Network Log Analysis
LetsDefend
Can “Layer 7 - Application Layer” information be obtained with Netflow analysis?
A) N
Which of the following is not produced through NetFlow logs?
A) XFF IP Information
What types of attacks can be detected with Netflow data?
A) Network Anomaly Detection
According to the NetFlow data above, what could it mean to see 10k requests from different source IPs to the same destination within 2 minutes?
A) UDP Flood
Which of the following is not true according to the NetFlow data above?
A) C
How many different ports did the attacker attempt to access?
A) 12
What kind of attack/activity could have been carried out according to the logs above?
A) Port-scan activity
How many open ports did the attacker detect?
A) 3
Will the attacker get a response from the Firewall stating that its access request was blocked?
A) Y
Which of the following is not a type of VPN?
A) DNS over VPN
Which of the following are true for the user3 VPN user?
A) C
VPN only works on firewall devices.
A) False
Which one is true for the “letsdefend” user logs?
A) Brute-Force Attack
Proxy is only used for accessing the internet via the web.
A) False
According to the Proxy log above, which of the following is not true?
A) C
Through which logs do we verify the response from the requested target in the proxy log above? (Assume that Firewall, AV, DLP, IPS/IDS, EDR and WAF devices are present in the environment.)
A) C
When the above proxy log record turns into an alert, which action below is not required?
A) F
IDS is a system that …………. the attacks. IPS is a system that …………. the attacks.
A) B
Which of the following is not correct?
A) B
What is the IP address related to the malicious domain?
A) 172.16.2.25
Which of the following is a true statement?
A) B
Which of the following information is normally not included in the IDS/IPS alarm outputs?
A) C
Which of the following is not true according to the WAF log above?
A) B
Which of the following actions should be taken when the above WAF log is examined?
A) A
Which of the following is not an HTTP request method?
A) E
Are there any SQL injection attacks with a status code of 200?
A) True
Identify the highest requesting IP address.
A) 192.168.203.63
How many web requests were made with the “DELETE” method in total?
A) 223
Among the web requests made, are there any web logs with “Nmap Scripting Engine” in the user-agent field?
A) True
Which of the following is not a DNS record type?
A) D
What could the suspicious activity be in the DNS and firewall logs above?
A) C
What could the suspicious activity be in the DNS log above?
A) D