Background Context

Given recent attacks on the Healthcare sector, and some noted data breaches, FauxCura Health have engaged Quantum.LogiGuardian (QLG), a cyber security consultancy and analytics firm.

FauxCura believes they may have had undetected cyber security breaches within their systems. As a caring and respectable healthcare provider, they want to examine their historic network data to determine whether undetected breaches have occurred.
The security operations centre at FauxCura runs a Security Incident and Event Management (SIEM) platform called Splunk. This platform collects vast quantities of log data from servers, desktop computers, routers and other network equipment and aggregates it in the form of reports and alerts that can be viewed by security personnel to identify incidents that require investigation.

During an initial investigation of FauxCura's data, QLG were able to trawl through history data to produce an initial report that provides some top-level metrics on incidents based on certain triggers. Incident-specific data is also retained, but generally consists of extremely large data sets.

It is hoped that the report data contains sufficient information to be able to construct an ML model that can more accurately identify events of interest.
Data Overview

The data you are working with are records extracted from FauxCura's SIEM. The records have already been processed and reduced to a summary of individual event detections that were triggered by the SIEM.

The data have also been aggregated from multiple other sources and reports in the SIEM. This means some values may be inconsistent across systems, or there may be errors in the data that need to be identified and cleaned.

Descriptions of Features:

Below is a brief explanation of the features in the data set. It is not necessary to understand these features. It is also important to note that feature naming conventions are very subjective. Reliance on the meaning of a name may miss important data or detail.
Alert Category (Categorical):

This feature describes what type of alert was created by Splunk. It is largely subjective, as the alert creators can identify their own alert levels for different types of events. The levels present in the data can be approximately summarised as:

Informational:
An event that is being logged to the system for information purposes only. It is possible these could relate to malicious activity, but this is the lowest level of alert.

Warning:
This is a higher level of alert and is typically used to identify a situation that may not be typical.

Alert:
These are typically used for specific events that represent a security concern that requires action.
NetworkEventType (Categorical):

This is the type of event that the SIEM report believes has occurred. It can be used to differentiate between apparently normal network traffic and things like policy violations, threat detections and even data exfiltration.

NormalOperation:
No specific anomalies occur in this logged event; there are many reasons this data may be logged.

PolicyViolation:
A security or business policy has been violated. This can range from attempts to run unauthorised software on the network, to using the wrong type of web browser to access a database.

ThreatDetected:
A specific condition has been detected that has previously been identified as a security threat. These could be normal operations mistagged, or they may include malicious software or techniques in use.
NetworkInteractionType (Categorical):

This is another computer metric that uses an unknown third-party plugin to identify network interactions that are not typical.

Regular:
These appear to be normal network traffic requests.

Elevated:
Requests that are attempting to access resources that require specific permissions. For example, a computer trying to log in to an administrative console or a restricted device.

Suspicious:
Generally, these are elevated network events that are unexpected, have come from an unexpected source, or have unexpected patterns of usage.

Anomalous:
Network interactions that aren't typical but may not have any relation to security events.

Critical:
A network condition that should never occur. This could be an interaction that indicates an attack condition, or a severe equipment outage or malfunction.

Unknown:
The interaction status is unknown.
DataTransferVolume (out and in) (Numeric):

Quantifies the amount of data transferred over the network. Values are given for both directions: into the network and out of the network.

TransactionsPerSession (Integer):

The number of transactions exchanged between devices and the service they are communicating with.

NetworkAccessFrequency (Integer):

Measures how frequently network ports are accessed, with abnormal frequencies potentially signalling unauthorized acce
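The Data Overview warns that the records were aggregated from several SIEM reports, so category spellings may differ between sources and some numeric values may be plain errors. Before any of this can feed an ML model, each record should be checked against the documented feature levels and the bad values reported rather than silently kept. The script below is an added example written for this page, not part of the assignment or of QLG's work: it uses the feature names and category levels listed above, assumes column names DataTransferVolume_out and DataTransferVolume_in for the two transfer directions, and runs over a handful of constructed records that imitate the kind of inconsistency the overview describes.

```python
"""Schema validation and cleaning for the FauxCura SIEM summary records.

Added example, not from the assignment. The categorical levels are those
documented in the feature descriptions; the numeric column names and the
cleaning rules (case- and separator-insensitive matching, non-negative
range checks) are assumptions. The sample records are constructed.
"""
import re
from typing import Any

# Categorical features and their documented levels.
CATEGORICAL_LEVELS = {
    "AlertCategory": ["Informational", "Warning", "Alert"],
    "NetworkEventType": ["NormalOperation", "PolicyViolation", "ThreatDetected"],
    "NetworkInteractionType": ["Regular", "Elevated", "Suspicious",
                               "Anomalous", "Critical", "Unknown"],
}

# Numeric features: (declared python type, minimum allowed value).
# Column names for the two transfer directions are an assumption.
NUMERIC_FEATURES = {
    "DataTransferVolume_out": (float, 0.0),
    "DataTransferVolume_in": (float, 0.0),
    "TransactionsPerSession": (int, 0),
    "NetworkAccessFrequency": (int, 0),
}


def _canon(value: str) -> str:
    """Fold case and drop separators so 'threat_detected' matches 'ThreatDetected'."""
    return re.sub(r"[\s_\-]", "", value).lower()


# canonical spelling -> documented level name, built once per feature
_LEVEL_LOOKUP = {
    feature: {_canon(level): level for level in levels}
    for feature, levels in CATEGORICAL_LEVELS.items()
}


def clean_record(record: dict[str, Any]) -> tuple[dict[str, Any], list[str]]:
    """Return (cleaned record, list of data-quality issues found in it).

    Categorical values are mapped onto the documented level names when they
    match after canonicalisation; anything else becomes None and is reported.
    Numeric values are coerced to their declared type and range-checked; a
    value that cannot be used becomes None so it is never mistaken for data.
    """
    cleaned: dict[str, Any] = {}
    issues: list[str] = []

    for feature, lookup in _LEVEL_LOOKUP.items():
        raw = record.get(feature)
        if raw is None:
            cleaned[feature] = None
            issues.append(f"{feature}: missing")
            continue
        level = lookup.get(_canon(str(raw)))
        if level is None:
            issues.append(f"{feature}: undocumented level {raw!r}")
        elif level != raw:
            issues.append(f"{feature}: normalised {raw!r} -> {level!r}")
        cleaned[feature] = level

    for feature, (kind, minimum) in NUMERIC_FEATURES.items():
        raw = record.get(feature)
        try:
            number = float(raw)
        except (TypeError, ValueError):
            issues.append(f"{feature}: unparseable value {raw!r}")
            cleaned[feature] = None
            continue
        if kind is int and not number.is_integer():
            issues.append(f"{feature}: non-integer value {raw!r}")
            cleaned[feature] = None
            continue
        if number < minimum:
            issues.append(f"{feature}: out of range {number}")
            cleaned[feature] = None
            continue
        cleaned[feature] = kind(number)

    return cleaned, issues


def clean_records(records):
    """Clean every record; return (cleaned rows, {row index: issues})."""
    rows, report = [], {}
    for idx, rec in enumerate(records):
        cleaned, issues = clean_record(rec)
        rows.append(cleaned)
        if issues:
            report[idx] = issues
    return rows, report


# Constructed sample records imitating exports from different SIEM reports
# with differing naming conventions and a few outright errors.
SAMPLE_RECORDS = [
    {"AlertCategory": "Informational", "NetworkEventType": "NormalOperation",
     "NetworkInteractionType": "Regular", "DataTransferVolume_out": 1200.5,
     "DataTransferVolume_in": 340, "TransactionsPerSession": 12,
     "NetworkAccessFrequency": 3},
    {"AlertCategory": "warning", "NetworkEventType": "policy_violation",
     "NetworkInteractionType": " Elevated ", "DataTransferVolume_out": "98.0",
     "DataTransferVolume_in": 15, "TransactionsPerSession": 4,
     "NetworkAccessFrequency": 9},
    {"AlertCategory": "Alert", "NetworkEventType": "ThreatDetected",
     "NetworkInteractionType": "Severe", "DataTransferVolume_out": -50,
     "DataTransferVolume_in": "n/a", "TransactionsPerSession": 2.5,
     "NetworkAccessFrequency": 40},
]

if __name__ == "__main__":
    rows, report = clean_records(SAMPLE_RECORDS)
    for idx, issues in report.items():
        print(f"record {idx}:")
        for issue in issues:
            print("   ", issue)
```

Keeping the normalisation log separate from the cleaned rows matters for the modelling step: a level such as "Severe" that the SIEM documentation does not mention may be a third system's label for "Critical" or may be noise, and the report lets an analyst decide that before the value is one-hot encoded, instead of the model learning a spurious category.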