CCNA CyberOps SECOPS – Objective 2.6

Interpret common artifact elements from an event to identify an alert

Implementing Cisco Cybersecurity Operations (210-255)

IP Address (source/destination)

IP address artifacts help identify both the attacker and the victim in a cybersecurity incident. They also help track an attacker who pivots through other systems.

Client and Server Port Identity

Ports are critical to identifying the services in play during an incident. Although programs can choose ports at random, many well-known ports, such as 80, 443 and 25, are standardized.

Process (file or registry)

Process information can come from logs, registry entries, or process-monitoring tools such as a HIPS. Knowing what was executed, and when, helps trace an attack.

System (API Calls)

API calls between applications and the operating system can include things like file access, memory access, and other important information.

Hashes

Hashes of files and drive images are important tools for verifying the integrity of a file. They can also be used to confirm that a copy of malware is identical to a known sample. A hash is a mathematical function that produces a fixed-length value which is, for practical purposes, unique to each input, such as a file.

URI/URL

[Figure: URL vs URI Venn diagram]

URI: Universal Resource Identifier
URL: Universal Resource Locator

Although often used interchangeably, there is a difference. Unfortunately, the RFCs are a bit ambiguous, so there are multiple opinions on what constitutes a URI versus a URL. For more on the pedantic arguments, check out this article.

For the CCNA CyberOps exam, just know what a URL/URI is and how it can help identify things in logs and other evidence.
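To tie the artifact elements above together (IP addresses, ports, URL/URI and file hashes), here is an added example that is not part of the original notes: it parses constructed proxy-style log lines, pulls out each artifact, and raises an alert when a downloaded file's SHA-256 matches a known-bad hash. The log format, the sample lines and the "known bad" bytes are all constructed for this example.

```python
import hashlib
import ipaddress
from urllib.parse import urlsplit

# Constructed stand-ins; in practice known-bad hashes come from threat intel.
KNOWN_BAD_SHA256 = hashlib.sha256(b"constructed stand-in for a known malware file").hexdigest()
BENIGN_SHA256 = hashlib.sha256(b"constructed stand-in for a benign installer").hexdigest()

# Constructed log lines in a hypothetical format:
# timestamp src_ip:src_port dst_ip:dst_port method url sha256_of_downloaded_body
SAMPLE_LOG = [
    f"2024-05-01T10:00:01Z 10.1.2.3:51234 203.0.113.10:443 GET https://updates.example.com/app/patch.msi {BENIGN_SHA256}",
    f"2024-05-01T10:00:07Z 10.1.2.3:51240 198.51.100.7:8080 GET http://cdn.example.net/dl/x.exe?id=7 {KNOWN_BAD_SHA256}",
    f"2024-05-01T10:00:09Z 10.1.2.9:51300 203.0.113.10:443 GET https://updates.example.com/app/patch.msi {BENIGN_SHA256}",
]

WELL_KNOWN_PORTS = {80: "http", 443: "https", 25: "smtp"}


def parse_event(line):
    """Split one log line into the artifact elements named in objective 2.6."""
    ts, src, dst, method, url, digest = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    parts = urlsplit(url)
    return {
        "timestamp": ts,
        "src_ip": str(ipaddress.ip_address(src_ip)),  # raises on a malformed address
        "src_port": int(src_port),
        "dst_ip": str(ipaddress.ip_address(dst_ip)),
        "dst_port": int(dst_port),
        # Well-known ports map to a service name; anything else is reported by number.
        "service": WELL_KNOWN_PORTS.get(int(dst_port), f"port {dst_port}"),
        "method": method,
        "scheme": parts.scheme,
        "host": parts.hostname,
        "path": parts.path,
        "sha256": digest.lower(),
    }


def identify_alerts(lines, bad_hashes):
    """Return (reason, event) pairs; each event carries the IPs, ports and URL needed to pivot."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev["sha256"] in bad_hashes:
            alerts.append(("known-bad file hash", ev))
        elif ev["scheme"] == "http" and ev["dst_port"] not in WELL_KNOWN_PORTS:
            alerts.append(("cleartext download on non-standard port", ev))
    return alerts
```

Running `identify_alerts(SAMPLE_LOG, {KNOWN_BAD_SHA256})` flags only the second line, and the returned event gives the analyst the source host, the destination IP and port, and the exact URL to search for elsewhere in the evidence.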