Introductory preparation for Security Onion concepts, including sensor deployment, network monitoring, alerts, logs, threat hunting basics, dashboards, and detection workflows.
Typology: Exams
Question 1. Which deployment model of Security Onion is best suited for a single-machine proof-of-concept test?
A) Distributed
B) Standalone
C) Evaluation (Import)
D) Cloud-native
Answer: B
Explanation: The Standalone deployment installs all components (sensor, SOC, Elastic Stack) on one host, ideal for quick tests or small labs.

Question 2. In a Distributed deployment, which interface is typically used for management traffic?
A) Sniffing interface
B) VLAN trunk interface
C) Management interface
D) DMZ interface
Answer: C
Explanation: The management interface handles OS updates, SSH, and web UI traffic, separating it from the high-volume sniffing interface that captures network data.

Question 3. What is the recommended minimum amount of RAM for a Security Onion sensor handling up to 1 Gbps of traffic?
A) 2 GB
B) 4 GB
C) 8 GB
D) 16 GB
Answer: C
Explanation: 8 GB provides enough memory for Suricata/Zeek state tables and packet buffers at 1 Gbps; lower amounts risk drops.

Question 4. During installation, which option lets you choose Suricata as the IDS engine?
A) select-engine
B) IDS_ENGINE=suricata
C) Choose “Suricata” when prompted for the engine
D) set-engine suricata
Answer: C
Explanation: The installer presents a menu; selecting “Suricata” configures all related services automatically.

Question 5. Which component of Security Onion stores raw packet capture files for later retrieval?
A) Logstash
B) Stenographer
C) Filebeat
D) Zeek
Answer: B
Explanation: Stenographer continuously writes PCAP data to disk and provides PCAP-over-IP retrieval.

Question 6. Which Zeek log contains information about DNS queries and responses?
A) conn.log
B) http.log
C) dns.log
C) To compress PCAP files
D) To configure network interfaces
Answer: B
Explanation: ECS provides a common field naming convention, making it easier to query and correlate logs from Suricata, Zeek, and other sources.

Question 10. Which Elastic Stack component parses incoming log data before indexing?
A) Elasticsearch
B) Kibana
C) Logstash
D) Beats
Answer: C
Explanation: Logstash receives raw logs, applies filters, and forwards structured events to Elasticsearch.

Question 11. In Kibana, which tab allows you to create visualizations such as time-series graphs?
A) Discover
B) Dashboard
C) Canvas
D) Visualize
Answer: D
Explanation: The Visualize tab lets you build charts, graphs, and maps based on Elasticsearch queries.

Question 12. Which Beat is responsible for shipping Windows Event logs to the Security Onion manager?
A) Filebeat
B) Metricbeat
C) Winlogbeat
D) Packetbeat
Answer: C
Explanation: Winlogbeat reads Windows Event logs and forwards them over the Beats protocol.

Question 13. When an alert appears in the SOC alert queue, which action marks it as investigated without closing it?
A) Delete
B) Acknowledge
C) Escalate to Case
D) Suppress
Answer: B
Explanation: Acknowledging an alert records that an analyst has reviewed it, while the alert remains open for further action.

Question 14. The “Hunt” tool in the SOC interface is primarily used for what?
A) Generating IDS signatures
B) Performing ad-hoc queries across multiple log types
C) Updating the Elastic Stack
D) Managing user accounts
Answer: B
Explanation: Hunt allows analysts to write a single query that searches all indexed logs simultaneously, enabling rapid investigations.
Question 18. Which Elasticsearch API is used to test cluster health?
A) _cat/health
B) _cluster/health
C) _node/stats
D) _search/health
Answer: B
Explanation: The _cluster/health endpoint returns the overall health status (green, yellow, red) of the cluster.

Question 19. What does the Suricata “stream” engine primarily handle?
A) DNS resolution
B) TCP reassembly for inspection
C) HTTP header parsing only
D) Log rotation
Answer: B
Explanation: Suricata’s stream engine reassembles TCP flows so that signatures can inspect full payloads.

Question 20. Which Zeek script file contains the default logging configuration?
A) local.zeek
B) scripts/base/init.zeek
C) policy.zeek
D) zeekctl.cfg
Answer: B
Explanation: scripts/base/init.zeek sets up default log files like conn.log, dns.log, and http.log.
Question 21. In Security Onion, what is the purpose of the “so-update” command?
A) To upgrade the operating system only
B) To apply updates to all Security Onion components, including the Elastic Stack
C) To refresh Zeek scripts only
D) To reinstall Suricata
Answer: B
Explanation: so-update runs apt-get, updates rule sets, and restarts services to keep the entire platform current.

Question 22. Which of the following best describes “PCAP-over-IP” in Security Onion?
A) A method to stream live packets to a remote analyst via HTTP
B) A REST API that returns a base64-encoded PCAP file
C) A service that serves stored PCAP files over a TCP port for remote retrieval
D) An encrypted VPN tunnel for packet capture
Answer: C
Explanation: The PCAP-over-IP daemon listens on a port and streams requested PCAP files to clients like Wireshark.

Question 23. What is the default port used by the Security Onion web UI (SOC)?
A) 80
B) 443
C) 5601
D) 22
Answer: B
Answer: B
Explanation: Promiscuous mode allows the NIC to capture all traffic on the attached segment, which is required for NSM.

Question 27. Which of the following is NOT a default dashboard in Security Onion’s Kibana?
A) Suricata Alerts
B) Zeek Overview
C) Network Top Talkers
D) Windows Registry Changes
Answer: D
Explanation: The default dashboards focus on network data; Windows Registry monitoring is not included out-of-the-box.

Question 28. Which Elastic Stack component provides the RESTful API used by the SOC to query logs?
A) Logstash
B) Beats
C) Elasticsearch
D) Kibana
Answer: C
Explanation: Elasticsearch stores indexed documents and exposes an HTTP API for search queries.

Question 29. In Zeek, which script is responsible for generating the http.log file?
A) protocols/http/zeek_http.zeek
B) scripts/base/protocols/http.zeek
C) policy/http.zeek
D) init-http.zeek
Answer: B
Explanation: scripts/base/protocols/http.zeek parses HTTP traffic and writes entries to http.log.

Question 30. Which of the following best describes the function of “Filebeat” on a Security Onion sensor?
A) Captures network packets
B) Sends system and application logs to the manager node
C) Generates IDS signatures
D) Performs DNS resolution
Answer: B
Explanation: Filebeat tails log files (e.g., syslog, auth.log) and forwards them to Logstash/Elasticsearch.

Question 31. Which of these is a recommended practice to reduce false positives from Suricata alerts?
A) Disable all TLS inspection
B) Increase the alert threshold in the SOC UI
C) Tune rule severity and enable only relevant rule sets
D) Run Suricata in passive mode only
Answer: C
Explanation: Selecting relevant rule categories and adjusting severity thresholds tailors detection to the environment, lowering noise.

Question 32. Which Zeek log would you examine to identify potential command-and-control beaconing over DNS?
A) conn.log
B) dns.log
A) source.ip
B) alert.id
C) case.title
D) observable.type
Answer: B
Explanation: The SOC passes the internal alert identifier (alert.id) to TheHive for traceability.

Question 36. Which Zeek script enables TLS certificate extraction and writes to ssl.log?
A) protocols/ssl/zeek_ssl.zeek
B) scripts/base/protocols/ssl.zeek
C) policy/ssl_extractor.zeek
D) init-ssl.zeek
Answer: B
Explanation: scripts/base/protocols/ssl.zeek parses TLS handshakes and logs certificate details.

Question 37. Which command would you use to manually restart the Zeek service on a sensor?
A) systemctl restart zeek
B) zeekctl restart
C) so-restart zeek
D) service zeek restart
Answer: B
Explanation: zeekctl is the control utility for Zeek; “restart” stops and starts the framework.
Question 38. In the SOC, what does the “Escalate to Case” button do?
A) Deletes the alert permanently
B) Sends the alert to an external ticketing system only
C) Converts the alert into a TheHive case for further investigation
D) Marks the alert as false positive
Answer: C
Explanation: Escalating creates a linked case in TheHive, preserving the alert context for collaborative work.

Question 39. Which of the following is a primary advantage of using Stenographer over tcpdump for long-term packet capture?
A) Stenographer compresses PCAP files on the fly
B) Stenographer provides indexed, time-based retrieval via PCAP-over-IP
C) Stenographer encrypts all captured traffic automatically
D) Stenographer replaces the need for Zeek
Answer: B
Explanation: Stenographer writes PCAP files in a ring buffer and offers fast indexed retrieval through its daemon.

Question 40. Which Elastic Stack feature allows you to create alerts based on a saved Kibana query?
A) Watcher (now part of Elastic Stack’s Alerting)
B) Logstash Filters
C) Beats Output
D) Kibana Canvas
Answer: A
Explanation: Watcher (Alerting) can run a saved query on a schedule and trigger notifications when conditions match.
Explanation: The SOC uses Elasticsearch DSL; “alert.severity:>2” selects alerts where severity (0-4) exceeds 2, i.e., high.

Question 44. What is the primary function of “Logstash pipelines” in Security Onion?
A) To store PCAP files
B) To parse, enrich, and route logs to Elasticsearch
C) To generate Zeek scripts automatically
D) To provide a web UI for alert management
Answer: B
Explanation: Pipelines define input, filter, and output stages, transforming raw logs before indexing.

Question 45. Which of the following is NOT a default network interface naming convention on a Security Onion sensor?
A) eth0 – management
B) eth1 – sniffing
C) eth2 – backup
D) eth3 – optional
Answer: C
Explanation: eth2 is not reserved for a specific role by default; only eth0 and eth1 have predefined purposes.

Question 46. Which of these tools can be used to query Elasticsearch directly from the command line?
A) curl
B) netcat
C) ping
D) traceroute
Answer: A
Explanation: curl can send HTTP requests to the Elasticsearch REST API for searches and cluster operations.

Question 47. In Zeek, what does the “uid” field represent in conn.log?
A) User identifier of the host OS
B) Unique identifier for the connection flow
C) UUID of the Zeek process
D) Unified ID of the alert
Answer: B
Explanation: uid is a unique 16-byte string that ties together logs belonging to the same network flow.

Question 48. Which of the following best describes the purpose of “ECS field mapping” in Security Onion?
A) To encrypt log data at rest
B) To translate vendor-specific log fields into a common schema for unified searches
C) To compress old indices automatically
D) To manage user permissions
Answer: B
Explanation: Mapping ensures that Suricata, Zeek, and other sources use consistent field names, simplifying cross-log queries.

Question 49. Which command would you use to list all active Beats agents connected to the manager?
A) beats-list
B) filebeat status
C) so-beats status
C) conn.log
D) http.log
Answer: A
Explanation: ssh.log records SSH session details, including usernames, authentication success/failure, and client IP.

Question 53. In the Elastic Stack, what is the purpose of an “index template”?
A) To define the visual layout of Kibana dashboards
B) To pre-configure settings and mappings for newly created indices
C) To schedule automatic backups
D) To manage user roles
Answer: B
Explanation: Index templates apply mappings, settings, and aliases to indices that match a pattern when they are created.

Question 54. Which of the following is a built-in Security Onion service that provides threat intel enrichment for DNS queries?
A) ThreatIntel-DNS
B) passive-dns
C) Intel-Enrich
D) Zeek-Intel
Answer: B
Explanation: passive-dns (also known as pdns) stores observed DNS mappings and can be queried for enrichment.

Question 55. Which Suricata configuration option controls the maximum number of concurrent TCP streams?
A) max_tcp_streams
B) stream.max_sessions
C) tcp.max_sessions
D) stream.max_tcp
Answer: B
Explanation: stream.max_sessions sets the limit for simultaneous TCP flow tracking.

Question 56. Which of the following is the correct syntax to search for events where the source IP is 10.0.0.5 in the SOC “Hunt” field?
A) src.ip:10.0.0.
B) source.ip = "10.0.0.5"
C) ip.src == 10.0.0.
D) source_ip:10.0.0.
Answer: A
Explanation: The SOC uses Elasticsearch field names; src.ip is the standard field for source addresses.

Question 57. What does the “so-restart” command do?
A) Reboots the entire host
B) Restarts all Security Onion services without a full system reboot
C) Only restarts the SOC web UI
D) Flushes all Elasticsearch indices
Answer: B
Explanation: so-restart cycles components like Suricata, Zeek, Logstash, and Kibana, applying new configs.