Splunk Flashcards
What are the two main Splunk SIEM tool options?
Splunk® Enterprise and Splunk® Cloud
What is the purpose of Splunk tools in general?
To collect, search, monitor, and analyze log data from multiple sources to obtain full visibility into an organization’s everyday operations.
Security posture dashboard (Splunk) - Purpose?
Displays the last 24 hours of an organization’s notable security-related events and trends; helps determine if security infrastructure and policies are performing as designed; allows real-time threat monitoring and investigation.
Executive summary dashboard (Splunk) - Purpose?
Analyzes and monitors the overall health of the organization over time; helps improve security measures to reduce risk; provides high-level insights to stakeholders (e.g., summaries of incidents and trends).
Incident review dashboard (Splunk) - Purpose?
Allows analysts to identify suspicious patterns in the event of an incident; highlights higher-risk items needing immediate review; provides a visual timeline of events leading up to an incident.
Risk analysis dashboard (Splunk) - Purpose?
Helps analysts identify risk for each risk object (user, computer, IP address); shows changes in risk-related activity or behavior (e.g., unusual login times, high network traffic); helps prioritize risk mitigation efforts.
What is Chronicle?
A cloud-native SIEM tool from Google that retains, analyzes, and searches log data to identify potential security threats, risks, and vulnerabilities.
How does Chronicle allow you to collect and analyze log data?
According to a specific asset, a domain name, a user, or an IP address.
Enterprise insights dashboard (Chronicle) - Purpose?
Highlights recent alerts; identifies suspicious domain names (IOCs) with confidence scores and severity levels; helps monitor activity related to critical assets (e.g., unusual logins).
Data ingestion and health dashboard (Chronicle) - Purpose?
Shows the number of event logs, log sources, and success rates of data being processed into Chronicle; helps ensure correct log source configuration and error-free log reception.
IOC matches dashboard (Chronicle) - Purpose?
Indicates the top threats, risks, and vulnerabilities; helps observe IOCs (domain names, IP addresses, devices) over time to identify trends and prioritize security efforts.
Main dashboard (Chronicle) - Purpose?
Displays a high-level summary of data ingestion, alerting, and event activity over time; provides a timeline of security events (e.g., spikes in failed logins) to identify threat trends.
Rule detections dashboard (Chronicle) - Purpose?
Provides statistics related to incidents with the highest occurrences, severities, and detections over time; allows access to alerts triggered by specific detection rules (e.g., malicious attachments) to manage recurring incidents and establish mitigation tactics.
User sign in overview dashboard (Chronicle) - Purpose?
Provides information about user access behavior; allows access to all user sign-in events to identify unusual activity (e.g., simultaneous logins from multiple locations) and mitigate threats to user accounts and applications.
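The risk analysis dashboard (risk per user, computer, and IP address), the main dashboard's timeline of failed-login spikes, and the user sign-in overview's "simultaneous logins from multiple locations" all rest on the same kind of detection logic: parse sign-in events, apply a few rules, and accumulate weighted findings per risk object. The following is an added worked example of that logic in plain Python; it is not Splunk or Chronicle code, the JSON log lines are constructed for the example, and the field names, business-hours window, time buckets, and risk weights are assumptions rather than either product's actual scoring.

```python
import json
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events in JSON-lines form (made up for this
# example; not real Splunk or Chronicle data). Field names are assumptions.
SAMPLE_LOG = """\
{"ts": "2024-03-04T09:12:00", "user": "alice", "src_ip": "198.51.100.10", "host": "host-a", "geo": "US", "result": "success"}
{"ts": "2024-03-04T09:20:00", "user": "alice", "src_ip": "203.0.113.5", "host": "host-a", "geo": "DE", "result": "success"}
{"ts": "2024-03-04T02:45:00", "user": "bob", "src_ip": "192.0.2.7", "host": "host-b", "geo": "US", "result": "success"}
{"ts": "2024-03-04T10:00:10", "user": "carol", "src_ip": "203.0.113.99", "host": "host-c", "geo": "RU", "result": "failure"}
{"ts": "2024-03-04T10:00:40", "user": "carol", "src_ip": "203.0.113.99", "host": "host-c", "geo": "RU", "result": "failure"}
{"ts": "2024-03-04T10:01:10", "user": "carol", "src_ip": "203.0.113.99", "host": "host-c", "geo": "RU", "result": "failure"}
{"ts": "2024-03-04T10:01:40", "user": "carol", "src_ip": "203.0.113.99", "host": "host-c", "geo": "RU", "result": "failure"}
{"ts": "2024-03-04T10:02:10", "user": "carol", "src_ip": "203.0.113.99", "host": "host-c", "geo": "RU", "result": "failure"}
{"ts": "2024-03-04T10:02:40", "user": "carol", "src_ip": "203.0.113.99", "host": "host-c", "geo": "RU", "result": "failure"}
{"ts": "2024-03-04T10:30:00", "user": "carol", "src_ip": "192.0.2.20", "host": "host-c", "geo": "US", "result": "success"}
"""

# Illustrative weights: how much each finding adds to the risk score of the
# objects it involves (assumed values, not Splunk's or Chronicle's scoring).
WEIGHTS = {"unusual_hour": 20, "multi_location": 40, "failed_login_spike": 30}


def parse_events(text):
    """Parse JSON lines into event dicts with a datetime 'ts', sorted by time."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for ev in events:
        ev["ts"] = datetime.fromisoformat(ev["ts"])
    return sorted(events, key=lambda ev: ev["ts"])


def unusual_hours(events, start_hour=8, end_hour=18):
    """Successful sign-ins outside the assumed business window [start, end)."""
    return [
        {"type": "unusual_hour", "user": ev["user"], "host": ev["host"], "ts": ev["ts"]}
        for ev in events
        if ev["result"] == "success" and not start_hour <= ev["ts"].hour < end_hour
    ]


def multi_location(events, window=timedelta(minutes=30)):
    """Consecutive successful sign-ins by one user from different geos within 'window'."""
    by_user = defaultdict(list)
    for ev in events:
        if ev["result"] == "success":
            by_user[ev["user"]].append(ev)
    findings = []
    for user, logins in by_user.items():
        for prev, cur in zip(logins, logins[1:]):
            if prev["geo"] != cur["geo"] and cur["ts"] - prev["ts"] <= window:
                findings.append({"type": "multi_location", "user": user,
                                 "geos": (prev["geo"], cur["geo"]), "ts": cur["ts"]})
    return findings


def failed_login_spikes(events, bucket_minutes=5, threshold=5):
    """Source IPs with at least 'threshold' failures inside one fixed time bucket."""
    buckets = defaultdict(list)
    for ev in events:
        if ev["result"] == "failure":
            ts = ev["ts"]
            start = ts.replace(minute=ts.minute - ts.minute % bucket_minutes,
                               second=0, microsecond=0)
            buckets[(ev["src_ip"], start)].append(ev["user"])
    return [
        {"type": "failed_login_spike", "src_ip": ip, "bucket_start": start,
         "count": len(users), "users": sorted(set(users))}
        for (ip, start), users in buckets.items() if len(users) >= threshold
    ]


def risk_scores(findings):
    """Accumulate weighted findings per risk object ('user:', 'host:', 'ip:')."""
    scores = Counter()
    for f in findings:
        w = WEIGHTS[f["type"]]
        if f["type"] == "unusual_hour":
            scores["user:" + f["user"]] += w
            scores["host:" + f["host"]] += w // 2
        elif f["type"] == "multi_location":
            scores["user:" + f["user"]] += w
        else:  # failed_login_spike: the source IP carries most of the risk
            scores["ip:" + f["src_ip"]] += w
            for user in f["users"]:
                scores["user:" + user] += w // 3
    return dict(scores)


def analyze(text):
    """Run all three detections over a log and rank the resulting risk objects."""
    events = parse_events(text)
    findings = unusual_hours(events) + multi_location(events) + failed_login_spikes(events)
    ranked = sorted(risk_scores(findings).items(), key=lambda kv: (-kv[1], kv[0]))
    return findings, ranked


if __name__ == "__main__":
    found, ranking = analyze(SAMPLE_LOG)
    for f in found:
        print(f)
    for obj, score in ranking:
        print(f"{obj:22} risk={score}")
```

On the constructed data, alice's two successful logins from different countries eight minutes apart, bob's 02:45 login, and the six failures from one source against carol each produce one finding; the ranking puts alice first, then the attacking IP, then bob. The useful caveat is the same one that applies to the real dashboards: a fixed bucket boundary can split a burst across two buckets and hide a spike, and a geo-change rule without a travel-time calculation will flag VPN users, so thresholds and windows need tuning against the organization's own baseline.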
Incident response:
An organization’s quick attempt to identify an attack, contain the damage, and correct the effects of a security breach
Log:
A record of events that occur within an organization’s systems
Metrics:
Key technical attributes such as response time, availability, and failure rate, which are used to assess the performance of a software application
Operating system (OS):
The interface between computer hardware and the user
Playbook:
A manual that provides details about any operational action
Security information and event management (SIEM):
An application that collects and analyzes log data to monitor critical activities in an organization
Security orchestration, automation, and response (SOAR):
A collection of applications, tools, and workflows that use automation to respond to security events
SIEM tools:
Software platforms that collect, analyze, and correlate security data from various sources across an organization's IT infrastructure, helping teams identify and respond to security threats in real time, investigate security incidents, and comply with security regulations
Splunk Cloud:
A cloud-hosted tool used to collect, search, and monitor log data
Splunk Enterprise:
A self-hosted tool used to retain, analyze, and search an organization's log data to provide security information and alerts in real time