nerdexam
(ISC)2

CISSP · Question #274

For network-based evidence, which of the following contains traffic details of all network sessions in order to detect anomalies?

The correct answer is D. Statistical data. Statistical data captures traffic details across all network sessions, enabling baseline comparisons and anomaly detection. It differs from other data types by focusing on session-level metrics rather than content or alerts.

Submitted by carter_n· Mar 5, 2026Security Operations

Question

For network-based evidence, which of the following contains traffic details of all network sessions in order to detect anomalies?

Options

  • AAlert data
  • BUser data
  • CContent data
  • DStatistical data

How the community answered

(29 responses)
  • A
    7% (2)
  • B
    3% (1)
  • D
    90% (26)

Why each option

Statistical data captures traffic details across all network sessions, enabling baseline comparisons and anomaly detection. It differs from other data types by focusing on session-level metrics rather than content or alerts.

AAlert data

Alert data contains notifications generated by intrusion detection/prevention systems when specific signatures or thresholds are triggered, meaning it only reflects already-identified suspicious events rather than comprehensive session traffic details.

BUser data

User data refers to the actual payload or application-layer content generated by users, not metadata or session-level traffic statistics used for anomaly detection across all network sessions.

CContent data

Content data captures the full payload of network communications (e.g., packet captures, application data), which is not the same as session-level traffic statistics used to detect behavioral anomalies across all sessions.

DStatistical dataCorrect

Statistical data contains aggregate and detailed traffic metrics for all network sessions-such as bytes transferred, session duration, packet counts, and flow records-which allows analysts to establish baselines and detect anomalies by comparing current behavior against normal patterns. This type of data is typically collected via NetFlow, IPFIX, or similar flow-based technologies and covers all sessions rather than only flagged or suspicious ones.

Concept tested: Network-based evidence types for anomaly detection

Source: https://www.cisco.com/c/en/us/td/docs/security/security_management/cisco_security_manager/security_manager/4-1/user/guide/CSMUserGuide_wrapper/IPS_sig_overview.html

Topics

#Network forensics#Anomaly detection#Network traffic analysis#Security monitoring

Community Discussion

No community discussion yet for this question.

Full CISSP Practice