When the license limit is reached, QFlow rolls the rest of the traffic for the protocol within the interval into a single record. All byte and packet counts are totaled up and added to these overflow records.
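To make the four record types above concrete, here is an added Python example (not QRadar code, and not from the original document) that groups a constructed one-minute batch of flow records into Type A/B/C super flows and then applies a pretend license limit to show how the remainder collapses into 127.0.0.4 -> 127.0.0.5 overflow records. The threshold of 10, the flow tuple layout and the sample records are assumptions for the demo; QRadar's real aggregation thresholds are internal.

```python
from collections import defaultdict

# Constructed one-minute batch of flow records as (src_ip, dst_ip, dst_port, proto).
# Not real traffic; built so that each super flow type appears exactly once.
FLOWS = (
    # Type A candidate: one source touching many hosts on 445 (network scan)
    [("10.1.1.5", f"10.2.0.{i}", 445, "tcp") for i in range(1, 41)]
    # Type B candidate: many sources hitting one web server (DDoS)
    + [(f"203.0.113.{i}", "10.2.0.200", 80, "tcp") for i in range(1, 61)]
    # Type C candidate: one source probing many ports on one host (port scan)
    + [("198.51.100.9", "10.2.0.50", p, "tcp") for p in range(20, 70)]
    # Ordinary traffic that should stay as standard flows
    + [("10.1.1.7", "10.2.0.200", 443, "tcp"), ("10.1.1.8", "10.2.0.201", 53, "udp")]
)


def classify_superflows(flows, threshold=10):
    """Group records the way the page describes: same source/many destinations (A),
    many sources/same destination (B), same pair/many ports (C). `threshold` is an
    assumed demo value; QRadar's own aggregation thresholds are internal."""
    dsts_by_src = defaultdict(set)
    srcs_by_dst = defaultdict(set)
    ports_by_pair = defaultdict(set)
    for src, dst, port, _proto in flows:
        dsts_by_src[src].add(dst)
        srcs_by_dst[dst].add(src)
        ports_by_pair[(src, dst)].add(port)

    super_flows = []
    for (src, dst), ports in ports_by_pair.items():
        if len(ports) >= threshold:
            super_flows.append({"type": "C", "src": src, "dst": dst, "count": len(ports)})
    for src, dsts in dsts_by_src.items():
        if len(dsts) >= threshold:
            super_flows.append({"type": "A", "src": src, "count": len(dsts)})
    for dst, srcs in srcs_by_dst.items():
        if len(srcs) >= threshold:
            super_flows.append({"type": "B", "dst": dst, "count": len(srcs)})

    # Anything absorbed into a super flow is no longer reported as a standard flow.
    # (Simplification: a legitimate client of a DDoS target is absorbed into the Type B record too.)
    a_srcs = {f["src"] for f in super_flows if f["type"] == "A"}
    b_dsts = {f["dst"] for f in super_flows if f["type"] == "B"}
    c_pairs = {(f["src"], f["dst"]) for f in super_flows if f["type"] == "C"}
    standard = [f for f in flows
                if f[0] not in a_srcs and f[1] not in b_dsts and (f[0], f[1]) not in c_pairs]
    return super_flows, standard


def apply_flow_license(flows, limit):
    """Once `limit` flows have been kept for the interval, roll the rest into one
    overflow record per protocol with the 127.0.0.4 -> 127.0.0.5 marker addresses
    described above. Returns (kept_flows, overflow_records)."""
    kept = flows[:limit]
    overflow = defaultdict(int)
    for _src, _dst, _port, proto in flows[limit:]:
        overflow[proto] += 1          # the page totals bytes/packets; the demo counts flows
    records = [("127.0.0.4", "127.0.0.5", proto, count)
               for proto, count in sorted(overflow.items())]
    return kept, records


if __name__ == "__main__":
    sf, std = classify_superflows(FLOWS)
    for f in sf:
        print("super flow", f)
    print("standard flows left:", std)
    print("overflow records at limit 100:", apply_flow_license(FLOWS, 100)[1])
```

In a SOC the practical value of knowing these types is that a Type A or C record is itself a scan indicator and a Type B record is a DDoS indicator, while a steady stream of overflow records means the flow license, not the network, is the limit on what you can see.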

What is the concept of virtual IP in HA cluster?

Damn Vulnerable Web Application (DVWA)

Diffie–Hellman key exchange


What is the cyber kill chain? (Reconnaissance, weaponization, delivery, exploitation, installation, command & control, actions on objectives)

What is a brute-force attack?

What is GRUB

What is the difference between soft SIM clean and hard SIM clean?

What is sudo?
In which layer do DDoS and DoS occur?

Difference between OSI and TCP/IP

Carbon Black (endpoint security: Defense, Response, Protect)

> df -h (disk free, human-readable sizes)

Swap memory is disk space (a swap partition or swap file on the HDD/SSD) that the kernel uses as an overflow area when RAM is full and the system needs more memory; pages that are not in active use are moved out to swap.

Attacks at each layer

Application attacks - Distributed DoS (DDoS) and spoofing

Presentation attacks - DDoS and spoofing

Session attacks - DDoS and spoofing

Transport attacks - DoS and hijacking

Network attacks - Spoofing of IP & poisoning of ARP

Data Link attacks - Overload of MAC table and port

Physical attacks - Sniffing and severing of backbone


Kill switch

Domain generation algorithms (DGA)

DoublePulsar is a backdoor implant tool developed by the U.S. National Security Agency's (NSA) Equation Group that was leaked by The Shadow Brokers in early 2017.

DoublePulsar runs in kernel mode, which grants attackers a high level of control over the computer system. Once installed, it responds to three commands: ping, kill, and exec, the last of which can be used to load malware onto the system.

Directory Traversal attack

psql command to check events in offense for QRadar

> CISSP, CISSP-ISSAP, CISA, CISM, CEH, CHFI, ITIL v3 Foundation, ISO 27001 LI, CCNA

Firewalls have different logging levels (verbose, warning, informational, ...)

SIEM implementation: what all does it involve?

What is the size of a single event for Windows, firewall, etc.?


Why Meltdown and Spectre are difficult to crack and what are the practical issues to fix them.

netstat -an | grep 32005 to check the port status

tcp6       0      0 127.0.0.1:43936         127.0.0.1:32005         ESTABLISHED

[root@baril-rozz-it-qcon2 ~]# netstat -an | grep 32006

tcp        0      0 127.0.0.1:32006         0.0.0.0:*               LISTEN

tcp6       0      0 ::1:32006               :::*                    LISTEN

tcp6       0      0 172.24.41.108:3684      172.24.41.110:32006     TIME_WAIT

tcp6       0      0 127.0.0.1:37246         127.0.0.1:32006         TIME_WAIT

ESTABLISHED: a connection exists and data can flow in both directions.

LISTEN: the port is open and a service is waiting for incoming connections.

TIME_WAIT: the local side has closed the connection and holds the socket for a short time (2 x MSL) so that delayed segments from the old connection cannot be mistaken for a new one. Many TIME_WAIT entries are normal after short-lived connections; it does not mean the port is idle.
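An added example (not from the original document) of turning that kind of netstat output into a host triage check, in Python: it parses constructed `netstat -an` lines in the Linux format shown above, counts connection states, and flags two things an analyst looks for when hunting a backdoor on a host: a LISTEN socket on a port that is not on the host's allow-list, and ESTABLISHED connections to non-internal peers. The allow-list, the internal prefixes and the sample output are assumptions for the demo.

```python
import re
from collections import Counter

# Constructed `netstat -an` output in Linux format (not captured from a real host).
NETSTAT_OUTPUT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:32006         0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:4444            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:43936         127.0.0.1:32005         ESTABLISHED
tcp        0      0 10.10.5.20:22           203.0.113.7:51011       ESTABLISHED
tcp        0      0 10.10.5.20:37146        10.10.5.40:32006        TIME_WAIT
tcp6       0      0 ::1:32006               :::*                    LISTEN
udp        0      0 0.0.0.0:514             0.0.0.0:*
"""

# proto  recv-q  send-q  local  foreign  [state]  (UDP rows carry no state column)
ROW_RE = re.compile(
    r"^(?P<proto>tcp6?|udp6?)\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<remote>\S+)"
    r"(?:\s+(?P<state>[A-Z_]+))?\s*$"
)


def split_addr(addr):
    """'host:port' -> (host, port); works for IPv6 ('::1:32006') and '*' ports."""
    host, _, port = addr.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text):
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue  # header line or anything we do not understand
        lhost, lport = split_addr(m["local"])
        rhost, rport = split_addr(m["remote"])
        rows.append({"proto": m["proto"], "lhost": lhost, "lport": lport,
                     "rhost": rhost, "rport": rport, "state": m["state"] or "UDP"})
    return rows


def state_summary(rows):
    """How many sockets are in each state (LISTEN / ESTABLISHED / TIME_WAIT / UDP)."""
    return Counter(r["state"] for r in rows)


def unexpected_listeners(rows, allowed_ports):
    """Listening TCP ports outside the allow-list: the classic backdoor / bind-shell tell."""
    return sorted({r["lport"] for r in rows
                   if r["state"] == "LISTEN" and r["lport"] not in allowed_ports})


def external_peers(rows, internal_prefixes=("10.", "127.", "::1", "192.168.")):
    """ESTABLISHED connections whose remote side is not an internal address
    (candidate reverse shells / C2 beacons). Prefixes are an assumed demo allow-list."""
    return sorted({(r["rhost"], r["rport"]) for r in rows
                   if r["state"] == "ESTABLISHED"
                   and not r["rhost"].startswith(internal_prefixes)})


if __name__ == "__main__":
    rows = parse_netstat(NETSTAT_OUTPUT)
    print(dict(state_summary(rows)))
    print("unexpected listeners:", unexpected_listeners(rows, {22, 514, 32005, 32006}))
    print("external peers:", external_peers(rows))
```

Port 4444 and the peer 203.0.113.7 are the two findings the check produces on the sample; on a real host you would follow each up with the owning process (`netstat -anp` / `ss -tnlp` on Linux, `netstat -ano` plus `tasklist /svc` on Windows) before deciding whether it is a backdoor.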

How do you confirm and analyze whether an email is compromised or not?

How do you analyze whether the system got compromised when you open an attachment?

use case: brute force login attempt
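For the brute-force login use case above, here is an added Python example (not QRadar rule syntax and not from the original document) of the logic a SIEM rule expresses: parse constructed sshd syslog lines, count failed logins per source IP in a sliding window, raise an offense at a threshold, and mark the higher-fidelity condition of a successful login from the same source after the failures. The threshold (5 failures in 5 minutes), the year used for the timestamps and the log lines are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd lines in BSD syslog format (not real data): one attacker that
# eventually succeeds, and one user who mistypes twice, nine minutes apart.
SAMPLE_LOG = """\
Jan 10 10:00:01 web01 sshd[2201]: Failed password for root from 203.0.113.7 port 51001 ssh2
Jan 10 10:00:03 web01 sshd[2202]: Failed password for admin from 203.0.113.7 port 51002 ssh2
Jan 10 10:00:05 web01 sshd[2203]: Failed password for root from 203.0.113.7 port 51003 ssh2
Jan 10 10:00:06 web01 sshd[2204]: Failed password for oracle from 203.0.113.7 port 51004 ssh2
Jan 10 10:00:08 web01 sshd[2205]: Failed password for root from 203.0.113.7 port 51005 ssh2
Jan 10 10:00:09 web01 sshd[2206]: Accepted password for root from 203.0.113.7 port 51006 ssh2
Jan 10 10:00:30 web01 sshd[2207]: Failed password for bob from 198.51.100.20 port 40001 ssh2
Jan 10 10:09:00 web01 sshd[2208]: Failed password for bob from 198.51.100.20 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d+\.\d+\.\d+\.\d+)"
)


def parse(lines, year=2024):
    """BSD syslog has no year, so one is assumed (a real collector uses receive time)."""
    events = []
    for line in lines.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["src"], m["user"], m["result"]))
    return events


def detect_brute_force(events, threshold=5, window=timedelta(minutes=5)):
    """One offense per source IP with >= threshold failures inside the sliding window.
    A later successful login from an offending source is recorded separately, because
    'success after N failures' is the condition that should page someone."""
    failures = defaultdict(deque)   # src -> deque of (timestamp, username)
    offenses = {}
    for ts, src, user, result in sorted(events):
        q = failures[src]
        if result == "Failed":
            q.append((ts, user))
            while q and ts - q[0][0] > window:   # expire failures outside the window
                q.popleft()
            if len(q) >= threshold and src not in offenses:
                offenses[src] = {"failures": len(q),
                                 "users": sorted({u for _, u in q}),
                                 "success_after": False}
        elif src in offenses:
            offenses[src]["success_after"] = True
            offenses[src]["compromised_user"] = user
    return offenses


if __name__ == "__main__":
    for src, detail in detect_brute_force(parse(SAMPLE_LOG)).items():
        print(src, detail)
```

The same shape maps onto a QRadar rule: "when the event category is Authentication.Failure and at least 5 events with the same source IP are seen in 5 minutes", with a second rule on "Authentication.Success from a source IP that is in the brute-force reference set". Sorting by timestamp before counting matters because syslog arrives out of order.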

How to confirm and analyze if your system is infected with malware

How to analyze phishing attacks

How do WAF, ROUTER, SWITCH, PROXY, IDS, IPS, EMAIL GATEWAY, etc. work?
How do you confirm whether a SQL injection or XSS attack happened, which logs will you check for confirmation, and what actions will you take?

> What are the top web application attacks (OWASP) and what is the mitigation for each attack?

How do you confirm that a DoS or DDoS attack occurred and what action will you take to fix it?

Likewise, for every attack:

1) Learn the attack

2) Which logs will you check to confirm the attack?

3) How do you mitigate the attack?
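As an added example for the "which logs will you check" step (not from the original document): a Python script that runs SQL injection, XSS and directory traversal signatures over constructed web-server access log lines, after URL-decoding the request twice so that double-encoded payloads (%252e%252e) are not missed. The signatures are a minimal illustrative set, not a complete WAF ruleset, and the log lines are constructed.

```python
import re
from urllib.parse import unquote_plus

# Constructed Apache/Nginx combined-format access log lines (not from a real server).
ACCESS_LOG = """\
198.51.100.5 - - [10/Jan/2024:10:00:01 +0000] "GET /login.php?user=admin'%20OR%20'1'='1&pass=x HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
198.51.100.5 - - [10/Jan/2024:10:00:02 +0000] "GET /products?id=1%20UNION%20SELECT%20username,password%20FROM%20users-- HTTP/1.1" 500 211 "-" "sqlmap/1.7"
203.0.113.9 - - [10/Jan/2024:10:00:03 +0000] "GET /search?q=%3Cscript%3Ealert(document.cookie)%3C/script%3E HTTP/1.1" 200 980 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Jan/2024:10:00:04 +0000] "GET /download?file=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 403 150 "-" "curl/8.0"
192.0.2.44 - - [10/Jan/2024:10:00:05 +0000] "GET /index.html HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Jan/2024:10:00:06 +0000] "POST /comments HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

ACCESS_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)

# Minimal signatures, checked against the decoded path + query string.
SIGNATURES = {
    "sqli": re.compile(r"(?i)('\s*(or|and)\s*'?\d*'?\s*=|union\s+(all\s+)?select|--\s*$|sleep\(|benchmark\()"),
    "xss": re.compile(r"(?i)(<script|javascript:|onerror\s*=|onload\s*=|document\.cookie)"),
    "traversal": re.compile(r"(\.\./|\.\.\\|/etc/passwd|boot\.ini|%2e%2e)", re.I),
}


def decode(path):
    """Decode twice: attackers double-encode (%252e) to get past single-pass filters."""
    return unquote_plus(unquote_plus(path))


def analyze(log_text):
    """Return one finding per log line that matches at least one signature."""
    hits = []
    for line in log_text.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        decoded = decode(m["path"])
        kinds = [k for k, rx in SIGNATURES.items() if rx.search(decoded)]
        if kinds:
            hits.append({"src": m["src"], "kinds": kinds, "status": int(m["status"]),
                         "ua": m["ua"], "path": decoded,
                         # a 2xx or 5xx with a payload in it needs a closer look than a 403/404:
                         # the request reached the application instead of being blocked
                         "likely_success": m["status"][0] in "25"})
    return hits


if __name__ == "__main__":
    for h in analyze(ACCESS_LOG):
        print(h["src"], h["kinds"], h["status"], "investigate" if h["likely_success"] else "blocked?", h["path"])
```

Note that POST bodies are not in the access log, so an injection sent in a form body only shows up in the WAF, application or database logs; that is why the page's question asks which logs you check, not just "the web server log". The status code is the quickest triage signal: a 500 after a UNION SELECT means the query reached the database.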

Pluralsight

Anomaly behavioral threshold rules

Categories: Application, Authentication, DoS, Exploit, Malware, Policy, Potential Exploit, Suspicious Activity

Why is there no high-level category in flows?

How to break the HA pair and how to rejoin it

System Monitor (Sysmon)

Syslog stands for System Logging Protocol and is a standard protocol used to send system log or event messages to a specific server, called a syslog server. It is primarily used to collect device logs from many different machines in a central location for monitoring and review.

Command to check the Linux version using the CLI: uname -a

Linux basxtsmgtsemv02.xchanginghosting.com 3.10.0-514.21.1.el7.x86_64 #1 SMP Sun May 28 17:08:21 EDT 2017 x86_64 x86_64 x86_64 GNU/Linux

command to check windows version using CMD: winver

netstat: The netstat command is a Command Prompt command used to display very detailed information about how your computer is communicating with other computers or network devices.

netstat -f

The Forwarded protocol is typically used to forward events to another QRadar® Console. For example,
Console A has Console B configured as an off-site target.

IBM Resilient

snare agent instead of win collect

Difference between push and urgent flag

What protocol do we use for JDBC, SQL?


How do you integrate DB, McAfee, Cisco, Check Point (what are the ports you use for them)?

What are the use cases you have created?
Why do we need multiple consoles and what is their purpose?

McAfee ePolicy Orchestrator - protocol: JDBC

Database ports: MSDE (Microsoft SQL Server Desktop Engine) / MS SQL Server 1433

PostgreSQL 5432

What is Oracle DB?

Sybase DB 5000

DB2 50000

Informix DB 9088

Windows without WinCollect - Microsoft Remote Procedure Call (MSRPC) 135; we will take the username, password, and domain name

Check Point - protocol, port: OPSEC/LEA 18184, TLS syslog 6514

Secure Internal Communication (SIC) files

Akamai Kona WAF - protocol, port (HTTPS, 2 469)

Amazon AWS CloudTrail - Amazon AWS S3 REST API

How do you measure risk and threat?

From a risk assessment perspective as per ISO 27001, risk can be measured quantitatively or qualitatively.

Quantitatively, the risk is measured in terms of money, for example as an annualized loss expectancy (ALE = single loss expectancy x annual rate of occurrence) expressed in dollars. It is difficult and usually not done.

Qualitatively is the common method: using this you measure risk as Low, Medium, or High on a scale, for example from 1 to 10:

a value from 0-3: LOW

4-7: MEDIUM

8-10: HIGH

Is there a way to know which user created a rule and who edited it?
Look in these events:

CRE Rule Modified, CRE Rule Added
Log Source: SIM Audit-2 :: hostname

When we add a log source, which database or which location in the QRadar backend gets updated?

What is a TCP header?

CyberArk, FireEye, Forcepoint

How do you find malware on your Windows box using the command line? netstat -ano, net users, tasklist /svc, net localgroup administrators, netstat -an -p tcp, netstat -s

How does coalescing work, what are the parameters for coalescing to work, and can we modify those parameters?

What is cyber kill chain analysis?

What is ransomware, types of ransomware and how do we analyze and mitigate them

What is the minimum bandwidth and latency required for a HA pair in QRadar?

What parameters will you check while calculating a license for QRadar?
Can we keep one device of a HA pair in one location and the other in another geographical location? If so, what are the challenges we face?

What parameter will you check to give the log source identifier as hostname/IP address?

What are the configuration steps you take on a firewall, proxy, email gateway, WAF, endpoint device, etc. to send the logs to the SIEM?

What are the parameters we will check to confirm if a website is secure or not?

How do you confirm or how do you analyze whether your email id is compromised or not?

When antivirus software is updating, if a virus attacks the system, will the antivirus detect the threat or not?

How does malware distinguish a normal system from a sandbox, and how does it behave differently in those scenarios?

What are the standard parameters we will check to confirm that SQL injection or XSS was performed (true positive / false positive)?

False positive or false negative, which one should we be more concerned about?

What is the protocol used to collect logs from Windows devices other than Win Collect, Syslog?

How do you collect flows?


Types of DDoS attacks

What will happen if we select the "annotate and drop" event option? The event is dropped and not captured in the offense.

Can we use custom event properties for offense index

Difference between reference set (set of elements to refer IPs, MD5, usernames, IOCs) and building block

What is the difference between defining severity, credibility, and relevance in rule actions and in rule responses?
Difference between reference set and reference data

/opt/qradar/support/validate_deployment.sh

IBM APAR (Authorized Program Analysis Record)

How to check content in cache memory in Linux


In which layer does a DDoS attack happen?

How do you log into the server as admin using SQL injection?
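An added Python example for the SQL injection login question (not from the original document): a login check built by string concatenation, which a payload such as admin'-- or ' OR 1=1 -- turns into an admin session, beside the parameterised version that treats the same input as plain data. It uses an in-memory SQLite database with constructed rows; the plaintext passwords are only there to keep the demo short, a real application stores password hashes.

```python
import sqlite3


def make_db():
    """Constructed demo table; not a real schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'S3cret!Passw0rd', 'admin')")
    conn.execute("INSERT INTO users VALUES ('bob', 'hunter2', 'user')")
    return conn


def login_vulnerable(conn, username, password):
    """Deliberately vulnerable: user input is spliced into the SQL text, so a quote
    ends the string literal and '--' comments out the password check entirely:
      username = 'admin'--' AND password = '...'   ->   WHERE username = 'admin'
    """
    sql = ("SELECT username, role FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return conn.execute(sql).fetchone()


def login_safe(conn, username, password):
    """Parameterised query: the driver binds the values as data, so a quote or a
    comment marker inside them can never change the statement's structure."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()


if __name__ == "__main__":
    conn = make_db()
    for payload in ("admin'--", "' OR 1=1 --"):
        print(repr(payload), "vulnerable ->", login_vulnerable(conn, payload, "wrong"),
              "| safe ->", login_safe(conn, payload, "wrong"))
```

The first payload logs in as a named user without knowing the password; the second returns whichever row the database happens to list first, which on most applications is the administrator created at install time. That is why, when confirming an injection from logs, a single quote followed by -- or OR 1=1 in a login request is treated as a true positive even if the response looked like a normal 200.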

What is a honeypot

Firewall: Palo Alto, Cisco ASA, Juniper, Check Point, Fortinet, Forcepoint

WAF:

Email secure gateway: Cisco Email Security Appliance, Clearswift SECURE Email Gateway, Fortinet FortiMail, McAfee Security for Email Servers, Microsoft Exchange Online Protection, Proofpoint Email Protection, Sophos Email Appliance, Symantec Email Security.cloud, Symantec Messaging Gateway, Trend Micro InterScan Messaging Security

Web gateway: Symantec, iboss, McAfee, F5 Networks, Check Point Software, Zscaler, Cisco, Barracuda, Forcepoint
Difference between host context and Host services

Difference between UDSM and LSX

How can we bypass correlation for a log source which is sending logs to QRadar
Difference between deploy changes and full deploy changes

Which component is responsible for providing the system notifications in QRadar?


Difference between UDSM, universal LEEF, Universal CEF

What is the port number for the DRBD (Distributed Replicated Block Device) protocol used by the HA pair? 7789

Parsing Enhancement vs. Parsing Override



What is the minimum number of events for coalescing in QRadar?

How do we calculate EPS in QRadar?
privilege escalation attack

Cross-site request forgery (CSRF) attack

How to take data/config backup using CLI (using perl script)

/opt/qradar/bin/contentManagement.pl

How can we restore a backup using CLI?

https://www.ibm.com/support/knowledgecenter/SSKMKU/com.ibm.qradar.doc_cloud/t_cmt_importing_content.html

What is flow bias in QRadar?

Service now app (to create the ticket from the offense)

Windows Internet Name Server (WINS)

How would you confirm that a Windows 7 system has been compromised?

What are examples of tools or logs that might be used to collect and analyze evidence?

When you suspect that an attack against the network has occurred, what information should you collect to
test the theory

What is an SSL certificate and how does it work to secure a session?

What is an IDS system and how does it work?

What is vulnerability scanning and how does it help to keep an enterprise secure?

> push vs urgent flag

PSH

TCP buffers the data that you send. This means it will not send data immediately but will wait to see if you have more. By setting the PSH flag, the sender tells TCP to 'push' the buffered data onto the wire towards the receiver right away. The receiving end normally buffers data as well, but if it sees the PSH flag set it hands the data to the application immediately. A segment leaving the sender with PSH set therefore means "deliver what you have now"; most stacks set it on the last segment of a write, but it does not by itself mean that the sender has nothing more to send.

URG

With pushed data, the receiving end still delivers data to the application in order: it waits for all the preceding data, sees the PSH flag, and then forwards it. If the URG flag is set, it is as if the sender says: "You do not need to wait for all of the data before delivering this. Go ahead and prioritize the urgent data." This causes the receiving TCP to forward the urgent data to the application on a separate channel, so the application can process that information out of band.

The urgent pointer indicates how much of the data in the segment is urgent and where it is; it is an offset counted from the first byte of the segment (the segment's sequence number).
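An added Python example (not from the original document) that also answers the "What is a TCP header" item earlier on the page: it builds a 20-byte TCP header with struct, sets PSH/ACK/URG, and parses it back, extracting the flag bits and using the urgent pointer to slice out the urgent data. The checksum is left at zero because computing it needs the IP pseudo-header, and the urgent pointer is interpreted with RFC 793 semantics (offset to the first byte after the urgent data); RFC 1122 differs by one byte, a discrepancy documented in RFC 6093. The segment contents are constructed.

```python
import struct

# Flag bits in the low byte of the 16-bit data-offset/flags field (RFC 793, RFC 3168).
FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08,
             "ACK": 0x10, "URG": 0x20, "ECE": 0x40, "CWR": 0x80}

HEADER_FMT = "!HHIIHHHH"   # src port, dst port, seq, ack, offset+flags, window, checksum, urgent ptr


def build_tcp_segment(src_port, dst_port, seq, ack, flags, window=65535, urg_ptr=0, payload=b""):
    """Build a 20-byte TCP header (no options) followed by payload. Checksum is left 0
    because it covers an IP pseudo-header that is out of scope for this demo."""
    flag_bits = sum(FLAG_BITS[f] for f in flags)
    data_offset = 5 << 12          # header length in 32-bit words, in the top 4 bits
    header = struct.pack(HEADER_FMT, src_port, dst_port, seq, ack,
                         data_offset | flag_bits, window, 0, urg_ptr)
    return header + payload


def parse_tcp_segment(data):
    """Decode the fixed header and, if URG is set, slice the urgent data out of the payload."""
    src, dst, seq, ack, off_flags, window, checksum, urg_ptr = struct.unpack(HEADER_FMT, data[:20])
    header_len = (off_flags >> 12) * 4            # options (if any) live between 20 and header_len
    flags = [name for name, bit in FLAG_BITS.items() if off_flags & bit]
    payload = data[header_len:]
    # RFC 793 semantics: urg_ptr is an offset from seq to the byte following the urgent data,
    # so payload[:urg_ptr] is urgent and gets delivered out of band. Only meaningful with URG set.
    urgent = payload[:urg_ptr] if "URG" in flags else b""
    return {"src": src, "dst": dst, "seq": seq, "ack": ack, "header_len": header_len,
            "flags": flags, "window": window, "checksum": checksum, "urg_ptr": urg_ptr,
            "urgent_data": urgent, "payload": payload}


if __name__ == "__main__":
    seg = build_tcp_segment(40000, 80, seq=1000, ack=2000, flags=["PSH", "ACK", "URG"],
                            urg_ptr=3, payload=b"ABCdefgh")
    print(seg.hex())
    print(parse_tcp_segment(seg))
```

The example also shows why the page's questions about flags matter to a defender: a handshake is just three such segments with SYN, SYN+ACK and ACK set, and URG is rare enough on real networks that middleboxes often clear it or the pointer (RFC 6093 advises new applications not to rely on it), so URG-flagged traffic is worth a second look in flow data.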

exploit vulnerability payload

What is banner grabbing: getting the details of the service (version, and often the OS) from the banner it returns when you connect.

Enumerating: the process of listing what services, applications, and protocols are present on each identified computer.

>>>>>>>>>>>>>>>>>>>>>>>>>
Tell me about recent attacks you have worked on.
What is SQL injection and how do you identify this attack using QRadar?
What is the Cyber Kill Chain?
What are the correlation rules you have created in QRadar?
How do you integrate log sources in QRadar?

Linux, windows, firewalls

How do you mitigate log4j attack


Did you work on Splunk?
How do you analyze a phishing email?

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
