Splunk Flashcards
What are the two main Splunk SIEM tool options?
Splunk® Enterprise (self-hosted) and Splunk® Cloud (hosted by Splunk). The SIEM-specific dashboards on these cards (security posture, executive summary, incident review, risk analysis) belong to the Splunk Enterprise Security app, which runs on either platform.
What is the purpose of Splunk tools in general?
To collect, search, monitor, and analyze log data from multiple sources to obtain full visibility into an organization’s everyday operations.
Security posture dashboard (Splunk) - Purpose?
Displays the last 24 hours of an organization’s notable security-related events and trends; helps determine if security infrastructure and policies are performing as designed; allows real-time threat monitoring and investigation.
Executive summary dashboard (Splunk) - Purpose?
Analyzes and monitors the overall health of the organization over time; helps improve security measures to reduce risk; provides high-level insights to stakeholders (e.g., summaries of incidents and trends).
Incident review dashboard (Splunk) - Purpose?
Allows analysts to identify suspicious patterns in the event of an incident; highlights higher-risk items needing immediate review; provides a visual timeline of events leading up to an incident.
Risk analysis dashboard (Splunk) - Purpose?
Helps analysts identify risk for each risk object (user, computer, IP address); shows changes in risk-related activity or behavior (e.g., unusual login times, high network traffic); helps prioritize risk mitigation efforts.
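The risk analysis card above describes scoring per risk object. As an added illustration (not Splunk's own code, and simplified compared with Splunk Enterprise Security's risk-based alerting), the following Python takes constructed risk events, each attributed to a risk object (user, system or IP) by a hypothetical detection rule, sums the scores per object inside a 24-hour lookback window, and raises a notable only when the aggregate crosses a threshold and at least two distinct rules contributed. The event data, rule names, scores and thresholds are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample risk events (not real Splunk data). Each row mimics a
# risk event written by a correlation search: which risk object it concerns,
# the object's type, the rule that fired, the score it adds and when.
RISK_EVENTS = [
    {"time": "2024-05-01T01:10:00", "object": "jdoe", "type": "user",
     "rule": "Login outside business hours", "score": 20},
    {"time": "2024-05-01T01:15:00", "object": "jdoe", "type": "user",
     "rule": "Excessive outbound bytes", "score": 40},
    {"time": "2024-05-01T03:40:00", "object": "jdoe", "type": "user",
     "rule": "New admin group membership", "score": 30},
    {"time": "2024-05-01T02:00:00", "object": "ws-0042", "type": "system",
     "rule": "Excessive outbound bytes", "score": 40},
    {"time": "2024-05-01T02:05:00", "object": "ws-0042", "type": "system",
     "rule": "Excessive outbound bytes", "score": 40},
    {"time": "2024-04-28T09:00:00", "object": "10.0.0.7", "type": "ip",
     "rule": "Port scan", "score": 60},
]

# Fixed "current time" so the example is reproducible (an assumption).
NOW = datetime.fromisoformat("2024-05-01T12:00:00")


def aggregate_risk(events, now=NOW, window=timedelta(hours=24)):
    """Sum risk per object inside the lookback window and record which
    distinct rules contributed. Events older than the window are ignored."""
    start = now - window
    agg = defaultdict(lambda: {"score": 0, "rules": set(), "type": None})
    for ev in events:
        t = datetime.fromisoformat(ev["time"])
        if start <= t <= now:
            entry = agg[ev["object"]]
            entry["score"] += ev["score"]
            entry["rules"].add(ev["rule"])
            entry["type"] = ev["type"]
    return dict(agg)


def risk_notables(events, now=NOW, threshold=80, min_rules=2):
    """Return risk objects whose aggregated score reaches the threshold AND
    that were hit by at least min_rules distinct rules, so a single noisy
    rule firing repeatedly does not by itself produce a notable."""
    out = []
    for obj, entry in aggregate_risk(events, now).items():
        if entry["score"] >= threshold and len(entry["rules"]) >= min_rules:
            out.append({"object": obj, "type": entry["type"],
                        "score": entry["score"],
                        "rules": sorted(entry["rules"])})
    # Highest aggregate risk first, which is the order an analyst triages in.
    return sorted(out, key=lambda r: -r["score"])


if __name__ == "__main__":
    for notable in risk_notables(RISK_EVENTS):
        print(notable)
```

With the sample data, jdoe accumulates 90 points from three different rules and is surfaced; ws-0042 also reaches 80 points but from one rule only and stays below the notable bar; the port scan against 10.0.0.7 falls outside the 24-hour window. Tuning the window, threshold and rule-diversity requirement is where most of the false-positive reduction happens in practice.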
What is Chronicle?
A cloud-native SIEM tool from Google (since rebranded as part of Google Security Operations) that retains, normalizes, analyzes, and searches log data to identify potential security threats, risks, and vulnerabilities.
How does Chronicle allow you to collect and analyze log data?
Ingested logs are normalized so you can search and pivot on an entity: a specific asset, a domain name, a user, or an IP address.
Enterprise insights dashboard (Chronicle) - Purpose?
Highlights recent alerts; identifies suspicious domain names (IOCs) with confidence scores and severity levels; helps monitor activity related to critical assets (e.g., unusual logins).
Data ingestion and health dashboard (Chronicle) - Purpose?
Shows the number of event logs, log sources, and success rates of data being processed into Chronicle; helps ensure correct log source configuration and error-free log reception.
IOC matches dashboard (Chronicle) - Purpose?
Indicates the top threats, risks, and vulnerabilities; helps observe IOCs (domain names, IP addresses, devices) over time to identify trends and prioritize security efforts.
Main dashboard (Chronicle) - Purpose?
Displays a high-level summary of data ingestion, alerting, and event activity over time; provides a timeline of security events (e.g., spikes in failed logins) to identify threat trends.
Rule detections dashboard (Chronicle) - Purpose?
Provides statistics related to incidents with the highest occurrences, severities, and detections over time; allows access to alerts triggered by specific detection rules (e.g., malicious attachments) to manage recurring incidents and establish mitigation tactics.
User sign in overview dashboard (Chronicle) - Purpose?
Provides information about user access behavior; allows access to all user sign-in events to identify unusual activity (e.g., simultaneous logins from multiple locations) and mitigate threats to user accounts and applications.
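Two of the Chronicle cards above name concrete detections: spikes in failed logins on the main dashboard timeline, and simultaneous sign-ins from multiple locations on the user sign-in overview. As an added example (not Chronicle's code or its YARA-L rules), the Python below parses constructed key=value sign-in lines, buckets failures per hour to find spikes, and flags any user with successful sign-ins from two or more countries inside a short window. The log format, field names, addresses and thresholds are assumptions for the example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sign-in log lines (not real data); documentation ranges are
# used for the addresses. A real source would be normalized into a schema,
# but key=value lines are enough to show the logic.
SIGNIN_LOGS = """\
2024-05-01T08:00:00Z user=alice src_ip=203.0.113.10 country=US result=success
2024-05-01T08:04:00Z user=alice src_ip=198.51.100.7 country=DE result=success
2024-05-01T08:30:00Z user=bob src_ip=192.0.2.5 country=US result=failure
2024-05-01T08:31:00Z user=bob src_ip=192.0.2.5 country=US result=failure
2024-05-01T08:32:00Z user=bob src_ip=192.0.2.5 country=US result=failure
2024-05-01T09:00:00Z user=bob src_ip=192.0.2.5 country=US result=success
2024-05-01T13:00:00Z user=alice src_ip=203.0.113.10 country=US result=success
2024-05-01T13:05:00Z user=alice src_ip=203.0.113.10 country=US result=failure
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_signins(text):
    """Turn each 'timestamp k=v k=v ...' line into a dict with a datetime."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines rather than crash
        fields = dict(kv.split("=", 1) for kv in m.group("kv").split())
        fields["time"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
        events.append(fields)
    return events


def failed_logins_per_hour(events):
    """Count result=failure events per clock hour (the timeline series)."""
    counts = Counter()
    for ev in events:
        if ev.get("result") == "failure":
            counts[ev["time"].replace(minute=0, second=0, microsecond=0)] += 1
    return dict(counts)


def failed_login_spikes(events, threshold=3):
    """Hours whose failure count reaches the threshold, oldest first."""
    return sorted(h for h, n in failed_logins_per_hour(events).items()
                  if n >= threshold)


def concurrent_location_logins(events, window=timedelta(minutes=30)):
    """Flag users with successful sign-ins from two or more countries inside
    `window`. One finding per (user, set of countries); failures are ignored
    because an attacker who never got in has not established a session."""
    by_user = defaultdict(list)
    for ev in events:
        if ev.get("result") == "success":
            by_user[ev["user"]].append(ev)
    findings = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["time"])
        for i, first in enumerate(evs):
            countries, ips = {first["country"]}, {first["src_ip"]}
            for later in evs[i + 1:]:
                if later["time"] - first["time"] > window:
                    break  # sorted, so nothing further is inside the window
                countries.add(later["country"])
                ips.add(later["src_ip"])
            if len(countries) >= 2:
                key = (user, frozenset(countries))
                findings.setdefault(key, {"user": user, "start": first["time"],
                                          "countries": sorted(countries),
                                          "src_ips": sorted(ips)})
    return list(findings.values())


if __name__ == "__main__":
    evs = parse_signins(SIGNIN_LOGS)
    print("failure spikes:", failed_login_spikes(evs))
    print("multi-location sign-ins:", concurrent_location_logins(evs))
```

On the sample lines, bob's three failures in the 08:00 hour form a spike, while alice's single failure at 13:05 does not; alice is the only user flagged for multi-location sign-in, because her US and DE successes are four minutes apart. A country-level comparison is deliberately coarse: a production rule would also consider distance and elapsed time, known corporate egress ranges and VPN exits to avoid flagging legitimate roaming.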
What is incident response?
An organization’s quick attempt to identify an attack, contain the damage, and correct the effects of a security breach.