WK3 Security Information and Event Management (SIEM) dashboards Flashcards

1
Q

Logs

A

A log is a record of events that occur within an organization’s systems and networks. Security analysts access a variety of logs from different sources. Three common log sources include firewall logs, network logs, and server logs. Let’s explore each of these log sources in more detail.

2
Q

Firewall Log

A

A firewall log is a record of attempted or established connections for incoming traffic from the internet. It also includes outbound requests to the internet from within the network.

3
Q

Network Log

A

A network log is a record of all computers and devices that enter and leave the network. It also records connections between devices and services on the network.

4
Q

Server Log

A

A server log is a record of events related to services such as websites, emails, or file shares. It includes actions such as login, password, and username requests.

5
Q

SIEM Tool

A

A security information and event management, or SIEM, tool is an application that collects and analyzes log data to monitor critical activities in an organization. It provides real-time visibility, event monitoring and analysis, and automated alerts. It also stores all log data in a centralized location.

SIEM tools must be configured and customized to meet each organization’s unique security needs. As new threats and vulnerabilities emerge, organizations must continually customize their SIEM tools to ensure that threats are detected and quickly addressed.

6
Q

SIEM Dashboards

A
7
Q

SIEM Dashboards

A

For example, a security analyst receives an alert about a suspicious login attempt. The analyst accesses their SIEM dashboard to gather information about this alert. Using the dashboard, the analyst discovers that there have been 500 login attempts for Ymara’s account in the span of five minutes. They also discover that the login attempts happened from geographic locations outside of Ymara’s usual location and outside of her usual working hours.

By using a dashboard, the security analyst was able to quickly review visual representations of the timeline of the login attempts, the location, and the exact time of the activity, then determine that the activity was suspicious.

In addition to providing a comprehensive summary of security-related data, SIEM dashboards also provide stakeholders with different metrics. Metrics are key technical attributes such as response time, availability, and failure rate, which are used to assess the performance of a software application.

SIEM dashboards can be customized to display specific metrics or other data that are relevant to different members in an organization. For example, a security analyst may create a dashboard that displays metrics for monitoring everyday business operations, like the volume of incoming and outgoing network traffic.

8
Q

Self-hosted SIEM tools

A

Self-hosted SIEM tools require organizations to install, operate, and maintain the tool using their own physical infrastructure, such as server capacity. These applications are then managed and maintained by the organization’s IT department, rather than a third-party vendor. Self-hosted SIEM tools are ideal when an organization is required to maintain physical control over confidential data.

9
Q

Cloud-hosted SIEM tools

A

Cloud-hosted SIEM tools are maintained and managed by the SIEM providers, making them accessible through the internet. Cloud-hosted SIEM tools are ideal for organizations that don’t want to invest in creating and maintaining their own infrastructure.

10
Q

Common SIEM tools

A

Splunk Enterprise, Splunk Cloud, and Chronicle are common SIEM tools that many organizations use to help protect their data and systems.

11
Q

Splunk

A

Splunk is a data analysis platform, and Splunk Enterprise provides SIEM solutions. Splunk Enterprise is a self-hosted tool used to retain, analyze, and search an organization’s log data to provide security information and alerts in real time.

Splunk Cloud is a cloud-hosted tool used to collect, search, and monitor log data. Splunk Cloud is helpful for organizations running hybrid or cloud-only environments, where some or all of the organization’s services are in the cloud.

12
Q

Google’s Chronicle

A

Chronicle is a cloud-native tool designed to retain, analyze, and search data. Chronicle provides log monitoring, data analysis, and data collection. Like cloud-hosted tools, cloud-native tools are also fully maintained and managed by the vendor. But cloud-native tools are specifically designed to take full advantage of cloud computing capabilities such as availability, flexibility, and scalability.

13
Q

Open-source tools

A

Open-source tools are often free to use and can be user friendly. The objective of open-source tools is to provide users with software that is built by the public in a collaborative way, which can result in the software being more secure.

In security, there are many tools in use that are open-source and commonly available. Two examples are Linux and Suricata.

14
Q

Proprietary tools

A

Proprietary tools are developed and owned by a person or company, and users typically pay a fee for usage and training. The owners of proprietary tools are the only ones who can access and modify the source code.

15
Q

Splunk Dashboards

Security posture dashboard

A

The security posture dashboard is designed for security operations centers (SOCs). It displays the last 24 hours of an organization’s notable security-related events and trends and allows security professionals to determine if security infrastructure and policies are performing as designed. Security analysts can use this dashboard to monitor and investigate potential threats in real time, such as suspicious network activity originating from a specific IP address.

16
Q

Splunk Dashboards

Executive summary dashboard

A

The executive summary dashboard analyzes and monitors the overall health of the organization over time. This helps security teams improve security measures that reduce risk. Security analysts might use this dashboard to provide high-level insights to stakeholders, such as generating a summary of security incidents and trends over a specific period of time.

17
Q

Splunk Dashboards

Incident review dashboard

A

The incident review dashboard allows analysts to identify suspicious patterns that can occur in the event of an incident. It assists by highlighting higher risk items that need immediate review by an analyst. This dashboard can be very helpful because it provides a visual timeline of the events leading up to an incident.

18
Q

Splunk Dashboards

Risk analysis dashboard

A

The risk analysis dashboard helps analysts identify risk for each risk object (e.g., a specific user, a computer, or an IP address). It shows changes in risk-related activity or behavior, such as a user logging in outside of normal working hours or unusually high network traffic from a specific computer. A security analyst might use this dashboard to analyze the potential impact of vulnerabilities in critical assets, which helps analysts prioritize their risk mitigation efforts.

19
Q

Chronicle Dashboards

Enterprise insights dashboard

A

The enterprise insights dashboard highlights recent alerts. It identifies suspicious domain names in logs, known as indicators of compromise (IOCs). Each result is labeled with a confidence score to indicate the likelihood of a threat. It also provides a severity level that indicates the significance of each threat to the organization. A security analyst might use this dashboard to monitor login or data access attempts related to a critical asset—like an application or system—from unusual locations or devices.

20
Q

Chronicle Dashboards

Data ingestion and health dashboard

A

The data ingestion and health dashboard shows the number of event logs, log sources, and success rates of data being processed into Chronicle. A security analyst might use this dashboard to ensure that log sources are correctly configured and that logs are received without error. This helps ensure that log-related issues are addressed so that the security team has access to the log data they need.

21
Q

Chronicle Dashboards

IOC matches dashboard

A

The IOC (indicators of compromise) matches dashboard indicates the top threats, risks, and vulnerabilities to the organization. Security professionals use this dashboard to observe domain names, IP addresses, and device IOCs over time in order to identify trends. This information is then used to direct the security team’s focus to the highest priority threats. For example, security analysts can use this dashboard to search for additional activity associated with an alert, such as a suspicious user login from an unusual geographic location.

22
Q

Chronicle Dashboards

Main Dashboard

A

The main dashboard displays a high-level summary of information related to the organization’s data ingestion, alerting, and event activity over time. Security professionals can use this dashboard to access a timeline of security events—such as a spike in failed login attempts—to identify threat trends across log sources, devices, IP addresses, and physical locations.

23
Q

Chronicle Dashboards

Rule detections dashboard

A

The rule detections dashboard provides statistics related to incidents with the highest occurrences, severities, and detections over time. Security analysts can use this dashboard to access a list of all the alerts triggered by a specific detection rule, such as a rule designed to alert whenever a user opens a known malicious attachment from an email. Analysts then use those statistics to help manage recurring incidents and establish mitigation tactics to reduce an organization’s level of risk.

24
Q

Chronicle Dashboards

User sign in overview dashboard

A

The user sign in overview dashboard provides information about user access behavior across the organization. Security analysts can use this dashboard to access a list of all user sign-in events to identify unusual user activity, such as a user signing in from multiple locations at the same time. This information is then used to help mitigate threats, risks, and vulnerabilities to user accounts and the organization’s applications.