This exam certifies foundational proficiency in using the Security Onion platform. Topics include network monitoring architecture, intrusion detection, log analysis, alert triage, and basic threat hunting workflows. Candidates demonstrate readiness to support security operations using integrated detection and monitoring tools.
Typology: Exams
Question 1. Which deployment model installs all Security Onion components on a single physical or virtual machine?
A) Distributed
B) Standalone
C) Evaluation (Import)
D) Hybrid
Answer: B
Explanation: The Standalone deployment puts the manager, sensor, and all services on one host, ideal for small environments or testing.

Question 2. In a Distributed deployment, which interface is primarily used for ingesting raw network traffic?
A) Management interface
B) Sniffing interface
C) VLAN trunk interface
D) Loopback interface
Answer: B
Explanation: The sniffing interface captures traffic directly from the network segment; the management interface is for control traffic only.

Question 3. What is the recommended minimum amount of RAM for a Security Onion sensor handling 1 Gbps traffic?
A) 2 GB
B) 4 GB
C) 8 GB
D) 16 GB
Answer: C
Explanation: 8 GB provides enough memory for Suricata/Zeek processing, packet buffers, and Elasticsearch indexing at 1 Gbps.

Question 4. During installation, which option allows you to choose Suricata as the primary IDS engine?
A) Select “Zeek” only
B) Choose “Both Suricata and Zeek”
C) Pick “Suricata” from the engine list
D) Enable “Snort compatibility mode”
Answer: C
Explanation: The installer presents a menu of engines; selecting “Suricata” configures it as the default IDS.

Question 5. Which component of Security Onion stores and indexes all generated logs and alerts?
A) Logstash
B) Kibana
C) Elasticsearch
D) Filebeat
Answer: C
Explanation: Elasticsearch is the backend search and analytics engine that indexes log data for fast queries.

Question 6. What role does Logstash play in the Elastic Stack within Security Onion?
A) Visualizes data in dashboards
B) Collects raw packets from the network
C) Parses and transforms incoming logs before indexing
D) Sends alerts to external ticketing systems

D) ssl.log
Answer: B
Explanation: dns.log records each DNS transaction, including query name, response code, and answer IPs.

Question 10. What is the primary purpose of Stenographer in Security Onion?
A) Generate IDS signatures
B) Perform deep packet inspection in real time
C) Capture and store full packet data for later retrieval
D) Correlate alerts across multiple sensors
Answer: C
Explanation: Stenographer writes raw PCAP files to disk, enabling analysts to retrieve exact packet streams after an alert.

Question 11. Which command updates Suricata and Zeek rule sets on a Security Onion sensor?
A) so-rule-update
B) so-update-rules
C) suricata-update
D) zeek-update-scripts
Answer: A
Explanation: The so-rule-update script fetches the latest Emerging Threats and other community rule sets for both engines.

Question 12. In Kibana, which tab allows you to build visualizations such as time‑series charts from indexed data?
A) Discover
B) Dashboard
C) Visualize
D) Management
Answer: C
Explanation: The Visualize tab lets you create charts, graphs, and maps based on Elasticsearch queries.

Question 13. Which Elastic Common Schema (ECS) field standardizes the source IP address across all log types?
A) source.ip
B) network.src.ip
C) src_ip_address
D) ip.source
Answer: A
Explanation: ECS defines source.ip as the canonical field for the originating IP address.

Question 14. When performing a pivot from an alert to raw packet data, which protocol does Security Onion use to retrieve PCAP over the network?
A) HTTP
B) FTP
C) PCAP‑over‑IP (POIP)
D) SCP
Answer: C
Explanation: POIP streams stored PCAP files from the sensor to the analyst’s workstation on demand.

Question 15. Which Zeek log provides a summary of each TCP connection, including duration and byte counts?
A) conn.log

B) Service failure or node down
C) High CPU usage but healthy
D) New alert queue entry
Answer: B
Explanation: Red status flags show critical issues such as stopped services or unreachable sensors.

Question 19. Which Zeek script is responsible for generating HTTP logs?
A) base/conn.zeek
B) protocols/http/http.zeek
C) policy/frameworks/files.zeek
D) intel/blacklist.zeek
Answer: B
Explanation: protocols/http/http.zeek parses HTTP traffic and writes http.log entries.

Question 20. What is the primary advantage of using the “Hunt” tool in the SOC over manual Kibana queries?
A) It automatically resolves alerts into cases
B) It supports cross‑index searches with a single UI form
C) It disables all background indexing for faster results
D) It exports data directly to CSV without user input
Answer: B
Explanation: Hunt provides a unified interface to query multiple log types (Suricata, Zeek, syslog) simultaneously.

Question 21. Which file on a Security Onion sensor contains the list of network interfaces that Suricata will monitor?
A) /etc/suricata/suricata.yaml
B) /etc/so/conf/sensor.yaml
C) /etc/network/interfaces.d/suricata.conf
D) /opt/so/engine/suricata/interfaces.cfg
Answer: A
Explanation: The Suricata YAML configuration defines the “af-packet” or “pfring” interface sections for traffic capture.

Question 22. When configuring a new NIC for sniffing, which mode should be set to ensure the interface receives all traffic on a VLAN‑tagged trunk?
A) Managed mode
B) Monitor mode with promisc flag
C) Access mode with native VLAN
D) Bridge mode with STP disabled
Answer: B
Explanation: Monitor (promiscuous) mode allows the NIC to capture all frames, including those on a trunk, regardless of VLAN tags.

Question 23. Which command is used to view the health of Elasticsearch clusters from the Security Onion console?
A) esctl status
B) so-elastic-health
C) curl -XGET 'localhost:9200/_cluster/health?pretty'
D) elasticsearch-cli health
Answer: C
Explanation: Directly querying the Elasticsearch REST API provides cluster health details (green, yellow, red).

Explanation: so-status aggregates the health of critical services and reports if any are stopped or degraded.

Question 27. Which Elastic Stack component is responsible for real‑time alert enrichment with threat intelligence?
A) Kibana
B) Logstash
C) Elasticsearch ingest pipelines
D) Beats
Answer: C
Explanation: Ingest pipelines can attach enrichments (e.g., IP reputation) to documents as they are indexed.

Question 28. When configuring an Evaluation (Import) deployment, what is the main difference compared to Standalone?
A) Sensors automatically forward data to a remote manager
B) The manager runs only the web UI, no IDS engines locally
C) All data is stored on a shared NFS mount
D) It requires a dedicated hardware appliance
Answer: B
Explanation: Evaluation mode is used for lab or test environments where the manager only hosts the SOC UI, while engines run elsewhere.

Question 29. Which Suricata output module writes alerts to the Elasticsearch index “suricata‑alerts”?
A) eve-json
B) fast
C) unified
D) syslog
Answer: A
Explanation: The eve-json module formats alerts as JSON and sends them to Elasticsearch for indexing.

Question 30. What is the default port used by the Security Onion web UI (Kibana) for HTTPS access?
A) 5601
B) 443
C) 80
D) 8080
Answer: A
Explanation: Kibana’s default HTTPS port is 5601; Security Onion configures a reverse proxy to expose it.

Question 31. Which Zeek script is responsible for generating notices for suspicious activity?
A) policy/frameworks/notice.zeek
B) policy/malware/blacklist.zeek
C) scripts/dns/lookup.zeek
D) policy/analyze/traffic.zeek
Answer: A
Explanation: The notice framework provides functions to raise structured alerts (notices) for various detections.

Question 32. In the SOC, what does the “Filter” dropdown allow an analyst to do?
A) Change the underlying Elasticsearch mapping
B) Restrict displayed alerts to a specific severity or sensor

B) suricata‑*
C) syslog‑*
D) beats‑*
Answer: A
Explanation: Zeek logs are indexed under the “zeek-” prefix, e.g., zeek‑conn‑2023.07.01.

Question 36. When an analyst adds a tag “false‑positive” to an alert, what is the immediate effect in the SOC?
A) The alert is deleted permanently
B) The alert is moved out of the active queue but retained for reference
C) The alert is automatically escalated to a case
D) The alert triggers an email notification to all users
Answer: B
Explanation: Tagging as false‑positive removes it from the active workflow while preserving audit history.

Question 37. Which Security Onion component parses raw PCAP files to generate Zeek logs on demand?
A) Stenographer
B) Zeek (offline mode) via the “zeek -r” command
C) Suricata offline mode
D) Logstash file input plugin
Answer: B
Explanation: The “zeek -r

A) Verify that sensor hardware meets minimum specs
B) Test network connectivity between manager and sensor
C) Ensure that all required services are running on a sensor node
D) Generate a baseline performance report
Answer: C
Explanation: so-sensor-check validates that Suricata, Zeek, Stenographer, and related services are active.

Question 39. Which field in the Suricata alert JSON identifies the rule ID that triggered the alert?
A) alert.signature_id
B) event.rule_id
C) alert.gid
D) rule.id
Answer: A
Explanation: The “alert.signature_id” field contains the numeric SID of the matching rule.

Question 40. In Kibana’s Discover tab, what does the “Time filter” control?
A) Which Elasticsearch nodes are queried
B) The time range for displayed documents
C) The granularity of visualizations
D) The number of results per page
Answer: B
Explanation: The time filter limits search results to events occurring within the selected interval.

Question 41. Which Zeek log is most useful for detecting TLS certificate anomalies?
A) ssl.log

A) It is logged but allowed to pass
B) It is dropped silently with no notification
C) The packet is rejected and a TCP RST is sent to the source
D) The connection is reset only for UDP traffic
Answer: C
Explanation: “reject” sends a TCP reset (or ICMP unreachable for UDP) to inform the sender that the traffic was blocked.

Question 45. In the SOC Grid view, what does a yellow status tile typically signify?
A) Service is down
B) Service is running but with warnings (e.g., high memory usage)
C) No alerts have been generated yet
D) The node is in maintenance mode
Answer: B
Explanation: Yellow indicates a non‑critical issue, such as resource thresholds being exceeded.

Question 46. Which configuration file defines the Elasticsearch index lifecycle management (ILM) policies in Security Onion?
A) /etc/elasticsearch/ilm.yml
B) /etc/so/conf/ilm.conf
C) /etc/kibana/kibana.yml
D) /opt/so/elastic/ilm/policy.json
Answer: A
Explanation: Elasticsearch’s ilm.yml sets policies for index rollover, retention, and deletion.

Question 47. What is the effect of setting “max_open_files” too low on a Security Onion sensor?
A) Suricata will drop packets due to file descriptor exhaustion
B) Zeek will fail to write log files, causing data loss
C) Both Suricata and Zeek may crash or stop logging
D) Only Stenographer will be affected, limiting PCAP capture size
Answer: C
Explanation: All components rely on file descriptors; insufficient limits can cause crashes or missing logs.

Question 48. Which of the following best describes the “Elastic Common Schema” (ECS) in Security Onion?
A) A set of pre‑built Kibana dashboards
B) A unified field naming convention for logs across data sources
C) A custom encryption protocol for log transport
D) A hardware requirement checklist for sensors
Answer: B
Explanation: ECS standardizes field names (e.g., source.ip, destination.port) to enable consistent querying.

Question 49. In the SOC, what does the “Case” button do when clicked on a selected alert?
A) Deletes the alert permanently
B) Opens a new case record and links the alert to it
C) Sends the alert to an external SIEM via API
D) Marks the alert as “investigated” without creating a case
Answer: B
Explanation: Clicking “Case” creates a case entry, associating the alert and allowing evidence attachment.

Question 53. In the Kibana “Visualize” tab, which aggregation type would you use to count the number of unique source IPs per hour?
A) Terms aggregation on source.ip with a date histogram on @timestamp (hour)
B) Average aggregation on bytes_sent
C) Max aggregation on destination.port
D) Percentiles aggregation on response_time
Answer: A
Explanation: Combining a date histogram (hour) with a terms aggregation on source.ip yields unique IP counts per hour.

Question 54. Which Security Onion service is responsible for forwarding logs from Filebeat to Logstash?
A) filebeat.service
B) logstash-forwarder.service
C) beats-input.service
D) filebeat-to-logstash.service
Answer: A
Explanation: The filebeat.service reads log files and ships them to Logstash as configured.

Question 55. What does the “so-join” command facilitate?
A) Merging multiple Elasticsearch indices into one
B) Joining two separate Security Onion deployments into a single SOC view
C) Combining alerts from Suricata and Zeek into a unified alert stream
D) Concatenating PCAP files from different sensors
Answer: B
Explanation: so-join links remote manager nodes, allowing a central SOC to view alerts from multiple deployments.

Question 56. Which Zeek log would you examine to investigate possible SSH brute‑force attempts?
A) ssh.log
B) auth.log
C) login.log
D) netflow.log
Answer: A
Explanation: ssh.log records each SSH session attempt, including success/failure and authentication methods.

Question 57. In a distributed Security Onion deployment, which component aggregates alerts from all sensors for display in the SOC?
A) Logstash
B) Elasticsearch cluster on the manager node
C) Stenographer indexer
D) Zeek master process
Answer: B
Explanation: The manager’s Elasticsearch cluster receives and indexes alerts from all sensors for central querying.

Question 58. Which of the following best describes the “PCAP‑over‑IP” (POIP) feature’s security considerations?
A) POIP transmits raw PCAP unencrypted, requiring network‑level protections
B) POIP automatically encrypts PCAP with TLS by default
C) POIP only works on localhost, eliminating remote exposure
D) POIP stores PCAP in a separate encrypted filesystem
Answer: A